Welcome to WebProNews Breaking eBusiness and Search News
Advertise | Newsletter | Sitemap | News Feeds News Feed 
 WebProNews Search Part of the iEntry network iEntry inc. 

ProFTPd, Wu-ftpd, And General Ftp Security

A.P. Lawrence
Expert Author
Published: 2004-12-27

WebProNews RSS Feed


FTP in general has a long and sad history of security problems. If you need to run an ftp server, you need to keep careful track of vulnerabilites and exploits that may make for a very unhappy day.

Things have gotten better in recent years, but just as I started this article I checked the wu-ftpd site and found a fairly recent problem noted, and an even more recent problem discussed at proftpd.org . Makes you want to forget ftp entirely, doesn't it?

I do think the more widespread availablility of ssh (hence scp and sftp) has made anything but anonymous ftp less necessary, and that does help - at least there aren't as many unencrypted logins flying around.

The main problem with ftp is that it almost always runs with root privilege, at least part of the time. It needs to bind to low ports (20 and 21) at a minimum, which requires root, and there are probably other points where it needs more than ordinary user abilities. Modern implementations try to avoid being root when they don't need to, but of course that's not perfect. Other damage limiting attempts involve running in a chroot jail.

Note there is a bit of a difference between the chroot options often present in ftp configuration files and a real unix level chroot. To use the latter, you need to set up a number of files and directories to include libraries, vital commands and files like /etc/passwd and more. The "chroot" options for ftp daemons mean that an ftp login can't cd above the specified point. These are similar restrictions, but technically quite different.

There are many, many ftp server programs available. I found a short list at http://www.linuxmafia.com/faq/Network_Other/ftp-daemons.html and I'm sure there are many more. However, the most commonly found are wu-ftp and proftp (though vsftp is becoming more popular). Any ftp daemon is going to have its share of features and quirks, and of course its own security measures. Most all will provide at least basic security like setting umask and determining who can or cannot use the server. I won't be covering everything in what follows, but will hit the highlights.

FTP Security Basics

One simple security step with any ftp server is not to help by advertising. Here's a talkative server just begging for you to go look up its vulnerabilities:

ProFTPD 1.2.4 Server (FTP) [ftp.xyz.com]

If you add "ServerIdent Off" to the proftd.conf, it's a bit less chatty:

220 ftp.xyz.com FTP server ready.

For wu-ftp, the file is "ftpaccess", and you want 'greeting terse' or 'greeting brief'.

You surely also want to disallow certain users from using ftp. It would usually be a very poor idea to let root have an ftp login, for example. With both wu-ftp and proftp (and many other ftp's), you list disallowed users in /etc/ftpusers. Proftpd disallows root by default, regardless of ftpusers. If you did "RootLogin on" in proftpd.conf, you'd still need to remove root from /etc/ftpusers should you need this.

You can also restrict to certain ip's:

proftpd.conf:

<Limit LOGIN>
Order Allow,Deny
Allow 192.168.2.8, mydomain.com, anotherdomain.net,
Deny from all
</Limit>

wu-ftpd ftpaccess:
(from man page)

     deny <addrglob> <message_file>

     Always deny access to host(s) matching <addrglob>.
     <message_file> is displayed. <addrglob> may be
     "!nameserved" to deny access to sites without a working
     nameserver. It may also be the name of a file,
     starting with a slash ('/'), which contains
     additional address globs, as well as in the form
     address:netmask or address/cidr.

To prevent password guessing, you may set limits on login attempts:

proftpd.conf:

MaxLoginAttempts     4

wu-ftpd ftpaccess:

loginfails 3

You can also do things like limiting the total number of ftp sessions, though your ability to do that will have to be external if the daemon is started on demand by inetd or xinetd (xinetd includes feature for limiting connections). If run standalone, the main instances spawns off children to handle connections, and can limit those as desired.

Although not strictly a security issue, you can set limits on the amount of data or number of files that can be transferred, how long people can remain logged on, etc. See "man ftpaccess" for wu-ftpd and http://www.proftpd.org/docs/directives/linked/by-name.html for proftpd.conf.

Anonymous FTP

To have anonymous ftp, you usually need a little bit of setup. If you don't have an "ftp" user, you'll need to create that. Note that ftp servers allow "anonymous" as a synonym for ftp. That's from a config setting in proftpd.conf:

proftpd.conf: UserAlias    anonymous ftp

No special definition is necessary for wu-ftpd.

For most ftp's, you need a /var/ftp/ directory for anonymous ftp to work. The configuration files usually have examples of what you have to turn on for anonymous ftp.

There are configuration limits here:

proftpd.conf:

MaxClients    10 "Maximum anon users reached, try again later"

wu-ftpd ftpaccess:

limit anon 120 SaSu|Any2000-0600 /etc/msg.toomuchload
limit anon 30 Any /etc/msg.toomuchload
# Allows more users on weekends and 8PM to 6AM

Apparently sftp can be setup for anonymous use also (http://www.mcknight.de/jftpgw/howtouse-sftp.html, see last paragraph), though I've never seen it done. That said, a lot of sites don't even turn on sftp at all: it's a setting in the config file:

Subsystem sftp /usr/libexec/sftp-server

FTP Clients

My current favorite is lftp. My least favorite is Internet Explorer, though I will often have clents use that if I need them to ftp somewhere from Windows. Note that they can provide a login and password: use ftp://usr:password@ftphost.com, so you can use that even for an ftp to a user directory on your network.

*Originally published at APLawrence.com

Receive Our Daily Email of Breaking eBusiness News

About the Author:
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

WebProNews RSS Feed

More Articles

Contact WebProNews
Advertisement





TOP NEWS

Targeted Information for Business
WebProNews is part of the iEntry network
Internet Business: Marketing: Small Business:
WebProNews MarketingNewz SmallBusinessNewz
WebProWorld AdvertisingDay PromoteNews
EcommNewz SalesNewz EntrepreneurNewz

Software: Search Engines: Web Design:
WebMasterFree Jayde B2B DesignNewz
NetworkingFiles SearchZA FlashNewz
SecurityConfig SearchNewz WebSiteNotes

Developer: IT Management: Security:
DevWebPro ITManagement SecurityProNews
DevNewz SysAdminNews SecurityConfig
TheDevWeb NetworkingFiles NetworkNewz
The iEntry Network consists of over 100 web publications reaching millions of Internet Professionals. Contact us to advertise.
eBUSINESS RESOURCES






 Advertise | Contact Us | Corporate | Newsletter | Sitemap | Submit an Article | News Feeds
 WebProNews is an iEntry, Inc. ® publication - $line) { echo $line ; } ?> All Rights Reserved
About WebProNews
WebProNews is the number one source for eBusiness News. Over 5 million eBusiness professionals read WebProNews and other iEntry business and tech publications.

WebProNews provides real-time coverage of internet business.

Free Email Newsletters:
WebProNews SearchNewz
WebProWorld DevWebPro
Marketing SecurityNews
Plus over 100 other newsletters!

Send me relevant info on products and services.


WebProWorld
Ten most recent posts.

NetworkingFiles
Featured Software

WebProNews in the News
View all recent mentions of WebProNews from around the world!

Recent Articles On ...
Google eBusiness
Yahoo Ask Jeeves
MSN Blogs
Search Engines Blogging
Affiliate Programs Marketing
eCommerce Advertising
eBay Sun Microsystems
AOL Adsense
Microsoft Adwords
Oracle IBM
Amazon Apple
SEM Mac
SEO iPod
Adsense XBox
PR Adobe



iEntry.com WebProWorld RSS Feed WebProWorld Contact WebProNews Print Version Email a friend Bookmark us