48.2.6. Securing FTP
The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux provides three FTP servers.
gssftpd
— A Kerberos-awarexinetd
-based FTP daemon that does not transmit authentication information over the network.- Red Hat Content Accelerator (
tux
) — A kernel-space Web server with FTP capabilities. vsftpd
— A standalone, security oriented implementation of the FTP service.
The following security guidelines are for setting up the
vsftpd
FTP service.
48.2.6.1. FTP Greeting Banner
Before submitting a username and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system.
To change the greeting banner for
vsftpd
, add the following directive to the /etc/vsftpd/vsftpd.conf
file:
ftpd_banner=<insert_greeting_here>
Replace <insert_greeting_here> in the above directive with the text of the greeting message.
For mutli-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called
/etc/banners/
. The banner file for FTP connections in this example is /etc/banners/ftp.msg
. Below is an example of what such a file may look like:
######### # Hello, all activity on ftp.example.com is logged. #########
Note
It is not necessary to begin each line of the file with
220
as specified in Section 48.2.1.1.1, “TCP Wrappers and Connection Banners”.
To reference this greeting banner file for
vsftpd
, add the following directive to the /etc/vsftpd/vsftpd.conf
file:
banner_file=/etc/banners/ftp.msg
Important
Make sure that you specify the path to the banner file correctly in
/etc/vsftpd/vsftpd.conf
, or else every attempt to connect to vsftpd will result in the connection being closed immediately and a 500 OOPS: cannot open banner <path_to_banner_file>
error message.
Note that the
banner_file
directive in /etc/vsftpd/vfsftpd.conf
takes precedence over any ftpd_banner
directives in the configuration file: if banner_file
is specified, then ftpd_banner
is ignored.
It also is possible to send additional banners to incoming connections using TCP Wrappers as described in Section 48.2.1.1.1, “TCP Wrappers and Connection Banners”.