2.2.6. Securing FTP
The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux provides three FTP servers.
gssftpd
— A Kerberos-awarexinetd
-based FTP daemon that does not transmit authentication information over the network.- Red Hat Content Accelerator (
tux
) — A kernel-space Web server with FTP capabilities. vsftpd
— A standalone, security oriented implementation of the FTP service.
The following security guidelines are for setting up the
vsftpd
FTP service.
2.2.6.1. FTP Greeting Banner
Before submitting a user name and password, all users are presented with a greeting banner. By default, this banner includes version information useful to attackers trying to identify weaknesses in a system.
To change the greeting banner for
vsftpd
, add the following directive to the /etc/vsftpd/vsftpd.conf
file:
ftpd_banner=<insert_greeting_here>
Replace <insert_greeting_here> in the above directive with the text of the greeting message.
For mutli-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called
/etc/banners/
. The banner file for FTP connections in this example is /etc/banners/ftp.msg
. Below is an example of what such a file may look like:
######### Hello, all activity on ftp.example.com is logged. #########
Note
It is not necessary to begin each line of the file with
220
as specified in Section 2.2.1.1.1, “TCP Wrappers and Connection Banners”.
To reference this greeting banner file for
vsftpd
, add the following directive to the /etc/vsftpd/vsftpd.conf
file:
banner_file=/etc/banners/ftp.msg
It also is possible to send additional banners to incoming connections using TCP Wrappers as described in Section 2.2.1.1.1, “TCP Wrappers and Connection Banners”.