Red Hat Summit8.4. Securing the FTP service
You can use the File Transfer Protocol (FTP) to transfer files over a network. Because all FTP transactions with the server, including user authentication, are unencrypted, make sure it is configured securely.
Red Hat Enterprise Linux provides two FTP servers:
- Red Hat Content Accelerator (
tux) - A kernel-space web server with FTP capabilities.
- Very Secure FTP Daemon (
vsftpd) - A standalone, security-oriented implementation of the FTP service.
The following security guidelines are for setting up the vsftpd FTP service.
8.4.1. Securing the FTP greeting banner
When a user connects to the FTP service, the server displays a greeting banner that, by default, includes version information. Attackers might use this information to identify vulnerabilities in the system. You can hide this information by changing the default banner.
You can define a custom banner by editing the /etc/banners/ftp.msg file to either directly include a single-line message, or to refer to a separate file, which can contain a multi-line message.
Procedure
To define a single line message, add the following option to the
/etc/vsftpd/vsftpd.conffile:ftpd_banner=Hello, all activity on ftp.example.com is logged.To define a message in a separate file:
Create a
.msgfile which contains the banner message, for example/etc/banners/ftp.msg:######### Hello, all activity on ftp.example.com is logged. #########To simplify the management of multiple banners, place all banners into the
/etc/banners/directory.Add the path to the banner file to the
banner_fileoption in the/etc/vsftpd/vsftpd.conffile:banner_file=/etc/banners/ftp.msg
Verification
Display the modified banner:
$ ftp localhost Trying ::1… Connected to localhost (::1). Hello, all activity on ftp.example.com is logged.
8.4.2. Preventing anonymous access and uploads in FTP
By default, installing the vsftpd package creates the /var/ftp/ directory and a directory tree for anonymous users with read-only permissions on the directories. Because anonymous users can access the data, do not store sensitive data in these directories.
To increase the security of the system, configure the FTP server to permit anonymous users to upload files to a specific directory and block them from reading data. In the following example procedure, the anonymous user must be able to upload files in the directory owned by the root user, but not change it.
Procedure
Create a write-only directory in the
/var/ftp/pub/directory:# mkdir /var/ftp/pub/upload # chmod 730 /var/ftp/pub/upload # ls -ld /var/ftp/pub/upload drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/uploadAdd the following lines to the
/etc/vsftpd/vsftpd.conffile:anon_upload_enable=YES anonymous_enable=YESOptional: If your system has SELinux enabled and enforcing, enable SELinux boolean attributes
allow_ftpd_anon_writeandallow_ftpd_full_access.警告Configuring directories for anonymous read and write access increases risk, because the server might become a repository for stolen software.
8.4.3. Securing user accounts for FTP
FTP transmits usernames and passwords unencrypted over insecure networks for authentication. You can improve the security of FTP by denying system users access to the server from their user accounts.
Perform as many of the following steps as applicable for your configuration.
Procedure
Disable all user accounts in the
vsftpdserver, by adding the following line to the/etc/vsftpd/vsftpd.conffile:local_enable=NO-
Disable FTP access for specific accounts or specific groups of accounts, such as the
rootuser and users withsudoprivileges, by adding the usernames to the/etc/pam.d/vsftpdPAM configuration file. -
Disable user accounts, by adding the usernames to the
/etc/vsftpd/ftpusersfile.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}