The following is a FAQ on setting up a secure FTP Site. FTP sites are known for much abuse by transferring illegal files. They also open many oppurtunities for intruders to gain access via misconfigured setups. And lastly many versions of ftp servers have had security holes. This FAQ is intended to clean up this abuse by allowing administrators to go through this check list of steps to make sure their FTP is correctly configured and that they are running the most current ftp daemon.
This is organized in the following fashion, I am breaking into several parts
as follows:
Use an invalid password and user shell for better security. The entry in the passwd file should look something like:
ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/true
Warning: Some MAN pages recommend making the ~ftp directory owned by ftp. This is a big NO-NO, if you want any type of security on your system.
linux:*:156:120:Kazik Balon::in the ~ftp/etc/passwd file (regardless of his real username). Leave only these users who will own files under ftp hierarchy (e.g. root, daemon, ftp...) and definitely remove *ALL* passwords by replacing them with '*' so the entry looks like:
root:*:0:0:Ftp maintainer::For more security, you can just remove ~ftp/etc/passwd and ~ftp/etc/group (the effect is that ls -l will not show the directories' group names). Wuarchive ftp daemon (and some others) have some extensions based on the contents of the group/passwd files, so read the appropriate documentation.
ftp:*:400:400: Anonymous ftp::
Files are left here for public distribution. All folders inside ~ftp/pub should have the same permissions as 555.
Warning: Neither the home directory (~ftp) nor any directory below it should be owned by ftp! No files should be owned by ftp either. Modern ftp daemons support all kinds of useful commands, such as chmod, that allow outsiders to undo your careful permission settings. They also have configuration options like the following (WuFTP) to disable them:
# all the following default to "yes" for everybody delete no guest,anonymous # delete permission? overwrite no guest,anonymous # overwrite permission? rename no guest,anonymous # rename permission? chmod no anonymous # chmod permission? umask no anonymous # umask permission?
# specify the upload directory information upload /var/spool/ftp * no upload /var/spool/ftp /incoming yes ftp staff 0600 nodirs # path filters # path-filter... path-filter anonymous /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^- path-filter guest /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
Suggestion: Create an extra file-system for your ftp-area (or at least for your incoming-area) to prevent a denial-of-service attack by filling your disk with garbage (inside your incoming directory).
If you have wuftpd you may want to add some ftp extensions like compression/decompression 'on the fly' or creation of tar files for the directory hierarchies. Get the appropriate sources (gzip, gnutar, compress), compile them and link statically, put in the ~ftp/bin directory and edit the appropriate file containing the definitions of the allowed conversions. /usr/bin/tar is already statically-linked. You may wish to use gnu tar anyway.
Gary Mills wrote a small program to support the following:
To do tar and compress, he wrote a tiny program called `pipe', and statically-linked it. His /etc/ftpconversions file looks like this:
#strip prefix:strip postfix:addon prefix:addon postfix:external command: #types:options:description :.Z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS :-z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS : : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS : : :.tar:/bin/tar cf - %s:T_REG|T_DIR:O_TAR:TAR : : :.tar.Z:/bin/pipe /bin/tar cf - %s | /bin/compress -c:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS : : :.tar:/bin/gtar -c -f - %s:T_REG|T_DIR:O_TAR:TAR : : :.tar.Z:/bin/gtar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS : : :.tar.gz:/bin/gtar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIPHere it is:
-----------------8<-------------cut---------------
/* pipe.c: exec two commands in a pipe */ #define NULL (char *)0 #define MAXA 16 main(argc, argv) int argc; char *argv[]; { char *av1[MAXA], *av2[MAXA]; int i, n, p[2], cpid; i = 0; n = 0; while ( ++i < argc && n < MAXA ) { if ( *argv[i] == '|' && *(argv[i]+1) == '\0' ) break; av1[n++] = argv[i]; } if ( n == 0 ) uexit(); av1[n] = NULL; n = 0; while ( ++i < argc && n < MAXA ) av2[n++] = argv[i]; if ( n == 0 ) uexit(); av2[n] = NULL; if ( pipe(p) != 0 ) exit(1); if ( ( cpid = fork() ) == (-1) ) exit(1); else if ( cpid == 0 ) { (void)close(p[0]); (void)close(1); (void)dup(p[1]); (void)close(p[1]); (void)execv(av1[0], av1); _exit(127); } else { (void)close(p[1]); (void)close(0); (void)dup(p[0]); (void)close(p[0]); (void)execv(av2[0], av2); _exit(127); } /*NOTREACHED*/ } uexit() { (void)write(2, "Usage: pipe-------- CUT HERE ------------| \n", 34); exit(1); }
as root:
touch ~ftp/.rhostsie. make these files zero-length and owned by root.
touch ~ftp/.forward
chmod 400 ~ftp/.rhosts
chmod 400 ~ftp/.forward
Due to the last /bin/mail bugs in SunOS:
touch /usr/spool/mail/ftp; chmod 400 /usr/spool/mail/ftpConsider an email-alias for the ftp-admin(s) to provide an email-address for problems-reports.
If you are mounting some disks from other machines (or even your own) to the ~ftp hierarchy, mount it read-only. The correct entry for the /etc/fstab (on the host with ftpd) is something like:
other:/u1/linux /home/ftp/pub/linux nfs ro,noquota,nosuid,intr,bg 1 0This mounts under /home/ftp/pub/linux the disk from host 'other' with no quota, no 'suid' programs (just in case), interruptible (in case 'other' goes down) and 'bg' - so if 'other' is down when you reboot it will not stop you trying to mount /home/ftp/pub/linux all over again.
main() { if(chdir("/var/ftp")) { perror("chdir /var/ftp"); exit(1); } if(chroot("/var/ftp")) { perror("chroot /var/ftp"); exit(1); } /* optional: seteuid(FTPUID); */ execl("/bin/ftpd","ftpd","-l",(char *)0); perror("exec /bin/ftpd"); exit(1); }Options:
You can use 'netacl' from the toolkit or tcp_wrappers to achieve the same effect.
We use 'netacl' to switch so that a few machines that connect to the FTP service *don't* get chrooted first. This makes transferring files a bit less painful.
You may also wish to take your ftpd sources and find all the places where it calls seteuid() and remove them, then have the wrapper do a setuid(ftp) right before the exec. This means that if someone knows a hole that makes them "root" they still won't be. Relax and imagine how frustrated they will be.
If you're hacking ftpd sources, I suggest you turn off a bunch of the options in ftpcmd.y by unsetting the "implemented" flag in ftpcmd.y. This is only practical if your FTP area is read-only.
REMEMBER:
If there is a hole in your ftpd that lets someone get "root" access they can do you some damage even chrooted. It's just lots harder. If you're willing to hack some code, making the ftpd run without permissions is a really good thing. The correct operation of your hacked ftpd can be verified by connecting to it and (while it's still at the user prompt) do a ps-axu and verify that it's not running as root.
You have to create a character special device with the appropriate major and minor device numbers. The appropriate major and minor numbers of ~ftp/dev/tcp are what the major and minor numbers of /dev/tcp are.
The ~ftp/dev is a directory and ~ftp/dev/tcp is a character special device. Make them owned and grouped by root. Permissions for ~ftp/dev is root read/write/exec and other & group read and exec. The permissions for ~ftp/dev/tcp is root read/write, other & group read.
Command for reading the man page is:
$ man ftpd
libc.so.* is owned by root with permissions 555.
Note: 4.1.2(or above) users: you also need to copy /usr/lib/libdl.so.* to ~ftp/lib.
mknod zero c 3 12chown ~ftp/dev/zero to root. Make sure it's readable.
Warning: For novices: Don't try to copy /dev/zero to ~ftp/dev/zero! This is an endless file of zeroes and it will completely fill your filesystem!
Statically linked versions may be available from the following sources:
If you want a statically linked "ls" get the GNU fileutils off a archive site near you and statically link it.
[Logging] Sun's standard ftpd logs *all* password information. To correct it, install patch:
101640-03 SunOS 4.1.3: in.ftpd logs password info when -d option is used.In /etc/inetd.conf find the line that starts with "ftp". At the end of that line, it should read "in.ftpd". Change that to "in.ftpd -dl". In /etc/syslog.conf, add a line that looks like:
daemon.* /var/adm/daemonlogThe information can be separated (or like SunOs4.1.1 does not recognize daemon.* so it requires the following form), such as:
daemon.info /var/adm/daemon.info daemon.debug /var/adm/daemon.debug daemon.err /var/adm/daemon.errNote that the whitespace between the two columns must include at least one TAB character, not just spaces, or it won't work. Of course your log file could be anything you want. Then, create the logfile (touch /var/adm/daemonlog should do). Finally, restart inetd and syslogd, either individually, or by rebooting the system. You should be good to go. If you do not install the patch, make sure the log file is owned by root and mode 600, as the ftp daemon will log *everything*, including users' passwords.
Warning: You want to make all logs root only readable for security reasons If a user mistypes his password for his username, it could be compromised if anyone can read the log files.
Can be ftp'd from ftp.uu.net in "/networking/ftp/wuarchive-ftpd" directory. Be certain to verify the checksum information to confirm that you have retrieved a valid copy. [Warning: Older versions of Wu-FTP are extremely insecure and in some cases have been trojaned.]
BSD SVR4 File Checksum Checksum MD5 Digital Signature ----------------- -------- --------- -------------------------------- wu-ftpd-2.4.tar.Z 38213 181 20337 362 cdcb237b71082fa23706429134d8c32e patch_2.3-2.4.Z 09291 8 51092 16 5558a04d9da7cdb1113b158aff89be8f
BSD SVR4 File Checksum Checksum MD5 Digital Signature ----------------- -------- --------- -------------------------------- ftpd.tar.gz 38443 60 1710 119 ae624eb607b4ee90e318b857e6573500
BSD SVR4 File Checksum Checksum MD5 Digital Signature ----------------- -------- --------- -------------------------------- BU110-005 35337 272 54935 543 1f454d4d9d3e1397d1eff0432bd383cf
ftp.uu.net ~ftp/systems/unix/bsd-sources/libexec/ftpd
gatekeeper.dec.com ~ftp/pub/DEC/gwtools/ftpd.tar.Z
archie.ac.il 132.65.20.254 (Israel server) archie.ans.net 147.225.1.10 (ANS server, NY (USA)) archie.au 139.130.4.6 (Australian Server) archie.doc.ic.ac.uk 146.169.11.3 (United Kingdom Server) archie.edvz.uni-linz.ac.at 140.78.3.8 (Austrian Server) archie.funet.fi 128.214.6.102 (Finnish Server) archie.internic.net 198.49.45.10 (AT&T server, NY (USA)) archie.kr 128.134.1.1 (Korean Server) archie.kuis.kyoto-u.ac.jp 130.54.20.1 (Japanese Server) archie.luth.se 130.240.18.4 (Swedish Server) archie.ncu.edu.tw 140.115.19.24 (Taiwanese server) archie.nz 130.195.9.4 (New Zealand server) archie.rediris.es 130.206.1.2 (Spanish Server) archie.rutgers.edu 128.6.18.15 (Rutgers University (USA)) archie.sogang.ac.kr 163.239.1.11 (Korean Server) archie.sura.net 128.167.254.195 (SURAnet server MD (USA)) archie.sura.net(1526) 128.167.254.195 (SURAnet alt. MD (USA)) archie.switch.ch 130.59.1.40 (Swiss Server) archie.th-darmstadt.de 130.83.22.60 (German Server) archie.unipi.it 131.114.21.10 (Italian Server) archie.univie.ac.at 131.130.1.23 (Austrian Server) archie.unl.edu 129.93.1.14 (U. of Nebraska, Lincoln (USA)) archie.univ-rennes1.fr (French Server) archie.uqam.ca 132.208.250.10 (Canadian Server) archie.wide.ad.jp 133.4.3.6 (Japanese Server)