FTP Service
The following sets of configuration guidelines are broad enough to address basic elements of FTP. Specific configuration steps can be found in the help or man pages.
General FTP Guidelines
- Ensure that the most up-to-date version of software is being used.
- Ensure that SITE EXEC is disabled if supported.
- Restrict users from using FTP by listing them in the /etc/ftpusers file.
- Review and restrict FTP users' rights, especially anonymous users.
- Ensure that only required commands are contained within the ftp bin or sbin directories.
- Ensure that the ftp home directory permissions are set to 555.
- Verify that the ftp account has no password or shell in the /etc/passwd and /etc/shadow files.
- Verify that ~ftp/etc files are sanitized and/or owned by root with 444 permissions.
- Ensure that a mail alias is set for ftp.
- Limit the number of writable directories and disallow reading; set permissions to 1733.
- Set writable directories to separate partitions, or set a size quota.
Anonymous FTP
- Ensure that anonymous users can read only public information.
- Ensure that writable directories cannot be read; set permissions to 1733.
- Ensure that anonymous users cannot create additional directories.
- Limit anonymous connections by total number and network addresses where possible.
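
The permission items in the guidelines above (555 on the ftp home directory, root-owned 444 files under ~ftp/etc, 1733 on writable directories, no login shell for ftp) can be checked with a short script. This is an added example, not part of the original guidelines; the paths passed in, the EXPECTED_UID variable, the list of accepted non-login shells and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit an FTP area against the modes in the checklist above.
# Paths passed in, EXPECTED_UID and the accepted shells are assumptions.
# Uses GNU stat (-c); findings go to stderr, the finding count to stdout.

EXPECTED_UID=${EXPECTED_UID:-0}    # ~ftp/etc files should be owned by root

# check_mode PATH MODE: report and fail if PATH's octal mode differs.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || actual=missing
    [ "$actual" = "$2" ] && return 0
    echo "FINDING: $1 mode is $actual, expected $2" >&2
    return 1
}

# audit_ftp_tree FTP_HOME [WRITABLE_DIR...]: prints the number of findings.
audit_ftp_tree() {
    home=$1; shift
    n=0
    check_mode "$home" 555 || n=$((n + 1))
    for f in "$home"/etc/*; do
        [ -f "$f" ] || continue
        check_mode "$f" 444 || n=$((n + 1))
        if [ "$(stat -c '%u' "$f")" != "$EXPECTED_UID" ]; then
            echo "FINDING: $f is not owned by uid $EXPECTED_UID" >&2
            n=$((n + 1))
        fi
    done
    for d in "$@"; do
        check_mode "$d" 1733 || n=$((n + 1))
    done
    echo "$n"
}

# ftp_shell_disabled PASSWD_FILE: succeeds only if an ftp entry exists and
# its shell field is one of the non-login shells listed below.
ftp_shell_disabled() {
    shell=$(awk -F: '$1 == "ftp" { print $7 }' "$1")
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) echo "FINDING: ftp shell is '${shell:-unset}'" >&2; return 1 ;;
    esac
}
```

Source the file, then call audit_ftp_tree with the ftp home directory followed by each writable directory, and ftp_shell_disabled with the system passwd file.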