Using Proper Password and Group Files
Anonymous FTP should not be allowed to use the system's /etc/passwd file as the password file or the system's /etc/group as the group file in the ~ftp/etc directory. Doing so will enable intruders to get a copy of these files. You also should consider using the dummy version of both the ~ftp/etc/passwd and ~ftp/etc/group files. No account name in the ~/ftp/etc/passwd file should be the same as those in the system's /etc/passwd file.
Another risk associated with anonymous FTP is that it allows users to create directories. Users should not be able to automatically create a drop-off directory unless you have analyzed the risks involved. Many cases have been reported where these directories have been used to distribute pirated versions of copyrighted software or to exchange information regarding accounts and password files.
This section discusses three ways to address these problems. The solutions to these problems are listed:
- Use a modified FTP daemon
- Use protected directories
- Use a separate directory
Using Modified FTP Daemon
If you plan to allow a drop-off service, which will enable anonymous FTP users to store files on the FTP server, you should use a modified FTP daemon. This modified FTP daemon should be able to control access to the drop-off directory. Some modifications that you can make to the daemon are as follows:
- Implement a policy where any file dropped off can be accessed only after the administrator has examined it and moves it to a public directory. Only the administrator should be able to access the dropped off files. After verifying the content of the file, administrators can move these files to directories accessible to other users.
- Limit the amount of data transferred in one session. Anonymous FTP should be allowed to transfer limited data only.
- Limit the overall amount of data transferred based on available disk space.
- Ensure logging to enable earlier detection of abuses.
Public domain sources for such modified FTP daemons are available from the following sites:
- wuarchive.wustl.edu ~ftp/packages/wuarchive-ftpd
- ftp.uu.net ~ftp/systems/unix/bsd-sources/libexec/ftpd
- gatekeeper.dec.com ~ftp/pub/DEC/gwtools/ftpd.tar.Z
Using Protected Directories
If your site is planning to offer a drop off service and is unable to modify the FTP daemon, it is possible to control access by using protected directories. The protected directories enable you to restrict access to the anonymous FTP users. The protected directories are more useful if you are providing the drop off service to the anonymous FTP users. Although this method cannot guarantee complete protection, it has been used effectively by many sites.
You should protect the top-level directory, ~ftp/incoming, by giving only execute permission to the anonymous user. This will permit the anonymous user to move to a different directory. By doing this, you can restrict the user's view to the content of the directories.
Using a Single Disk Drive
Consider limiting the amount of data transferred to a single file system mounted as ~ftp/incoming. If possible, dedicate a disk drive and mount it as ~ftp/incoming. The ~ftp/incoming directory should be monitored on a regular basis to ensure that it is not being misused.
In this tutorial:
- Linux Other Network Servers
- Setting the FTP User Account
- Configurations File for FTP Server
- ftpusers
- Anonymous FTP
- Using Proper Password and Group Files
- Anonymous FTP Warnings
- Sendmail
- Sendmail Security
- Domain Name Service
- Domain Name Space
- Services Offered By a DNS Server
- DNS Transactions
- BIND
- BIND Configuration
- Resource Records (RR)
- Start of Authority (SOA)
- nslookup
- BIND Security
- Host Name Spoofing
- Running BIND with Least Privileges
- DNS Security Extensions (DNSEC)
- SAMBA
- SMB Protocol
- Mounting the SMB File System
- SAMBA Security
- Server-Level Security