32.9. Securing FTP
The ftpusers file. It's important to ensure that you have set up the file /etc/ftpusers which specifies those users that are NOT allowed to connect to your FTP server. This should include, as a MINIMUM, the following entries: root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, nobody and ALL other default vendor supplied accounts available in your /etc/passwd file.
The anonymous FTP program. To disable anonymous FTP, remove the anonymous user ftp from your password file and verify that anonftp-version.i386.rpm package is not installed on your system.
To remove the user ftp from your password file, use the following command:
[root@deep ] /# userdel ftp
|
[root@deep ] /# rpm -q anonftp
|
package anonftp is not installed
|
The upload command. By default, the Wu-ftpd server will grant upload privileges to all users. The upload parameter allow remote clients to load and place files on the FTP server. For optimal security, we don't want users being able to upload into bin, etc, dev, and lib subdirectories in the /home/ftp directory. In our /etc/ftpaccess file we have already chroot'd users to /home/ftp and they cannot access any area of the filesystem outside that directory structure, but in case something happens to the permissions on them you should deny upload privileges in your /etc/ftpaccess file into these areas; /home/ftp/, /home/ftp/bin, /home/ftp/etc, /home/ftp/dev, and /home/ftp/lib.
Edit the ftpaccess file, vi /etc/ftpaccess and add the following lines to deny upload privileges into these areas.
# We don't want users being able to upload into these areas.
upload /home/ftp/* / no
upload /home/ftp/* /etc no
upload /home/ftp/* /dev no
upload /home/ftp/* /bin no |
- Require only if you are not using the --enable-ls option.
- Require only if you are not using the --enable-ls option.