[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] FTP :-> Re: [suse-security] SuSE webserver

----- Original Message ----- 
From: "Tom Knight" <thomas.knight@xxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Wednesday, July 14, 2004 1:12 PM
Subject: RE: [suse-security] SuSE webserver

> Okay, FTP server of choice - Hakim's document mentions using proftpD.
> Is this really more secure than all the mainstrain alternatives?
> I've gone (where possible) for RPMs maintained by SuSE, and proftp
> isn't one of them. On SLES, the choice appears to be:
> ?pure-ftpd?1.0.12      ?Lightweight, fast and secure FTP server
> ?vsftpd   ?1.1.0       ?A Very Secure FTP Daemon - written from scratch.
> Despite my earlier insistance that I never install an FTP daemon,
> I'm now finding that I have to in order to support one piece of
> software. It's either that or samba.... :-(
> Tom.
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here

Another alternative is  vsftp which is presented below:


 Use VSFTP for a secure FTP server
Scott Lowe MCSE
January 22, 2003, 10:37 BST
Use VSFTP for a secure FTP server

File Transfer Protocol (FTP) servers can be useful for providing files to
customers and for exchanging files with partners and business associates.
However, FTP can become the bane of existence for the admins who must keep
these services secure and operational. Poorly secured FTP services can often
result in a successful attack on a server. That's where VSFTP comes in.

VSFTP is a secure, stable, and fast FTP server. It can greatly decrease the
chances of an attacker gaining access to a server via FTP exploits. Want
evidence? The Red Hat, OpenBSD, and SuSE FTP sites all have one thing in
common: They all run on VSFTP. Even SANS recommends VSFTP as the preferred
FTP daemon because of its tight security.

VSFTP basics
VSFTP is an FTP server daemon that runs on Linux/UNIX operating systems. Its
primary features are security, performance, and stability. VSFTP includes a
number of additional attractive features, including: a small system
footprint, the ability to handle virtual users, the choice of operating in a
standalone configuration or via the inetd daemon, and bandwidth throttling
for more site control.

As of this writing, the current version is 1.13, although version 1.2 is a
release candidate and may very well be available by the time this article is
published. Version 1.13 is a 117-KB archived download.

For this demonstration, I am using VSFTP 1.13 on a Red Hat 8.0 server with
version 2.4.18-14 of the kernel.

Installing VSFTP is much like installing any other application under Linux.
To expand the downloaded archive, switch to the directory in which you saved
it and type:

gunzip -dc vsftpd-1.1.3.tar.gz | tar xvf -

This will create a directory named vsftpd-1.1.3 and put all of the files
into it. Switch to that directory by typing cd vsftpd-1.1.3 at the prompt.

In this example, I am using a standard configuration, which begins by typing
make at the command prompt. If you want to make changes to the
configuration, you can edit the builddefs.h file in the distribution before
compiling with the make command. If the compilation process is successful, a
binary file named vasftpd will be placed into this directory. In my testing,
the compilation went quickly and was free of errors.

Adding users
VSFTP uses the Linux/UNIX "nobody" user as a part of the default
configuration. On most Linux/UNIX operating systems, this user exists by
default, but if it doesn't exist on your system(s), you'll need to add it.
On my system, I get the following results when I try to add it (which
indicates that the user already exists):

[root@rh8lab VSFTP d-1.1.3]# /usr/sbin/useradd nobody

useradd: user nobody exists

In addition, you need to create an FTP user if you want to support anonymous
FTP. If you plan to always authenticate the incoming user, you don't have to
do this. However, to preserve the security of VSFTP, the anonymous user's
home directory must not be owned by the FTP user, and the user should not
have any permissions for it. You can use the commands in Table A to
accomplish this.

  Table A mkdir /var/ftp/ Creates a directory named /var/ftp.
      /usr/sbin/useradd -d /var/ftp ftp Creates a user named "ftp" with the
home directory /var/ftp. On many systems, this user will already exist.
      chown root.root /var/ftp Changes ownership of the /var/ftp directory
to the root user.
      chmod og-w /var/ftp Removes the write permission from others and

Creating the FTP user and setting appropriate permissions

Next, make sure that the directory /usr/share/empty exists. If not, create
it with the mkdir command. Finally, you need to install the executable file,
help pages, and so forth, that were previously created during the build
process. To do this, change to the directory in which you built vsftpd and
type make install. This installs everything you need to begin using VSFTPD
except a configuration file. You can copy a sample configuration file to the
/etc directory by typing cp vsftpd.conf /etc.

Page 2

If you want to run VSFTP in standalone mode, all you need to do is add a
single line to the end of the /etc/vsftpd.conf file that reads "listen=YES"
and then execute /usr/local/sbin/vsftpd &. The & tells the program to
continue to run but bring you back to a command prompt. Assuming you get no
error messages, you can now connect to the FTP server as an anonymous user
and get directory listings, transfer files, etc.

Using xinetd
Since I'm doing my testing and demonstration on a Red Hat 8 system (which
uses xinetd), I will be focusing on the xinetd installation process.

If you are running an inetd machine, you can use the installation
instructions included with VSFTP for details on how to set up your server.
Everything should work if you add the lineftp stream tcp nowait root
/usr/local/sbin/vsftpd to /etc/inetd.d and then restart the inetd daemon
either via a reboot or kill -SIGHUP {pid of inetd}.Be sure that this is the
only "ftp" line in the file.

If you are running on an xinetd machine, a configuration file resides in
/etc/xinetd.d named vsftpd. If you can't find this file at that location,
you can copy it from the vsftpd.conf example that comes with the VSFTP
distribution. When editing this file, you'll see a number of parameters
underneath "service ftp" that dictate how the VSFTP server will function.
Table B lists these parameters, their defaults, and what they mean.

  Table B socket_type stream This is the type of TCP socket to use for this
protocol. FTP is a TCP stream.
      wait no This is associated with the ability for the socket to accept
      user root What user should be used to launch this service? Note that
VSFTP reduces privileges as soon as possible after starting.
      server /usr/local/sbin/vsftpd This is the location of the server
program associated with this configuration file. If you have vsftpd in a
different location, you should change this value.
      nice 10 This option modifies the default scheduling priority for the
process. 10 is the default with the range being 20 (highest) to 19 (lowest).
      disable no The service is not disabled. In other words, it should be
started when xinetd starts up.
      per_source No default This specifies the number of concurrent
connections allowed from the same IP address. It's useful for limiting the
number of connections from a single site.
      instances No default This limits the maximum number of concurrent FTP
connections to the server. It's useful for limiting server load.
      no_access No default This is a list of IP addresses that are not
allowed to access this service.

I will be using the default configuration file and restart xinetd on my Red
Hat server by typing /etc/rc.d/init.d/xinetd restart at the command prompt.
Note that if you previously configured VSFTP in standalone mode, you need to
remove the line "listen=YES" from /etc/vsftpd.conf. If you don't, xinetd
will restart, but the vsftpd service will not work. I made that mistake the
first time I configured VSFTP.

Once this is done, you should be able to connect to the VSFTP server as an
anonymous user and get directory listings, download files, etc.

Enabling controlled access
Setting up an FTP server to distribute software to anyone who connects can
be useful in many cases, but you may want to control access to the FTP
resources. For example, suppose you want to set up a site just for your

You can do this with VSFTP by making use of PAM. My Red Hat server uses PAM
for authentication, as do most Red Hat machines. To determine whether your
distribution uses PAM, look for a filename pam.conf or for a directory named
pam.d. Since my Red Hat server uses the pam.d directory for its PAM
information, I will be demonstrating that installation method only.

VSFTP comes with a sample PAM configuration located in the Red Hat
subdirectory of the distribution. This file needs to be renamed and copied
to the pam.d directory, which you can do with the command:

cp vsftpd.pam /etc/pam.d/ftp

Next, you need to change the VSFTP configuration to allow local user logins.
To do this, edit the file /etc/vsftpd.conf and uncomment the line

Now, when you attempt to connect to the server as a Linux/UNIX user, you
will be placed in that user's home directory. Listing A shows the results of
my demonstration. As you can see, a directory listing was provided after I
logged into the VSFTP server.

VSFTP powers many of the largest sites in the open source world, including
the security-conscious Open BSD project and Red Hat Linux. With its small
footprint, ability to handle large loads, security, and flexibility, it
makes an ideal FTP server for any organisation that wants file transfer
capability but not the major security headaches that typically come with it.

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here