Improving the Security of FTP

Use of the ftp and ftpd programs pose several security problems unless precautions are taken when configuring and administering this service. This section describes several techniques for improving security when using ftp and ftpd.

As mentioned in section 9.2.2, older versions of ftpd had several bugs that allowed crackers to break into a system. To minimize the threat of a break-in, the most recent version of ftpd should be used.

It is desirable to restrict certain remote users from accessing files. The /etc/ftpusers file contains a list of users who are not allowed to use FTP to access any files. At a minimum, the /etc/ftpusers file should contain all accounts, such as root, uucp, news, bin, ingres, nobody, daemon that do not belong to human users.

Setting up anonymous FTP may vary for different implementations. Below is a description of guidelines that can be followed to minimize unintended use of anonymous FTP [CA-93].

1. Disable the ftp account by placing an asterisk in the password field of the password file. This will prevent users from logging onto the system using a user name of ftp.

2. Verify that the anonymous FTP root directory and its subdirectories are not owned by the ftp account and are not in the same group as the ftp account. Anonymous FTP subdirectories generally include ftp/bin, ftp/etc, and ftp/pub. These directories should be write protected.

3. In order to print user names and group names when files are listed, a passwd and group file are needed in the ftp/etc directory. To prevent crackers from obtaining copies of the system's /etc/passwd and /etc/group files, a dummy copy of each file should be used. All password fields should be changed to asterisks.

4. An administrator should not provide writeable anonymous ftp directories unless the threats of providing writeable directories are known and precautions are taken to minimize these threats.

Several other precautions should be taken. It is possible for remote users to transfer large files to the ftp/pub directory. This can cause a disk partition to become full. To prevent this problem, put a file quota on the user ftp, or locate the ftp account's home directory on an isolated partition. The contents of the pub directories should be monitored and any suspicious files should be deleted.

Previously, hosts have been temporarily rendered unusable by massive numbers of FTP requests. If these incidents were deliberate, they would be considered a successful denial of service attack. Load-limiting techniques can help to avoid such problems.