32.9. Securing FTP

The ftpusers file. It's important to ensure that you have set up the file /etc/ftpusers, which specifies the users that are NOT allowed to connect to your FTP server. This should include, as a MINIMUM, the following entries: root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, nobody, and ALL other default vendor-supplied accounts present in your /etc/passwd file.
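As an added check (not part of the original text), the following script compares an ftpusers file against a passwd file and lists every system account that the deny list leaves out. It assumes that "system account" means a UID below 500, the first regular UID on Red Hat systems of that era (the limit can be changed with a third argument), and it runs on constructed sample files rather than the live /etc files:

```shell
#!/bin/sh
# Added example, not part of the original document: audit an ftpusers deny
# list against a passwd file and report the system accounts it does NOT cover.
# Assumption: "system account" means UID below a threshold (500 by default,
# the first regular UID on Red Hat systems of that era); pass another limit
# as the third argument if your system differs.

# Usage: ftpusers_missing PASSWD_FILE FTPUSERS_FILE [UID_LIMIT]
# Prints the login of every account with UID < UID_LIMIT that is absent from
# the ftpusers file; comments and blank lines in ftpusers are ignored.
# Exit status is 0 when every such account is denied, 1 otherwise.
ftpusers_missing() {
    awk -F: -v deny_file="$2" -v limit="${3:-500}" '
        # First file: ftpusers, one denied login per line.
        FILENAME == deny_file {
            sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") denied[$0] = 1
            next
        }
        # Second file: passwd entries; field 1 is the login, field 3 the UID.
        $3 + 0 < limit && !($1 in denied) { print $1; missing++ }
        END { exit (missing > 0) }
    ' "$2" "$1"
}

# Constructed sample data (not a real system): a small passwd file and an
# ftpusers file that denies only three of the five system accounts.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
ftp:x:14:50:FTP User:/home/ftp:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/ftpusers" <<'EOF'
# accounts that must never log in over FTP
root
bin
daemon
EOF
}

# Run the audit on the sample data; prints "nobody" and "ftp" (alice has a
# regular UID and is deliberately left alone).
demo_ftpusers() {
    dir=$(mktemp -d)
    write_samples "$dir"
    ftpusers_missing "$dir/passwd" "$dir/ftpusers" || :
    rm -rf "$dir"
}

demo_ftpusers
```

On a real system run `ftpusers_missing /etc/passwd /etc/ftpusers`; a non-zero exit status makes it usable from a cron job that mails you when a new vendor account appears without a matching deny entry.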

The anonymous FTP program. To disable anonymous FTP, remove the anonymous user ftp from your password file and verify that the anonftp-version.i386.rpm package is not installed on your system.

To remove the user ftp from your password file, use the following command:


        [root@deep ] /# userdel ftp

To verify that the RPM package of the anonymous FTP program is not installed on your Linux system, use the following command:

        [root@deep ] /# rpm -q anonftp
        package anonftp is not installed

The upload command. By default, the Wu-ftpd server grants upload privileges to all users. The upload parameter allows remote clients to send files and place them on the FTP server. For optimal security, we don't want users to be able to upload into the bin, etc, dev, and lib subdirectories of the /home/ftp directory. In our /etc/ftpaccess file we have already chroot'd users to /home/ftp, and they cannot access any area of the filesystem outside that directory structure, but in case something happens to the permissions on those directories you should also deny upload privileges into these areas in your /etc/ftpaccess file: /home/ftp/, /home/ftp/bin, /home/ftp/etc, /home/ftp/dev, and /home/ftp/lib.

Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines to deny upload privileges into these areas:


        # We don't want users being able to upload into these areas.
        upload /home/ftp/* /    no
        upload /home/ftp/* /etc no
        upload /home/ftp/* /dev no
        upload /home/ftp/* /bin no   (1)
        upload /home/ftp/* /lib no   (2)
      
(1)
Required only if you are not using the --enable-ls option.
(2)
Required only if you are not using the --enable-ls option.

The above lines deny uploads into the /, /etc, /dev, /bin and /lib directories of the chroot'd /home/ftp directory structure.
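The following script is an added example, not from the original document: it reads an ftpaccess file and reports which of the five areas above have no matching upload ... no rule. It assumes the chroot is /home/ftp and that the rules use the root-dir glob /home/ftp/* as shown above (a different glob can be passed as the second argument), and it runs on a constructed fragment rather than a live /etc/ftpaccess:

```shell
#!/bin/sh
# Added example, not part of the original document: check an ftpaccess file
# for the upload-deny rules described in the text. Assumes the anonymous
# chroot is /home/ftp and that the rules use the root-dir glob /home/ftp/*;
# pass a different glob as the second argument otherwise.

# Usage: ftpaccess_upload_gaps FTPACCESS_FILE [ROOT_GLOB]
# Prints each protected area (/ /etc /dev /bin /lib) for which no line
# "upload ROOT_GLOB <area> no" exists. Comment and blank lines are skipped,
# and the optional absolute|relative and class= tokens that wu-ftpd allows
# before the root-dir are tolerated. Exit status 0 when all areas are covered.
ftpaccess_upload_gaps() {
    awk -v root="${2:-/home/ftp/*}" '
        BEGIN { n = split("/ /etc /dev /bin /lib", want, " ") }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "upload" {
            # Find the root-dir token; the directory glob and the yes/no
            # flag are the two fields that follow it.
            for (i = 2; i <= NF; i++)
                if ($i == root) {
                    if ($(i + 2) == "no") denied[$(i + 1)] = 1
                    break
                }
        }
        END {
            for (k = 1; k <= n; k++)
                if (!(want[k] in denied)) { print want[k]; gaps++ }
            exit (gaps > 0)
        }
    ' "$1"
}

# Constructed ftpaccess fragment (not from a real server): /, /etc and /dev
# are denied, /pub is an allowed drop area, and /bin and /lib are missing.
write_sample_ftpaccess() {
    cat > "$1" <<'EOF'
# constructed test fragment
class   all   real,guest,anonymous  *
chmod   no    guest,anonymous
upload /home/ftp/* /    no
upload class=all /home/ftp/* /etc no
upload /home/ftp/* /dev no
upload /home/ftp/* /pub yes ftp ftp 0600 nodirs
EOF
}

# Run the check on the fragment; prints "/bin" and "/lib".
demo_ftpaccess() {
    f=$(mktemp)
    write_sample_ftpaccess "$f"
    ftpaccess_upload_gaps "$f" || :
    rm -f "$f"
}

demo_ftpaccess
```

Against the real configuration, `ftpaccess_upload_gaps /etc/ftpaccess` should print nothing and exit 0 once the five lines above are in place; note that it only checks for the deny rules and does not replace verifying the directory permissions themselves.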