Sunday, October 16, 2011
7:58 PM

How can I secure the FTP servers?

The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are sent in the clear, it is considered an insecure protocol and should be carefully configured: anyone who can watch the traffic can read the passwords. (vsftpd can wrap sessions in TLS with ssl_enable=YES for clients that support it, but the guidelines below apply to the plain service.)

Red Hat Enterprise Linux provides three FTP servers.

  • gssftpd - A kerberized, xinetd-based FTP daemon which does not pass authentication information over the network.
  • Red Hat Content Accelerator (tux) - A kernel-space Web server with FTP capabilities.
  • vsftpd - A standalone, security-oriented implementation of the FTP service.

The following security guidelines are for setting up the vsftpd FTP service.

FTP Greeting Banner

Before submitting a user name and password, all users are presented with a greeting banner. By default, this banner names the server software and its version, information useful to attackers trying to match the system against known weaknesses. To change the greeting banner for vsftpd, add the following directive to
/etc/vsftpd/vsftpd.conf:

ftpd_banner=<insert_greeting_here>
Replace <insert_greeting_here> in the above directive with the text of the greeting message. For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg. Below is an example of what such a file may look like:


  ####################################################
  # Hello, all activity on ftp.example.com is logged.#
  ####################################################
Note: It is not necessary to begin each line of the file with 220; vsftpd adds the reply code to every line itself. To reference this greeting banner file for vsftpd, add the following directive to
/etc/vsftpd/vsftpd.conf (if both are present, banner_file takes precedence over ftpd_banner):

banner_file=/etc/banners/ftp.msg
Note: It is also possible to send additional banners to incoming connections using TCP wrappers (see the last section).
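
As an added example (not part of the original post), the following POSIX shell script performs the banner steps above and adds the check a practitioner wants afterwards: it writes the multi-line banner file, points vsftpd.conf at it with exactly one banner_file directive (removing any ftpd_banner line, which banner_file would override anyway), and tests a greeting line for a leaked software name or version number. The configuration and banner paths are arguments; the greeting strings in the check are constructed samples, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a banner file for
# vsftpd and checks a greeting line for version disclosure.
set -eu

# set_directive CONF KEY VALUE
# vsftpd reads "key=value" lines with no spaces around "=". Remove any
# existing KEY= line and append the new one, so re-running the script
# never leaves duplicate (and therefore ambiguous) directives.
set_directive() {
    conf=$1 key=$2 value=$3
    [ -f "$conf" ] || : > "$conf"
    { grep -v "^$key=" "$conf" || :; } > "$conf.tmp"
    printf '%s=%s\n' "$key" "$value" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# drop_directive CONF KEY: delete every KEY= line (no-op if CONF is missing).
drop_directive() {
    conf=$1 key=$2
    if [ -f "$conf" ]; then
        { grep -v "^$key=" "$conf" || :; } > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    fi
}

# install_banner CONF BANNER
# Writes the banner text to BANNER (no 220 prefixes; vsftpd adds the reply
# code to every line itself) and makes CONF reference it.
install_banner() {
    conf=$1 banner=$2
    mkdir -p "$(dirname "$banner")" "$(dirname "$conf")"
    cat > "$banner" <<'EOF'
####################################################
# Hello, all activity on ftp.example.com is logged.#
####################################################
EOF
    chmod 644 "$banner"                   # vsftpd must be able to read it
    drop_directive "$conf" ftpd_banner    # banner_file overrides it anyway
    set_directive "$conf" banner_file "$banner"
}

# greeting_leaks_version "220 ..."
# Exit 0 when the greeting still names the software or carries something
# that looks like a version number, 1 when it looks clean.
greeting_leaks_version() {
    printf '%s\n' "$1" | grep -Eiq 'vsftpd|[0-9]+\.[0-9]+'
}

# fetch_greeting HOST: read the first line the server sends (needs a network
# and a netcat; not used by the offline check).
fetch_greeting() {
    printf 'QUIT\r\n' | nc -w 3 "$1" 21 | head -n 1
}

# Usage on the real paths from the post:
#   ./banner.sh install
#   ./banner.sh check ftp.example.com
case "${1:-}" in
    install) install_banner /etc/vsftpd/vsftpd.conf /etc/banners/ftp.msg ;;
    check)   g=$(fetch_greeting "$2")
             if greeting_leaks_version "$g"; then
                 echo "greeting discloses version: $g"; exit 1
             fi
             echo "greeting ok: $g" ;;
esac
```

The check is deliberately crude: anything matching a digits-dot-digits pattern is treated as a version, because an attacker's fingerprinting script is no more careful than that.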

Anonymous Access

Anonymous logins are controlled by the anonymous_enable directive in /etc/vsftpd/vsftpd.conf, which the Red Hat configuration sets to YES; anonymous sessions run as the ftp user and are confined to its home directory, /var/ftp/. The easiest way to create this directory tree is to install the vsftpd package, which sets up a tree for anonymous users and makes its directories read-only to them. By default the anonymous user cannot write to any directory. If anonymous access is not needed, set anonymous_enable=NO. Caution: If enabling anonymous access to an FTP server, be aware of where sensitive data is stored; anything readable under /var/ftp/ is readable by everyone who can reach port 21.

Anonymous Upload

To allow anonymous users to upload files, it is recommended that a write-only directory be created within /var/ftp/pub. To do this, type:

mkdir /var/ftp/pub/upload
Next, change the permissions so that anonymous users can write into the directory but cannot read (list) what is within it:

chmod 730 /var/ftp/pub/upload
A long format listing of the directory should look like this. Note the group: the directory must be group-owned by ftp, the account anonymous sessions run as, for the group write bit to apply to them while the missing read bit keeps the contents hidden:

drwx-wx---    2 root    ftp     4096 Feb 13 20:05 upload
Warning: Administrators who allow anonymous users to both read and write in a directory often find that their servers become a repository of stolen software; the write-only permissions above exist to prevent exactly that. Finally, enable anonymous uploads in vsftpd by adding the following line to /etc/vsftpd/vsftpd.conf (uploads also require write_enable=YES, the global switch for any write command):

anon_upload_enable=YES
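
As an added example (not from the original post), this POSIX shell script performs the drop-box steps above and then audits the result: it creates the write-only directory, gives it the ftp group the listing above shows, confirms the permission string from that listing, and checks vsftpd.conf for the directives a drop box needs and for the ones that would turn it back into a readable, writable share. The directory, group name and configuration path are arguments; the configuration files in the usage notes are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a write-only anonymous
# upload directory and audits vsftpd.conf for a safe drop-box configuration.
set -eu

# make_dropbox DIR [GROUP]
# DIR becomes group GROUP (the account anonymous sessions run as, "ftp" on
# Red Hat), mode 730: owner rwx, group wx, others nothing. The missing group
# read bit is what stops anonymous users from listing what others left there.
make_dropbox() {
    dir=$1 group=${2:-ftp}
    mkdir -p "$dir"
    # chgrp needs root (or membership in the group); report rather than abort
    chgrp "$group" "$dir" 2>/dev/null ||
        echo "warning: could not set group $group on $dir (run as root)" >&2
    chmod 730 "$dir"
}

# dropbox_mode DIR: the permission string a long listing shows, e.g. drwx-wx---
dropbox_mode() {
    ls -ld "$1" | cut -c1-10
}

# audit_upload_conf CONF
# Prints one line per finding and fails if there is any. Anonymous uploads
# need write_enable=YES (the global switch for every write command) as well
# as anon_upload_enable=YES. The three "dangerous" settings re-open the
# drop box: anon_mkdir_write_enable / anon_other_write_enable let anonymous
# users create directories, rename and delete; anon_world_readable_only=NO
# lets them download files that are not world-readable, i.e. fetch back what
# someone else uploaded (uploads are created under anon_umask, default 077).
audit_upload_conf() {
    conf=$1 findings=0
    for want in write_enable=YES anon_upload_enable=YES; do
        if ! grep -qx "$want" "$conf"; then
            echo "missing:   $want"
            findings=$((findings + 1))
        fi
    done
    for bad in anon_mkdir_write_enable=YES anon_other_write_enable=YES \
               anon_world_readable_only=NO; do
        if grep -qx "$bad" "$conf"; then
            echo "dangerous: $bad"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage on a real server (paths from the post):
#   ./dropbox.sh /var/ftp/pub/upload /etc/vsftpd/vsftpd.conf
if [ $# -eq 2 ]; then
    make_dropbox "$1"
    echo "$1: $(dropbox_mode "$1")"
    audit_upload_conf "$2"
fi
```

The audit matches whole lines because vsftpd itself rejects spaces around the equals sign, so anything that does not match exactly is either absent or a comment.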

User Accounts

Because FTP passes usernames and passwords unencrypted over the network, it is a good idea to deny system users access to the server with their local accounts: a captured FTP password is usually also a valid login password for the machine. To disable local user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

local_enable=NO
Restricting User Accounts

The easiest way to deny a specific group of accounts, such as the root user and those with sudo privileges, access to the FTP server is to use a PAM list file. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd. It is also possible to disable user accounts within the service directly: to disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers (later releases move this file to /etc/vsftpd/ftpusers). Note that a PAM deny list is consulted only after the client has already sent its password; vsftpd's own userlist_enable/userlist_deny mechanism (the user_list file) rejects a listed name before the password is requested, so a password for a denied account never crosses the network at all.
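
As an added example (not from the original post), the following POSIX shell script generates the deny list that the PAM list file approach above enforces: every UID-0 account (not only root), the system accounts below the site's first ordinary UID, and every member of the administrative group, written with the permissions pam_listfile insists on. The paths to the passwd and group files, the group name and the UID threshold are arguments; the account databases used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a pam_listfile deny
# list for vsftpd from passwd(5) and group(5) data.
set -eu

# ftp_deny_list PASSWD GROUP ADMIN_GROUP MIN_UID
# Prints, one per line and de-duplicated: every account with UID 0, every
# account with UID below MIN_UID (system accounts), and every member of
# ADMIN_GROUP, whether listed in the group file or using it as primary group.
ftp_deny_list() {
    passwd=$1 group=$2 admin=$3 min_uid=$4
    admin_gid=$(awk -F: -v g="$admin" '$1 == g { print $3 }' "$group")
    {
        # UID 0 and system accounts
        awk -F: -v m="$min_uid" '$3 == 0 || $3 < m { print $1 }' "$passwd"
        # supplementary members listed in the group file
        awk -F: -v g="$admin" '$1 == g && $4 != "" {
                 n = split($4, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$group"
        # accounts whose primary group is the admin group
        if [ -n "$admin_gid" ]; then
            awk -F: -v gid="$admin_gid" '$4 == gid { print $1 }' "$passwd"
        fi
    } | LC_ALL=C sort -u
}

# write_deny_list OUT PASSWD GROUP ADMIN_GROUP MIN_UID
# pam_listfile refuses a list that is not owned by root or is world-writable,
# so the file is created 0600 and must be written as root. Red Hat's stock
# /etc/pam.d/vsftpd reads it with a line of this form (path from the post):
#   auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
# Beware onerr=succeed: an unreadable or badly-permissioned list denies nobody.
write_deny_list() {
    out=$1; shift
    ( umask 077; ftp_deny_list "$@" > "$out" )
    chmod 600 "$out"
}

# Usage on a real server: regenerate the list the PAM stack already reads
# (UID_MIN is 500 on the Red Hat releases this post covers).
#   ./ftpusers.sh /etc/vsftpd.ftpusers /etc/passwd /etc/group wheel 500
if [ $# -eq 5 ]; then
    write_deny_list "$@"
fi
```

Generating the list from the account database rather than maintaining it by hand is the point: a second UID-0 account or a new wheel member is caught the next time the script runs, which a static list of "root" never would.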

Use TCP Wrappers To Control Access

Both daemons are TCP-wrappers aware (vsftpd through its tcp_wrappers=YES directive, which the Red Hat configuration sets, and gssftpd because it runs under xinetd), so /etc/hosts.allow and /etc/hosts.deny can restrict which hosts may connect at all. Deny by default and list only the networks that need FTP; a client that is refused before the greeting never gets the chance to send a cleartext password.
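
As an added example (not part of the original post), the two files below show the deny-by-default pattern for vsftpd under TCP wrappers, together with the banners option referred to in the greeting section. The network 192.168.1.0/255.255.255.0 is a placeholder. Note that TCP wrappers looks for a banner file named after the daemon process, so for vsftpd the file under /etc/banners/ must be called vsftpd, not ftp.msg.

```text
# /etc/hosts.allow is consulted first; the first matching line wins.
# Permit the internal network and send it the banner /etc/banners/vsftpd.
vsftpd: 192.168.1.0/255.255.255.0: banners /etc/banners/

# /etc/hosts.deny is consulted only when nothing in hosts.allow matched.
# Everyone else is refused before the FTP greeting is sent.
vsftpd: ALL
```

Matching on addresses rather than host names avoids a dependency on reverse DNS, which an attacker's network may control.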
