Securing FTP servers (2.212.3)

The candidate should be able to configure an anonymous download FTP server. This objective includes configuring an FTP server to allow anonymous uploads, listing additional precautions to be taken if anonymous uploads are permitted, configuring guest users and groups with chroot jail, and configuring ftpaccess to deny access to named users or groups.

Key files, terms and utilities include:

ftpaccess, ftpusers, ftpgroups
/etc/passwd
chroot

Anonymous FTP allows users to connect to a system without needing a password. There are two special login names to facilitate this, “anonymous” and “ftp”. Both refer to the same account, 'ftp', which we'll create together with the home directory and the subtree it needs:

# adduser ftp                    'create user and /home/ftp
....
# chown root.root /home/ftp      'make it owned by root
# chmod 555 /home/ftp            'set it unwritable by anyone, allow subdirs
# cd /home/ftp                  
# mkdir bin etc lib pub          'create needed sub directories
# chmod 511 bin etc lib          'set it unwritable by anyone
# chmod 555 pub                  'set it unwritable by anyone, allow subdirs
# mkdir pub/incoming             'upload directory
          
The “ftp” user will be chroot'ed, which means that the root directory / will be remapped to /home/ftp. The command ls is located in the /bin directory, which is no longer visible from inside the jail. For this reason the ls command must be copied to the /home/ftp/bin directory, and the libraries ls needs, which obviously can't be found either, must be copied to the /home/ftp/lib directory:
# cd /home/ftp
# cp /bin/ls bin/
# chmod 111 bin/ls               'executable only
          
And now the libraries ls needs:
# ldd /bin/ls
          librt.so.1 => /lib/librt.so.1 (0x4001e000)
          libc.so.6 => /lib/libc.so.6 (0x40030000)
          libpthread.so.0 => /lib/libpthread.so.0 (0x40153000)
          /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
          
We'll copy them:
# cp /lib/librt.so.1 lib/
# cp /lib/libc.so.6 lib/
# cp /lib/libpthread.so.0 lib/
# cp /lib/ld-linux.so.2 lib/
# chmod 555 lib/*                'readable and executable
# chown root.root lib/*          'make them all owned by root
          
If we want to present the anonymous user with a message after a successful login, we can do this by editing the /home/ftp/etc/motd file.

Finally, should we wish to see owner and group names instead of their numbers, the files /etc/passwd and /etc/group must also be copied to the /home/ftp/etc directory. The password field (the second field) in both files is not used by the FTP server and should not contain a real password, so we'll replace it with an asterisk:

# perl -ne 's/^([^:]+:)([^:]*)(:.*)$/\1*\3/; print;' /etc/passwd > etc/passwd
# perl -ne 's/^([^:]+:)([^:]*)(:.*)$/\1*\3/; print;' /etc/group > etc/group
          

This user has been created with the command addftpuser during the installation of the server daemon, which includes the accompanying directory structure. The “ftp” user will operate within a chroot'ed environment:

# ls -lR /home/ftp
/home/ftp:
total 5
d--x--x--x    2 root     root         1024 Dec  6 19:07 bin
d--x--x--x    2 root     root         1024 Dec  6 19:07 etc
d--x--x--x    2 root     root         1024 Dec  6 19:07 lib
dr-xr-xr-x    3 root     root         1024 Dec  6 19:11 pub
-rw-r--r--    1 root     root          346 Dec  6 19:07 welcome.msg

/home/ftp/bin:
total 220
---x--x--x    1 root     root        48844 Dec  6 19:07 gzip
---x--x--x    1 root     root        43932 Dec  6 19:07 ls
---x--x--x    1 root     root       128780 Dec  6 19:07 tar

/home/ftp/etc:
total 3
-r--r--r--    1 root     root           18 Dec  6 19:07 group
-r--r--r--    1 root     root           44 Dec  6 19:07 passwd
-r--r--r--    1 root     root          178 Dec  6 19:07 pathmsg

/home/ftp/lib:
total 1374
-r-xr-xr-x    1 root     root        94529 Dec  6 19:07 ld-linux.so.2
-r--r--r--    1 root     root      1171196 Dec  6 19:07 libc.so.6
-r--r--r--    1 root     root       104744 Dec  6 19:07 libpthread.so.0
-r--r--r--    1 root     root        25596 Dec  6 19:07 librt.so.1

/home/ftp/pub:
total 2
drwxr-x-wx    2 root     root         1024 Dec  6 19:07 incoming
-rw-r--r--    1 root     root            6 Dec  6 19:11 test.bestand

/home/ftp/pub/incoming:
total 0
          
The files /home/ftp/etc/group and /home/ftp/etc/passwd are examples and must be replaced with the real ones, with the password fields stripped:
# perl -ne 's/^([^:]+:)([^:]*)(:.*)$/\1*\3/; print;' /etc/passwd > etc/passwd
# perl -ne 's/^([^:]+:)([^:]*)(:.*)$/\1*\3/; print;' /etc/group > etc/group
          
The file welcome.msg contains the message that is displayed when the anonymous or ftp user successfully logs in. This is configured in /etc/wu-ftpd/ftpaccess as follows:
message /welcome.msg            login
          
The sequence of messages during a session is:
willem@pug:~$ ftp pug
Connected to pug.
220-#################################################################
220-THIS IS /etc/wu-ftpd/welcome.msg
220-configured with banner 
220---
220-Welcome, archive user @pug !
220-
220-The local time is: Fri Dec  7 01:56:38 2001
220-
220-This is an experimental FTP server.  If have any unusual problems,
220-please report them via e-mail to <root@pug>.
220-
220-If you do have problems, please try using a dash (-) as the first
220-character of your password -- this will turn off the continuation
220-messages that may be confusing your FTP client.
220-#################################################################
220-
220-
220 configured with greeting: pug FTP Server at your service!
Name (pug:willem): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-#################################################################
230-THIS IS /home/ftp/welcome.msg
230-configured with message
230---
230-Welcome, archive user anonymous@pug !
230-
230-The local time is: Fri Dec  7 01:57:05 2001
230-
230-This is an experimental FTP server.  If have any unusual problems,
230-please report them via e-mail to <root@pug>.
230-
230-If you do have problems, please try using a dash (-) as the first
230-character of your password -- this will turn off the continuation
230-messages that may be confusing your FTP client.
230-#################################################################
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
          

If you allow users to upload data into an incoming directory, do not allow them to create sub-directories in that directory, to prevent misuse.
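The checks below are an added example and not part of the original guide. They assume the jail layout described above (bin, etc, lib and pub/incoming under /home/ftp) and take the jail root as a parameter, so they can be run against the live jail or a staging copy to confirm the password fields were stripped and the incoming directory stays upload-only:

```shell
#!/bin/sh
# Added example, not from the original guide: audit helpers for an anonymous
# FTP chroot laid out as described above (bin, etc, lib, pub/incoming under
# /home/ftp). Every function takes the jail root or a path inside it as an
# argument, so the checks can be run against a staging copy as well.

# sanitize_passwd SRC DST: copy /etc/passwd or /etc/group into the jail with
# the second (password) field replaced by '*', as the perl one-liner does.
sanitize_passwd() {
    awk -F: -v OFS=: '{ $2 = "*"; print }' "$1" > "$2"
}

# passwd_is_clean FILE: true when no entry carries anything but '*' in field 2.
passwd_is_clean() {
    [ -z "$(awk -F: '$2 != "*"' "$1")" ]
}

# incoming_has_no_subdirs DIR: the upload directory must hold no
# sub-directories; any that appear point at misuse or a permissive ftpaccess.
incoming_has_no_subdirs() {
    [ -z "$(find "$1" -mindepth 1 -type d)" ]
}

# incoming_not_listable DIR: 'others' get write and search but not read on
# pub/incoming (drwxr-x-wx in the listing above), so anonymous users can
# drop files but not browse what others have uploaded.
incoming_not_listable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# world_writable_outside_incoming JAIL: print every world-writable path in
# the jail other than pub/incoming; no output means the jail is tight.
world_writable_outside_incoming() {
    find "$1" -perm -002 ! -path "$1/pub/incoming"
}

# audit_jail JAIL: run every check, print one line per finding and return 1
# if anything was found, 0 for a clean jail.
audit_jail() {
    jail=$1 rc=0
    passwd_is_clean "$jail/etc/passwd" || { echo "passwd: real password field"; rc=1; }
    passwd_is_clean "$jail/etc/group" || { echo "group: real password field"; rc=1; }
    incoming_has_no_subdirs "$jail/pub/incoming" || { echo "incoming: sub-directories"; rc=1; }
    incoming_not_listable "$jail/pub/incoming" || { echo "incoming: world-readable"; rc=1; }
    ww=$(world_writable_outside_incoming "$jail")
    [ -z "$ww" ] || { echo "world-writable: $ww"; rc=1; }
    return $rc
}
```

Run `audit_jail /home/ftp` as root after the copy steps above; a silent run with exit status 0 means the jail matches the layout the guide describes.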

Copyright Snow B.V. The Netherlands