A More Secure FTP

The FTP system discussed in the preceding sections, which is the basic one supplied with practically every Linux distribution, requires a bit of work to make it secure. However, it is still vulnerable to very experienced crackers. There’s a better alternative if you are paranoid about your system’s security: WU FTP. Developed at Washington University, WU FTP adds some extra features to the standard FTP system:

•  Better control of user and group IDs

•  Better tracking of uploads and downloads

•  Automatic shutdown

•  Automatic compression and decompression of files

If these features sound useful, you can obtain a copy of the source code of WU FTP from several sites, although the primary site is wuarchive.wustl.edu. Check for the file /packages/wuarchive-ftpd/wu-ftpd-X.X.tar.Z (where X.X is the latest version number). You will get the source code that needs to be compiled on your Linux system.

WU FTP uses a number of environment variables to control the service, and the accompanying documentation helps you set it up properly. Setting up WU FTP is much more complex than standard FTP, and the extra security, while useful, may be unnecessary for many FTP site machines you may have set up at home or work (unless you have sensitive information).

Protecting an Anonymous FTP System

Anonymous FTP is fast, relatively easy to use, and a huge security problem if you don’t carefully set up your system. The following list summarizes a few simple steps to setting up a better anonymous FTP site:

1.  Create a user account called ftp. Edit the /etc/passwd file manually and replace the password with an asterisk in the second field. This prevents anyone from gaining access through the ftp account.

2.  If a home directory wasn’t created for the ftp user when you created the account, set up a home directory for the ftp user’s sole use (such as /home/ftp).

3.  Set the ftp home directory so that the root user is the owner:

   chown root /usr/ftp

4.  Make the ftp home directory unwritable to anyone with the command:

   chmod ugo-w /usr/ftp

5.  Create a bin directory under the ftp home directory:

   mkdir ~ftp/bin

6.  Make the ~ftp/bin directory owned by root and unwritable to anyone else:

   chown root ~ftp/bin

   chmod ugo-w ~ftp/bin

7.  Place a copy of the listing commands (and any others that you want anonymous FTP users to use) in the bin directory:

cp /bin/ls ~ftp/bin

8.  Create an etc directory under the ftp home directory and make it owned by root and unwritable:

   mkdir ~ftp/etc

   chown root ~ftp/etc

   chmod ugo-w ~ftp/etc

9.  Copy the /etc/passwd and /etc/group files into the ~ftp/etc directory. Edit both files to remove all user accounts except ftp (and ftp’s group). (At the very least, remove all passwords for other accounts by placing asterisks in the password field.)

10.  Create the directory ~ftp/pub/incoming, and make it owned by root. Then, make the directory writable by anyone:

   mkdir ~ftp/pub/incoming

   chown root ~ftp/pub/incoming

   chmod ugo+w ~ftp/pub/incoming

11.  Place any files you want accessible by anonymous FTP into the ~ftp/pub directory. Users logging in through anonymous FTP will be able to transfer the files out. Allowing users to write files into the directory may not be desirable, so change the permissions or check the files frequently.

By following these steps (modified for your own particular needs), you can create a secure site that lets you breathe a little easier.

Summary

The information in this chapter enables you to set up your system as a full anonymous FTP site or just a site for the users you want to gain access. Although the process is simple, you have to take care to ensure the file permissions are properly set. Once your FTP site is up, you can let others on the Internet or your local area network know that you are running, as well as the type of material you store on your system. Then sit back and share!

From here, there are several other chapters you may want to read to learn more about related subjects. To learn about:

Setting ownerships and file permissions properly before and after you FTP them, read Chapter 9, “File and Directory Permissions.”

Programming your Linux shell to allow you to transfer files with a single command, see Chapter 14, “Shell Programming.”

Setting up your Linux system to use a local area network (so you can FTP files to other machines), read Chapter 37, “Networking.”