ProFTPd, wu-ftpd, and general ftp security

FTP in general has a long and sad history of security problems. If you need to run an ftp server, you need to keep careful track of vulnerabilites and exploits that may make for a very unhappy day. Things have gotten better in recent years, but just as I started this article I checked the proftpd.org . Makes you want to forget ftp entirely, doesn't it? I do think the more widespread availablility of ssh (hence scp and sftp) has made anything but anonymous ftp less necessary, and that does help - at least there aren't as many unencrypted logins flying around. The main problem with ftp is that it almost always runs with root privilege, at least part of the time. It needs to bind to low ports (20 and 21) at a minimum, which requires root, and there are probably other points where it needs more than ordinary user abilities. Modern implementations try to avoid being root when they don't need to, but of course that's not perfect. Other damage limiting attempts involve running in a 220 ftp.xyz.com FTP server ready. For wu-ftp, the file is "ftpaccess", and you want 'greeting terse' or 'greeting brief'. You surely also want to disallow certain users from using ftp. It would usually be a very poor idea to let root have an ftp login, for example. With both wu-ftp and proftp (and many other ftp's), you list disallowed users in /etc/ftpusers. Proftpd disallows root by default, regardless of ftpusers. If you did "RootLogin on" in proftpd.conf, you'd still need to remove root from /etc/ftpusers should you need this. You can also restrict to certain ip's: proftpd.conf: <Limit LOGIN> Order Allow,Deny Allow 192.168.2.8, mydomain.com, anotherdomain.net, Deny from all </Limit> wu-ftpd ftpaccess: (from man page) &nbsp&nbsp&nbsp&nbsp deny <addrglob> <message_file> &nbsp&nbsp&nbsp&nbsp Always deny access to host(s) matching <addrglob>. &nbsp&nbsp&nbsp&nbsp <message_file> is displayed. <addrglob> may be &nbsp&nbsp&nbsp&nbsp "!nameserved" to deny access to sites without a working &nbsp&nbsp&nbsp&nbsp nameserver. It may also be the name of a file, &nbsp&nbsp&nbsp&nbsp starting with a slash ('/'), which contains &nbsp&nbsp&nbsp&nbsp additional address globs, as well as in the form &nbsp&nbsp&nbsp&nbsp address:netmask or address/cidr. To prevent password guessing, you may set limits on login attempts: proftpd.conf: MaxLoginAttempts&nbsp&nbsp&nbsp&nbsp 4 wu-ftpd ftpaccess: loginfails 3 You can also do things like limiting the total number of ftp sessions, though your ability to do that will have to be external if the daemon is started on demand by inetd or xinetd (proftpd.conf: UserAlias&nbsp&nbsp&nbsp anonymous ftp No special definition is necessary for wu-ftpd. For most ftp's, you need a /var/ftp/ directory for anonymous ftp to work. The configuration files usually have examples of what you have to turn on for anonymous ftp. There are configuration limits here: proftpd.conf: MaxClients&nbsp&nbsp&nbsp 10 "Maximum anon users reached, try again later" wu-ftpd ftpaccess: limit anon 120 SaSu|Any2000-0600 /etc/msg.toomuchload limit anon 30 Any /etc/msg.toomuchload # Allows more users on weekends and 8PM to 6AM Apparently sftp can be setup for anonymous use also (APLawrence.com A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com