
If you plan to offer FTP services, be warned. This can be a very risky proposition. It is a risk that can be managed but never eliminated. A friend of mine—a veteran security administrator, programmer, and UNIX guru—was going over one of his own systems one day. He found a veritable treasure trove of pirated booty. Software of all kinds was hidden neatly away on his FTP server. Who knows how long the pirates had been stealing his bandwidth, and how much farther they could have gotten into his system if they had had the urge?

Offering FTP services to clients is a handy thing. It allows you to distribute software cheaply and easily, in a way that most Web users are at least familiar with. The problem is that there are so many holes in so many of the software applications used to offer FTP. A quick search on SecurityFocus can keep you busy for a long time. For example, a recent multivendor vulnerability notice was posted on SecurityFocus and can be found at www.securityfocus.com/bid/2496. This vulnerability impacts Solaris, HP-UX, Linux, BSD, AIX, and others. So how can you keep yourself safe?

The only real answer is that you can’t, but you can take steps to make sure that you are as safe as possible. As usual, the first step is patching the system. Make sure that any known vulnerabilities are fixed. Next, you need to decide if you are going to offer anonymous FTP services. If you are, there are some general guidelines you should follow. First, make sure that the environment that the FTP users are logging into is restricted. Solaris’s FTPD, luckily, performs a chroot(2) to the home directory of the FTP user. This saves you some trouble. Create a user—ftpuser, for example. This user should not have a valid shell in his or her /etc/passwd entry. If the user did have a valid shell, login would be allowed, which is not what we want. I use /noshell as the shell for my FTP user entry. The home directory of this user should be the area where the FTP tree can be found. Something like /export/ftp is recommended. In addition, make sure that there is no password for this user by placing NP in the /etc/shadow entry for this user. Next, the file structure needs to be very carefully arranged:

~ftp This directory should be owned by root and should not be writable by user, group, or other.

~ftp/bin This directory should be owned by root and should not be writable by user, group, or other. It should also be symlinked to ~ftp/usr/bin and should contain the ls command, with mode set to 111.

~ftp/usr/lib This directory should be owned by root and should not be writable by user, group, or other. This directory should contain the following files:
■ ld.so.1*
■ libc.so.1*
■ libdl.so.1*
■ libmp.so.2*
■ libnsl.so.1*
■ libsocket.so.1*
■ nss_compat.so.1*
■ nss_dns.so.1*
■ nss_files.so.1*
■ nss_nis.so.1*
■ nss_nisplus.so.1*
■ nss_xfn.so.1*
■ straddr.so*
■ straddr.so.2*

~ftp/etc This directory should be owned by root and should not be writable by user, group, or other. Place limited copies of /etc/passwd, /etc/group, and /etc/netconfig here, with mode 444.

~ftp/pub This directory is where your files will be uploaded to and downloaded from. If you want to allow upload, set the mode to 777; otherwise, set the permissions to restrict write access.

~ftp/dev This directory should be owned by root and should not be writable by user, group, or other. You need to use mknod to create the files in this directory. Use ls -lL (lowercase l, uppercase L) on the real devices to get the major and minor numbers, and then use these numbers to create the nodes. The files you need are /dev/zero, /dev/tcp, /dev/udp, and /dev/ticotsord. Set the read and write mode to 666 on these nodes.

~ftp/usr/share/lib/zoneinfo This directory should be mode 555 and owned by the root user. Its contents should be the same as those of /usr/share/lib/zoneinfo.

In addition, you need to make sure that the /etc/pam.conf file is properly configured to handle FTP authentication, whether anonymous or normal. The following lines should be in the pam.conf file:

ftp auth required /usr/lib/security/pam_unix.so.1
ftp account required /usr/lib/security/pam_unix.so.1
ftp session required /usr/lib/security/pam_unix.so.1

It’s also a good idea to make sure that the /etc/default/ftpd file is created and contains a valid banner for your site as well as a UMASK for files created by the FTP process. I recommend 077.

Another useful file is /etc/ftpusers. This file contains the names of users who are not allowed FTP access. It is strongly recommended that you put in this file all the built-in accounts as well as all your user accounts that should not be accessing FTP services. The command is simple:

cat /etc/passwd | cut -f1 -d: > /etc/ftpusers
chown root /etc/ftpusers
chmod 600 /etc/ftpusers
