32.9. Securing FTP

The ftpusers file. Make sure you have set up the file /etc/ftpusers, which lists the users that are NOT allowed to connect to your FTP server. It should include, as a MINIMUM, the following entries: root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, nobody and ALL other default vendor-supplied accounts present in your /etc/passwd file.
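One way to automate this check, as an added example that is not part of the original guide: the function below lists accounts from a passwd file that the ftpusers file does not deny. The function name, the sample data and the rule that "vendor-supplied" means a UID below 500 (plus nobody) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report system accounts that /etc/ftpusers does not deny.
# Assumption: a "vendor-supplied" account is one with UID below UID_MIN
# (default 500), plus "nobody", whose UID differs between distributions.

# missing_ftpusers PASSWD FTPUSERS [UID_MIN]
# Prints, in passwd order, each system account absent from FTPUSERS.
missing_ftpusers() {
    deny=$2
    # An unreadable or missing ftpusers file denies nobody: treat it as empty.
    [ -r "$deny" ] || deny=/dev/null
    awk -F: -v min="${3:-500}" '
        # ftpusers: one name per line; strip comments and whitespace.
        # Matching on FILENAME (not NR == FNR) keeps an empty file safe.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") denied[$0] = 1
            next
        }
        # passwd: field 1 is the login name, field 3 the UID.
        ($3 + 0 < min + 0 || $1 == "nobody") && !($1 in denied) { print $1 }
    ' "$deny" "$1"
}

# Constructed sample data (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:' \
        'daemon:x:2:2:daemon:/sbin:' \
        'nobody:x:99:99:Nobody:/:' \
        'alice:x:501:501::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' '# accounts denied FTP access' 'root' 'bin' > "$d/ftpusers"
    missing_ftpusers "$d/passwd" "$d/ftpusers"
    rm -rf "$d"
}

demo
```

On a live system, run `missing_ftpusers /etc/passwd /etc/ftpusers`; any name it prints is a candidate for addition to /etc/ftpusers.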

The anonymous FTP program. To disable anonymous FTP, remove the anonymous user ftp from your password file and verify that the anonftp-version.i386.rpm package is not installed on your system.

To remove the user ftp from your password file, use the following command:
        [root@deep /]# userdel ftp
To verify that the RPM package of the anonymous FTP program is not installed on your Linux system, use the following command:
        [root@deep /]# rpm -q anonftp

        package anonftp is not installed

The upload command. By default, the Wu-ftpd server grants upload privileges to all users. The upload parameter allows remote clients to load and place files on the FTP server. For optimal security, we don't want users to be able to upload into the bin, etc, dev, and lib subdirectories of the /home/ftp directory. In our /etc/ftpaccess file we have already chroot'd users to /home/ftp, so they cannot access any area of the filesystem outside that directory structure, but in case something happens to the permissions on these directories you should also deny upload privileges into them in your /etc/ftpaccess file: /home/ftp/, /home/ftp/bin, /home/ftp/etc, /home/ftp/dev, and /home/ftp/lib.

Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines to deny upload privileges into these areas.
        # We don't want users being able to upload into these areas.
        upload /home/ftp/* /    no
        upload /home/ftp/* /etc no
        upload /home/ftp/* /dev no
        upload /home/ftp/* /bin no
        upload /home/ftp/* /lib no

The /bin and /lib lines are required only if you are not using the --enable-ls option.

The above lines deny uploads into the /, /etc, /dev, /bin and /lib directories of the chroot'd /home/ftp directory structure.

Published under the terms of the Open Publication License