Securing-Optimizing-RH-Linux-1_2_435
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
- Disable PID lock sleep messages (for busy sites).
- Don't require same IP for passive connections.
- Don't allow anonymous ftp access for better security.
- Use the new internal ls command of Wu-ftpd instead of the default ls of Linux for more security.
- Internal ls displays UID instead of username for better performance (faster).
Step 4
Now, we must install Wu-ftpd in the Linux server:
[root@deep wu-ftpd-2.6.0]# make
[root@deep wu-ftpd-2.6.0]# make install
[root@deep wu-ftpd-2.6.0]# install -m 755 util/xferstats /usr/sbin/
[root@deep wu-ftpd-2.6.0]# touch /var/log/xferlog
[root@deep wu-ftpd-2.6.0]# chmod 600 /var/log/xferlog
[root@deep wu-ftpd-2.6.0]# cd /usr/sbin/
[root@deep sbin]# ln -sf in.ftpd /usr/sbin/wu.ftpd
[root@deep sbin]# ln -sf in.ftpd /usr/sbin/in.wuftpd
[root@deep sbin]# strip /usr/bin/ftpcount
[root@deep sbin]# strip /usr/bin/ftpwho
[root@deep sbin]# strip /usr/sbin/in.ftpd
[root@deep sbin]# strip /usr/sbin/ftpshut
[root@deep sbin]# strip /usr/sbin/ckconfig
[root@deep sbin]# strip /usr/sbin/ftprestart
The make and make install commands above configure the software to ensure your
system has the necessary functionality and libraries to successfully compile the package, compile
all source files into executable binaries, and then install the binaries and any supporting files into
the appropriate locations.
The install -m command installs the xferstats program, which is used to view statistics about
transferred files, and the touch command creates the log file for xferstats under the /var/log
directory. The chmod command changes the mode of the xferlog file so that it is readable and
writable only by the super-user root. Afterwards, we create symbolic links for the in.ftpd binary and
finally strip all binaries related to Wu-ftpd to reduce their size for better performance.
Cleanup after work
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf wu-ftpd-version/ wu-ftpd-version.tar.gz
The rm command will remove all the source files we have used to compile and install Wu-ftpd. It
will also remove the Wu-ftpd compressed archive from the /var/tmp directory.
Set up an FTP user account for each user without shells
It's important to give none of your allowed FTP users a real shell account on the Linux system.
This way, if for any reason someone successfully gets out of the FTP chrooted environment, they
will not be able to execute user tasks, since they don't have a bash shell. First of all, create
new users for this purpose; these will be the users allowed to connect to your FTP server. These
accounts have to be separate from regular user accounts with unlimited access, because of how the
"chroot" environment works. Chroot makes it appear from the user's perspective as if the level of
the file system you've placed them in is the top level of the file system.
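To check this policy on an existing server, the following script (an added example, not part of the original book) reads passwd-format lines and reports each listed FTP account whose login shell is anything other than a no-login value. The function name, the NOLOGIN list and the sample accounts are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: flag FTP accounts that still have a usable login shell.
# Reads passwd-format lines on stdin; arguments are the FTP user names to check.
# NOLOGIN is an assumed list of shell values that give no interactive shell.
NOLOGIN="/dev/null /bin/false /sbin/nologin"

ftp_shell_audit() {
    awk -F: -v users="$*" -v nologin="$NOLOGIN" '
        BEGIN {
            n = split(users, u, " ");   for (i = 1; i <= n; i++) want[u[i]] = 1
            m = split(nologin, s, " "); for (i = 1; i <= m; i++) safe[s[i]] = 1
        }
        ($1 in want) {
            seen[$1] = 1
            # An empty seventh field means the system default shell, /bin/sh.
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in safe)) print $1 ":" shell
        }
        END {
            # A listed name with no passwd entry is reported as well.
            for (i = 1; i <= n; i++) if (!(u[i] in seen)) print u[i] ":MISSING"
        }'
}

# Constructed sample data; the account names are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftpadmin:x:502:502::/home/ftp/ftpadmin:/dev/null
ftpuser1:x:503:503::/home/ftp/ftpuser1:/bin/bash
ftpuser2:x:504:504::/home/ftp/ftpuser2:'

# Prints one "user:shell" line per account that needs attention.
printf '%s\n' "$SAMPLE_PASSWD" | ftp_shell_audit ftpadmin ftpuser1 ftpuser2 ftpuser3
```

On a live system the same function can be fed with /etc/passwd on stdin and the names of the accounts allowed to use FTP as arguments.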
Step 1
Use the following command to create users in the /etc/passwd file. This step must be done for
each additional new user you allow to access your FTP server.