Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 435

- Disable PID lock sleep messages (for busy sites).
- Don't require the same IP address for passive connections.
- Don't allow anonymous FTP access, for better security.
- Use the internal “ls” command of Wu-ftpd instead of the default “ls” of Linux, for more security.
- Have the internal “ls” display the UID instead of the username, for better performance (faster).

Step 4
Now we must compile and install Wu-ftpd on the Linux server:

[root@deep wu-ftpd-2.6.0]# make
[root@deep wu-ftpd-2.6.0]# make install
[root@deep wu-ftpd-2.6.0]# install -m 755 util/xferstats /usr/sbin/
[root@deep wu-ftpd-2.6.0]# touch /var/log/xferlog
[root@deep wu-ftpd-2.6.0]# chmod 600 /var/log/xferlog
[root@deep wu-ftpd-2.6.0]# cd /usr/sbin/
[root@deep sbin]# ln -sf in.ftpd /usr/sbin/wu.ftpd
[root@deep sbin]# ln -sf in.ftpd /usr/sbin/in.wuftpd
[root@deep sbin]# strip /usr/bin/ftpcount
[root@deep sbin]# strip /usr/bin/ftpwho
[root@deep sbin]# strip /usr/sbin/in.ftpd
[root@deep sbin]# strip /usr/sbin/ftpshut
[root@deep sbin]# strip /usr/sbin/ckconfig
[root@deep sbin]# strip /usr/sbin/ftprestart

The “make” command compiles all source files into executable binaries, and “make install” installs the binaries and any supporting files into the appropriate locations. Checking that your system has the necessary functionality and libraries to compile the package is the job of the “configure” step whose options are listed above, not of “make”. The “install -m 755” command installs the program “xferstats”, used to see statistics about transferred files, and the “touch” command creates the log file it reads, “xferlog”, under the “/var/log” directory. The “chmod 600” changes the mode of the “xferlog” file so that it is readable and writable only by the super-user “root”; the transfer log records usernames, client addresses and file names, so it should not be readable by other users. After that, we create the symbolic links “wu.ftpd” and “in.wuftpd” pointing to the “in.ftpd” binary, and finally strip the symbol tables from all binaries related to Wu-ftpd to reduce their size.
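The following POSIX sh check is an added example, not part of the book, that verifies the result of Step 4: the “xferlog” file exists with mode 600, the two symbolic links point at “in.ftpd”, and every binary the book installs is present and executable. The paths are the ones the book uses; the ROOT prefix parameter and the staging-tree builder (with its dummy one-line binaries) are assumptions added here so the check can be tried without touching the live system.

```bash
#!/bin/sh
# Added example, not from the book: verify the Wu-ftpd installation of Step 4.
# ROOT is a directory prefix so the check can run against a staging tree;
# pass / to check the live system. The paths are the ones the book installs to.

# file_mode FILE -> permission bits in octal, e.g. 600 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# verify_wuftpd_install ROOT
# Prints one line per problem found; exit status 0 only when everything checks out.
verify_wuftpd_install() {
    _r=${1%/}
    _bad=0
    _log="$_r/var/log/xferlog"
    if [ ! -f "$_log" ]; then
        echo "missing $_log"; _bad=1
    elif [ "$(file_mode "$_log")" != "600" ]; then
        echo "$_log has mode $(file_mode "$_log"), expected 600 (root-only)"; _bad=1
    fi
    # The book links wu.ftpd and in.wuftpd to in.ftpd with a relative target.
    for _link in wu.ftpd in.wuftpd; do
        _p="$_r/usr/sbin/$_link"
        if [ ! -L "$_p" ] || [ "$(readlink "$_p")" != "in.ftpd" ]; then
            echo "$_p is not a symlink to in.ftpd"; _bad=1
        fi
    done
    for _bin in usr/sbin/in.ftpd usr/sbin/xferstats usr/sbin/ftpshut \
                usr/sbin/ckconfig usr/sbin/ftprestart usr/bin/ftpcount usr/bin/ftpwho; do
        _p="$_r/$_bin"
        [ -x "$_p" ] || { echo "$_p is missing or not executable"; _bad=1; }
    done
    return $_bad
}

# make_staging_tree -> path of a constructed tree laid out as Step 4 leaves it
# (dummy one-line "binaries"), for trying the check without touching the real system.
make_staging_tree() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/var/log" "$_t/usr/sbin" "$_t/usr/bin"
    for _b in in.ftpd xferstats ftpshut ckconfig ftprestart; do
        printf '#!/bin/sh\n' > "$_t/usr/sbin/$_b" && chmod 755 "$_t/usr/sbin/$_b"
    done
    for _b in ftpcount ftpwho; do
        printf '#!/bin/sh\n' > "$_t/usr/bin/$_b" && chmod 755 "$_t/usr/bin/$_b"
    done
    ( cd "$_t/usr/sbin" && ln -sf in.ftpd wu.ftpd && ln -sf in.ftpd in.wuftpd )
    : > "$_t/var/log/xferlog" && chmod 600 "$_t/var/log/xferlog"
    printf '%s\n' "$_t"
}

# Usage on the live system:
#   verify_wuftpd_install / || echo "fix the problems listed above"
```

Run it once right after Step 4 and again after any package upgrade, since a reinstall can silently reset the mode of “xferlog” or replace the symbolic links.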
Cleanup after work
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf wu-ftpd-version/ wu-ftpd-version.tar.gz

The “rm” command removes all the source files we used to compile and install Wu-ftpd. It also removes the Wu-ftpd compressed archive from the “/var/tmp” directory.

Set up an FTP user account for each user, without a shell
It is important to give your allowed FTP users no real shell account on the Linux system. That way, if for any reason someone manages to get out of the FTP chrooted environment, the account cannot be used for an interactive login (telnet, ssh, su) to run ordinary user commands, since it has no valid shell. First of all, create new users for this purpose; these are the users that will be allowed to connect to your FTP server. They must be separate from regular user accounts with unlimited access because of how the “chroot” environment works: chroot makes it appear, from the user's perspective, as if the level of the file system you have placed them in is the top level of the file system.

Step 1
Use the following command to create users in the “/etc/passwd” file. This step must be done for each additional new user you allow to access your FTP server.
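As an added example that is not from the book, the POSIX sh audit below reads an “/etc/passwd”-style file and reports every account at or above a UID cutoff whose login shell is a real shell rather than a non-interactive placeholder. It is the check you would run after creating the FTP accounts described above to confirm none of them was accidentally given “/bin/bash”. The list of placeholder shells, the cutoff of 500 (the first regular UID on Red Hat systems of that era), and the sample passwd entries are assumptions constructed for this example.

```bash
#!/bin/sh
# Added example, not from the book: audit a passwd file for accounts that
# should be FTP-only but still have a real login shell.
# The placeholder-shell list, the UID cutoff and the sample entries are
# constructed for this example.

NOLOGIN_SHELLS="/dev/null /bin/false /bin/true /sbin/nologin /usr/sbin/nologin"

# is_nologin SHELL -> exit 0 if SHELL is empty or one of the placeholders above
is_nologin() {
    _s=$1
    [ -z "$_s" ] && return 0
    for _n in $NOLOGIN_SHELLS; do
        [ "$_s" = "$_n" ] && return 0
    done
    return 1
}

# shell_accounts PASSWD_FILE MIN_UID
# Prints "user shell" for every account with UID >= MIN_UID whose shell is a
# real shell, one per line. Exit status 0 only when no such account exists.
shell_accounts() {
    _file=$1 _min=$2 _found=0
    while IFS=: read -r _user _pw _uid _gid _gecos _home _shell; do
        case $_user in ''|'#'*) continue ;; esac        # skip blanks and comments
        [ "$_uid" -ge "$_min" ] 2>/dev/null || continue # system accounts are out of scope
        if ! is_nologin "$_shell"; then
            printf '%s %s\n' "$_user" "$_shell"
            _found=1
        fi
    done < "$_file"
    [ "$_found" -eq 0 ]
}

# make_sample_passwd -> path of a constructed passwd file: two FTP-only accounts
# with placeholder shells and one that was mistakenly created with /bin/bash.
make_sample_passwd() {
    _tmp=$(mktemp) || return 1
    cat > "$_tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftpadmin:x:500:500:FTP admin:/home/ftp/ftpadmin:/bin/bash
ftpuser1:x:501:501:FTP only:/home/ftp/ftpuser1:/dev/null
ftpuser2:x:502:501:FTP only:/home/ftp/ftpuser2:/bin/false
EOF
    printf '%s\n' "$_tmp"
}

# Usage on the live system:
#   shell_accounts /etc/passwd 500 || echo "accounts above still have a real shell"
```

Whatever placeholder you choose for the FTP accounts, remember that wu-ftpd checks the account's shell against “/etc/shells” before accepting a login, so the placeholder itself must be listed there even though it is not an interactive shell.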