Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Here, you can see that one user is logged in, 20 users are allowed to connect, and this user has
the username ftpadmin and connects from a host that claims to be win.openarch.com.
ftpcount
The ftpcount utility, a simplified version of ftpwho, shows only the current number of users
logged in to the system and the maximum number of users allowed.
· To show only the current number of users logged in to the system and the maximum
number of users allowed, use the following command:
[root@deep /]# ftpcount
Service class openarch - 1 users ( 20 maximum)
Securing FTP
The ftpusers file
It's important to ensure that you have set up a file /etc/ftpusers, which specifies those users that
are NOT allowed to connect to your FTP server. This should include, as a MINIMUM, the
following entries: root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator,
games, nobody and ALL default vendor-supplied accounts present in your /etc/passwd file.
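As an added check (not from the book), the script below audits an ftpusers file against a passwd file and lists every account from the minimum set above, plus every system account found in passwd, that is still missing from ftpusers. The UID-below-500 cutoff used to recognise system accounts is an assumption, and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: report accounts that should be denied
# FTP access (per /etc/ftpusers) but are not listed yet.

# The book's minimum list of accounts that must appear in /etc/ftpusers.
REQUIRED="root bin daemon adm lp sync shutdown halt mail news uucp operator games nobody"

# missing_from_ftpusers FTPUSERS_FILE PASSWD_FILE
# Prints, one per line and sorted, each required account and each system
# account from PASSWD_FILE that has no exact-match line in FTPUSERS_FILE.
# Prints nothing when the ftpusers file is complete.
missing_from_ftpusers() {
    ftpusers="$1"
    passwd="$2"
    # Assumption: vendor/system accounts have a UID below 500 (Red Hat of
    # that era); adjust the cutoff for your distribution.
    sysaccounts=$(awk -F: '$3 < 500 { print $1 }' "$passwd")
    for u in $REQUIRED $sysaccounts; do
        if ! grep -qx "$u" "$ftpusers"; then
            echo "$u"
        fi
    done | sort -u
}

# Constructed sample files so the check can be run offline.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/home/ftp:/sbin/nologin
ftpadmin:x:501:501::/home/ftpadmin:/bin/bash
EOF
cat > "$tmp/ftpusers" <<'EOF'
root
bin
EOF
# Lists daemon, ftp and the remaining required accounts; ftpadmin (UID 501)
# is a normal user and is not flagged.
missing_from_ftpusers "$tmp/ftpusers" "$tmp/passwd"
rm -rf "$tmp"
```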
The anonymous FTP program
To disable anonymous FTP, remove the anonymous user ftp from your password file and verify
that the anonftp-version.i386.rpm package is not installed on your system.
· To remove the user ftp from your password file, use the following command:
[root@deep /]# userdel ftp
· To verify that the anonymous FTP RPM package is not installed on your Linux
system, use the following command:
[root@deep /]# rpm -q anonftp
package anonftp is not installed
The upload command
By default, the Wu-ftpd server will grant upload privileges to all users. The upload parameter
allows remote clients to place files on the FTP server. For optimal security, we don't want
users to be able to upload into the bin, etc, dev, and lib subdirectories of the /home/ftp
directory. In our /etc/ftpaccess file we have already chrooted users to /home/ftp, so they cannot
access any area of the filesystem outside that directory structure, but in case something happens
to the permissions on them, you should deny upload privileges in your /etc/ftpaccess file into
these areas (/home/ftp, /home/ftp/bin, /home/ftp/etc, /home/ftp/dev, and /home/ftp/lib).
Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines to deny upload privileges into
these areas.
# We don't want users being able to upload into these areas.
upload /home/ftp/* / no
upload /home/ftp/* /etc no
upload /home/ftp/* /dev no
# The next two lines are required only if you are not using the --enable-ls option.
upload /home/ftp/* /bin no
upload /home/ftp/* /lib no