ftp lockdown

frznchckn · 05-15-2009, 03:40 PM

The SA shall configure the FTPd service to disallow read access whenever write permissions are required for anonymous FTP folders.

1) How can I tell if my box is running / providing the FTPd service?

2) How can I prevent anonymous FTP?

3) How can I prevent FTP and force SFTP?

3) if I wanted to, how can I prevent any (S)FTP from happening?

rayfordj · 05-15-2009, 07:51 PM

Any particular distro and/or ftp daemon?

assuming vsftpd:
1) /etc/rc.d/init.d/vsftpd status
2) modify /etc/vsftpd/vsftpd.conf and disable anonymous logins
-- reference inline documentation or man vsftpd.conf
3) SFTP is SSH-FTP; it uses the SSH with an ftp-style subsystem
-- FTPS (TLS/SSL FTP) can be configured and forced in vsftpd.conf
-- -- reference inline documentation or man vsftpd.conf
4) disable/restrict SSH access or disable the sftp-subsystem

frznchckn · 05-16-2009, 05:55 PM

The box is running Red Hat 5 I believe. It's a relatively new system, I'm the only one that uses it, and I know I have no setup / turned on FTP. Also I did not see /etc/rc.d/init.d/vsftpd, so I don't think it gets started by default?

rayfordj · 05-16-2009, 06:35 PM

it may or may not be installed. likely not installed if no vsftpd.conf.
you should be able to install it with:

Code:

yum install vsftpd

that should also give you the vsftpd service, since i now know RHEL5 is distro you can easily use chkconfig and service commands to start it and configure it to start on boot

Code:

service vsftpd status
service vsftpd start
chkconfig --list vsftpd
chkconfig vsftpd on

after configuring it to your requirements first... of course

frznchckn · 05-16-2009, 06:43 PM

I think I'll go with keeping it not installed. All of our file interactions are done using scp, I just had to verify that anon ftp couldn't happen. Which it can't if it's not installed!

thanks!

cloud9repo · 05-17-2009, 10:24 AM

Quote:

Originally Posted by frznchckn

The SA shall configure the FTPd service to disallow read access whenever write permissions are required for anonymous FTP folders.

1) How can I tell if my box is running / providing the FTPd service?

2) How can I prevent anonymous FTP?

3) How can I prevent FTP and force SFTP?

3) if I wanted to, how can I prevent any (S)FTP from happening?

Encryption and passwords seem most effective. Hack the daemon a bit, so you've got your costume.

Customize with a bit a fake access. Then, if all else fails, use another approach all together.

DO NOT disclose personal info to anyone, no matter how NICE they seem...