LinuxQuestions.org
Old 09-27-2006, 04:13 AM   #1
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Rep: Reputation: 15
How about security on FTP?


Hello guys,
I am using SUSE 10.1 and I am running vsftpd.

I want to ask how can I improve my security?

Now I am using the default firewall for the external zone and I opened ports 20 and 21.

Do I need to enable the passive mode?

Do I need some extra firewall software, or to change some properties?

What about sftp? Is it different from vsftpd?


Thanks in advance!!
 
Old 09-27-2006, 04:31 AM   #2
lostinvietnam
LQ Newbie
 
Registered: Sep 2006
Posts: 12

Rep: Reputation: 0
move to ssh

Most folks here will suggest that you move to ssh and use scp/sftp or winscp to move files securely between systems. It's generally not a good idea to use protocols which authenticate and perform file transfers in clear text. There are some steps you can take if you must use ftp.

1. Use tcp wrappers in inetd and edit hosts.allow/hosts.deny
2. Maintain your /etc/ftpusers file
3. Keep your vsftpd service patched and up to date.
 
Old 09-27-2006, 04:41 AM   #3
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
Quote:
Originally Posted by lostinvietnam
Most folks here will suggest that you move to ssh and use scp/sftp or winscp to move files securely between systems. It's generally not a good idea to use protocols which authenticate and perform file transfers in clear text. There are some steps you can take if you must use ftp.

1. Use tcp wrappers in inetd and edit hosts.allow/hosts.deny
2. Maintain your /etc/ftpusers file
3. Keep your vsftpd service patched and up to date.

yup - I would suggest using sftp - depending on how many users you need to satisfy with a file transfer possibility.
if it is you alone or one other or less than 10 - use sftp.
if security is important forget ftp. only use encrypted authentication.
 
Old 09-27-2006, 07:41 AM   #4
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Original Poster
Rep: Reputation: 15
Thank you guys for your replies, I appreciate it very much.

About the passive mode. What is the need of that? Is this for security reasons?
 
Old 09-28-2006, 06:34 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Rep: Reputation: 282
You can set up vsftp to use ssl. Last time I looked at sftp (in ssh) it seemed to be a mission to jail the user to his homedir. This might have changed.

Below is part of the notes that I made

Quote:
1 Securing FTP (vsftpd)

The SSH daemon can include Secure FTP. The disadvantage is that ftp users have access to the full file system by default. Modification and configuration to prevent this is possible, but it is more difficult to set this up than the use of the VSFTPD daemon.
VSFTPD is chosen as it supports SSL.

The following information comes mostly from http://www.brennan.id.au/14-FTP_Server.html#secure

1.1 Check if compiled with ssl support

The first thing to do is to check if the version of vsftpd that is installed on the server is compiled with SSL support.

root@btd-techweb01:/etc# ldd /usr/sbin/vsftpd
libnsl.so.1 => /lib/libnsl.so.1 (0x40023000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40039000)
libdl.so.2 => /lib/libdl.so.2 (0x40068000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4006c000)
libutil.so.1 => /lib/libutil.so.1 (0x4007f000)
libssl.so.0 => /usr/lib/libssl.so.0 (0x40083000)
libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x400b4000)
libc.so.6 => /lib/libc.so.6 (0x401b3000)
/lib/ld-linux.so.2 (0x40000000)

If a line containing ‘libssl’ occurs, it is.

1.2 Create key and certificate

Similar to https, a key and a certificate need to be generated as shown below.

root@btd-techweb01:/etc/ssl# openssl req -x509 -nodes -days 30 \
-newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem \
-out /etc/ssl/certs/vsftpd.pem
Generating a 1024 bit RSA private key
........................................++++++
.++++++
writing new private key to '/etc/ssl/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:mytown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany
Organizational Unit Name (eg, section) []:mydepartment
Common Name (eg, YOUR name) []:btd-techweb01
Email Address []:me@here.there


1.3 Configure vsftpd

To configure vsftpd for use with SSL, add the following lines to /etc/vsftpd.conf.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

Further configuration is required to limit the user access to his/her home-directory and to limit the users with ftp-access.

#jail the users to their home directory
chroot_local_user=YES

#limit users
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
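
One way to check the result of steps 1.2 and 1.3 in the notes above before restarting vsftpd, as an added example that is not part of the original post or of vsftpd itself. The function names (pem_check, conf_get, conf_is, conf_lint) and the script name are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the files that
# steps 1.2 and 1.3 of the notes produce. All function names are made up here.

# pem_check FILE -> "ok", or the PEM blocks missing from FILE. The notes put
# key and certificate into one file, so rsa_cert_file needs both.
pem_check() {
    missing=""
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null ||
        missing="certificate"
    grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null ||
        missing="${missing:+$missing,}private-key"
    echo "${missing:-ok}"
}

# conf_get FILE OPTION -> value of the last active OPTION=value line.
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# conf_is FILE OPTION VALUE -> true if OPTION is set to VALUE (any case).
conf_is() { [ "$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')" = "$3" ]; }

# conf_lint FILE -> one finding per line; no output means nothing found.
conf_lint() {
    # vsftpd.conf(5) allows no space around "=" and documents every option
    # name in lowercase, so flag lines that deviate from either.
    grep -n -E '^[^#=]*[[:space:]]=|^[^#=]*=[[:space:]]' "$1" |
        sed 's/^\([0-9]*\):.*/line \1: space next to "="/'
    grep -n -E '^[^#=]*[[:upper:]][^#=]*=' "$1" |
        sed 's/^\([0-9]*\):.*/line \1: option name is not lowercase/'
    conf_is "$1" ssl_enable YES || echo "ssl_enable is not YES"
    # These two default to YES; only an explicit NO weakens them.
    ! conf_is "$1" force_local_logins_ssl NO ||
        echo "force_local_logins_ssl=NO: passwords may be sent in clear text"
    ! conf_is "$1" force_local_data_ssl NO ||
        echo "force_local_data_ssl=NO: file data may be sent in clear text"
    for proto in ssl_sslv2 ssl_sslv3; do
        ! conf_is "$1" "$proto" YES || echo "$proto is enabled"
    done
    cert=$(conf_get "$1" rsa_cert_file)
    state=$(pem_check "$cert")
    [ "$state" = ok ] || echo "rsa_cert_file '$cert' lacks: $state"
    return 0
}

# Usage: sh vsftpd_check.sh /etc/vsftpd.conf
if [ -n "${1:-}" ]; then conf_lint "$1"; fi
```

Run against the settings from step 1.3 with a PEM file that holds both blocks, the only finding is the force_local_data_ssl=NO line.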
 
Old 09-29-2006, 09:21 AM   #6
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Original Poster
Rep: Reputation: 15
Thank you very much!
Very nice and helpful post!!
 
Old 09-30-2006, 06:18 AM   #7
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Original Poster
Rep: Reputation: 15
Ok, I made the setting but I can't connect to the server now.
I use Cute FTP Pro 8 client and here is the error:

STATUS:> [30/9/2006 12:17:01 μμ] Getting listing ""...
STATUS:> [30/9/2006 12:17:01 μμ] Connecting to FTP server... 192.168.1.3:21 (ip = 192.168.1.3)...
STATUS:> [30/9/2006 12:17:01 μμ] Socket connected. Waiting for welcome message...
ERROR:> [30/9/2006 12:17:02 μμ] Can't read from control socket. Socket error = #10054.
STATUS:> [30/9/2006 12:17:02 μμ] Time zone synchronization
COMMAND:> [30/9/2006 12:17:02 μμ] CWD /
ERROR:> [30/9/2006 12:17:02 μμ] Can't write to control socket. Socket error = #2000.
NOTE:> [30/9/2006 12:17:02 μμ] Time zone synchronization failed.


Also, another problem that I have is that when I start vsftpd the status is failed.

Starting vsftpd startproc: exit status of parent of /usr/sbin/vsftpd: 1 failed


Why??
Please help me.

What do I need to do to be able to connect?

Last edited by georgiozoze; 09-30-2006 at 06:24 AM.
 
Old 10-02-2006, 12:18 AM   #8
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Rep: Reputation: 282
It's obvious that you can not connect when vsftpd is not running. Can you post your vsftp.conf so we can have a look at it?

Is CuteFTP configured correctly to handle the encryption? I use Filezilla; there are two configuration options that I can use, both involving explicit encryption:
ftp over ssl
ftp over tls
 
Old 10-03-2006, 12:14 PM   #9
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
hey why don't u use OpenSSH -> SecureFTP

here is my success story on Sftp chrooted

http://www.linuxquestions.org/questi...d.php?t=488493
 
Old 10-03-2006, 02:29 PM   #10
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Original Poster
Rep: Reputation: 15
The vsftpd.conf :


# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.

# General Settings
#
# Uncomment this to enable any form of FTP write command.
#
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#
#nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
#
ftpd_banner=" Have FUN !!! "

#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#
#deny_email_enable=YES
#
# (default follows)
#
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#
#hide_ids=YES

# Local FTP user Settings
#
# Uncomment this to allow local users to log in.
#
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
local_umask=022
#
# Uncomment to put local users in a chroot() jail in their home directory
# after login.
#
chroot_local_user=YES

#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#
#chroot_list_enable=YES
#
# (default follows)
#
#chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#
#local_max_rate=7200


# Anonymus FTP user Settings
#
# Allow anonymous FTP?
#
anonymous_enable=NO
#
# Anonymous users will only be allowed to download files which are
# world readable.
#
#anon_world_readable_only=YES
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#
#anon_upload_enable=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
#anon_umask=022
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#
#chown_uploads=YES
#chown_username=whoever
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#
#anon_max_rate=7200


# Log Settings
#
# Log to the syslog daemon instead of using an logfile.
#
syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
#
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note: This disables the normal logging unless you enable dual_log_enable below.
#
xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
xferlog_file=/var/log/xferlog
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#
dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#
#setproctitle_enable=YES

# Transfer Settings
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#
pasv_enable=NO
# PAM setting. Do NOT change this unless you know what you do!
#
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
# Set listen=YES if you want vsftpd to run standalone
Listen=YES

# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=YES
allow_anon_ssl=No
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
 
Old 10-03-2006, 11:21 PM   #11
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Rep: Reputation: 282
Don't see much wrong there. The only thing I notice is that you use pam; I'm not familiar with it and don't know how it influences vsftp login.

Anything in the log file(s)?
 
Old 10-05-2006, 05:35 PM   #12
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Original Poster
Rep: Reputation: 15
SORRY FOR THE LATE, I WAS BUSY.

sO, I DIDN'T SEE SOMETHING IN THE LOG. ALL LOOKS FINE.

I THINK THAT THE PROBLEM EXISTED WHEN I RUN THE COMMAND: openssl req -x509 -nodes -days 30 \
-newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem -out \ /etc/ssl/certs/vsftpd.pem


SOMETHING WITH vsftpd.pem i believe.
 
Old 10-06-2006, 03:37 AM   #13
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
No Need To Shout
 
Old 10-06-2006, 04:43 AM   #14
georgiozoze
Member
 
Registered: Oct 2003
Posts: 35

Original Poster
Rep: Reputation: 15
Sorry, but what do you mean?
 
Old 10-06-2006, 06:51 AM   #15
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Rep: Reputation: 282
Come Nathanael, you can see that he had caps-lock on by accident (small s, capital O at beginning of sentence).

georgiozoze:
Shouting is when you write everything in capitals.

Did you get error messages while creating your certificate?
 
  

