How to set up security - ftp users seem to be able to read too much
I need to set up my server to allow ftp access from the net. I set up a user, but this seemed to allow the user into way too many directories, so I created a new group, ftp_adsl, and moved the user to this. I then changed the /home directory to only be readable by user and group. This was a little better, as now the user couldn't go into other users' folders. However, the user can still read all the contents of directories like /etc. Is there a standard way to add users and set them up with minimal permissions? I had thought that YaST would set the permissions to be secure enough. dids
* dids (richard@diddyland.com) [011125 07:56]:
However the user can still read all the contents of directories like /etc
Is there a standard way to add users and set them up with minimal permissions? I had thought that YaST would set the permissions to be secure enough.
It depends whether you only want to allow anonymous ftp or access for real users to their directories. Anonymous access is what you have on ftp.suse.com and pretty much every other ftp server in the world; anyone can get access to a chroot'ed filesystem. Both the wuftpd and proftpd packages have a basic anonymous setup already, just read the docs in /usr/share/doc/packages to find out how to use it. Allowing ftp access for real users is a very bad idea since all authentication is done in clear text; better to use scp or sftp. If you must do it, use an ftpd that chroots users into their home directories. vsftpd and proftpd allow this, wuftpd 2.4 doesn't (not sure about 2.6 but you probably don't want to use that one anyway). -- -ckm
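The two fixes the reply points at, tightened home-directory permissions and an ftpd that chroots each local user into $HOME, as an added example (this is not code from the thread or from any SuSE package). It assumes a POSIX sh with ls(1), chmod(1) and mktemp(1), and the hypothetical output path passed to write_vsftpd_conf is only so that nothing under /etc is touched by running it; the vsftpd option names are the real ones (anonymous_enable, local_enable, write_enable, chroot_local_user).

```shell
#!/bin/sh
# Added example (not from the thread): make /home entries unreadable to
# "other" so an ftp user cannot browse other users' directories, and emit a
# vsftpd.conf that confines local users to their home directory. A chroot
# is what actually keeps /etc out of reach; the chmod only handles /home.
# Usage (as root): . ./ftp-lockdown.sh; lock_down_homes /home;
#                  write_vsftpd_conf /etc/vsftpd.conf   (path is an assumption)

# other_perms PATH -> prints the "other" permission triplet, e.g. "r-x" or "---"
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# world_readable PATH -> exit status 0 if anyone at all can read or traverse PATH
world_readable() {
    case "$(other_perms "$1")" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# lock_down_homes HOMEROOT -> strip every "other" permission bit from HOMEROOT
# and from each directory directly under it (0755 becomes 0750).
# Prints the number of directories that were changed.
lock_down_homes() {
    root=$1
    changed=0
    for d in "$root" "$root"/*/; do
        d=${d%/}                      # drop the trailing slash the glob adds
        [ -d "$d" ] || continue       # skips the literal pattern when no subdirs
        if world_readable "$d"; then
            chmod o-rwx "$d"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# write_vsftpd_conf FILE -> writes a minimal vsftpd.conf: no anonymous logins,
# local users allowed, read-only, and each local user chrooted into $HOME.
# The commented-out line is the setting that lets users wander the filesystem.
write_vsftpd_conf() {
    cat > "$1" <<'EOF'
# Weak: local users see the whole filesystem (this is vsftpd's default)
#chroot_local_user=NO

# Hardened
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
EOF
}
```

The chroot stops the "I can read /etc" problem because the daemon calls chroot(2) into the user's home before serving files; it does nothing about the cleartext password on the wire, which is why the reply still recommends scp or sftp for real accounts.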
On Sunday 25 November 2001 9:18 pm, Christopher Mahmood wrote:
* dids (richard@diddyland.com) [011125 07:56]:
However the user can still read all the contents of directories like /etc
Is there a standard way to add users and set them up with minimal permissions? I had thought that YaST would set the permissions to be secure enough.
It depends whether you only want to allow anonymous ftp or access for real users to their directories. Anonymous access is what you have on ftp.suse.com and pretty much every other ftp server in the world; anyone can get access to a chroot'ed filesystem. Both the wuftpd and proftpd packages have a basic anonymous setup already, just read the docs in /usr/share/doc/packages to find out how to use it.
Allowing ftp access for real users is a very bad idea since all authentication is done in clear text; better to use scp or sftp. If you must do it, use an ftpd that chroots users into their home directories. vsftpd and proftpd allow this, wuftpd 2.4 doesn't (not sure about 2.6 but you probably don't want to use that one anyway).
Thanks. What is the ftp server running by default on Suse? dids
Ah, looks like the BSD one. OK, I'll change to proftp or wuftp. Regards, dids
* dids (richard@diddyland.com) [011125 13:24]:
what is the ftp server running by default on Suse?
There isn't one running by default b/c it's such a security risk, but we use wuftpd 2.4 on our servers b/c it was audited by our security team, and both the 2.4 and 2.6 daemons are included in the wuftpd package. Also, take a look at http://freshmeat.net/projects/vsftpd/ We don't have a package for it yet but we may soon. -- -ckm
* Christopher Mahmood
http://freshmeat.net/projects/vsftpd/ We don't have a package for it yet but we may soon.
People who are interested should keep an eye on ftp.suse.com/pub/people/mmj As soon as they propagate, there will be vsftpd-1.0.0 packages for 7.1, 7.2 and 7.3 there. -- Mads Martin Joergensen, http://mmj.dk "Why make things difficult, when it is possible to make them cryptic and totally illogic, with just a little bit more effort." -- A. P. J.
On Sunday 25 November 2001 22:18, Christopher Mahmood wrote:
directories. vsftpd and proftpd allow this, wuftpd 2.4 doesn't (not sure about 2.6 but you probably don't want to use that one anyway).
Erm, why not? I've been running 2.6 for a while now. I was told that suse's security team had a) applied all known security patches, and b) performed a security audit on the source. Is there something I should know about? //Anders
On Sunday 25 November 2001 22:32, Anders Johansson wrote:
On Sunday 25 November 2001 22:18, Christopher Mahmood wrote:
directories. vsftpd and proftpd allow this, wuftpd 2.4 doesn't (not sure about 2.6 but you probably don't want to use that one anyway).
Erm, why not? I've been running 2.6 for a while now. I was told that suse's security team had a) applied all known security patches, and b) performed a security audit on the source. Is there something I should know about?
//Anders
Actually, forget I said anything. The rpm is 2.6 but it advertises itself as Version wu-2.4.2-academ[BETA-18](1) just like ftp.suse.com. Poorly named rpm, or is there something else behind this?
* Anders Johansson (andjoh@cicada.linux-site.net) [011125 14:03]:
On Sunday 25 November 2001 22:32, Anders Johansson wrote:
Actually, forget I said anything. The rpm is 2.6 but it advertises itself as Version wu-2.4.2-academ[BETA-18](1) just like ftp.suse.com. Poorly named rpm, or is there something else behind this?
The package contains both 2.6 and 2.4: /usr/sbin/wu.ftpd and /usr/sbin/wu.ftpd-2.6. 2.6 has some nice features that 2.4 doesn't, but 2.4 is probably safer. -- -ckm
* Anders Johansson (andjoh@cicada.linux-site.net) [011125 13:32]:
On Sunday 25 November 2001 22:18, Christopher Mahmood wrote:
directories. vsftpd and proftpd allow this, wuftpd 2.4 doesn't (not sure about 2.6 but you probably don't want to use that one anyway).
Erm, why not? I've been running 2.6 for a while now. I was told that suse's security team had a) applied all known security patches, and b) performed a security audit on the source. Is there something I should know about?
2.4 was audited; the audit of 2.6 isn't finished yet. But yes, 2.6 has all known patches applied, but considering wuftpd's history (or proftpd's for that matter), that doesn't buy much. As I recommended to the original poster, check out vsftpd. Chris Evans has the right idea--built-in commands, no ASCII mode transfer, etc. And it's tiny (mine is 53688 stripped) compared to wuftpd or proftpd. -- -ckm