Chapter 5. Server Security
5.6.3.1. Anonymous Upload
If you want to allow anonymous users to upload, it is recommended you create a write-only directory within /var/ftp/pub/.
To do this, type:
mkdir /var/ftp/pub/upload
Next change the permissions so that anonymous users cannot see what is within the directory by
typing:
chmod 733 /var/ftp/pub/upload
A long format listing of the directory should look like this:
drwx-wx-wx 2 root ftp 4096 Aug 20 18:26 upload
Warning
Administrators who allow anonymous users to read and write in directories often find that their servers
become a repository of stolen software.
5.6.4. User Accounts
Because FTP passes unencrypted usernames and passwords over insecure networks for authentication,
it is a good idea to deny system users access to the server from their user accounts.
To disable user accounts in wu-ftpd, add the following directive to /etc/ftpusers:
deny-uid *
To disable user accounts in vsftpd, add the following directive to /etc/vsftpd.conf:
local_enable=NO
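The following script is an added example, not part of the original guide. It checks the two settings described above: that the upload directory is write-only for group and other (mode 733), and that a vsftpd configuration file sets local_enable=NO. The function names, and passing the paths as arguments, are choices made for this example.

```shell
#!/bin/sh
# Added audit example. Paths are arguments so the checks can be tried on
# test copies before pointing them at /var/ftp/pub/upload and the live config.

# upload_dir_ok DIR: succeed only if group and other have write and
# search permission on DIR but no read permission (drwx-wx-wx, mode 733).
upload_dir_ok() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 2; }
    # First 10 characters of the long listing; drops any ACL/SELinux marker.
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d???-wx-wx) return 0 ;;
        d???r?????|d??????r??)
            echo "$1 can be listed by group or other ($mode)" >&2
            return 1 ;;
        *)
            echo "$1 has unexpected mode $mode" >&2
            return 1 ;;
    esac
}

# local_logins_disabled CONF: succeed only if CONF contains at least one
# uncommented local_enable= line and every such line is exactly NO.
# An unset option is reported as a failure so the setting stays explicit.
local_logins_disabled() {
    [ -r "$1" ] || { echo "unreadable file: $1" >&2; return 2; }
    vals=$(sed -n 's/^local_enable=//p' "$1" | sort -u)
    [ "$vals" = "NO" ] && return 0
    echo "$1: local_enable is '${vals:-unset}', expected NO" >&2
    return 1
}

# audit_ftp DIR CONF: run both checks and report a combined result.
audit_ftp() {
    rc=0
    upload_dir_ok "$1" || rc=1
    local_logins_disabled "$2" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: $1 is write-only, local logins disabled"
    return "$rc"
}

# Usage: sh audit.sh /var/ftp/pub/upload /etc/vsftpd.conf
if [ "$#" -eq 2 ]; then
    audit_ftp "$1" "$2"
fi
```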
5.6.4.1. Restricting User Accounts
The easiest way to disable a specific group of accounts, such as the root user and those with sudo
privileges, from accessing the FTP server is to use a PAM list file as described in Section 4.4.2.4. The
PAM configuration file for wu-ftpd is /etc/pam.d/ftp. The PAM configuration file for vsftpd is
/etc/pam.d/vsftpd.
It is also possible to perform this test within each service directly.
To disable specific user accounts in wu-ftpd, add the username to /etc/ftpusers.
To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers.