(RHCA)Red Hat Enterprise Linux RHS333: Red Hat Enterprise Security: Network Services

Unit 10

FTP

Objectives

Upon completion of this unit, you should be able to:
  • Available FTP servers
  • Limiting exposed server information
  • Configuration of logging
  • Types of users and user classes
  • Restricting access by host or user

Vulnerabilities

  • Weak authentication
  • Easily hijacked sessions
  • Plain text passwords and data transfers

Resolutions

  • Only use ftp when other options are not feasible. Consider sftp or scp.
  • Restrict uploads for anonymous users.
  • Restrict local users to home directories.
  • Hide the server's version and other sensitive service information.

The FTP Protocol

  • Two channels, command and data
  • Client contacts server on port 21 to open command channel
  • PORT: Server opens data channel to client
    • Server connects from port 20 to client's port
  • PASV: Client opens data channel to server
    • Server specifies which port
    • Works better through some firewalls

FTP Servers

  • vsftpd
    • “Very Secure” and fast FTP server
  • Some alternatives are also shipped
    • gssftp (in krb5-workstation)
    • tux

Service Profile: vsftpd

  • Type: System V-launched daemon
  • Packages: vsftpd
  • Daemons: vsftpd
  • Ports: 21/tcp (ftp), 20/tcp (ftp-data)
  • Configuration: /etc/vsftpd/vsftpd.conf, /etc/vsftpd/ftpusers, /etc/pam.d/vsftpd
  • Conflicts: Kerberos ftpd (gssftp)
  • Related: ip_conntrack_ftp

Login Banners

  • Banner provides information before login
  • Set security warning banners
    • banner_file=filename
  • Suppress server and version information
    • ftpd_banner=FTP server ready.
    • banner_file overrides this option

Informational Capabilities

  • Display file when client enters directory
    • message_file=.message
    • dirmessage_enable=YES

Logging Capabilities

  • To log all uploads and downloads:
    • xferlog_enable=YES
  • To log all FTP commands:
    • log_ftp_protocol=YES
    • xferlog_std_format=NO

Local Users

  • Users with local accounts may log in using their username and password
  • Local users start in their home directory
    • By default, does not chroot users
    • chroot_local_user=YES
  • Have read-write access by default

User/Group Access Control

  • Can control access by user with a file
    • /etc/vsftpd/ftpusers
  • Can also set up access control by group
    • Use pam_listfile.so with item=group

Anonymous FTP

  • Anonymous users can log in by default
    • vsftpd sets up the /var/ftp directory
    • Can log in as user anonymous or as ftp
  • Chroots to /var/ftp
  • Has read-only access by default

Anonymous FTP Uploading

  • Uploading of files by anonymous user should be carefully controlled
  • Set permissions and umask to only allow uploads to the upload directory
  • Disable use of sensitive commands
  • Examine files before allowing others to download

Connection Restrictions

  • max_clients limits the number of clients that may be connected
  • max_per_ip limits the number of clients that may be connected from one IP address

Host Access Restrictions

  • Block access from certain IP addresses
  • Using TCP Wrappers
    • vsftpd matches the daemon name vsftpd in the first field of hosts.allow/hosts.deny
    • Use the twist option to display a message file

Other Useful Options

  • hide_ids tells the client that all files are owned by user ftp, group ftp
  • Limits can be placed on transfer rate
    • anon_max_rate
    • local_max_rate
  • user_config_dir allows per-user configuration settings
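The options covered in the Login Banners, Logging, Local Users, Anonymous FTP Uploading and Connection Restrictions sections can be checked mechanically. The audit below is an added example, not part of the course material or of vsftpd itself: it parses a vsftpd.conf, applies the vsftpd.conf(5) defaults for options that are absent, and reports every setting that differs from what this unit recommends. The sample configuration is constructed for illustration.

```python
import re

# (vsftpd.conf(5) default, value this unit recommends) for each audited option.
OPTIONS = {
    "anon_upload_enable": ("NO", "NO"),        # anonymous uploads off
    "anon_mkdir_write_enable": ("NO", "NO"),   # anonymous mkdir off
    "chroot_local_user": ("NO", "YES"),        # jail local users in $HOME
    "xferlog_enable": ("NO", "YES"),           # log uploads/downloads
    "log_ftp_protocol": ("NO", "YES"),         # log every FTP command...
    "xferlog_std_format": ("NO", "NO"),        # ...which needs the vsftpd log format
}

def parse_vsftpd_conf(text):
    """Parse 'option=value' lines; '#' comment lines and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return findings as (option, effective value, recommended value) tuples."""
    findings = []
    for opt, (default, want) in OPTIONS.items():
        have = settings.get(opt, default)
        if have.upper() != want:
            findings.append((opt, have, want))
    # banner_file overrides ftpd_banner; otherwise ftpd_banner must hide software/version.
    if "banner_file" not in settings:
        banner = settings.get("ftpd_banner", "")
        if not banner or re.search(r"vsftpd|\d+\.\d+", banner, re.I):
            findings.append(("ftpd_banner", banner or "(unset)", "FTP server ready."))
    for opt in ("max_clients", "max_per_ip"):   # 0 (the default) means unlimited
        if settings.get(opt, "0") == "0":
            findings.append((opt, "0", "a positive limit"))
    return findings

# Constructed sample: a permissive config of the kind left after a quick install.
WEAK_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
xferlog_enable=YES
ftpd_banner=Welcome to vsftpd 2.0.5
"""

for opt, have, want in audit(parse_vsftpd_conf(WEAK_CONF)):
    print(f"{opt}: is {have!r}, recommended {want!r}")
```

Options the unit handles outside vsftpd.conf (ftpusers, pam_listfile, TCP Wrappers) are not covered by this check.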

End of Unit 10

  • Questions and Answers
  • Summary
    • Overview of operation
    • Restricting information
    • Restricting users
    • Restricting access
