FTP servers are a common way of sharing files between individuals with or without authentication. FTP is superior to HTTP (web) if the goal is to transfer files, not display information. Since HTTP can also be used to transfer files, FTP has become slightly more old-fashioned.

Security for an FTP server is relatively straightforward and the same principles apply for all platforms:

- Do not enable anonymous access unless you need unauthenticated access to your files. An FTP server with anonymous access enabled will allow users in any part of the globe to browse and download the files on your server.
- Your FTP server should serve files from a specific directory on the system where you will place files you wish to be available. You should not allow the root directory (/) or entire disks to be shared (unless the entire disk is a single partition containing only shared information).
- If you need to allow anonymous access, allow only anonymous downloads. You must make sure that unauthenticated users cannot put files into any directories on the FTP server, otherwise your server will be abused.
- If you must allow anonymous uploads, follow the special directions for creating an anonymous upload area. An anonymous upload area will not permit anonymous downloads from the same directory, which prevents the site from being abused. This is the least desirable configuration and should be avoided.
- For Unix and Linux systems, you should monitor your ftp area for signs of abuse. We have provided a script to help do that below, and you can also use Baseline to watch over your ftp area.

We have provided directions for configuring both generic UNIX or Linux FTP servers and Microsoft’s Internet Information Server (IIS) below.

Anonymous ftp activity in Unix and Linux is enabled by adding the user “ftp” to the password file (locally or in the NIS password file).

Section I: Disabling anonymous ftp access altogether.

Disabling anonymous ftp access altogether is as simple as removing this entry. Note that departments with anonymous ftp access set up on a specific system should take care to ensure that the ftp account is not in the NIS password file, as that will enable it on all the systems in the NIS domain.

Section II: Limiting the anonymous user to downloading only.

The key to disallowing uploads by the anonymous user is disabling write access for that user. Generally, write access is granted in one of two ways:

- Directories are created with world write permissions.
- Directories are owned by the anonymous user (ftp).

If either condition is true, the ftp area can be abused. To correct this problem, you can do the following as root:

# cd ~ftp
\( -user ftp -a -type d \) -exec /bin/chown 0 \ \)

In cases where the anonymous user must be able to upload files, we strongly suggest you select one directory, such as /pub/incoming, for uploads. You should set this directory up with mode 733, owned by root (not ftp). Mode 733 is read-writable by the owner, root, and writeable but not readable by group members and others. This allows the anonymous user to write into the incoming directory but not to change it. Note that any files or directories inside /pub/incoming should not be readable by the anonymous ftp user. To ensure that there are no readable files in this directory, run:

# /bin/chmod -R u-r.

In some cases, you may want to configure your setup slightly differently to suit your needs. The key component here is that while the anonymous user can write to the directory, they cannot read from it. You should also note that if you need to share data that is being uploaded, you will have to move it from the /pub/incoming directory to a readable area for your users.

Because the anonymous user cannot read from it, the directory is useless as a trading site, which keeps it from being abused. One common way to get around this administrative workload is to define a group such as “ftpadmin” in /etc/group that contains users who you want to be able to retrieve data from this directory. You can then set the directory to mode 773 with group “ftpadmin”. Your users will now be able to retrieve data from this directory. You will still have to periodically clean it out. It is imperative, however, that the user “ftp” not be put into the “ftpadmin” group and that the permissions are constantly monitored on this directory to make sure world-read is not enabled.

There is a script available via AFS or anonymous ftp that will provide monitoring of the ftp server and reporting to root. You should consider using a script such as this from your system’s crontab to ensure that the configuration you’ve established remains unchanged.

Download a copy of the ftpchk shell script. The script will require some modification to fit the configuration of the local system.
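
The permission rules this guide asks you to keep monitoring (no world-writable or ftp-owned directories, an upload directory at mode 733 or 773 with nothing readable inside, and “ftp” kept out of “ftpadmin”) can be checked with a short script. This is an added example, not the ftpchk script; the function name, the finding labels and the pub/incoming location under the FTP root are assumptions.

```shell
#!/bin/sh
# Added example (not the ftpchk script): audit an anonymous FTP tree.
# Assumes the upload area is <root>/pub/incoming. Prints one finding per
# line; no output means the tree passed every check.

audit_ftp_area() {
    root=$1; ftp_user=${2:-ftp}; admin_group=${3:-ftpadmin}
    incoming=$root/pub/incoming

    # Write access is granted by world-writable directories or by
    # directories owned by the anonymous user.
    find "$root" -type d -perm -0002 ! -path "$incoming" 2>/dev/null |
        sed 's/^/WORLD-WRITABLE DIR: /'
    find "$root" -type d -user "$ftp_user" 2>/dev/null |
        sed 's/^/DIR OWNED BY ANONYMOUS USER: /'

    if [ -d "$incoming" ]; then
        # Upload directory: mode 733, or 773 in the ftpadmin-group variant.
        [ -n "$(find "$incoming" -prune \( -perm 733 -o -perm 773 \))" ] ||
            echo "BAD MODE ON UPLOAD DIR: $incoming"
        # Nothing inside may be world-readable.
        find "$incoming" ! -path "$incoming" -perm -0004 2>/dev/null |
            sed 's/^/WORLD-READABLE UPLOAD: /'
        # Assumption: uploads are owned by the anonymous user, so
        # owner-read on those files also lets that user read them back.
        find "$incoming" ! -path "$incoming" -user "$ftp_user" \
            -perm -0400 ! -perm -0004 2>/dev/null |
            sed 's/^/OWNER-READABLE UPLOAD: /'
    fi

    # The anonymous user must never be a member of the retrieval group.
    if id -Gn "$ftp_user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$admin_group"
    then echo "ANONYMOUS USER IN GROUP: $admin_group"; fi
    return 0
}

# Run against a real tree when a path is given, e.g. from root's crontab.
if [ $# -gt 0 ]; then audit_ftp_area "$@"; fi
```

Run from root's crontab with the FTP home directory as its argument, the script stays silent while the configuration is intact, and cron mails any findings to the crontab owner.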