Securing your Linux vsftp installations by locking down your server and chroot()'ing users -- Prefetch Technologies

As much as we all hate FTP and the insecurities of the protocol, I’ve given up on the fact that it’s going to be retired anytime soon. A lot of old legacy systems (mainframes, AS400s, etc.) don’t support SSH, but they so support the infamous FTP protocol. These two factors force a lot of companies to continue to use it, so we need to take every measure we can to protect the FTP servers that receive files from these systems.

I’ve been using vsftpd for quite some time, and it has one of the best security track records of the various FTP server implementations. When I’m forced to use FTP, I always install vsftp and perform a number of actions to lock down my FTP server installation. Here is a short list:

Enable SELinux
Change the default vsftp banner (“ftpd_banner” controls the string displayed)
Limit connections to known IP addresses (tcp_wrappers and iptables can help with this)
Disable anonymous logins (“anonymous_enable” controls this behavior)
Tighten up the umask to disable writeable files (“local_umask” controls the default umask to use)
Increase logging and use centralized log servers (“xferlog_enable” and syslog-ng can help with this)
Validate all identities in /etc/passwd and remove unneeded system accounts
Disallow ALL system accounts from logging in
Chroot all users to their home directory

The last item is especially important, since you don’t want users wandering around your file systems looking for files and directories that could be exploited through a software bug or misconfiguration. Chroot support is built into vsftpd, which is now the default FTP daemon in Redhat and CentOS Linux. Enabling chroot support is super easy, since you only need to uncomment the following line:

chroot_local_user=YES

Once enabled, users will only be able to see the files and directories in their home directory.

$ ftp ftp.prefetch.net

Connected to localhost (127.0.0.1).
220 Welcome to Matty's FTP server. Unauthorized access prohibited!
ftp> user bingo
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"

By default all users will be chroot’ed to their home directories, which may not be ideal in some situations. If you need to selectively allow access to directories outside of the chroot, you can enable “chroot_local_user” and add the usernames you want to be allowed to “browse” to /etc/vsftpd/chroot_list. If on the other hand you want to allow all users to access the server and only chroot a few, you can set chroot_list_enable to YES and list the user’s you want to chroot in the /etc/vsftpd/chroot_list. The location of the file that lists the users (/etc/vsftpd/chroot_list in the examples above) is controlled by the chroot_list_file variable, which can be set to the absolute path of a file that contains a list of users. While FTP sucks, it’s going to be with us for some time to come. If we have to support it, we might as well do all we can to secure it!

This article was posted by Matty on 2011-04-21 11:50:00 -0400 -0400