Title: Ftp overview

KBTAG: kben10000121
URL: http://www.securityportal.com/lskb/10000100/kben10000121.html
Date created: 01/08/2000
Date modified: 24/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Ftp overview
Keywords: Network/FTP

Summary:

FTP used to be the most used protocol on the Internet by sheer data traffic until it was surpassed by HTTP a few years ago (yes, there was a WWW-free Internet once upon a time). FTP does one thing, and it does it well: transferring files between systems. The protocol itself is insecure: passwords, data, etc. are transferred in cleartext and can easily be sniffed. However, most ftp usage is 'anonymous', so this isn't a huge problem. One of the main problems typically encountered with ftp sites is improper permissions on directories that allow people to use the site to distribute their own data (typically copyrighted material, etc.). Again, as with telnet, you should use an account for ftping that is not used for administrative work, since the password will be flying around the network in clear text.

More information:

Problems with ftp in general include:

· Clear text authentication (username and password).
· Clear text transmission of all commands.
· Password guessing attacks.
· Improper server setup and consequent abuse of servers.
· Several nasty Denial of Service attacks still exist in various ftp servers.
· Older versions of WU-FTPD and derivatives have root hacks.

Securing FTP isn't too bad: between firewalling and TCP_WRAPPERS you can restrict access based on IP address / hostname quite well. In addition, most ftp servers run chrooted by default for anonymous access, or for an account defined as guest. With some amount of work you can set all users that are ftping in to be chrooted to their home directory or wherever appropriate. You can also run ftp servers that encrypt the data (using such things as SSL/etc.); however, this means your ftp clients must speak the encryption protocol, and this isn't always practical. Also make very sure you have no publicly accessible directories on your ftp server that are both readable and writable, otherwise people will exploit it to distribute their own software (typically warez or porn).
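As an added example for that last point (not part of the original article), here is a small Python audit that walks an ftp tree and reports every directory the "other" class can write to, separating those that are also world-readable (a ready-made drop site) from write-only ones (the classic 'incoming' box that cannot be listed). The sample tree it builds under a temporary directory is constructed for the demonstration; point audit_ftp_tree() at your real anonymous ftp root instead.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def audit_ftp_tree(root: str) -> Dict[str, List[str]]:
    """Walk an ftp document root and classify every directory that the
    'other' permission class may write to.  Symlinks are not followed, so a
    link pointing outside the tree cannot drag in unrelated directories."""
    findings: Dict[str, List[str]] = {"readable_and_writable": [], "write_only": []}

    def classify(path: str) -> None:
        mode = os.lstat(path).st_mode
        if not stat.S_ISDIR(mode):          # skip symlinks and anything odd
            return
        if mode & stat.S_IWOTH:
            rel = os.path.relpath(path, root)
            if mode & stat.S_IROTH:         # anonymous users can list AND upload: drop site
                findings["readable_and_writable"].append(rel)
            else:                           # upload box that cannot be listed (e.g. mode 733)
                findings["write_only"].append(rel)

    classify(root)
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            classify(os.path.join(dirpath, name))
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree (hypothetical layout, created under a
    temporary directory) so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="ftpaudit-")
    layout = {
        "pub": 0o755,               # read-only mirror area: fine
        "pub/incoming": 0o733,      # write-only drop box, cannot be listed: acceptable if intended
        "pub/uploads": 0o777,       # readable and writable by everyone: the problem case
        "pub/uploads/sub": 0o1777,  # sticky bit stops deletion of others' files, not the abuse
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return root


def remove_demo_tree(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        report = audit_ftp_tree(demo)
        for kind, dirs in report.items():
            print(f"{kind}:")
            for d in dirs:
                print(f"  {d}")
    finally:
        remove_demo_tree(demo)
```

The audit looks only at the "other" bits. If the anonymous account itself owns directories under the ftp root, owner-write counts too, so compare the tree against the uid the ftp daemon drops to as well.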

An example of firewalling rules:

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 21
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 21
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 21

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 21
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 21
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 21

An example of the same using TCP_WRAPPERS in /etc/hosts.allow:

in.ftpd: 10.0.0.0/255.0.0.0, some.trusted.host

And in /etc/hosts.deny:

in.ftpd: 0.0.0.0/0.0.0.0
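To make the evaluation order of those two files concrete, here is an added Python model of the hosts_access(5) decision (example code, not from the article or from the TCP wrappers distribution). It parses the two rule sets above, assumes the client's hostname has already been obtained by reverse DNS, and supports only the IPv4 subset of the pattern syntax: ALL, net/mask, a leading-dot domain suffix, a trailing-dot address prefix, and exact names.

```python
import ipaddress
from typing import List, Tuple

# Constructed copies of the two files from the text (kept inline so the
# example runs offline instead of reading /etc/hosts.allow and /etc/hosts.deny).
HOSTS_ALLOW = """
# ftp only from the private network and one trusted host
in.ftpd: 10.0.0.0/255.0.0.0, some.trusted.host
"""

HOSTS_DENY = """
in.ftpd: 0.0.0.0/0.0.0.0
"""

Rule = Tuple[List[str], List[str]]  # (daemon_list, client_list)


def parse_rules(text: str) -> List[Rule]:
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs.
    Blank lines and '#' comments are skipped; option fields after a second
    ':' (twist, spawn, ...) are not modelled here."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        clients = clients.split(":", 1)[0]          # drop any option field
        rules.append(([d.strip() for d in daemons.split(",") if d.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def client_matches(pattern: str, ip: str, hostname: str) -> bool:
    """IPv4 subset of the hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                              # net/mask, e.g. 10.0.0.0/255.0.0.0
        network = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(ip) in network
    if pattern.startswith("."):                     # .example.com matches a host name suffix
        return hostname.endswith(pattern)
    if pattern.endswith("."):                       # 10. matches an address prefix
        return ip.startswith(pattern)
    return pattern in (ip, hostname)                # exact address or host name


def rule_matches(rule: Rule, daemon: str, ip: str, hostname: str) -> bool:
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, ip, hostname) for c in clients))


def access_decision(daemon: str, ip: str, hostname: str = "",
                    allow_text: str = HOSTS_ALLOW,
                    deny_text: str = HOSTS_DENY) -> str:
    """hosts_access(5) order: the first match in hosts.allow grants access,
    otherwise the first match in hosts.deny refuses it, otherwise access is
    granted.  That final default is why hosts.deny must not be left empty."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, hostname):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, hostname):
            return "deny"
    return "allow"


if __name__ == "__main__":
    cases = [
        ("in.ftpd", "10.1.2.3", ""),                    # inside 10/8
        ("in.ftpd", "192.0.2.5", ""),                   # outside, no usable reverse DNS
        ("in.ftpd", "192.0.2.5", "some.trusted.host"),  # reverse DNS names the trusted host
        ("in.telnetd", "192.0.2.5", ""),                # deny file only covers in.ftpd
    ]
    for daemon, ip, host in cases:
        verdict = access_decision(daemon, ip, host)
        print(f"{daemon:<11} {ip:<10} {host or '-':<18} -> {verdict}")
```

The last case shows the caveat: the hosts.deny line above only protects in.ftpd, so any other wrapped daemon falls through to the default allow. Using "ALL: ALL" in hosts.deny is the usual way to get default-deny for everything the wrappers control. Note also that hostname patterns such as some.trusted.host depend on reverse DNS for the connecting address, which the address-based rules do not.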

There are several encrypted alternatives to ftp, as mentioned before: SSLeay FTPD and other third party utils. Since most ftp accounts are not used as admin accounts (cleartext passwords, you have been warned), and hopefully run chrooted, the security risk is minimized. Now that we have hopefully covered all the network based parts of ftp, let's go over securing the user accounts and environment.

FTP Server

Libra FTP Server

Available from http://libraftp.narod.ru/; aimed at security.

NcFTPD

NcFTPD is a high-volume ftp server; however, it is only free for personal or .edu usage. You can get it from: http://www.ncftpd.com/ncftpd/.

NcFTPd MySQL Authentication is an authentication daemon that enables the popular NcFTPd FTP server to authenticate users using a MySQL database. It has advanced features like restricting users to their home directory, quotas, etc. Available from: http://www.foobar.lu/maym/projects/

BSD ftpd

The BSD ftp server (ftpd) has also been ported over to Linux, so if you have the urge to run it you can. Download it at: ftp://quatramaran.ens.fr/pub/madore/ftpd-BSD/.

Muddleftpd

Muddleftpd is a small ftp server. You can get it at: http://www.computing.edu.au/~kuiperba/muddleftpd/.

Troll ftpd

Troll ftpd is an extremely small and relatively secure ftp server. It cannot execute external programs, and is quite easy to configure. You can get it at: http://www.troll.no/freebies/ftpd.html.

BetaFTPD

BetaFTPD is a single threaded, small ftp server. You can get it at: http://members.xoom.com/_XOOM/sneeze/betaftpd.html.

FTP4ALL

Another GPL licensed FTP server, available from: http://www.ftp4all.de/v3/noframes/.

FTP - SSL

Also a drop-in replacement for your favorite ftpd (probably WU-FTPD), also available as a set of patches for WU-FTPD. This is highly appropriate as most servers have many users that require ftp access. The tarball is available at: ftp://ftp.uni-mainz.de/pub/internet/security/ssl/, and as RPM packages at ftp://ftp.zedz.net/pub/replay/linux/redhat/.

FTP - SRP

SRP can also be used to encrypt the username/password login portion of your ftp session, or the entire session. You can get SRP at http://srp.stanford.edu/srp/ and it is covered in kben10000137.html .

sftp

sftp runs over ssh, which makes for relatively secure ftp sessions. You can get it from: http://www.xbill.org/sftp/.

References:

FTP - WuFTPD overview

Chrooting users in ProFTPD and other configuration issues