Ключевые слова:security, ftp, (найти похожие документы)
_ RU.LINUX (2:5077/15.22) ___________________________________________ RU.LINUX _
From : Alex Korchmar 2:5020/28.101 27 Nov 98 04:37:22
Subj : secure ftpd
________________________________________________________________________________
Alan Long <[email protected]> wrote:
AC>> Что-то прочел я тут как-то Корчмаря и забоялся... Hарод,
бойся-бойся. Авось поможет.
AL> Попробуй посмотреть BeroFTP. ОH сделан на основе WU-FTPD но значительно
традиционный вопрос: ну и кто проводил аудит этого "на основе"?
Кто проводил аудит wu-ftpd - мы знаем.
> Alex
P.S. вот, кстати, устаревший, но все еще любопытный документик, которого
по крайней мере дебиановцы не читали.
[это старое письмо Christopher Klaus ([email protected]), я вырезал
малоинтересные для ru.linux части. ]
Part 1 - General Description of Setting up an "anonymous" ftp server.
How do I setup "anonymous" ftp securely?
PLEASE READ ALL NOTES AND WARNINGS!!!
1) Create the user ftp in /etc/passwd. Use a misc group. The user's home
directory will be ~ftp where ~ftp is the root you wish anonymous users to
see. Creating this user turns on anonymous ftp.
Use an invalid password and user shell for better security. The entry in the
passwd file should look something like:
ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/true
2) Create the home directory ~ftp. Make the directory owned by root (NOT ftp)
with the same group as ftp. Thus, owner permissions are for root and group
permissions are for the anonymous users. Set the permissions for ~ftp to 555
(read, nowrite, execute).
*** Some MAN pages recommend making the ~ftp directory owned by ftp.
*** This is a big NO-NO, if you want any type of security on your system.
3) Create the directory ~ftp/bin. This directory is owned by root (group
e.g. wheel) with permissions 111 (noread, nowrite, execute).
4) Copy the program ls into ~ftp/bin. ls is owned by root with permissions
111 (noread, nowrite, execute). Any other commands you put in ~ftp/bin
should have the same permissions as well.
5) Make the directory ~ftp/etc. This directory is owned by root with
permissions 111.
6) Create from scratch the files /etc/passwd and /etc/group in ~ftp/etc.
These files should be mode 444. The passwd file should only contain root,
daemon, uucp, and ftp. The group file must contain ftp's group. Use your
/etc/passwd and /etc/group files as a template for creating passwd and group
files going to ~ftp/etc. You may even change the user names in this file,
they are used only for 'ls' command. So for example if all files in your
~ftp/pub/linux hierarchy will be maintained by a real user 'balon' with
uid=156 you may put
linux:*:156:120:Kazik Balon::
in the ~ftp/etc/passwd file (regardless of his real username). Leave only
these users who will own files under ftp hierarchy (e.g. root, daemon,
ftp...) and definitely remove *ALL* passwords by replacing them with '*' so
the entry looks like:
root:*:0:0:Ftp maintainer::
ftp:*:400:400: Anonymous ftp::
For more security, you can just remove ~ftp/etc/passwd and
~ftp/etc/group (the effect is that ls -l will not show the directories' group
names). Wuarchive ftp daemon (and some others) have some extensions based on
the contents of the group/passwd files, so read the appropriate documentation.
7) Make the directory ~ftp/pub. This directory is owned by you and has the
same group as ftp with permissions 555. On most systems (like SunOS) you may
want to make this directory 2555, ie. set-group-id, in order to create new
files with the same group ownership.
Files are left here for public distribution. All folders inside ~ftp/pub
should have the same permissions as 555.
*** Neither the home directory (~ftp) nor any directory below it should be
owned by ftp! No files should be owned by ftp either. Modern ftp daemons
support all kinds of useful commands, such as chmod, that allow outsiders to
undo your careful permission settings. They also have configuration options
like the following (WuFTP) to disable them:
# all the following default to "yes" for everybody
delete no guest,anonymous # delete permission?
overwrite no guest,anonymous # overwrite permission?
rename no guest,anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?
8) If you wish to have a place for anonymous users to leave files, create
the directory ~ftp/pub/incoming. This directory is owned by root with
permissions 733. Do a 'chmod +t ~ftp/pub/incoming'. The ftp daemon will
normally not allow an anonymous user to overwrite an existing file, but a
normal user of the system would be able to delete anything. By setting the
mode to '1733' you prevent this from happening. In wuftpd you may configure
the daemon to create new files with permissions '600' owned by root or any
other user. Many times, incoming directories are abused by exchanging pirated
and pornographic material. Abusers often create hidden directories there for
this purpose. Making the incoming directory unreadable by anonymous ftp helps
to some extent. With ordinary ftp severs there is no way to prevent
directories being created in incoming. The WUarchive ftp server can limit
uploads to certain directories and can restrict characters used in file names
like this:
# specify the upload directory information
upload /var/spool/ftp * no
upload /var/spool/ftp /incoming yes ftp staff 0600 nodirs
# path filters
# p
ath-filter...
path-filter anonymous /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
Suggestion: Create an extra file-system for your ftp-area (or at least for
your incoming-area) to prevent a denial-of-service attack by filling your
disk with garbage (inside your incoming directory).
If you have wuftpd you may want to add some ftp extensions like
compression/decompression 'on the fly' or creation of tar files for the
directory hierarchies. Get the appropriate sources (gzip, gnutar, compress),
compile them and link statically, put in the ~ftp/bin directory and edit the
appropriate file containing the definitions of the allowed conversions.
/usr/bin/tar is already statically-linked. You may wish to use gnu tar
anyway.
Gary Mills wrote a small program to support the following:
I got compress from ftp.uu.net, in the root directory, I believe, and compiled
it. To do tar and compress, I wrote a tiny program called `pipe', and
statically-linked it. My /etc/ftpconversions file looks like this:
#strip prefix:strip postfix:addon prefix:addon postfix:external command:
#types:options:description
:.Z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
:-z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
: : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
: : :.tar:/bin/tar cf - %s:T_REG|T_DIR:O_TAR:TAR
: : :.tar.Z:/bin/pipe /bin/tar cf - %s | /bin/compress
-c:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPR
ESS
: : :.tar:/bin/gtar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
: : :.tar.Z:/bin/gtar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar.gz:/bin/gtar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
Here it is:
-----------------8<-------------cut---------------
/* pipe.c: exec two commands in a pipe */
#define NULL (char *)0
#define MAXA 16
main(argc, argv) int argc; char *argv[]; {
char *av1[MAXA], *av2[MAXA];
int i, n, p[2], cpid;
i = 0; n = 0;
while ( ++i < argc && n < MAXA ) {
if ( *argv[i] == '|' && *(argv[i]+1) == '\0' ) break;
av1[n++] = argv[i];
}
if ( n == 0 ) uexit();
av1[n] = NULL;
n = 0;
while ( ++i < argc && n < MAXA )
av2[n++] = argv[i];
if ( n == 0 ) uexit();
av2[n] = NULL;
if ( pipe(p) != 0 ) exit(1);
if ( ( cpid = fork() ) == (-1) ) exit(1);
else if ( cpid == 0 ) {
(void)close(p[0]);
(void)close(1);
(void)dup(p[1]);
(void)close(p[1]);
(void)execv(av1[0], av1);
_exit(127);
}
else {
(void)close(p[1]);
(void)close(0);
(void)dup(p[0]);
(void)close(p[0]);
(void)execv(av2[0], av2);
_exit(127);
}
/*NOTREACHED*/
}
uexit() {
(void)write(2, "Usage: pipe <command> | <command>\n", 34);
exit(1);
}
9) Other things to do:
as root: touch ~ftp/.rhosts ~ftp/.forward
chmod 400 ~ftp/.rhosts ~ftp/.forward
ie. make these files zero-length and owned by root.
Due to the last /bin/mail bugs in SunOS:
touch /usr/spool/mail/ftp; chmod 400 /usr/spool/mail/ftp
Consider an email-alias for the ftp-admin(s) to provide an email-address for
problems-reports.
If you are mounting some disks from other machines (or even your own) to the
~ftp hierarchy, mount it read-only. The correct entry for the /etc/fstab (on
the host with ftpd) is something like:
other:/u1/linux /home/ftp/pub/linux nfs ro,noquota,nosuid,intr,bg 1 0
This mounts under /home/ftp/pub/linux the disk from host 'other' with no
quota, no 'suid' programs (just in case), interruptible (in case 'other'
goes down) and 'bg' - so if 'other' is down when you reboot it will not stop
you trying to mount /home/ftp/pub/linux all over again.
[skip. Кому надо письмо целиком - могу сфорвардить]
Part 5 - How to Know if your Anonymous FTP Server is secure
This section is intended for the administrator to go down a small check
list of things to make sure his server is not easily compromised.
a) Check to make sure your ftp server does not have SITE EXEC command by
telneting to port 21 and typing SITE EXEC. If your ftp daemon has SITE EXEC
make sure it is the most current version (ie, Wu-FTP 2.4). In older versions
this allows anyone to gain shell via port 21.
b) Check to make sure no one can log in and make files or directories in the
main directory. If anyone can log in as anonymous FTP and make files such as
.rhosts and .forward, instant access is granted to any intruder.
c) Check to make sure the main directory is NOT owned by ftp. If it is
owned by FTP, an intruder could SITE CHMOD 777 the main directory and then
plant files to give him instant access. SITE CHMOD command should be removed
because anonymous users do not need any extra priviledges.
d) Check to make sure NO files or directories are owned by ftp. If they are,
it is possible an intruder could replace them with his own trojan versions.
e) There were several bugs in old daemons, so it is very important to make
sure you are running the most current ftp daemons.
[skip]
This paper is Copyright (c) 1994
by Christopher Klaus of Internet Security Systems, Inc.
Permission is hereby granted to give away free copies. You may
distribute, transfer, or spread this paper. You may not pretend that you
wrote it. This copyright notice must be maintained in any copy made.
--- ifmail v.2.14.os-p2 * Origin: Down System -2 (2:5020/28.101@fidonet)
