Rules Related To 'vsftpd'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Configure Firewalls to Protect the FTP Server

ftp_configure_firewall

Description

By default, iptables blocks access to the ports used by the web server. To configure iptables to allow port 21 traffic, one must edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:

-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"

Rationale

These settings configure the firewall to allow connections to an FTP server.

Disable FTP Uploads if Possible

ftp_disable_uploads

Description

Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options:

write_enable=NO
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible.

Rationale

Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory.

Place the FTP Home Directory on its Own Partition

ftp_home_partition

Description

By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition.

Rationale

If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services.

Limit Users Allowed FTP Access if Necessary

ftp_limit_users

Description

If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:

userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
USERNAME
If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well.
anonymous
ftp

Rationale

Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.

Enable Logging of All FTP Transactions

ftp_log_transactions

Description

Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:

xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES

Rationale

To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Create Warning Banners for All FTP Users

ftp_present_banner

Description

Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:

banner_file=/etc/issue

Rationale

This setting will cause the system greeting banner to be used for FTP connections as well.

Restrict Access to Anonymous Users if Possible

ftp_restrict_to_anon

Description

Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:

local_enable=NO
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible.

Rationale

The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.'

Install vsftpd Package

package_vsftpd_installed

Description

If this system must operate as an FTP server, install the vsftpd package via the standard channels. The vsftpd package can be installed with the following command:

$ sudo dnf install vsftpd

Rationale

After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended.

Uninstall vsftpd Package

package_vsftpd_removed

Description

The vsftpd package can be removed with the following command:

 $ sudo dnf remove vsftpd

Rationale

Removing the vsftpd package decreases the risk of its accidental activation.

Disable vsftpd Service

service_vsftpd_disabled

Description

The vsftpd service can be disabled with the following command:

$ sudo systemctl mask --now vsftpd.service

Rationale

Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.