The tftp-server
package can be removed with the following command:
$ apt-get remove tftp-server
Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Securty Manager (ISSM), restricted to only authorized personnel, and have
access control rules established.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.
It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.
The tftp service should be disabled.
The tftp
service can be disabled with the following command:
$ sudo systemctl mask --now tftp.service
Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.
If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the tftp systemd service:
$ sudo systemctl show tftp | grep FragmentPath= FragmentPath=/etc/systemd/system/tftp.serviceand ensure the ExecStart line on that file includes the -s option with a subdirectory:
ExecStart=/usr/sbin/in.tftpd -s $var_tftpd_secure_directory
Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the tftp systemd service:
$ sudo systemctl show tftp | grep ExecStart= ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }eand ensure the ExecStart line on that file includes the -s option with a subdirectory:
ExecStart=/usr/sbin/in.tftpd -s $var_tftpd_secure_directory
Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.