Skills delivery: three moves to improve the security of the FTP server

  
                  

FTP is the File Transfer Protocol; it is sometimes described figuratively as a "hub for document exchange." The main purpose of an FTP file server is to provide file storage space so that users can upload or download the files they need. In the enterprise, customers are often given a dedicated FTP space to make exchanging large files easier, such as design drawings of up to several hundred megabytes. FTP can also serve as a backup server for enterprise files, for example by keeping copies of key applications such as databases on the FTP server to achieve offsite backup.

Clearly, FTP servers are used very widely in the enterprise. Precisely because they are so capable, many hackers and viruses have begun to "pay attention" to them. They attempt to use the FTP server as a springboard and as a source of Trojans and viruses. In addition, because the FTP server stores a great deal of content that is valuable to the enterprise, economic incentives have also made it a target of attack.

So the security of the FTP server is becoming increasingly important. The FTP server I use is based on the Vsftpd software on the Linux operating system platform. Today I use this software as an example to discuss how to design the security of an FTP server.

First, who can access the FTP server?

When considering the security of the FTP server, the first question is who can access it. The Vsftpd server software provides three types of users by default. Different user types correspond to different permissions and operations.

The first type is the Real account. This type of user has an account on the FTP server. When such a user logs in to the FTP server, the default home directory is the directory named after the account. However, it is also possible to change to other directories, such as the system's home directory.

The second type of account is the Guest user. On an FTP server we often set up an account for each department or for a specific user. The distinguishing feature of such an account is that it can only access its own home directory. In this way the server protects the other files on the FTP server. Vsftpd calls this type of account a Guest user: it can access only the directories under its home directory and not files outside the home directory.

The third type of account is the Anonymous user, which is what we usually call anonymous access. This type of user has no designated account on the FTP server but can still access some public resources anonymously.

When setting up an FTP server, we need to classify users by type. By default, the Vsftpd server assigns every account that is created to the Real class. However, this often does not meet corporate security needs, because such users can access not only their own home directory but also other users' directories. This puts the space belonging to other users at risk. Enterprises should therefore change the user classes to suit their actual situation.

Modification method:

Step 1: Modify the /etc/vsftpd/vsftpd.conf file.

By default, only Real and Anonymous users are enabled. To enable the Guest class of user, this option has to be turned on: edit the /etc/vsftpd/vsftpd.conf file and remove the comment symbol in front of "chroot_list_enable=YES". After the removal, the system will automatically enable the Real type of account.

Step 2: Modify the /etc/vsftpd.conf file.

To make an FTP server account a Guest account, add the user to this file. Normally this file does not exist on the FTP server and has to be created manually. After creating the file with the vi command, add the established FTP accounts to it. In this case, an account belongs to the Real type of users. After logging in to the FTP server, they can only access their home directory and are not able to change the home directory.

Step 3: Restart the FTP server.

After the configuration is complete, the FTP server must be restarted for the configuration to take effect. We can restart the server or use the Restart command to restart the FTP service.

The author has a few friendly reminders about classifying users.

The first is to use Guest-type users wherever possible and to reduce the number of Real-class users. Generally, when we create an FTP account, the user only needs to access the files in their own home directory. When a user's permissions are too broad, this threatens the security of other users' files.

The second is to avoid anonymous accounts where possible, because they can access the FTP server without authorization. Although the resources they can reach are subject to certain restrictions, they are still dangerous. It is therefore best to disable anonymous accounts unless there is a specific need for them.
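
The classification set up in Steps 1 to 3 and the anonymous-access reminder above can be checked with a short script. The following is an added example, not part of the original article: it applies the chroot_local_user / chroot_list_enable semantics and built-in defaults described in the vsftpd.conf man page, and the sample configuration, list contents and account names (design, backup, admin) are constructed.

```python
# Added example: audit vsftpd settings against the article's user classes.
# Defaults follow the vsftpd.conf man page; sample data is constructed.
DEFAULTS = {
    "anonymous_enable": "YES",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "chroot_list_file": "/etc/vsftpd.chroot_list",
}

def parse_conf(text):
    """Parse vsftpd.conf text: 'option=value' lines, '#' starts a comment."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def is_yes(conf, key):
    return conf[key].upper() in ("YES", "TRUE", "1")

def classify(conf, chroot_list, accounts):
    """Label each local account 'Guest' (confined to its home directory)
    or 'Real' (able to leave it), using the article's terms."""
    listed = {u.strip() for u in chroot_list.splitlines() if u.strip()}
    classes = {}
    for user in accounts:
        jailed = is_yes(conf, "chroot_local_user")
        # With chroot_list_enable=YES the list names the exceptions to
        # chroot_local_user, so membership flips the outcome.
        if is_yes(conf, "chroot_list_enable") and user in listed:
            jailed = not jailed
        classes[user] = "Guest" if jailed else "Real"
    return classes

def findings(conf, classes):
    out = []
    if is_yes(conf, "anonymous_enable"):
        out.append("anonymous login is enabled")
    out += [f"{u} is not confined to its home directory"
            for u, c in sorted(classes.items()) if c == "Real"]
    return out

SAMPLE_CONF = "local_enable=YES\n#anonymous_enable=NO\nchroot_list_enable=YES\n"
SAMPLE_LIST = "design\nbackup\n"  # contents of the chroot_list_file
conf = parse_conf(SAMPLE_CONF)
classes = classify(conf, SAMPLE_LIST, ["design", "backup", "admin"])
print(classes, findings(conf, classes))
```

On a real server, read the list from the path held in conf["chroot_list_file"] and pass its contents as the second argument.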
