
CCE 4399-2

Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use.

If dynamic updates must be allowed, IP-based ACLs (an allow-update list of addresses or networks) are insufficient protection, since the source address of an update request is easily spoofed.

Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed.
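The two styles of update control side by side, as an added example that is not from this guide or from the BIND documentation. The zone name, key name and secret are placeholders, and only one of the two zone stanzas would actually appear in named.conf (a zone cannot carry both allow-update and update-policy).

```conf
// Weak: any host able to send traffic with a source address in this range
// can add, delete or change any record in the zone.
zone "example.com" {
    type master;
    file "data/example.com.zone";
    allow-update { 192.0.2.0/24; };
};

// Recommended: possession of the TSIG key is what grants access, and the
// grant is as narrow as the actual need (here a DHCP server may only
// change the A record of one host name). Keep the secret in a separate
// file readable only by the named user and pull it in with an include.
key "dhcp-update" {
    algorithm hmac-md5;   // the TSIG algorithm available in the BIND 9.3 shipped with RHEL 5
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "example.com" {
    type master;
    file "data/example.com.zone";
    update-policy {
        grant dhcp-update name dhcp-1.example.com. A;
    };
};
```

The grant line is the part to keep tight: "name" restricts the key to exactly one owner name, and the trailing record type list restricts which records it may touch. A "subdomain dyn.example.com. A TXT" rule would be the equivalent for a whole zone of dynamic hosts, and is still far narrower than allow-update, which permits every record type for every name.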

3.15 FTP Server

FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured and that the session is vulnerable to hijacking. Therefore, running the FTP server software is not recommended.

However, there are some FTP server configurations which may be appropriate for some environments, particularly those which allow only read-only anonymous access as a means of downloading data available to the public.

3.15.1 Disable vsftpd if Possible

Is there a mission-critical reason for the machine to act as an FTP server?

If not, disable the software and remove it from the system:

# chkconfig vsftpd off

# yum erase vsftpd

CCE 3919-8, 14881-7

3.15.2 Use vsftpd to Provide FTP Service if Necessary

If this machine must operate as an FTP server, install the vsftpd package via the standard channels:

# yum install vsftpd

After RHEL 2.1, Red Hat switched from distributing wu-ftpd with RHEL to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended.

3.15.3 Configure vsftpd Securely

The primary vsftpd configuration file is /etc/vsftpd.conf, if that file exists, or /etc/vsftpd/vsftpd.conf if it does not. For the remainder of this section, the phrase “the configuration file” will refer to whichever of those files is appropriate for your environment.

3.15.3.1 Enable Logging of All FTP Transactions

Edit the vsftpd configuration file. Add or correct the following configuration options:

xferlog_std_format=NO
log_ftp_protocol=YES

CCE 4549-2

The modifications above ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Note: If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur unless dual_log_enable=YES is set as well. However, the information about what files were downloaded is included in the information logged to vsftpd.log.

3.15.3.2 Create Warning Banners for All FTP Users

Edit the vsftpd configuration file. Add or correct the following configuration options:

banner_file=/etc/issue

CCE 4554-2

See Section 2.3.7 for an explanation of banner file use. This setting will cause the system greeting banner to be used for FTP connections as well.

3.15.3.3 Restrict the Set of Users Allowed to Access FTP

This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access.

3.15.3.3.1 Restrict Access to Anonymous Users if Possible

Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not:

Edit the vsftpd configuration file. Add or correct the following configuration option:

local_enable=NO

If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible.

CCE 4443-8

The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. See Section 3.5 for more information about SSH.

3.15.3.3.2 Limit Users Allowed FTP Access if Necessary

If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access.

Edit the vsftpd configuration file. Add or correct the following configuration options:

userlist_enable=YES

userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO

Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via ftp, add a line containing that user’s name.

USERNAME

If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well:

anonymous
ftp

Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via ftp. It was used to prevent system users such as root from logging in via the insecure ftp protocol. However, when the configuration option userlist_deny=NO is set, vsftpd interprets the file named by userlist_file as the set of users who are allowed to log in via ftp; any other user is refused before a password is even requested. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous ftp access can be limited to legacy users who have been explicitly identified. Note that on RHEL the PAM configuration for vsftpd (/etc/pam.d/vsftpd) separately denies the accounts listed in /etc/vsftpd/ftpusers through pam_listfile, independently of the userlist options above; root and the other system accounts should stay in that file regardless of the allow list.

3.15.3.4 Disable FTP Uploads if Possible

Is there a mission-critical reason for users to upload files via FTP? If not:

Edit the vsftpd configuration file. Add or correct the following configuration options:

write_enable=NO

If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible.

CCE 4461-0

Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory; otherwise the server becomes an anonymous drop site that third parties can use to exchange their own content. In vsftpd, anonymous uploads additionally require anon_upload_enable=YES, and the defaults anon_umask=077 and anon_world_readable_only=YES mean that uploaded files are created without world-read permission and therefore cannot be downloaded again by anonymous users; do not relax either of those settings on an upload directory.

3.15.3.5 Place the FTP Home Directory on its Own Partition

By default, the anonymous FTP root is the home directory of the ftp user account (/var/ftp on RHEL). The df command can be used to verify that this directory is on its own partition: df /var/ftp should report that directory itself as the mount point, not / or /var.

If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services.
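To confirm that a server actually carries the settings from 3.15.3.1 through 3.15.3.5, the following script is an added example (not part of this guide or of vsftpd) that audits a vsftpd configuration file for those values and checks whether the anonymous FTP root is a filesystem of its own. The two configuration files it writes under mktemp are constructed samples, the paths /etc/vsftpd/vsftpd.conf and /var/ftp mentioned in comments are the RHEL defaults, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the guide): audit a vsftpd configuration against the
# settings recommended in Section 3.15.3. On a real host, run the functions
# against /etc/vsftpd/vsftpd.conf and /var/ftp instead of the samples below.

# vsftpd_get FILE KEY
# Prints the effective value of KEY. vsftpd requires "key=value" with no
# whitespace, ignores '#' comment lines, and lets a later assignment override
# an earlier one, so the last matching uncommented line is the one that counts.
vsftpd_get() {
    grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# vsftpd_check FILE KEY EXPECTED
# Prints one OK/FAIL line; returns 0 only when the effective value is EXPECTED.
vsftpd_check() {
    have=$(vsftpd_get "$1" "$2")
    if [ "$have" = "$3" ]; then
        echo "OK   $2=$3"
    else
        echo "FAIL $2: want '$3', found '${have:-<unset>}'"
        return 1
    fi
}

# vsftpd_audit FILE
# Runs the checks from 3.15.3.1 to 3.15.3.4; returns the number of failures.
vsftpd_audit() {
    fails=0
    vsftpd_check "$1" xferlog_std_format NO         || fails=$((fails + 1))
    vsftpd_check "$1" log_ftp_protocol   YES        || fails=$((fails + 1))
    vsftpd_check "$1" banner_file        /etc/issue || fails=$((fails + 1))
    vsftpd_check "$1" write_enable       NO         || fails=$((fails + 1))
    if [ "$(vsftpd_get "$1" local_enable)" = "NO" ]; then
        echo "OK   local_enable=NO"
    else
        # Password logins are allowed: they must at least be limited to an
        # explicit allow list (userlist_deny=NO turns the user list into one).
        echo "WARN local_enable is not NO; checking for an allow list"
        vsftpd_check "$1" userlist_enable YES || fails=$((fails + 1))
        vsftpd_check "$1" userlist_deny   NO  || fails=$((fails + 1))
    fi
    return $fails
}

# ftp_root_has_own_fs DIR
# Returns 0 if DIR is itself a mount point, 1 if it shares a filesystem with
# its parent (an anonymous upload could then fill space other services need),
# 2 if DIR does not exist.
ftp_root_has_own_fs() {
    [ -d "$1" ] || return 2
    mountpoint=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    [ "$mountpoint" = "$(cd "$1" && pwd -P)" ]
}

# --- constructed sample configurations (not taken from any real host) ---
WEAK_CONF=$(mktemp) && cat > "$WEAK_CONF" <<'EOF'
# Typical stock settings: password logins, uploads, sparse xferlog only
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
listen=YES
EOF

HARD_CONF=$(mktemp) && cat > "$HARD_CONF" <<'EOF'
# Read-only anonymous download service per Section 3.15.3
anonymous_enable=YES
local_enable=NO
write_enable=NO
xferlog_std_format=NO
log_ftp_protocol=YES
banner_file=/etc/issue
listen=YES
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

echo "== weak sample =="
vsftpd_audit "$WEAK_CONF" || echo "$? setting(s) need attention"
echo "== hardened sample =="
vsftpd_audit "$HARD_CONF" && echo "all checks passed"
```

The audit deliberately reads the last assignment of each key rather than the first, because an administrator who appends "write_enable=NO" below an earlier "write_enable=YES" has in fact disabled uploads, while one who appends the reverse has silently re-enabled them; grepping for the presence of the recommended line would pass both.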

3.15.3.6 Configure Firewalls to Protect the FTP Server

Edit the file /etc/sysconfig/iptables. Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

These settings configure iptables to allow connections to an FTP server. The first line allows initial connections to the FTP server port.

FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module (nf_conntrack_ftp on later kernels) is used by iptables to listen to that dialogue and mark the data connection which FTP negotiates as RELATED to the control connection, so that it is admitted by the chain's existing ESTABLISHED,RELATED rule without opening the whole high port range. This allows an FTP server to operate on a machine which is running a firewall. The helper can only do this if it can read the control channel in the clear on the port it expects, so it does not help for FTP over TLS, and a server listening on a port other than 21 must be named in the module's ports parameter.
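What the connection-tracking helper has to do is decode the endpoint announced on the control channel. The script below is an added example (not part of this guide, of iptables or of vsftpd) that performs that decoding in shell for both the active-mode PORT command and the passive-mode 227 reply, over a constructed control-channel transcript; the addresses, ports and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the guide): decode the data-connection endpoint that
# FTP announces on the control channel, which is the information the
# ip_conntrack_ftp helper extracts in order to admit the data connection.

# ftp_decode_endpoint LINE
# Prints "a.b.c.d:port" for an active-mode "PORT h1,h2,h3,h4,p1,p2" command
# or a passive-mode "227 ... (h1,h2,h3,h4,p1,p2)" reply; prints nothing for
# any other line. The port is carried as two bytes: port = p1 * 256 + p2.
ftp_decode_endpoint() {
    printf '%s\n' "$1" | sed -n -E \
        's/.*[^0-9]([0-9]+),([0-9]+),([0-9]+),([0-9]+),([0-9]+),([0-9]+).*/\1.\2.\3.\4 \5 \6/p' |
        awk '{ printf "%s:%d\n", $1, $2 * 256 + $3 }'
}

# Constructed transcript of one control channel, client lines prefixed "C:",
# server lines "S:". Not captured from a real server.
FTP_DIALOGUE='S: 220 (vsFTPd 2.0.5)
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.org
S: 230 Login successful.
C: PORT 192,0,2,25,4,1
S: 200 PORT command successful. Consider using PASV.
C: RETR README
S: 150 Opening BINARY mode data connection for README (512 bytes).
S: 226 File send OK.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80).
C: RETR index.html
S: 150 Opening BINARY mode data connection for index.html (1024 bytes).
S: 226 File send OK.
C: QUIT
S: 221 Goodbye.'

# ftp_data_endpoints TRANSCRIPT
# Prints one "active|passive a.b.c.d:port" line per negotiated data
# connection, in order. Active mode: the server will connect out from port 20
# to the client's stated address. Passive mode: the client will connect in to
# the server's stated high port, which is the connection a firewalled server
# needs the helper to recognise as RELATED.
ftp_data_endpoints() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "C: PORT "*) echo "active $(ftp_decode_endpoint "$line")" ;;
            "S: 227 "*)  echo "passive $(ftp_decode_endpoint "$line")" ;;
        esac
    done
}

ftp_data_endpoints "$FTP_DIALOGUE"
```

The passive reply is why the helper is needed on the server at all: 192.0.2.10:50000 was chosen by the server for this one transfer, and without the helper the only alternatives are a permanently open high port range or a fixed pasv_min_port/pasv_max_port range opened in the firewall. Because the helper trusts only tuples it has seen on the control channel, a client cannot use a PORT command to make the firewall admit traffic to an unrelated address.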