ANONYMOUS FTP CONFIGURATION GUIDELINES

---
Anonymous FTP can be a valuable service if correctly configured and
administered. The first section of this document provides general guidance in
initial configuration of an anonymous FTP area.  The second section addresses
the issues and challenges involved when a site wants to provide writable
directories within their anonymous FTP areas. The third section provides
information about previous CERT advisories related to FTP services.

The following guidelines are a set of suggested recommendations that have been
beneficial to many sites. We recognize that there will be sites that have
unique requirements and needs, and that these sites may choose to implement
different configurations.

I.  Configuring anonymous FTP

    A. FTP daemon

       Sites should ensure that they are using the most recent version
       of their FTP daemon.

    B. Setting up the anonymous FTP directories

       The anonymous FTP root directory (~ftp) and its subdirectories 
       should not be owned by the ftp account or be in the same group as
       the ftp account.  This is a common configuration problem.  If any of 
       these directories are owned by ftp or are in the same group as the 
       ftp account and are not write protected, an intruder will be able to 
       add files (such as a .rhosts file) or modify other files.  Many sites
       find it acceptable to use the root account.  Making the ftp root 
       directory and its subdirectories owned by root, part of the system 
       group, and protected so that only root has write permission will help 
       to keep your anonymous FTP service secure.

       Here is an example of an anonymous FTP directory setup:

           drwxr-xr-x  7   root    system  512 Mar 1       15:17 ./
           drwxr-xr-x 25   root    system  512 Jan 4       11:30 ../
           drwxr-xr-x  2   root    system  512 Dec 20      15:43 bin/
           drwxr-xr-x  2   root    system  512 Mar 12      16:23 etc/
           drwxr-xr-x 10   root    system  512 Jun 5       10:54 pub/

       Files and libraries, especially those used by the FTP daemon and
       those in ~ftp/bin and ~ftp/etc, should have the same protections
       as these directories.  They should not be owned by ftp or be in the 
       same group as the ftp account; and they should be write protected.

    C. Using proper password and group files

       We strongly advise that sites not use the system's /etc/passwd file as 
       the password file or the system's /etc/group as the group file in the 
       ~ftp/etc directory.  Placing these system files in the ~ftp/etc 
       directory will permit intruders to get a copy of these files. 
       These files are optional and are not used for access control.

       We recommend that you use a dummy version of both the ~ftp/etc/passwd 
       and ~ftp/etc/group files. These files should be owned by root. The
       dir command uses these dummy versions to show owner and group
       names of the files and directories instead of displaying arbitrary 
       numbers.

       Sites should make sure that the ~/ftp/etc/passwd file contains no 
       account names that are the same as those in the system's /etc/passwd 
       file.  These files should include only those entries that are relevant 
       to the FTP hierarchy or needed to show owner and group names. In 
       addition, ensure that the password field has been cleared.  The 
       examples below show the use of asterisks (*) to clear the password 
       field.

       Below is an example of a passwd file from the anonymous FTP area on
       cert.org:

           ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
           cops:*:3271:20:COPS Distribution::
           cert:*:9920:20:CERT::
           tools:*:9921:20:CERT Tools::
           ftp:*:9922:90:Anonymous FTP::
           nist:*:9923:90:NIST Files::

       Here is an example group file from the anonymous FTP area on cert.org:

           cert:*:20:
           ftp:*:90:


II. Providing writable directories in your anonymous FTP configuration

    There is a risk to operating an anonymous FTP service that permits 
    users to store files. We strongly recommend that sites do not 
    automatically create a "drop off" directory unless thought has been 
    given to the possible risks of having such a service. The CERT incident
    response staff has received many reports where these directories have been
    used as "drop off" directories to distribute bootlegged versions of
    copyrighted software or to trade information on compromised accounts and
    password files. The CERT staff has also received reports of file systems
    being maliciously filled causing denial of service problems.  

    This section discusses three ways to address these problems. The first is 
    to use a modified FTP daemon. The second method is to provide restricted 
    write capability through the use of special directories. The third method
    involves the use of a separate directory.

    A. Modified FTP daemon

       If your site is planning to offer a "drop off" service, we suggest
       using a modified FTP daemon that will control access to the "drop off" 
       directory.  This is the best way to prevent unwanted use of writable
       areas. Some suggested modifications are:

       1. Implement a policy where any file dropped off cannot 
          be accessed until the system manager examines the file 
          and moves it to a public directory.
       2. Limit the amount of data transferred in one session.
       3. Limit the overall amount of data transferred based on 
          available disk space.
       4. Increase logging to enable earlier detection of abuses.

       For those interested in modifying the FTP daemon, source code is 
       usually available from your vendor. Public domain sources are 
       available from:

          wuarchive.wustl.edu   ~ftp/packages/wuarchive-ftpd
          ftp.uu.net            ~ftp/systems/unix/bsd-sources/libexec/ftpd
          gatekeeper.dec.com    ~ftp/pub/DEC/gwtools/ftpd.tar.Z

       The CERT Coordination Center has not formally reviewed, evaluated, 
       or endorsed the FTP daemons described.  The decision to use the FTP 
       daemons described is the responsibility of each user or organization, 
       and we encourage each organization to thoroughly evaluate these 
       programs before installation or use. 

    B. Using protected directories

       If your site is planning to offer a "drop off" service and is unable 
       to modify the FTP daemon, it is possible to control access by using a 
       maze of protected directories.  This method requires prior coordination
       and cannot guarantee protection from unwanted use of the writable FTP 
       area, but has been used effectively by many sites.

       Protect the top level directory (~ftp/incoming) giving only execute 
       permission to the anonymous user (chmod 751 ~ftp/incoming).  This will 
       permit the anonymous user to change directory (cd), but will not allow 
       the user to view the contents of the directory.

	   drwxr-x--x  4   root    system  512 Jun 11      13:29 incoming/

       Create subdirectories in the ~ftp/incoming using names known only 
       between your local users and the anonymous users that you want to 
       have "drop off" permission.  The same care used in selecting passwords
       should be taken in selecting these subdirectory names because the 
       object is to choose names that cannot be easily guessed.  Please do not
       use our example directory names of jAjwUth2 and MhaLL-iF.

           drwxr-x-wx 10   root    system  512 Jun 11      13:54 jAjwUth2/
           drwxr-x-wx 10   root    system  512 Jun 11      13:54 MhaLL-iF/

       This will prevent the casual anonymous FTP user from writing files in 
       your anonymous FTP file system.  It is important to realize that this 
       method does not protect a site against the result of intentional or 
       accidental disclosure of the directory names.  Once a directory name 
       becomes public knowledge, this method provides no protection at all 
       from unwanted use of the area.  Should a name become public, a site 
       may choose to either remove or rename the writable directory.

    C. Using a single disk drive

       If your site is planning to offer a "drop off" service and is
       unable to modify the FTP daemon, it may be desirable to limit
       the amount of data transferred to a single file system mounted
       as ~ftp/incoming.  If possible, dedicate a disk drive and mount 
       it as ~ftp/incoming.

       The system administrator should monitor this directory (~ftp/incoming)
       on a continuing basis to ensure that it is not being misused.


III. Related CERT Advisories

    The following CERT Advisories directly relate to FTP daemons or impact
    on providing FTP service:

        CA-95:16.wu-ftpd.vul
        CA-93:06.wuarchive.ftpd.vulnerability
        CA-92:09.AIX.anonymous.ftp.vulnerability
        CA-88:01.ftpd.hole

    Past advisories are available from
	ftp://info.cert.org/pub/cert_advisories 
	http://www.sei.cmu.edu/technology/cert.cc.html

Copyright 1995 Carnegie Mellon University

This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

------------------------------------------------

archive@landfield.com