Wednesday, December 9, 2009

Secure existing ProFTPd server installation

SkyHi @ Wednesday, December 09, 2009

secure-proftpd

ProFTPd is a high-performant, extremely configurable and most of all secure FTP server written for use on Unix and Unix-like operating systems. The FTP daemon has Apache-like configuration syntax and supports virtual servers – a parallel FTP environments that are physically located on the same system but that answer to different IP addresses or ports.

ProFTPD generally uses a single configuration file, found at /etc/proftpd.conf or at /etc/proftpd/proftpd.conf. This small cheatsheet describes directives in config file that helps to harden currently running ProFTPd instance.

To quickly secure ProFTPd server – open config file and make the following changes:

<code>ServerType standalone
ServerName "SysAdmin.MD secured FTP server"
ServerIdent on "FTP server"
DeferWelcome on

UseIPv6 off
IdentLookups off

MaxInstances 30
MaxClients 10
MaxLoginAttempts 10 "Maximum number of allowed users are already connected (%m)"

DefaultRoot ~
AllowFilter "^[a-zA-Z0-9 ,]*$"
</code>

Below is a short explanation for each directive:

ServerType
Set the mode ProFTPd runs in. In standalone mode, a new connections to the server results in spawned child process for each new-connected client.

ServerIdent
Sets the default message displayed when a new client connects. You can check this message by connecting with telnet to ftp port. Example:

<code>srv:~# telnet 127.0.0.1 21<br />Trying 127.0.0.1...<br />Connected to 127.0.0.1.<br />Escape character is '^]'.<br />220 <strong>FTP server</strong></code>

DeferWelcome
Enabling this directive makes initial welcome message to be exceedingly generic and do not give any type of information about the host.

UseIPv6
Set to off to disable IPv6 protocol support which is annoying on IPv4 only boxes.

IdentLookups
Tells ProFTPd to disable attempts to identify the remote username when a client initially connects to the server.

MaxInstances
The directive configures the maximum number of child processes that may be spawned by a parent proftpd process in standalone mode. This directive is used to prevent undesirable denial-of-service attacks.

MaxClients
Configures the maximum number of authenticated clients which may be logged into a server. Once this limit is reached, additional clients attempting to authenticate will be disconnected with message:
Maximum number of allowed users are already connected.

DefaultRoot
The DefaultRoot directive controls the default root directory assigned to a user upon login.
Symbol ~ means that the client is chroot-jailed into their home directory

AllowFilter
AllowFilter controls what characters may be sent in a command to ProFTPD to prevent some possible types of attacks against FTP daemon.
Symbols "^[a-zA-Z0-9 ,]*$" tells to daemon to only accept commands containing alphanumeric characters and white-space.


Reference: http://www.sysadmin.md/secure-existing-proftpd-server-installation.html