Securing FTP - Red Hat Enterprise Linux 5 Deployment Manual

Chapter 43. Securing Your Network
43.2.5.3. The UserDir Directive
The UserDir directive is disabled by default because it can confirm the presence of a user account
on the system. To enable user directory browsing on the server, use the following directives:
    UserDir enabled
    UserDir disabled root
These directives activate user directory browsing for all user directories other than /root/. To add
users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled
line.
43.2.5.4. Do Not Remove the IncludesNoExec Directive
By default, the Server-Side Includes (SSI) module cannot execute commands. It is recommended that
you do not change this setting unless absolutely necessary, as it could potentially enable an attacker
to execute commands on the system.
43.2.5.5. Restrict Permissions for Executable Directories
Ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do
this, type the following commands:
    chown root <directory_name>
    chmod 755 <directory_name>
Important
Always verify that any scripts running on the system work as intended before putting them
into production.
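
The following check is an added example, not part of the Red Hat manual: it reports any directory that does not match the chown root / chmod 755 policy above (wrong owner, or writable by group or others) and, going one step beyond the text, also walks subdirectories. The function name audit_exec_dirs and the path /var/www/cgi-bin in the usage comment are assumptions.

```shell
#!/bin/sh
# audit_exec_dirs OWNER DIR...
#
# Prints every directory at or below each DIR that is either
#   - not owned by OWNER (user name or numeric UID), or
#   - writable by group or by others (mode bits 020 or 002).
#
# Return status:
#   0  every directory matches the policy
#   1  at least one directory violates it (paths printed, one per line)
#   2  find itself failed (for example, DIR does not exist)
#
# Assumed usage on a web server (path is an assumption, adjust as needed):
#   audit_exec_dirs root /var/www/cgi-bin
audit_exec_dirs() {
    if [ "$#" -lt 2 ]; then
        echo "usage: audit_exec_dirs OWNER DIR..." >&2
        return 2
    fi

    owner=$1
    shift

    # -perm -020 / -perm -002 match when the group-write or
    # other-write bit is set, whatever the remaining bits are.
    bad=$(find "$@" -type d \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
            -print) || return 2

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Each path it prints can be corrected with the chown and chmod commands shown above.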

43.2.6. Securing FTP

The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network.
Because all transactions with the server, including user authentication, are unencrypted, it is
considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux provides three FTP servers.
• gssftpd — A Kerberos-aware xinetd-based FTP daemon that does not transmit authentication
information over the network.
• Red Hat Content Accelerator (tux) — A kernel-space Web server with FTP capabilities.
• vsftpd — A standalone, security-oriented implementation of the FTP service.
The following security guidelines are for setting up the vsftpd FTP service.