oftpd: a Secure, Modern FTP Dæmon
FTP dæmons may not get much attention, but what attention they do get is in the form of security advisory after security advisory. There's not much hack value for most people in supporting something as old-school as FTP, so the state of the art has languished—until now. This article will introduce you to Shane Kerr's oftpd, an incredibly simple FTP dæmon that, we think, will start to replace the old, full-featured dæmons currently shipping on (and creating security issues for) Linux distributions everywhere.
Rick Moen, a Linux security guru who is also famous for his ability to install Linux on many obsolete or unusual systems, runs an FTP server mostly as an archive of Linux distributions to install over the network. Boot from floppy, select “Install from FTP” and Bob's your uncle. No need to figure out how to insmod the driver for somebody's ten-year-old 1x CD-ROM drive. (Please, don't everyone go knocking on Rick's door with your VIC-20s and PDP-8s; he gets plenty of challenges from regular installfests and user-group meetings.)
FTP remains useful for three reasons, Rick says. First, FTP provides automatic, informative directory listings, including file modification times, to facilitate mirroring. Second, there's no “index.html” to override a dæmon-generated directory listing in FTP, so it's easy to mirror entire directory trees or grab them with snarf.
Finally, Rick finds that you can get small FTP clients for legacy OSes or special situations where an HTTP client won't fit. For example, Rick used a MacOS FTP client to copy Debian floppies to an old Macintosh with no CD-ROM and insufficient memory for a web browser. People who install a lot of Red Hat or Red Hat-based systems using Kickstart floppies soon find that FTP installs are fast, convenient and let you keep a single software archive up-to-date on the FTP server. You can do the same thing with an NFS (Network File System) install, but FTP is faster.
The qualities people need from an FTP dæmon have changed since the old dæmons were written. First, the days of logging in to an FTP site with a username and password (which get sent in plaintext over the Net) are gone, gone, gone. People are using ssh, scp and other encrypted tools to protect their passwords on the Net when they transfer nonpublic files, so the FTP dæmon no longer needs to authenticate users. Second, performance matters. People aren't just using FTP to get an occasional piece of software or pass along work to colleagues. FTP servers should be prepared to get slammed by many clients all installing an entire Linux distribution at once.
So, the two goals for running a modern FTP server are: for security, simplify both your Policy and FTP dæmon to “anonymous FTP only”, and look for a dæmon that offers good performance. That's what brings us to oftpd.
For security, oftpd runs as a non-root user except for essential setup tasks. It runs “chrooted” to the public FTP directory. These features buy you a lot, security-wise, and an old-fashioned FTP dæmon that allows users to log in with a username and password that can't match it. For simplicity and performance, oftpd itself generates directory listings instead of running ls.
The first step in setting up oftpd is to get rid of the old ftp entry in inetd.conf. The FTP dæmon that probably came with your Linux distribution gets run by inetd, while oftpd runs standalone for speed. Just comment out the ftp line with a # at the beginning, so it looks something like this:
# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
Now killall -HUP inetd to restart inetd, so that it knows not to respond to connections on the FTP port. If you ftp localhost you should get a Connection refused.
Now, we're ready to move on to oftpd itself. First, the easy part. To compile and install, just unpack the tar file, cd into the resulting directory and use the One True GNU Way (./configure; make; make install). To keep everything in its appropriate, canonical place, supply the bindir argument to the configure script, so that make install will put the oftpd executable in /usr/local/sbin, which is the appropriate directory for locally built dæmons:
sh ./configure --bindir=/usr/local/sbin && make
Then su root and do:
make installThe installation is so generic that the INSTALL document in the version of oftpd I used begins simply, “These are generic installation instructions”. That's a good thing. By the time you read this, there will probably be RPM or deb packages for your favorite distribution, so check there first for an even easier install.
The above compile and install step, as well as the following three steps, will be handled for you if you install oftpd from an RPM or deb package, but you'll have to complete them if you're installing oftpd from source.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- The Qt Company's Qt Start-Up
- Devuan Beta Release
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- The Humble Hacker?
- The Death of RoboVM
- New Container Image Standard Promises More Portable Apps
- BitTorrent Inc.'s Sync
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide