5.3. Securing FTP
If you really must use FTP (without wrapping it with sslwrap or running it inside an SSL or SSH tunnel), you should chroot ftp into the ftp users' home directories so that users cannot see anything outside their own directory. Otherwise they could traverse your file system just as if they had a shell on it. To enable this chroot feature, add the following line to the global section of proftpd.conf:
- DefaultRoot ~
Restart ProFTPd with /etc/init.d/proftpd restart and check whether you can still escape from your home directory.
To prevent ProFTPd DoS attacks using ../../.., add the following line to /etc/proftpd.conf:
- DenyFilter \*.*/
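The two directives above are easy to forget or to place in the wrong context (a DefaultRoot inside an <Anonymous> block does nothing for authenticated users). The following audit script is an added example, not part of the Debian manual or of ProFTPd itself; it checks a proftpd.conf for both hardening directives, ignoring anything inside <Anonymous> blocks, and exits non-zero when one is missing. The helper names (effective_directives, check_proftpd_conf) and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Debian manual or the ProFTPd project): audit a
# proftpd.conf for the two hardening directives the section recommends,
# "DefaultRoot ~" and "DenyFilter". Assumption: the file uses ProFTPd's
# Apache-like syntax; lines inside an <Anonymous> block are ignored because
# they do not apply to authenticated users.

# Print the non-comment lines that apply to real (non-anonymous) logins.
effective_directives() {
    awk '
        /^[[:space:]]*<Anonymous/   { in_anon = 1 }
        /^[[:space:]]*<\/Anonymous>/ { in_anon = 0; next }
        !in_anon && !/^[[:space:]]*#/ { print }
    ' "$1"
}

# Return 0 when both directives are present outside <Anonymous> blocks,
# 1 otherwise, naming whatever is missing.
check_proftpd_conf() {
    conf="$1"
    rc=0
    if ! effective_directives "$conf" | grep -qiE '^[[:space:]]*DefaultRoot[[:space:]]+~'; then
        echo "$conf: missing 'DefaultRoot ~' (users are not chrooted to their home)"
        rc=1
    fi
    if ! effective_directives "$conf" | grep -qiE '^[[:space:]]*DenyFilter[[:space:]]'; then
        echo "$conf: missing 'DenyFilter' (../ traversal patterns are not filtered)"
        rc=1
    fi
    return $rc
}

# Constructed sample configurations so the script runs stand-alone.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
ServerName "Debian"
<Global>
  DefaultRoot ~
  DenyFilter \*.*/
</Global>
EOF

# Weak configuration: DefaultRoot only appears in the anonymous context and
# DenyFilter is absent, so authenticated users are not protected.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
ServerName "Debian"
<Anonymous ~ftp>
  DefaultRoot ~
</Anonymous>
EOF

check_proftpd_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_proftpd_conf "$BAD_CONF" || echo "$BAD_CONF: needs hardening"
```

Run it against the real file with `check_proftpd_conf /etc/proftpd.conf` after sourcing the script; the grep patterns are case-insensitive because ProFTPd directive names are.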
Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service), and there are better alternatives in Debian for this, for example sftp (provided by ssh). There are also free implementations of SSH for other operating systems, for example http://www.chiark.greenend.org.uk/~sgtatham/putty/ and http://www.cygwin.com.
However, if you still maintain the FTP server while making users access it through SSH, you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in to the FTP server with their SSH credentials. While the access will be refused, the password will nevertheless be sent over the network in clear text. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users from feeding the anonymous FTP server valid SSH account passwords. More information and the patch are available at: http://www.castaglia.org/proftpd/#Patches. This patch has been reported to Debian too, see http://bugs.debian.org/145669.