I have now disabled the FTP service and uninstalled (purged) the wu-ftpd package, because I almost never use FTP, and the service has been under continuous attack since day zero.
Note: To re-enable the service, in addition to re-installing the Debian package the corresponding FTP ports must also be re-opened on the ADSL router.
The following Debian packages need to be installed
DebConf configuration is almost perfect:
- daemon is started through inetd
- sessions are logged via syslogd (option "-l" in /etc/inetd.conf)
Due to security reasons, FTP users are not allowed to navigate outside of their home directories. To prevent such navigation, edit the file
and add the following line
Note: The Debian package wu-fptd seems to be pre-compiled so that it always uses ftpaccess. A regularly built daemon, however, would need the '-a' option to be present in /etc/inetd.conf.
Who can log in?
- Only users that appear in /etc/passwd
- Only users that do not in /etc/ftpusers. For instance, root is inside this file, which prevents FTP access by root.
- Entry in /etc/passwd must have a valid system shell
- Valid system shells are listed in /etc/shells
- This file is read by the system function getusershell() which is used by wu-ftpd
- If the user name is ftp or anonymous, the special guest account ftp must exist in /etc/passwd; if it exists, wu-ftpd executes a chroot() to the guest user's home directory
- Since there is no guest account on my system, no anonymous FTP access is possible
The combination of all these requirements should make sure that system users (e.g. www-data) are not able to log in. They either do not have a valid shell, or they do not have a password.