WuFTP

From HerzbubeWiki

Service disabled

I have now disabled the FTP service and uninstalled (purged) the wu-ftpd package, because I almost never use FTP, and the service has been under continuous attack since day zero.

Note: To re-enable the service, in addition to re-installing the Debian package the corresponding FTP ports must also be re-opened on the ADSL router.


Debian packages

The following Debian packages need to be installed:

wu-ftpd


Configuration

DebConf configuration is almost perfect:

  • daemon is started through inetd
  • sessions are logged via syslogd (option "-l" in /etc/inetd.conf)

For security reasons, FTP users are not allowed to navigate outside of their home directories. To prevent such navigation, edit the file

/etc/wu-ftpd/ftpaccess

and add the following line

restricted-uid *

Note: The Debian package wu-ftpd seems to be pre-compiled so that it always uses ftpaccess. A regularly built daemon, however, would need the '-a' option to be present in /etc/inetd.conf.


Who can log in?

  • Only users that appear in /etc/passwd
  • Only users that do not appear in /etc/ftpusers. For instance, root is inside this file, which prevents FTP access by root.
  • Entry in /etc/passwd must have a valid system shell
    • Valid system shells are listed in /etc/shells
    • This file is read by the system function getusershell() which is used by wu-ftpd
  • If the user name is ftp or anonymous, the special guest account ftp must exist in /etc/passwd; if it exists, wu-ftpd executes a chroot() to the guest user's home directory
    • Since there is no guest account on my system, no anonymous FTP access is possible

The combination of all these requirements should make sure that system users (e.g. www-data) are not able to log in. They either do not have a valid shell, or they do not have a password.
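As an added example (not part of the original wiki page), the following Python script audits which accounts would pass the login requirements listed above. It runs against constructed sample copies of /etc/passwd, /etc/shadow, /etc/ftpusers and /etc/shells rather than the real files; treating a shadow password field that starts with `*` or `!` as "does not have a password" is an assumption about how locked accounts look on Debian.

```python
# Constructed sample files standing in for /etc/passwd, /etc/shadow,
# /etc/ftpusers and /etc/shells on a Debian host (not real system data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
"""
SAMPLE_SHADOW = """\
root:$6$constructedhash:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$constructedhash:19000:0:99999:7:::
bob:!$6$constructedhash:19000:0:99999:7:::
carol:$6$constructedhash:19000:0:99999:7:::
"""
SAMPLE_FTPUSERS = "root\ndaemon\nwww-data\n"
SAMPLE_SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n"


def _lines(text):
    """Yield stripped, non-empty, non-comment lines of a config file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def ftp_allowed_users(passwd, shadow, ftpusers, shells):
    """Return the account names that satisfy every wu-ftpd login rule:
    present in passwd, absent from ftpusers, shell listed in shells,
    and a usable password (assumption: '*' or '!' prefix means locked)."""
    denied = set(_lines(ftpusers))
    valid_shells = set(_lines(shells))
    locked = {e.split(":")[0] for e in _lines(shadow)
              if e.split(":")[1][:1] in ("*", "!")}
    allowed = []
    for entry in _lines(passwd):
        fields = entry.split(":")
        name, shell = fields[0], fields[6]
        if name in denied or shell not in valid_shells or name in locked:
            continue
        allowed.append(name)
    return allowed


def anonymous_possible(passwd):
    """Anonymous/ftp logins need the guest account 'ftp' in /etc/passwd."""
    return any(e.split(":")[0] == "ftp" for e in _lines(passwd))
```

On the sample data only alice gets through: root and www-data are listed in ftpusers, bob's password is locked, and carol's shell is not in /etc/shells.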