Securing the FTP service on HP-UX: Introduction to the ftpaccess file
By Chris Wong
In the past there were only a few supported configuration options available for configuring the File Transfer Protocol (FTP) service on HP-UX. Today, HP-UX supports additional security methods developed by the
The FTP configuration file is the ftpaccess file. It resides in the /etc/ftpd directory. If you do not currently have one, make a copy from the one located in the newconfig directory:
On HP-UX 11:
# cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess
On HP-UX 11i:
# cp /usr/newconfig/etc/ftpd/examples/ftpaccess /etc/ftpd/ftpaccess
The FTP daemon will not use the configuration file until the /etc/inetd.conf file is edited to include the following:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a /etc/ftpd/ftpaccess
Replacing the lowercase “a” with the uppercase “A” will disable the use of the FTP configuration file. For the Internet Daemon to read this new configuration setting, you must run inetd with the “-c” option (inetd -c). The following are examples of a few of the options available in the configuration file:
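Before running inetd -c it is worth confirming which of the two flags is actually in effect. The following script is an added example, not part of the article: it parses an inetd.conf-style file and reports how the ftp entry starts ftpd. The inetd.conf fragments it reads are constructed samples; the field layout it assumes (service, socket type, protocol, wait flag, user, server, arguments) is the standard inetd.conf one.

```shell
#!/bin/sh
# Added example (not from the article): report how the ftp entry in an
# inetd.conf-style file starts ftpd, so you can confirm that -a (use the
# ftpaccess file) rather than -A (ignore it) is in effect before inetd -c.

ftpaccess_status() {
    # $1: path to an inetd.conf file. Prints exactly one of:
    #   "enabled <path>"  ftpd is started with -a <path>
    #   "disabled"        ftpd is started with -A, so ftpaccess is ignored
    #   "unconfigured"    ftp entry present but carries neither -a nor -A
    #   "missing"         no active ftp entry (a commented-out one counts as missing)
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        $1 == "ftp" && $2 == "stream" {
            found = 1
            # fields 1-7: service socket proto wait user server argv0; options follow
            for (i = 8; i <= NF; i++) {
                if ($i == "-a" && i < NF) { print "enabled " $(i + 1); exit }
                if ($i == "-A")           { print "disabled"; exit }
            }
            print "unconfigured"; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample inetd.conf fragments, written to a scratch directory.
demo=${TMPDIR:-/tmp}/inetd_demo.$$
mkdir -p "$demo"
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# ftp with the configuration file enabled' \
    'ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a /etc/ftpd/ftpaccess' \
    'telnet stream tcp nowait root /usr/lbin/telnetd telnetd' > "$demo/enabled.conf"
printf '%s\n' 'ftp stream tcp nowait root /usr/lbin/ftpd ftpd -A' > "$demo/disabled.conf"
printf '%s\n' 'ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l' > "$demo/plain.conf"
printf '%s\n' '#ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a /etc/ftpd/ftpaccess' > "$demo/off.conf"

# Usage on a real system would simply be: ftpaccess_status /etc/inetd.conf
for f in enabled disabled plain off; do
    printf '%-9s %s\n' "$f:" "$(ftpaccess_status "$demo/$f.conf")"
done
```

The check deliberately treats a commented-out ftp line as "missing" and an entry without either flag as "unconfigured", since in both cases the ftpaccess file is not being consulted even though the line may look correct at a glance.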
noretrieve:
Example:
noretrieve /etc/passwd /etc/group core .netrc .rhosts
Description:
Files listed after the noretrieve option are files that cannot be retrieved with FTP. When only the file name is specified (as with core, .netrc, and .rhosts), then no files on the system with that name can be retrieved. When the full pathname is used (as in /etc/passwd and /etc/group), that specific file cannot be retrieved. In this example, /etc/passwd could not be retrieved but a file named /tmp/passwd or /etc/passwd.old could be retrieved.
deny:
Example:
deny ctg500g /etc/ftpd/ctg500g_denymsg
Description:
The deny option is used to deny access to a particular host or a group of hosts. In addition, a message can be displayed to the client attempting FTP access. The “!nameserved” parameter can also be used as the hostname to prohibit access to sites that do not have a working nameserver. Note that the parameter ends in “d”, not “r”.
loginfails:
Example:
loginfails 2
Description:
The loginfails option is used to limit the number of FTP login attempts before the connection is terminated. The default value is 5.
banner:
Example:
banner /etc/ftpd/banner_msg
Description:
This displays a banner to the client prior to the name prompt.
message:
Example:
message /home/ftp/etc/message_msg login
Description:
The contents of the message file are displayed to the client after successful login. You may note that I placed this message file in a different directory. The message file must be placed in a directory that grants the client execute access. The permissions on the /etc/ftpd directory do not allow the client (other) execute access. However, the /home/ftp/etc directory does, so I placed the message file here. The sample ftpaccess file uses the /etc/msgs directory; this directory is not automatically created. The banner file can be placed in the /etc/ftpd directory since it is the FTP daemon that is reading this file, not the client (they have yet to login). The minimum file permissions on the message file are 444.
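An added check, not from the article, for the two permission conditions just described: the message file's directory must grant the client (other) execute access, and the file itself must be readable by other (444 minimum). The directories and files it inspects are constructed in a scratch directory to stand in for /home/ftp/etc and /etc/ftpd. Parsing ls -ld instead of calling stat is an assumption made so the script runs on a stock HP-UX system.

```shell
#!/bin/sh
# Added example (not from the article): would an FTP client be able to read a
# message file? Two conditions from the article are tested: the containing
# directory grants "other" execute (search) access, and the file grants
# "other" read access (mode 444 is the minimum). ls -ld output is parsed
# because stat(1) is assumed not to be present on a stock HP-UX install.

client_can_read() {
    # $1: message file. Prints "ok", or the first failing condition and returns 1.
    file=$1
    dir=$(dirname "$file")
    [ -f "$file" ] || { echo "no such file: $file"; return 1; }
    dirbits=$(ls -ld "$dir" | cut -c1-10)     # e.g. drwxr-xr-x
    filebits=$(ls -ld "$file" | cut -c1-10)   # e.g. -r--r--r--
    case $dirbits in
        ?????????[xt]) ;;                     # 10th character: other execute (or sticky+execute)
        *) echo "$dir: other needs execute access"; return 1 ;;
    esac
    case $filebits in
        ???????r??) ;;                        # 8th character: other read
        *) echo "$file: other needs read access (444 minimum)"; return 1 ;;
    esac
    echo ok
}

# Constructed stand-ins: "open" behaves like /home/ftp/etc (755), "closed"
# like /etc/ftpd as described in the article (no execute for other).
demo=${TMPDIR:-/tmp}/ftpmsg_demo.$$
mkdir -p "$demo/open" "$demo/closed"
trap 'rm -rf "$demo"' EXIT
chmod 755 "$demo/open"
chmod 750 "$demo/closed"
printf 'Hello %%U from %%R.\n' > "$demo/open/message_msg";   chmod 444 "$demo/open/message_msg"
printf 'Hello %%U from %%R.\n' > "$demo/open/private_msg";   chmod 640 "$demo/open/private_msg"
printf 'Hello %%U from %%R.\n' > "$demo/closed/message_msg"; chmod 444 "$demo/closed/message_msg"

for f in open/message_msg open/private_msg closed/message_msg; do
    printf '%-20s %s\n' "$f:" "$(client_can_read "$demo/$f")"
done
```

On a real system the call is simply client_can_read /home/ftp/etc/message_msg. Only the immediate parent directory is tested, which matches the article's statement; every directory above it must of course also be searchable by the client.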
The message option has additional parameters that can be used with it. The message file can contain what is known as “macros” or “magic cookies”. Basically, these are variables for information such as the local date/time and the local host name. There are several variables available. In the following example, 3 of these variables are used in the message_msg file:
Hello %U from %R.
The current time is %T
Service will be down for maintenance on Sunday.
The following is displayed to the user named user100 from a host named ctg800:
230-Hello user100 from ctg800.
230-The current time is Wed Jan 22
230-Service will be down for maintenance on Sunday
readme:
Example:
readme /home/ftp/pub/filex login
Description:
When the file exists, the user is told when it was last modified.
These few examples are just some of the many options available. They can all be viewed by reading the man page for ftpd (man 4 ftpd). One of the parameters that is available to use with many of the options is called class. A class is a grouping of hosts. At the beginning of the ftpaccess file you should define the classes. In the following example, a class named “prod” is created. This class is for the production servers.
class prod real ctg700 ctg701
The entry “real” describes the type of users. Anonymous, guest, and real are the three types of FTP users. Following the user type is the list of members. In this example there are two hosts in the prod class. Now that we have created a class, let’s see how we can use it with the message option:
message:
Example:
message /home/ftp/etc/message_prodmsg login prod
When an option supports a class, only the listed class(es) use the option. Each option can have multiple entries. In the above example, the message (message_prodmsg) is only displayed to clients who connect from either of the production boxes (ctg700 or ctg701). Note that the name of the message was changed to include the name of the class. You will want to do this since you can have multiple message statements using different classes. Let’s look at another option:
limit:
Example:
limit prod 2 Any /home/ftp/etc/limit_prodmsg
Description:
The limit option grants the administrator the ability to limit the number of FTP sessions. When the class option is used, the limit can be assigned per class. In this example we are limiting the production class to 2 concurrent FTP sessions. The “Any” refers to “Any week day”. Limits can be set for various days and times. For example, Fr0900-1700 can be used for Friday between
When creating classes the order is important. A host can only belong to one class. The first class it can become a member of will be its class. If you are unsure of which class a host is assigned to, simply create a message entry for each class. In the message text state the class name.
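The class rules above (the first class whose member list contains the host wins, and an option with no class list applies to everyone) and the message macros described earlier can be exercised together with the following added script. It is not part of the article and not a tool shipped with HP-UX. Given an ftpaccess file, a login name, a remote host and a user type, it prints the 230- lines that client would see at login, which is a quicker way to find a host's class than the per-class message entries the article suggests. Assumptions: only exact host names are matched (the daemon also accepts address patterns, which are not modelled), and the time for %T is passed in as a string so the output is repeatable. The class "dev", the host ctg900 and the message texts other than the article's are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the article. Given an ftpaccess file, a login name,
# a remote host and a user type, print the "230-" lines that client would see
# at login, applying the rules the article states: the first class whose
# member list contains the host wins, a message line with no class list is
# shown to everyone, and %U/%R/%T are expanded. Assumptions: only exact host
# names are matched, and the %T value is supplied by the caller.

resolve_class() {
    # $1 ftpaccess file, $2 remote host, $3 user type (real, guest or anonymous)
    # Prints the class name, or nothing if the host is in no class for that type.
    awk -v host="$2" -v utype="$3" '
        $1 == "class" {
            # field 3 is a comma-separated list of the user types the class covers
            n = split($3, types, ",")
            ok = 0
            for (t = 1; t <= n; t++) if (types[t] == utype) ok = 1
            if (!ok) next
            # fields 4.. are the members; the first class line that lists the host wins
            for (i = 4; i <= NF; i++) if ($i == host) { print $2; exit }
        }
    ' "$1"
}

preview_login_messages() {
    # $1 ftpaccess file, $2 login name (%U), $3 remote host (%R),
    # $4 local time string (%T), $5 user type
    cls=$(resolve_class "$1" "$3" "$5")
    awk -v user="$2" -v host="$3" -v now="$4" -v cls="$cls" '
        $1 == "message" && $3 == "login" {
            show = (NF == 3)                   # no class list: everyone sees it
            for (i = 4; i <= NF; i++) if ($i == cls) show = 1
            if (!show) next
            # field 2 is the message file; an unreadable file is skipped silently
            while ((getline text < $2) > 0) {
                gsub(/%U/, user, text)
                gsub(/%R/, host, text)
                gsub(/%T/, now, text)
                print "230-" text
            }
            close($2)
        }
    ' "$1"
}

# Constructed sample configuration modelled on the article's entries.
# ctg700 appears in both classes; because prod is listed first it is a
# prod host and never sees the dev message.
demo=${TMPDIR:-/tmp}/ftpaccess_demo.$$
mkdir -p "$demo"
trap 'rm -rf "$demo"' EXIT
cat > "$demo/message_msg" <<'EOF'
Hello %U from %R.
The current time is %T
Service will be down for maintenance on Sunday.
EOF
cat > "$demo/message_prodmsg" <<'EOF'
%R is a production server: change freeze is in effect.
EOF
cat > "$demo/message_devmsg" <<'EOF'
Development class notice for %U.
EOF
cat > "$demo/ftpaccess" <<EOF
# constructed sample ftpaccess
class prod real ctg700 ctg701
class dev  real ctg700 ctg800
message $demo/message_msg login
message $demo/message_prodmsg login prod
message $demo/message_devmsg login dev
EOF
DEMO_FTPACCESS=$demo/ftpaccess

# Usage on a real system: preview_login_messages /etc/ftpd/ftpaccess user100 ctg700 "$(date)" real
preview_login_messages "$DEMO_FTPACCESS" user100 ctg700 "Wed Jan 22" real
```

For the sample above, user100 connecting from ctg700 sees the three general lines followed by the prod message only; a host that is in no class (ctg900) sees just the general lines. Running the same preview for each host in a new class definition is a cheap way to catch an ordering mistake before the file goes live.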
Next time we will go over additional features of the ftpaccess file as well as the ftphosts and ftpgroups files.
Chris Wong is a technical consultant and trainer based in Bellevue, WA. She is the author of the HP Press book HP-UX 11i Security. http://newfdawg.com
All Rights Reserved, Copyright 2000 - 2002, TechTarget