Administrator's Guide

4.1.2 Securing Anonymous ftp
If a .rhosts file is placed in /home/ftp (the home directory of the ftp account), an
unauthorized user could use rlogin to log in as the ftp user. The .rhosts file specifies
hosts and users that are allowed access to a local account using rcp, remsh, or rlogin
without a password. This is one reason the anonymous ftp tree must never be writable by
the ftp user. For more information, see hosts.equiv(4).
Following are some suggestions for making anonymous ftp more secure:
Make sure that neither /home/ftp nor any file or directory below it is writable:
$ chmod -R a-w /home/ftp
Make sure that the ftp entry in /etc/passwd is correctly configured: the password field
is an asterisk (the account is locked), the home directory is the anonymous ftp directory,
and the login shell is /usr/bin/false so that the account cannot be used for an
interactive login:
ftp:*:500:100:Anonymous FTP user:/home/ftp:/usr/bin/false
Make sure that all password fields in ~ftp/etc/passwd are asterisks (*):
$ more ~ftp/etc/passwd
root:*:0:3::/:/usr/bin/false
daemon:*:1:5::/:/usr/bin/false
If you must have a writable pub directory, use mode 1733. The owner has full access;
group and other have write and execute but not read, so anonymous users can create files
but cannot list what others have uploaded; the sticky bit (the leading 1) prevents users
from removing or renaming files they do not own:
$ chmod 1733 /home/ftp/pub
Use disk quotas or a cron job to control the size of /home/ftp/pub. The following crontab
entry removes, at 01:00 each day, anything under pub that has not been accessed for more
than one day:
0 1 * * * find /home/ftp/pub/* -atime +1 -exec rm -rf {} \;
Check anonymous ftp activity in /var/adm/syslog/syslog.log:
$ tail /var/adm/syslog/syslog.log
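The checks above can be run as a single audit. The following script is an added example
and is not part of the HP-UX guide; it takes the ftp root and the system passwd file as
arguments so that it can be pointed at a test tree, and it assumes the layout used in this
section (pub directory, ~ftp/etc/passwd, /usr/bin/false as the ftp shell). On a live
system it would be run as root with /home/ftp and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): audit an anonymous ftp tree
# against the checks listed in section 4.1.2. Each finding is printed as
# one line; no output means every check passed.
#
# Usage on a live system:  audit_anon_ftp /home/ftp /etc/passwd

audit_anon_ftp() {
    root=$1
    sys_passwd=$2

    # 1. Nothing under the ftp root may be group- or world-writable.
    #    The only exception is a pub directory with exactly mode 1733
    #    (sticky bit; owner rwx; group and other wx, so they can drop
    #    files but cannot list the directory).
    find "$root" \( -perm -002 -o -perm -020 \) -print | while read -r f; do
        if [ "$f" = "$root/pub" ] && \
           find "$f" -prune -type d -perm 1733 | grep -q .; then
            continue
        fi
        echo "WRITABLE: $f"
    done

    # 2. The ftp account must be locked (*), have the ftp root as its
    #    home directory, and use a non-interactive shell.
    entry=$(grep '^ftp:' "$sys_passwd") || true
    if [ -z "$entry" ]; then
        echo "PASSWD: no ftp entry in $sys_passwd"
    else
        pw=$(echo "$entry" | cut -d: -f2)
        home=$(echo "$entry" | cut -d: -f6)
        sh=$(echo "$entry" | cut -d: -f7)
        [ "$pw" = '*' ]          || echo "PASSWD: ftp password field is not *"
        [ "$home" = "$root" ]    || echo "PASSWD: ftp home is $home, expected $root"
        [ "$sh" = /usr/bin/false ] || echo "PASSWD: ftp shell is $sh, expected /usr/bin/false"
    fi

    # 3. Every password field in ~ftp/etc/passwd must be an asterisk.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: '$2 != "*" { print "FTPPASSWD: " $1 " is not locked" }' "$root/etc/passwd"
    else
        echo "FTPPASSWD: $root/etc/passwd is missing"
    fi
}

# Exit-status form for cron or a hardening script: returns 0 only when
# the audit produced no findings.
audit_anon_ftp_ok() {
    [ "$(audit_anon_ftp "$1" "$2" | wc -l | tr -d ' ')" -eq 0 ]
}

# Run the audit when invoked directly with the two paths.
if [ $# -eq 2 ]; then
    audit_anon_ftp "$1" "$2"
fi
```

The exact-mode test on pub (`-perm 1733` without a leading `-`) is deliberate: a pub directory
left at 1777 is world-readable and will be reported as writable, which is what you want.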
4.1.3 Denying Access Using /etc/ftpd/ftpusers
The inetd daemon starts the file transfer protocol server, ftpd, when a service request
arrives at the port listed for ftp in /etc/services. The ftpd server rejects remote logins
to local user accounts that are listed in /etc/ftpd/ftpusers. These user accounts are known
as restricted accounts. See ftpd(1M), privatepw(1), and services(4).
In the /etc/ftpd/ftpusers file, each restricted account name must appear by itself on a
line. Also add the accounts in /etc/passwd that have restricted login shells: ftpd accesses
local accounts without running their login shells, so a restricted shell alone does not
prevent an ftp login to that account.
If /etc/ftpd/ftpusers does not exist, ftpd does not perform this check at all, so create
the file even if it initially lists only the system accounts. For more information, see
ftpusers(4).
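The rule that every restricted-shell account belongs in /etc/ftpd/ftpusers can be applied
mechanically. The script below is an added example, not part of the HP-UX guide; it takes
the passwd file, the /etc/shells file and the current ftpusers file as arguments so it can
be run against constructed input. It assumes that any login shell absent from /etc/shells
(for example /usr/bin/false or /usr/bin/rsh) marks a restricted account, which is the
criterion this example uses for "restricted login shell"; it prints the merged list rather
than writing /etc/ftpd/ftpusers itself.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): build a candidate ftpusers list
# from a passwd file and an /etc/shells file, merged with the existing list.
#
# Usage on a live system:
#   gen_ftpusers /etc/passwd /etc/shells /etc/ftpd/ftpusers > /tmp/ftpusers.new
# then review /tmp/ftpusers.new before installing it as /etc/ftpd/ftpusers.

gen_ftpusers() {
    passwd=$1
    shells=$2
    existing=$3

    {
        # Keep every name already in the ftpusers file, if it exists.
        [ -f "$existing" ] && cat "$existing"

        # Add every account whose login shell is not an approved shell.
        # Assumption of this example: a shell missing from /etc/shells
        # (or an empty shell field) means a restricted account. Comment
        # and blank lines in /etc/shells are ignored.
        awk -F: '
            NR == FNR { if ($0 !~ /^#/ && $0 != "") ok[$0] = 1; next }
            !($7 in ok) { print $1 }
        ' "$shells" "$passwd"
    } | grep -v '^[[:space:]]*$' | sort -u
}

# Return 0 if ftpd would refuse this account: the name must appear by
# itself on a line of the ftpusers file (a substring match is not enough).
ftp_user_denied() {
    grep -qx "$1" "$2"
}

# Print the merged list when invoked directly with the three paths.
if [ $# -eq 3 ]; then
    gen_ftpusers "$1" "$2" "$3"
fi
```

`grep -x` in ftp_user_denied mirrors the "by itself on a line" rule: an entry such as
`ftpadmin` does not deny the account `ftp`, and vice versa.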
On HP-UX 11i, the ftpd daemon is based on WU-FTPD, the ftpd implementation developed at
Washington University. The HP version of WU-FTPD includes increased access control,
enhanced logging capabilities, virtual host support, and RFC 1413 (Identification
Protocol) support.
For more information, see the HP-UX Remote Access Services Administrator's Guide:
http://www.hp.com/go/hpux-networking-docs
Click HP-UX 11i v3 Networking Software.