
5.3. Securing FTP

If you really must use the FTP service (without being able to wrap it in an SSL or SSH tunnel, or through sslwrap), you should use chroot to jail FTP into the ftp user's home directory, so that the user cannot see anything other than their own directory. Otherwise they could traverse the root filesystem as if they had a shell on the system. You can add the following line to your proftpd.conf in the global section to enable the chroot feature:
DefaultRoot ~
Restart ProFTPd with /etc/init.d/proftpd restart and check whether you can still escape from your home directory.
To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf:
DenyFilter \*.*/
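Both directives are easy to lose when a configuration is copied between hosts or rewritten during an upgrade. The following POSIX shell script is an added example, not part of the Securing Debian Manual or of ProFTPd itself: it reads a proftpd.conf, keeps only the directives that apply server-wide (outside <Anonymous> and <VirtualHost> containers; a <Global> container counts as server-wide), and reports whether DefaultRoot ~ and a DenyFilter are present. The two sample configurations it writes are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Securing Debian Manual or ProFTPd): audit a
# proftpd.conf for the two hardening directives discussed in section 5.3.
# Directive names and container syntax are ProFTPd's; everything else here is
# constructed for the demo.

# Print the directives that apply to the main server: lines outside any
# <Anonymous>/<VirtualHost>/<Directory>... container. A <Global> container is
# treated as server-wide, so its contents are kept. Comments are stripped
# (a '#' inside a quoted value is also stripped, which is fine for this audit).
global_directives() {
    awk '
        { line = $0; sub(/#.*/, "", line) }
        line ~ /^[[:space:]]*<\/[Gg]lobal>/ { next }
        line ~ /^[[:space:]]*<[Gg]lobal>/   { next }
        line ~ /^[[:space:]]*<\//          { depth--; next }
        line ~ /^[[:space:]]*</            { depth++; next }
        depth == 0 && line ~ /[^[:space:]]/ { print line }
    ' "$1"
}

# True when "DefaultRoot ~" (jail users in their home directory) is set server-wide.
has_default_root() {
    global_directives "$1" | grep -qiE '^[[:space:]]*DefaultRoot[[:space:]]+~'
}

# True when some DenyFilter pattern is set server-wide.
has_deny_filter() {
    global_directives "$1" | grep -qiE '^[[:space:]]*DenyFilter[[:space:]]+[^[:space:]]'
}

# Report both checks; exit status 0 only when both directives are present.
audit_proftpd_conf() {
    rc=0
    if has_default_root "$1"; then
        echo "ok:      DefaultRoot ~ is set (users are chrooted to their home)"
    else
        echo "MISSING: DefaultRoot ~ (users can traverse the whole filesystem)"
        rc=1
    fi
    if has_deny_filter "$1"; then
        echo "ok:      DenyFilter is set"
    else
        echo "MISSING: DenyFilter (no protection against ../../.. requests)"
        rc=1
    fi
    return $rc
}

# Constructed sample configurations (not real files from any system).
HARDENED_CONF=$(mktemp)
WEAK_CONF=$(mktemp)
trap 'rm -f "$HARDENED_CONF" "$WEAK_CONF"' EXIT

cat > "$HARDENED_CONF" <<'EOF'
ServerName "demo"
# jail every user in their home directory
DefaultRoot ~
DenyFilter \*.*/
<Anonymous /srv/ftp>
  User ftp
</Anonymous>
EOF

cat > "$WEAK_CONF" <<'EOF'
ServerName "demo"
<Anonymous /srv/ftp>
  # chroot only inside the anonymous area, so real users are not jailed
  DefaultRoot ~
</Anonymous>
EOF

echo "== hardened sample =="; audit_proftpd_conf "$HARDENED_CONF"
echo "== weak sample ==";     audit_proftpd_conf "$WEAK_CONF" || true
```

To audit a real host, call audit_proftpd_conf /etc/proftpd.conf. The script only inspects the configuration file; after restarting ProFTPd, still log in and try to change directory above your home, since that confirms what the running daemon actually enforces.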
Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service) and there are better alternatives in Debian for this. For example, sftp (provided by ssh). There are also free implementations of SSH for other operating systems: http://www.chiark.greenend.org.uk/~sgtatham/putty/ and http://www.cygwin.com for example.
However, if you still maintain the FTP server while making users access the system through SSH, you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in to the FTP server with their real accounts. While the access will be refused, the password will nevertheless be sent over the network in clear text. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users from feeding valid SSH account credentials to the anonymous FTP server. More information and the patch are available at: http://www.castaglia.org/proftpd/#Patches. This patch has been reported to Debian too, see http://bugs.debian.org/145669.