Link to home
Start Free TrialLog in
Avatar of kaesm
kaesm

asked on

Securing FTP in AIX 5.1

I have one for all of you AIX guru's out there -

We have recently taken on a vendor who needs FTP-Put access to a directory on our UNIX server in order to send invoice confirmation files to us. Setting up the basic FTP service on our server was no problem but now I have an issue with security. The directory they need to access is /pro/pronto/edi/in/berger - this is the ONLY directory they need to place files in. I have their user home directory set to /pro/pronto/edi/in so when the session is initated - that's their default directory. The problem is they can cd to any other directory on the system from their with a standard FTP client and that's not a good thing. I can't mess up the security permissions for this directory structure or it will break other functions as well. ANY ideas would be VERY appreciated.
Avatar of cpc2004
cpc2004
Flag of Hong Kong image

Most FTP site use userid anoymous for ftp get and put. They use directory read and write access to enforce security. Unless you use ssh sftp otherwise it is impossible to enforce ftp security.  
Avatar of kaesm
kaesm

ASKER

So even though anonymous access is not configured on this FTP server - they can more or less go and see what ever they want?!?! That being the case - can you point me to some documents that explain how to set up SSH/SFTP?
SOLUTION
Avatar of Kent Olsen
Kent Olsen
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I have some question of your requirement
"The problem is they can cd to any other directory on the system from their with a standard FTP client and that's not a good thing. I can't mess up the security permissions for this directory structure or it will break other functions as well. ANY ideas would be VERY appreciated"
My question
1. Why do you allow the ftp user access another directory as it is not allowed
2. This is not an ftp issue and this is related to security setup of your installation. Do you allow a telnet session cd to a secure directory and remove files? Of course not and same to ftp users.


The general practicse
Restrict the read/write authority of the fto userid. The ftp userid cannot cd another directory but it doesn't have read/write access authority to other directory other than /pro/pronto/edi/in.

Q
Avatar of kaesm

ASKER

CPC2004
While your observations may seem simple to those experienced in AIX admin they are not to me. Had this been a Windows FTP server - none of this would have even been an issue. There are too many other users who need access to the parent directories to lock them down and not conflict with the other users/programs abilities. I guess what I am trying to say is that I'm not sure how to accomplish what you are suggesting. I've actually tried what you have suggested and only managed to create issue for the developer who is writing the program that all of this is being based on.

KDO
What you have suggested describes what I need to accomplish. Maybe it would be better to set this up using a different directory structure and restrict access to only those folders. Create a /ftp directory as the root ftp directory and construct the tree from there. My understanding of chroot is that it applies to the anonymous users. Can that principle be applied to the specific ftp user I have set up and/or the ftpuser group as well?

Cheers!
MK
Hi MK,

There are actually a lot of things to decide here.  Have you read the IBM documentation page on setting up the FTP server?

It's online here:

http://publib.boulder.ibm.com/infocenter/pseries/index.jsp?topic=/com.ibm.aix.doc/cmds/aixcmds2/ftpd.htm

In addition to the chroot(1) performed for user 'anonymous', AIX will also let you define directories as read-only, write-only, read-write, or off-limits.


Kent
Avatar of kaesm

ASKER

Kent,

This is getting me closer to my final destination.

I have an ftp structure configured with /home/ftp set as the root directory when you use the anonymous login. You cannot see the "real" root directory or anything else out of the ./ftp structure. Great - fantastic - exactly what I wanted. If I login using the vendors user account - I can cd anwhere I want. That's a bad thing. Now I just need to get the secure vendor account to behave exactly as the anonymous one does. I have looked at the document noted above but it doesn't prevent the user from migrating where every they desire.

MK
Hi MK,

Cool.  We're on the right track.  :)

Regarding security, is your user base fairly stable or do you add/delete users fairly often.  Also, do you want to allow FTP access for only a small set of users or all/most users?

My thinking here is that if the user base is fairly stable, you can simply add the users that aren't allow FTP access to the /etc/ftpusers file.  If you add/delete users fairly often, it can be a pain to keep the files in sync.  But a small shell script will do that for you.  Start a cron job that runs periodically.  If the passwd file has changed, it generates the /etc/ftpusers file.  (Of course, this is a backup process as your sysadmin will, of course, run this script every time he adds/deletes a user.)

Last, define the "regular" user that has ftp access in the /etc/ftpaccess.ctl file.  This forces AIX/FTP to treat the user as an anonymous account and perform a chroot(1).  This may or may not provide the total effect that you want, but it's a starting point.


Kent
Avatar of kaesm

ASKER

Our user base is more or less stable. Like many systems - it does have it's moments of change though. And there are really only a handfull of users that I want to give FTP access to anyway. I'm not sure if the system is reading the ftpaccess.ctl file I've already created or not. It doesn't seem to be. What should the command line be in the inetd for the ftp daemon be so that it reads this file? I'm looking into setting up Proftp as an alternative but I haven't been able to find an rpm package that will install. All of the "affinity" stuff is working as I've installed other rpm packages with no drama.

Matt

The command file should be read.  It might be that you've made changes to it since the last time that the daemon was started and need to restart the service.


refresh -s ftpd


Kent
Avatar of kaesm

ASKER

That's the command to refresh a subsystem not a subserver. What I have read thus far is to refresh inetd which does what you are refering to. I've actually gone so far as to stop/start the ftpd server via SMIT but that didn't change anything either. I've added the following lines to ftpaccess.ctl;

allow:ftpuser1,ftpuser2,ftpuser3
useronly:ftpuser1

We're are reaching critical mass with this from a time perspective so I may do a windows ftp server as a bridge until I can get the UNIX one working correctly.
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of kaesm

ASKER

I haven't been able to find an rpm that will install on my AIX server - any suggestions?
Avatar of kaesm

ASKER

I've discovered a number dependancies that are not installed for proftpd to work and will need to set that up first. For now - I have locked down the process via our firewall so that it's restricted by IP and FTP-PUT only. They can see the directories but cannot open or view anything. Not the best but it will get this working for now. In the mean time - I'm going to keep working on this. Thanks for everyone's help and if you have anymore suggestions, feel free...

Cheers,

MK
you can fetch bff from www.bullfreeware.com
Avatar of kaesm

ASKER

ProFTPD was the answer. Thanks for all the help!