• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 15069
  • Last Modified:

Securing FTP in AIX 5.1

I have one for all of you AIX gurus out there -

We have recently taken on a vendor who needs FTP-Put access to a directory on our UNIX server in order to send invoice confirmation files to us. Setting up the basic FTP service on our server was no problem but now I have an issue with security. The directory they need to access is /pro/pronto/edi/in/berger - this is the ONLY directory they need to place files in. I have their user home directory set to /pro/pronto/edi/in so when the session is initiated - that's their default directory. The problem is they can cd to any other directory on the system from there with a standard FTP client and that's not a good thing. I can't mess up the security permissions for this directory structure or it will break other functions as well. ANY ideas would be VERY appreciated.
0
Asked:
kaesm
2 Solutions
 
cpc2004Commented:
Most FTP sites use the userid anonymous for ftp get and put. They use directory read and write access to enforce security. Unless you use ssh sftp, it is impossible to enforce ftp security.
0
 
kaesmAuthor Commented:
So even though anonymous access is not configured on this FTP server - they can more or less go and see what ever they want?!?! That being the case - can you point me to some documents that explain how to set up SSH/SFTP?
0
 
Kent OlsenData Warehouse Architect / DBACommented:
Hi kaesm,

It sounds like you want/need to set up the FTP server so that it forces the client to a particular directory tree using chroot.

Here's a man page on the FTP server daemon.  It's probably not detailed enough to get you through configuring the server, but it has a lot of good information.  Read through it and see if it offers the kind of protection that you need.

  http://resin.csoft.net/cgi-bin/man.cgi?section=8&topic=ftpd


I'll be glad to help you set up the server.
Kent
0

 
cpc2004Commented:
I have some questions about your requirement:
"The problem is they can cd to any other directory on the system from their with a standard FTP client and that's not a good thing. I can't mess up the security permissions for this directory structure or it will break other functions as well. ANY ideas would be VERY appreciated"
My questions:
1. Why do you allow the ftp user to access another directory if it is not allowed?
2. This is not an ftp issue; it is related to the security setup of your installation. Do you allow a telnet session to cd to a secure directory and remove files? Of course not, and the same applies to ftp users.


The general practice:
Restrict the read/write authority of the ftp userid. The ftp userid cannot cd to another directory, but it doesn't have read/write access to any directory other than /pro/pronto/edi/in.

Q
0
 
kaesmAuthor Commented:
CPC2004
While your observations may seem simple to those experienced in AIX admin, they are not to me. Had this been a Windows FTP server - none of this would have even been an issue. There are too many other users who need access to the parent directories to lock them down and not conflict with the other users'/programs' abilities. I guess what I am trying to say is that I'm not sure how to accomplish what you are suggesting. I've actually tried what you have suggested and only managed to create issues for the developer who is writing the program that all of this is being based on.

KDO
What you have suggested describes what I need to accomplish. Maybe it would be better to set this up using a different directory structure and restrict access to only those folders. Create a /ftp directory as the root ftp directory and construct the tree from there. My understanding of chroot is that it applies to the anonymous users. Can that principle be applied to the specific ftp user I have set up and/or the ftpuser group as well?

Cheers!
MK
0
 
Kent OlsenData Warehouse Architect / DBACommented:
Hi MK,

There are actually a lot of things to decide here.  Have you read the IBM documentation page on setting up the FTP server?

It's online here:

http://publib.boulder.ibm.com/infocenter/pseries/index.jsp?topic=/com.ibm.aix.doc/cmds/aixcmds2/ftpd.htm

In addition to the chroot(1) performed for user 'anonymous', AIX will also let you define directories as read-only, write-only, read-write, or off-limits.


Kent
0
 
kaesmAuthor Commented:
Kent,

This is getting me closer to my final destination.

I have an ftp structure configured with /home/ftp set as the root directory when you use the anonymous login. You cannot see the "real" root directory or anything else outside of the ./ftp structure. Great - fantastic - exactly what I wanted. If I log in using the vendor's user account - I can cd anywhere I want. That's a bad thing. Now I just need to get the secure vendor account to behave exactly as the anonymous one does. I have looked at the document noted above but it doesn't prevent the user from migrating wherever they desire.

MK
0
 
Kent OlsenData Warehouse Architect / DBACommented:
Hi MK,

Cool.  We're on the right track.  :)

Regarding security, is your user base fairly stable or do you add/delete users fairly often? Also, do you want to allow FTP access for only a small set of users or all/most users?

My thinking here is that if the user base is fairly stable, you can simply add the users that aren't allowed FTP access to the /etc/ftpusers file.  If you add/delete users fairly often, it can be a pain to keep the files in sync.  But a small shell script will do that for you.  Start a cron job that runs periodically.  If the passwd file has changed, it generates the /etc/ftpusers file.  (Of course, this is a backup process as your sysadmin will, of course, run this script every time he adds/deletes a user.)

Last, define the "regular" user that has ftp access in the /etc/ftpaccess.ctl file.  This forces AIX/FTP to treat the user as an anonymous account and perform a chroot(1).  This may or may not provide the total effect that you want, but it's a starting point.


Kent
0
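The script Kent describes above, written out as an added example that is not part of the thread and not an AIX-supplied tool: it derives an ftpusers-style deny list from a passwd file by listing every login that is not on an explicit allow list, and rewrites the target only when the generated list has changed, so a cron run that finds nothing new touches nothing. The file paths are passed as arguments (an assumption made here so the functions can be exercised against constructed sample files rather than the live /etc/passwd and /etc/ftpusers); the allow-list file format, one login per line, is also an assumption of this example.

```shell
#!/bin/sh
# Added example: regenerate an ftpusers-style deny list from a passwd file.
# Every login in the passwd file that is NOT on the allow list is denied FTP.
# Paths are arguments (assumption of this example), so it can run on sample files.

# gen_ftpusers PASSWD_FILE ALLOW_FILE
# Prints, sorted and one per line, each login name from PASSWD_FILE that does
# not appear (as a whole line) in ALLOW_FILE.  grep exits 1 when nothing is
# left to deny (everyone allowed); treat that as success, not an error.
gen_ftpusers() {
    passwd_file=$1
    allow_file=$2
    cut -d: -f1 "$passwd_file" | sort -u | grep -v -x -F -f "$allow_file" \
        || [ $? -eq 1 ]
}

# update_ftpusers PASSWD_FILE ALLOW_FILE TARGET
# Writes the generated list to TARGET only if it differs from what is there.
# Returns 0 when TARGET was rewritten, 1 when it was already up to date,
# 2 when a temp file could not be created.
update_ftpusers() {
    tmp=$(mktemp) || return 2
    gen_ftpusers "$1" "$2" > "$tmp"
    if [ -f "$3" ] && cmp -s "$tmp" "$3"; then
        rm -f "$tmp"            # nothing changed since the last run
        return 1
    fi
    mv "$tmp" "$3"
    chmod 644 "$3"              # the FTP daemon only needs to read it
    return 0
}

# Demo on constructed sample data (not a real passwd file).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0::/:/bin/sh' \
    'ftpuser1:x:201:1::/pro/pronto/edi/in:/bin/false' \
    'daemon:x:1:1::/etc:/bin/false' \
    'kaesm:x:200:1::/home/kaesm:/bin/ksh' > "$demo_dir/passwd"
printf 'ftpuser1\n' > "$demo_dir/allow"

echo "Logins to be denied FTP:"
gen_ftpusers "$demo_dir/passwd" "$demo_dir/allow"

if update_ftpusers "$demo_dir/passwd" "$demo_dir/allow" "$demo_dir/ftpusers"; then
    echo "ftpusers rewritten"
else
    echo "ftpusers already current"
fi
rm -rf "$demo_dir"
```

For the live system you would call update_ftpusers with /etc/passwd, your allow list and /etc/ftpusers from a crontab entry; because the function compares content rather than timestamps, it also catches a hand edit of /etc/ftpusers that reopened FTP to someone. Keep the allow list small and reviewed, since anyone missing from it is denied by default, which is the safer failure mode for a deny-list file.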
 
kaesmAuthor Commented:
Our user base is more or less stable. Like many systems - it does have its moments of change though. And there are really only a handful of users that I want to give FTP access to anyway. I'm not sure if the system is reading the ftpaccess.ctl file I've already created or not. It doesn't seem to be. What should the command line in inetd for the ftp daemon be so that it reads this file? I'm looking into setting up Proftp as an alternative but I haven't been able to find an rpm package that will install. All of the "affinity" stuff is working as I've installed other rpm packages with no drama.

Matt
0
 
Kent OlsenData Warehouse Architect / DBACommented:

The command file should be read.  It might be that you've made changes to it since the last time that the daemon was started and need to restart the service.


refresh -s ftpd


Kent
0
 
kaesmAuthor Commented:
That's the command to refresh a subsystem, not a subserver. What I have read thus far is to refresh inetd, which does what you are referring to. I've actually gone so far as to stop/start the ftpd server via SMIT but that didn't change anything either. I've added the following lines to ftpaccess.ctl:

allow:ftpuser1,ftpuser2,ftpuser3
useronly:ftpuser1

We are reaching critical mass with this from a time perspective so I may do a windows ftp server as a bridge until I can get the UNIX one working correctly.
0
 
gheistCommented:
try pureftpd or proftpd. they chroot
0
 
kaesmAuthor Commented:
I haven't been able to find an rpm that will install on my AIX server - any suggestions?
0
 
kaesmAuthor Commented:
I've discovered a number of dependencies that are not installed for proftpd to work and will need to set that up first. For now - I have locked down the process via our firewall so that it's restricted by IP and FTP-PUT only. They can see the directories but cannot open or view anything. Not the best but it will get this working for now. In the meantime - I'm going to keep working on this. Thanks for everyone's help and if you have any more suggestions, feel free...

Cheers,

MK
0
 
gheistCommented:
you can fetch bff from www.bullfreeware.com
0
 
kaesmAuthor Commented:
ProFTPD was the answer. Thanks for all the help!
0
