Edgar Cole asked:

How do I disable anonymous FTP on an AIX Server

A recent security scan revealed that one of our servers is allowing anonymous FTP. I've been asked to disable anonymous FTP. To my knowledge, the absence of an "ftp" or "anonymous" login effectively disables that functionality. Neither of those accounts exists on the server. So, I'm in the dark as to what's raising the red flag.

woolmilkporc

Hi,

AIX has a means of configuring anonymous FTP apart from just creating the userids "ftp" and "anonymous".

The clue is in the file /etc/ftpaccess.ctl

The directives "useronly:" and "grouponly:" in that file define anonymous users.

There are more directives like "puseronly:" and "pgrouponly:" which define anonymous users that are password protected.

"allow:" and "deny:" restrict host access, and "readonly:" or "writeonly:" configure directory access.

Please check your system for the presence of that file!
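
An added example, not part of the original answer: a POSIX shell function that reads an ftpaccess.ctl file and labels each directive using the categories woolmilkporc describes above, returning a non-zero status when a "useronly:" or "grouponly:" entry is present. The labels (ANON, PASSWD, HOST, DIR, OTHER), the function names and the sample entries are this example's own assumptions.

```shell
#!/bin/sh
# Added example: label each directive in an AIX-style ftpaccess.ctl file.
# Directive meanings follow the answer above; the labels ANON, PASSWD, HOST,
# DIR and OTHER are this example's own, not AIX terminology.

audit_ftpaccess() {
    # $1: path to the control file (defaults to /etc/ftpaccess.ctl)
    file=${1:-/etc/ftpaccess.ctl}
    if [ ! -f "$file" ]; then
        echo "ABSENT $file"
        return 0
    fi
    # Prints one "LABEL directive: value" line per entry.
    # Exit status 1 means a useronly:/grouponly: entry was found.
    awk '
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, ":")
            if (n == 0) { print "OTHER " line; next }
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "useronly" || key == "grouponly") { cls = "ANON"; anon++ }
            else if (key == "puseronly" || key == "pgrouponly") cls = "PASSWD"
            else if (key == "allow" || key == "deny") cls = "HOST"
            else if (key == "readonly" || key == "writeonly") cls = "DIR"
            else cls = "OTHER"
            print cls " " key ": " val
        }
        END { exit (anon > 0 ? 1 : 0) }
    ' "$file"
}

demo_audit() {
    # Constructed sample entries (names and address are made up).
    tmp=$(mktemp) || return 1
    printf '%s\n' 'pgrouponly: ftpguest' 'useronly: dropbox' 'deny: 192.0.2.10' > "$tmp"
    if audit_ftpaccess "$tmp"; then
        echo "=> no useronly:/grouponly: entries"
    else
        echo "=> useronly:/grouponly: entries present, review them"
    fi
    rm -f "$tmp"
}
demo_audit
```

Run as root against the live file with `audit_ftpaccess /etc/ftpaccess.ctl`; the exit status makes it usable in a scheduled compliance check.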

Edgar Cole (ASKER)

This is the only record in the ftpaccess.ctl file:

pgrouponly: ftpguest

I documented the procedure for setting up anonymous users at our shop, but I didn't implement it on this particular server. I'm not sure why this would present a security problem.

Members of the group ftpguest can access your server via FTP, but only after having entered the respective user password.

I assume that the pure existence of ftpaccess.ctl is considered a security risk by your security scanner, without taking a closer look into it.

"pgrouponly" in ftpaccess.ctl includes chrooting the concerned FTP users to their home directories, by the way.

After inquiring further, I've determined that it's FTP in general that they're objecting to. For a more secure environment, they would prefer that we use sftp or scp.