User guide
Chapter 2. Securing Your Network
It is also possible to send additional banners to incoming connections using TCP Wrappers as
described in Section 2.2.1.1.1, “TCP Wrappers and Connection Banners”.
2.2.6.2. Anonymous Access
The presence of the /var/ftp/ directory activates the anonymous account.
The easiest way to create this directory is to install the vsftpd package. This package establishes
a directory tree for anonymous users and configures the permissions on directories to read-only for
anonymous users.
By default the anonymous user cannot write to any directories.
Warning
If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.
2.2.6.2.1. Anonymous Upload
To allow anonymous users to upload files, it is recommended that a write-only directory be created
within /var/ftp/pub/.
To do this, type the following command:
mkdir /var/ftp/pub/upload
Next, change the permissions so that anonymous users cannot view the contents of the directory:
chmod 730 /var/ftp/pub/upload
A long format listing of the directory should look like this:
drwx-wx--- 2 root ftp 4096 Feb 13 20:05 upload
Warning
Administrators who allow anonymous users to read and write in directories often find that their
servers become a repository of stolen software.
Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:
anon_upload_enable=YES
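The following check for the anonymous upload setup described above is an added example, not part of the original guide. The function names and the script name audit.sh are assumptions; it verifies the drwx-wx--- mode, the ftp group shown in the sample listing, and the anon_upload_enable=YES line.

```shell
#!/bin/sh
# Added example (not from the guide): audit an anonymous-upload setup.
# Assumed names: check_upload_dir, check_anon_upload_conf.

# check_upload_dir DIR [GROUP]
# Passes only if DIR is listed as drwx-wx--- and is group-owned by GROUP
# (default: ftp, as in the guide's sample listing).
check_upload_dir() {
    dir=$1
    want_group=${2:-ftp}
    rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }
    listing=$(ls -ld "$dir")
    # Keep the 10 mode characters; a trailing '.' or '+' marks an SELinux
    # context or ACL and is not part of the permission bits.
    mode=$(printf '%s\n' "$listing" | awk '{print substr($1, 1, 10)}')
    group=$(printf '%s\n' "$listing" | awk '{print $4}')
    if [ "$mode" != "drwx-wx---" ]; then
        echo "FAIL: $dir mode is $mode, expected drwx-wx--- (chmod 730)"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $dir group is $group, expected $want_group"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is write-only for group $want_group"
    return "$rc"
}

# check_anon_upload_conf FILE
# Passes only if FILE has an uncommented line reading exactly
# anon_upload_enable=YES, the form given in the guide.
check_anon_upload_conf() {
    if grep -qx 'anon_upload_enable=YES' "$1" 2>/dev/null; then
        echo "OK: anon_upload_enable=YES set in $1"
    else
        echo "FAIL: anon_upload_enable=YES not set in $1"
        return 1
    fi
}

# Run both checks when a directory and config file are given, e.g.
#   sh audit.sh /var/ftp/pub/upload /etc/vsftpd/vsftpd.conf
if [ "$#" -eq 2 ]; then
    check_upload_dir "$1"; dir_rc=$?
    check_anon_upload_conf "$2"; conf_rc=$?
    [ "$dir_rc" -eq 0 ] && [ "$conf_rc" -eq 0 ]
    exit $?
fi
```

A directory created with mkdir as root is normally group-owned by root, so the group check fails until the group matches the ftp shown in the listing.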
2.2.6.3. User Accounts
Because FTP transmits unencrypted usernames and passwords over insecure networks for
authentication, it is a good idea to deny system users access to the server from their user accounts.
To disable all user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf: