FreeBSD  Release  11.0  Install  Guide

Home______________________________________________________________________

 

FTP & Telnet

FTP is a dinosaur left over from the time before the internet was born, when research universities were leased lined together and FTP was used to share files among research Scientists. This was a time when data security was not even an idea yet. Over the years the FTP protocol became buried into the backbone of the emerging internet and it's un-secure protocol was never changed to address new security concerns. FTP has 2 flavors, it can run in active mode or passive mode. The difference is in how the data channel is acquired. Passive mode is more secure as the data channel is acquired be the ordinal ftp session requester. For a real good explanation of FTP and it's different modes read this http://www.slacksite.com/other/ftp.html

Telnet is another dinosaur from before the internet. It's used by a remote user to gain access to their account on an Unix type system.

FTP and Telnet share the same security concern, they both pass the logon ID and password as open text over the internet. It is technically possible for a remote user to capture and interrogate all the packets traveling the public internet looking for FTP or Telnet login requests, and then to use the captured info to gain access to your system as an official user. This does not mean they are in any kind of position to do anything more harmful than the official user could do. The same thing is happening in FTP when it's configured as a anonymous server. But some Information Technology security officials who are overly paranoid consider this a security hole even though the odds of this happing is very, very remote. I know commercial sites who have been using both Telnet and FTP in their native form of open text logins for over 30 years without any security problems. Using the native form of FTP and Telnet for the users on your private LAN is not a security risk, so it's covered here in detail so the reader learns how to enable it.

 

Installer Note. There are 82 other third party FTP software applications in the ftp category of the ports collection to chose from if you want or need something different than the built in FBSD FTP server. Telnet also has other ports to chose from in the net and security port categories.

 

Inetd, FBSD's Super Server

The inetd utility daemon is enabled at boot time by /etc/rc.conf. It listens for connections on Internet sockets it's configured for. When a connection is received on one of its sockets, it launches the configured program corresponding to that socket. After the launched program is finished, inetd closes down the launched program and returns to listen on the socket for the next service request. Essentially, inetd allows running one daemon (itself) to dynamically launch several others, reducing the load on the system from having each running its own daemon all the time. FTP and Telnet are just two of the many possible pre-configured, commented out services which are available. Most of the services are leftover dinosaur's from life before the Internet and are normally not used. See 'man inetd' for more info.

You edit the /etc/inetd.conf file and uncomment the follow statements to enable then:

#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

#telnet stream tcp nowait root /usr/libexec/telnetd telnetd

Add this statement to your /etc/rc.conf file and reboot to enable.

inetd_enable="YES"          # Run the Super Server daemon dispatcher

Without a firewall to deny access to these services from the public Internet, any user who has an account on your FBSD box can use these service from the LAN or public Internet.

 

Configure Insecure FTP

The FTP default configuration is defined so any user with an ID & password on your system will be able to upload and download into their /home directory. They also have the ability to cd (change directory) into any directory on the system and download from it. This is not a good situation. There are two config files available to you to control who has FTP access and confine them to their home directories. They are:

/etc/ftpusers You add the account name of users who you do not want to have access to FTP services.

/etc/ftpchroot This file is not there as part of the install process. You have to create it. You add the account names of the users who you want their FTP access on your system confined to their home directories. This should be everyone.

There are two other server options which can control the user's FTP abilities.

-o This puts the FTP server in upload only mode, the download function is disabled.

-r This puts the FTP server in read only mode. All commands which can modify files or directories are disabled. Example: delete file, rename file, make directory, and delete directory commands.

You would add these FTP server run time options to the end of the FTP statement in the inetd.conf file, like this:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -rol

The -l option means to enable logging.

 

Quotas

There is one major problem that all system administrators are faced with, limiting the size of the disk space of their users home directories. If nothing is done the directory size will just keep growing until all the free space in the /usr slice is consumed. The maximum size of the directories can by restricted to a pre-defined size using quotas.

See this for more info:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html

To enable the quotas function you have to add this statement to your kernel source and recompile.

options QUOTA

Edit /etc/fstab and change the /usr slice to look like this to enable quotas on it.

The keyword userquota is for individual user quotas. The keyword groupquota is for quotas on all the users belonging to a group. Best to specify both keywords now so you can select later how you want to use it.

/dev/ad0s1f /usr ufs rw,userquota,groupquota 2 2

After rebooting your system, issue the following command to create all the quota files needed by the quota system.

    quotacheck -a

Issue the following command to start the quota system on the /usr slice:

    quotaon -a

To edit user quotas for anonymous FTP, issue the following command:

    edquota -u ftp

To enable quotas every time you reboot your system edit /etc/rc.conf and add this:

    quota_enable="YES"

    check_quotas="YES"

To check on quota usage of anonymous FTP, issue the following command as root:

    quota ftp

 

Telnet

Telnet is dynamically launched by the inetd utility daemon the same way FTP is. The telnet client program on FBSD systems use SRA to encrypt the id and password so it does not go over the Internet in clear text. So as long as you are using a FBSD system as the remote system to login to your telnet server there is no security problem. The problem is with MS/Window boxes using standard telnet to access your telnet server. They transmit the ID and password over the public Internet in plain text.

 

Secure FTP & Telnet

There are MS/Windows clients which use ssh to login to your FBSD system using the sshd daemon. The sshd has its own built in version of a telnet server and an FTP like function for uploading and downloading from the user's home directory. These programs can use all the different kinds of secure and encrypted login functions. Describing them is out of the scope of this instructional guide. Here are some links to the most popular clients programs for MS/Windows that work with your FBSD system.

http://winscp.net/eng/docs/introduction

https://www.vandyke.com/products/securecrt/

 

Previous Page                                        Next Page         

This FreeBSD Install Guide is an public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.