Management of the FTP Server

This section describes server management issues such as security, availability, and service construction.

Execution Environment (Run Mode on a Unix-like OS)

One major concern in establishing an FTP service is the run mode of the server, i.e., stand-alone or run by xinetd.

(1) Stand Alone Mode (Run as daemon)

In stand-alone mode, the server runs as a daemon that accepts connections from Clients directly and serves them itself. A daemon is a process on Linux that waits for some event and then performs a service. A daemon runs as a root process on Linux. Running a service as a daemon is not recommended, because a daemon consumes memory even while it only waits for an event and does nothing. It also carries a security risk: because a daemon runs as root, it is a privileged process that tends to be the target of attacks, and once the process is compromised by a technique such as a buffer overflow attack, the server may fall completely under the control of the hijacker.

To run a server as a daemon, add a start-up command or script to the specified directory.

(2) Run by "xinetd"

"xinetd" is called a super daemon: it accepts connections from users and invokes the corresponding service.
The merits/benefits of using xinetd are:
·         Security: because all connections are first accepted by xinetd, xinetd or its wrapper software can control every connection request according to its policy.
·         Improved memory usage: no service process sits waiting and holding resources, especially memory space.
To run a server by xinetd, add a directive to the configuration file "xinetd.conf", or remove the comment mark from an existing one.

(3) Run as User Process

You can run a daemon as a user process. The user should be a restricted user such as guest. The system does not allow a user process to wait on a system port, i.e., one lower than 1024, so the service is offered on a higher port, such as 8021.
This is an old-fashioned technique, but it is secure.

Environment of Service

(1) Intranet

If the service is to be provided within an intranet or a private network, the risk is low. The measures to consider are educating users about viruses brought in on portable media and about malicious software that is loaded unknowingly.

(2) Internet

If the service is provided over the Internet, security must be taken seriously, as the Internet is the most insecure network. The server should be located in a De-Militarized Zone (DMZ) and protected from malicious activity on the Internet by a firewall that filters out unnecessary IP packets. Unnecessary services should also be removed from the Server to eliminate their risks.
 Figure 4-1. A model of Firewall and De-Militarized Zone (DMZ)

(3) GTS

The GTS is a relatively secure network because it is an exclusive network managed by a limited number of the Organizations concerned. It is better to establish a firewall against the GTS if you regard it as not secure enough, i.e., if your system may be attacked or viruses may intrude via the GTS and interfere with your operation.

Directory Structure

The directory structure should reflect the purpose of the service. Imagine a three-layered structure model built from Date, Time, and Element. There are six possibilities.



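| Case# | TOP layer | MID layer | BOTTOM layer |
|-------|-----------|-----------|--------------|
| 1     | Element   | Date      | Time         |
| 2     | Date      | Time      | Element      |
| 3     | Date      | Element   | Time         |
| 4     | Element   | Time      | Date         |
| 5     | Time      | Date      | Element      |
| 6     | Time      | Element   | Date         |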

Among these cases, it is generally a rare requirement that Time sits in a higher layer than Date. So cases 4 to 6 can be omitted, and cases 1 to 3 are the realistic ones to consider. Case 1 suits processing the Date/Time sequence of a single Element, and may suit research purposes. Case 2, with Element at the bottom, is useful for knowing the distribution of a phenomenon at a given Date/Time. In case 3, the data looks like the "Time sequence of an Element identified by Date", which seems to suit daily routine operation, e.g., real-time weather monitoring or making weather animations. In both cases 2 and 3, you can copy, save, or delete a day's data with one command, which suits daily operation.
Although you can add further layers according to your purpose, the structure should not be unnecessarily deep, because some systems have an upper limit on pathname length. In any case, a document that describes the directory structure, namely a site map, should be prepared and placed at the top of the directory.

Name of the Files

File names served by FTP should follow the rule defined in the Manual on the GTS, Attachment II-15. The code set used for file names is platform dependent. File transfer between two computers that use different code sets for file names can be an obstacle to FTP. ASCII can be used as a common character set for file names.

User Account

In constructing the service, the administrator has to make some decisions, e.g., which account is used to upload the data and which account users use to download it, as well as the firewall configuration, based on the policies for security and data provision.

(1) Real Account User

The real account user has his or her own unique user ID and password. This lets the server administrator authorize specific users to access the server and also monitor the actual status of each user, such as the number and time of logins and data retrievals, through access and system logs. There is, however, a security risk of intrusion by crackers, because the user ID and password flow over the Internet in clear text, which can easily be wiretapped. The server must therefore be set up carefully, with protection against intrusion that takes password supervision and restriction of the user's execution privileges into account.

(2) Anonymous User

An anonymous user is a special real account user who is only required to use the login name "anonymous" and the password "guest" or some other value based on common conventions (e.g. the user's e-mail address).
Since anybody can access the server without authentication, there is an unavoidable security concern. Against this negative aspect, the usable functions are restricted from the outset to a limited set of privileges, to minimize the damage from an intrusion.

(3) Alias

FTP communication has no protection against tapping, as the username and password are passed in clear text. If a cracker captures the IP traffic and obtains the username and password pair, he/she can log in to the server as a legitimate user and carry out malicious activity.
FTP login with a combination of alias and password is effective, because even if the pair is wiretapped, the combination is not accepted for authentication by anything other than FTP.

(4) Virtual User

A Virtual User is not a real user but has a virtual name and password that are authenticated by the FTP server, so the user cannot act as a real user and is restricted to using the FTP service only.
The benefit of introducing virtual users is security. A virtual user can be treated as a real user for user management and as an anonymous user for system management.

Security and Availability

(1) IP filtering

There are several methods for IP filtering. For instance, "TCP_Wrappers" and "iptables" are well-known, good tools for the purpose. "TCP_Wrappers" filters undesirable access to network services through "allow" and "deny" rules based on domains, IP addresses and so on. "iptables", a Linux tool, is used to configure the kernel's filtering and NAT (Network Address Translation) rules. It works as a kind of firewall and is usable for all network services. "TCP_Wrappers" and "iptables" are available at http://www.porcupine.org/ and http://www.netfilter.org/, respectively.

(2) Password Issues

Although an FTP username and password are apt to be exposed, changing the password is still the minimum measure for security. But FTP has no capability for changing passwords. To change the password, telnet is generally used. This has the following problems.
·         The FTP Server must open the telnet service to the Users. If the User is on the Internet, this would be a security risk.
·         Telnet also requires the real username and password in clear text. This defeats the Alias.
To change passwords securely:

·         Use a secure protocol such as ssh instead of telnet to change the password.
·         The Server manager, instead of the Users, changes the password and notifies the Users of it. The password should be sent by surface mail instead of e-mail for security. This might cause cost and delay. The best resolution is to send a secret list of passwords to Users by surface mail, and notify Users of the index of the password by e-mail every time the password is to be changed.

(3) chroot() Jail

Some FTP servers can prevent users from accessing upper directories, a capability called a "chroot() jail". A chroot() jailed user sees the upper limit as the root directory (/). The jail directory should be disguised as a real root directory by placing ordinary directories, e.g. /etc, /bin, /usr, and /tmp, there.

(4) Tripwire

Tripwire is a tool for detecting tampering with files on the server. Tripwire monitors specified files and raises a warning if any of those files is altered. Tripwire, which used to be freeware, is now payware.

(5) Swatch

Swatch monitors log files and, if it finds a string matching one of the specified patterns, raises a warning by beeping, showing a message on the display, or sending a mail.

Effect of Firewall and Proxy

If you are an FTP User and you access FTP services on the Internet from your intranet, there must be a firewall and/or proxy between your intranet and the Internet. The firewall may cause some trouble. Some phenomena are illustrated below.

(1) Direction of Connection

A firewall blocks inbound connections, i.e., connections initiated from the outer network towards the intranet. As described in section 2, the FTP data connection is normally an inbound connection, so it is blocked by the firewall and the transfer fails. To transfer files through a firewall, use passive mode instead of active mode, which makes the data connection an outbound connection.

(2) Link time out

A TCP connection is established by exchanging TCP packets. This means that the firewall must pass inbound packets to keep the connection, by allowing specific inbound packets, namely "making a hole in the firewall". This allowance is a security flaw, because crackers can disguise a packet and send it into the intranet through the hole. To minimize the risk that comes from this flaw, the firewall watches the state of the connection, the link state, and closes the hole when the connection is closed. The firewall also has a timer that fires when there is no communication through the hole, or when communication continues for an extremely long time, perhaps several minutes or more. If the timer expires, the firewall closes the hole and a "link time out" happens.
The proxy keeps a map for address conversion. So the proxy has the same kind of timer as the firewall, in order to reclaim elements of the map for reuse, because the memory for the map is limited.

(3) Facts

One firewall product assumed that FTP reply messages from Server to Client are terminated by a carriage-return (\r) and line-feed (\n) sequence, and dropped the packet if a reply message arrived without it. The firewall also expected each reply to the passive FTP command to be immediately followed by \r\n, while some Servers put an additional dot (.) in the reply. This caused packets to be dropped. On some sites, these troubles, which came from assumptions about the message format, were solved by modifying the configuration of the firewall.
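An added example, not from the original page or from any firewall product: a Python reply parser that avoids the format assumptions described above by accepting CRLF or bare LF and a 227 reply with or without a trailing dot. The function names and sample bytes are constructed; opening a hole only for the control connection's own address is an assumption of this example.

```python
import re

# Six comma-separated byte values: h1,h2,h3,h4,p1,p2. Parentheses and any
# trailing dot are ignored, since servers differ in the surrounding text.
_PASV_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def split_replies(buf: bytes):
    """Split control-channel bytes into reply lines, accepting CRLF or bare LF.

    Returns (lines, remainder); remainder is an unterminated partial line that
    must be kept until more bytes arrive rather than dropped.
    """
    lines = []
    while b"\n" in buf:
        line, buf = buf.split(b"\n", 1)
        lines.append(line.rstrip(b"\r").decode("ascii", "replace"))
    return lines, buf


def parse_pasv(line: str):
    """Return (ip, port) from a 227 reply, or None if it is not a usable one."""
    if not line.startswith("227"):
        return None
    m = _PASV_RE.search(line[3:])
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def pinhole_for(line: str, control_peer_ip: str):
    """Port to open for the data connection, or None.

    Assumption of this example: a hole is opened only when the reply names the
    same host as the control connection, never a third address.
    """
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != control_peer_ip:
        return None
    return parsed[1]


# Constructed control-channel bytes: CRLF reply with dot, bare-LF reply, partial.
SAMPLE = (b"227 Entering Passive Mode (192,0,2,10,195,80).\r\n"
          b"227 Entering Passive Mode (192,0,2,10,195,81)\n"
          b"226 Transfer comp")
```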

Log File

Analyzing and checking log files is one of the most important daily housekeeping tasks. The topics below can be analyzed from the log files. If you lack the expertise yourself, you can show the log files to an expert and ask for advice.
1.     File Usage
2.     Performance and bottleneck
3.     Symptom of intrusions or compromise
4.     User's Activity
5.     Configuration nonconformity
There is a common log-file format, namely "xferlog", which can be analyzed by free tools such as analog. Most FTP servers can generate an xferlog file when a configuration parameter is set.
To avoid running out of disk space because of log output, log files must be compressed or deleted before they fill the disk. Alternatively, logrotate can control the total log size by rotating a predefined number of log files, which keeps the disk from filling up. Rotation is triggered by some event, e.g., a timer or an operator command.
If logrotate is invoked at the start of the FTP server program, the number of log files should be five or more, to avoid losing evidence or valuable log files during program maintenance or launch tests.
To keep the system from hanging when log output fills up the work space, the disk partition for log files should be separate from the system's work space. The best way to preserve logs is to set up a log server that receives and records log data over the local area network, so that the log files remain untampered even when the FTP server has been compromised.
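The log topics listed above, as an added example that is not part of the original page: a Python parser for xferlog records that reports file usage and two possible symptoms of intrusion, anonymous uploads and incomplete transfers. The sample lines are constructed, and the choice of these two symptoms is an assumption of this example.

```python
from collections import Counter

# Constructed sample records in the xferlog field order (not from a real server):
# time(5 tokens) secs host bytes file type action direction mode user service
# auth-method auth-user status
SAMPLE_XFERLOG = """\
Mon Mar  3 09:15:02 2025 4 192.0.2.10 204800 /pub/20250303/temp/0900.bin b _ o a user@example.org ftp 0 * c
Mon Mar  3 09:16:40 2025 1 198.51.100.7 1024 /incoming/x.tmp b _ i a guest@ ftp 0 * c
Mon Mar  3 09:17:11 2025 9 198.51.100.7 51200 /pub/20250303/wind/0900.bin b _ o a guest@ ftp 0 * i
Mon Mar  3 09:20:00 2025 2 203.0.113.5 4096 /data/upload/report.txt a _ i r alice ftp 0 * c
garbage line that is not an xferlog record
"""

TAIL = ("transfer_type", "special_action", "direction", "access_mode",
        "username", "service", "auth_method", "auth_user", "status")


def parse_xferlog_line(line):
    """Parse one xferlog record into a dict, or return None if malformed."""
    tok = line.split()
    if len(tok) < 18 or not tok[5].isdigit() or not tok[7].isdigit():
        return None
    rec = {"time": " ".join(tok[:5]), "seconds": int(tok[5]),
           "remote_host": tok[6], "size": int(tok[7]),
           # Fixed fields are taken from both ends so that a file name
           # containing spaces still lands in one field.
           "filename": " ".join(tok[8:-9])}
    rec.update(zip(TAIL, tok[-9:]))
    return rec


def summarize(text):
    """Return (downloads per file, anonymous uploads, incomplete transfers)."""
    downloads, anon_uploads, incomplete = Counter(), [], []
    for line in text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        if rec["direction"] == "o":  # outgoing: file usage
            downloads[rec["filename"]] += 1
        elif rec["direction"] == "i" and rec["access_mode"] == "a":
            anon_uploads.append((rec["remote_host"], rec["filename"]))
        if rec["status"] == "i":  # transfer did not complete
            incomplete.append((rec["remote_host"], rec["filename"]))
    return downloads, anon_uploads, incomplete
```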
