2025-02-02 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Vulnerability description
An FTP weak-password or anonymous-login vulnerability generally means that the FTP service has anonymous login enabled, or that account passwords are too short or not complex enough (for example, only digits or only letters). Such a service is easy for hackers to attack, which leads to malicious file uploads or more serious intrusions.
Vulnerability hazard
Hackers use weak passwords or anonymous login to log on to the FTP service directly and upload malicious files, and can thereby obtain system permissions and may cause data disclosure.
Reinforcement scheme
Different FTP server software may need different hardening procedures. This guide uses the FTP service included in Windows Server 2008 and the vsftpd service on Linux as examples. You can refer to the following measures when hardening your own FTP service.
Important tips:
Make sure that your FTP server software is the latest official version. It is also recommended that you check for official patches regularly and apply them promptly.
It is strongly recommended that this type of service not be exposed to the Internet. Use a secure access method such as a VPN to connect to the FTP server, and use security groups to restrict the source IP addresses that can reach it.
Security reinforcement of FTP services in Windows
Open Internet Information Services (IIS) Manager to view all the security hardening features related to the FTP service.
Disable anonymous login
Create an FTP account.
In Start > Administrative Tools > Computer Management > Local Users and Groups, create a user, set a strong password (more than eight characters is recommended, mixing uppercase and lowercase letters, special characters and numbers; do not use common strings such as a birthday or the pinyin of a name), and make the user a member of the Guests group.
Disable anonymous login.
Disabling anonymous FTP login on Windows 2008
Disabling anonymous FTP login on Windows 2012
Enable strong password security policy
In Windows, the strong password policy is controlled by Group Policy. Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy to enable the password complexity policy.
After the "Password must meet complexity requirements" policy is enabled, a complexity check is performed whenever a user's password is created or changed, and the password must meet the following minimum requirements:
The password cannot contain the account name or more than two consecutive characters from the user name, and it must be at least six characters long.
The password must contain characters from at least three of the following four categories: uppercase letters (A-Z), lowercase letters (a-z), the 10 basic digits (0-9), and special characters (for example: !, ¥, #, %).
Note: it is recommended that all Windows services that require user authentication adopt the complex password policy above.
Enable account login failure handling mechanism
This mechanism effectively prevents brute-force attacks by strictly handling accounts that fail to log in.
Enable FTP directory isolation mechanism
The FTP directory isolation feature prevents users from viewing files in other user directories and prevents data leakage.
Specify access source IP
Enable authorization mechanism
You can configure authorization rules to restrict user access according to your business needs.
Enable SSL encrypted transport feature
To enable SSL encrypted transport, you need to create a server certificate:
In the FTP SSL settings, select the server certificate that has been created.
Enable logging feature
FTP logging in IIS is enabled by default, and you can configure log space size and other policies based on disk space.
FileZilla FTP Server security reinforcement
FileZilla FTP Server is a very popular free, open source FTP client-side and server-side software. If you use it to build your FTP service, FileZilla FTP Server provides its own security features. You can refer to the FileZilla FTP Server security reinforcement solution to harden your FileZilla FTP Server.
Security reinforcement of vsftpd Service in Linux system
1. Install the update patch in time
Back up your vsftpd configuration before installing updates. Obtain the latest version of the vsftpd installation package from the vsftpd official website and complete the upgrade. Alternatively, download the latest vsftpd source package, then compile and install it yourself. You can also run the yum update vsftpd command to update from the yum repository.
2. Disable anonymous login service
Add a new user (test) and configure a strong password. For example, run the useradd -d /home -s /sbin/nologin test command.
Here the /sbin/nologin parameter means that the user cannot log in to the Linux shell environment, and test is the user name. Set a strong password for the user with the passwd test command. The password should be more than eight characters long and mix uppercase and lowercase letters, special characters and numbers; do not use common strings such as birthdays or the pinyin of a name as passwords.
Modify the configuration file vsftpd.conf by running the vim /etc/vsftpd/vsftpd.conf command.
anonymous_enable=NO
Setting this parameter to NO forbids anonymous login. You must create a user account and authenticate with it before you can log in to the FTP service.
3. Suppress the display of banner information
Modify the vsftpd configuration file vsftpd.conf and set ftpd_banner=Welcome. After the vsftpd service is restarted, the banner information is no longer displayed:
> ftp 192.168.10.200
Connected to 192.168.10.200.
220 Welcome
User (192.168.10.200: (none)):
4. Restrict FTP login users
The users listed in the ftpusers and user_list files are users who are not allowed to access the FTP service (for example, root, bin, daemon, and so on). Except for those who need to log in to FTP, all users should be added to this reject list.
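The following script is an added example, not part of the original article: it lists local accounts that the reject list does not yet cover. The function name not_denied, the sample accounts and the temporary file locations are assumptions, and it assumes the list is applied as a reject list, as the text describes.

```shell
#!/bin/sh
# Added example: find local accounts the FTP reject list does not cover.

# not_denied PASSWD_FILE DENY_FILE [ALLOWED_USER...]
# Prints each account in PASSWD_FILE that is neither listed in DENY_FILE
# nor named as an allowed FTP user. DENY_FILE holds one name per line;
# blank lines and "#" comments are skipped.
not_denied() {
    passwd=$1 deny=$2
    shift 2
    awk -F: -v deny="$deny" -v allowed=" $* " '
        BEGIN {
            while ((getline line < deny) > 0) {
                sub(/[ \t\r]+$/, "", line)
                if (line != "" && line !~ /^#/) denied[line] = 1
            }
        }
        $1 == "" || $1 ~ /^#/ { next }
        !($1 in denied) && index(allowed, " " $1 " ") == 0 { print $1 }
    ' "$passwd"
}

# Constructed sample input (not taken from a real host).
dir=$(mktemp -d)
cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:34:34:backup:/var/backups:/sbin/nologin
test:x:1001:1001::/home:/sbin/nologin
EOF
printf '%s\n' '# denied users' root bin daemon > "$dir/ftpusers"

# "test" is the only account meant to use FTP; every name printed is a gap.
not_denied "$dir/passwd" "$dir/ftpusers" test
rm -rf "$dir"
```

On a real server, pass /etc/passwd and the reject file your vsftpd installation actually uses, followed by the accounts that are meant to log in over FTP.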
5. Restrict FTP user directories
Modify the vsftpd configuration file vsftpd.conf.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Create a new /etc/vsftpd/chroot_list file and add user names to it. For example, if user1 is added to the file, user1 is confined to the user1 home directory after logging in to the FTP service.
6. Modify the listening address and default port
For example, modify the vsftpd configuration file vsftpd.conf to listen on port 8888 of the address 1.1.1.1.
listen_address=1.1.1.1
listen_port=8888
7. Enable logging
Modify the vsftpd configuration file vsftpd.conf to enable logging.
xferlog_enable=YES
xferlog_std_format=YES
If you need to customize the log location, set xferlog_file, for example xferlog_file=/var/log/ftplog.
8. Other security configurations
Modify the vsftpd configuration file vsftpd.conf.
# limit the number of connections
max_clients=100
max_per_ip=5
# limit the transmission speed
anon_max_rate=81920
local_max_rate=81920
Note: if you do not need to use the FTP service, it is recommended that you turn it off.
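The following script is an added example, not part of the original article: it audits a vsftpd.conf against the settings recommended in steps 2 to 8. The function names, the FAIL messages and the sample configuration are assumptions; the defaults used for missing options are vsftpd's built-in ones (anonymous_enable=YES, chroot_list_enable=NO, xferlog_enable=NO, no connection limits).

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings recommended above.

# Print the effective value of option $2 in file $1, or the default $3.
# vsftpd reads strict key=value lines; "#" starts a comment line and a
# later assignment overrides an earlier one.
get_opt() {
    awk -v k="$2" -v d="$3" '
        /^#/ { next }
        index($0, k "=") == 1 { d = substr($0, length(k) + 2) }
        END { print d }' "$1"
}

# vsftpd treats YES, TRUE and 1 (in any case) as "enabled".
is_on() {
    case $(get_opt "$1" "$2" "$3" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one FAIL line for each recommendation the file does not meet.
audit_vsftpd() {
    f=$1
    if is_on "$f" anonymous_enable YES; then echo "FAIL anonymous_enable: anonymous login allowed"; fi
    [ -n "$(get_opt "$f" ftpd_banner "")" ] || echo "FAIL ftpd_banner: default banner shown"
    is_on "$f" chroot_list_enable NO || echo "FAIL chroot_list_enable: chroot list not enabled"
    is_on "$f" xferlog_enable NO || echo "FAIL xferlog_enable: transfers not logged"
    for k in max_clients max_per_ip; do
        case $(get_opt "$f" "$k" 0) in
            ''|*[!0-9]*|0) echo "FAIL $k: no connection limit" ;;
        esac
    done
    return 0
}

# Constructed sample input: a configuration that is only partly hardened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real server
anonymous_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
xferlog_enable=YES
max_clients=100
EOF
audit_vsftpd "$sample"
rm -f "$sample"
```

The script checks only the options this article sets. If chroot_local_user=YES is also present, vsftpd treats the chroot list as the users who are not confined, which this audit does not evaluate.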