FreeBSD Stable Release 6.0 Installer  Guide



FTP & Telnet

FTP is a dinosaur left over from the time before the internet was born, when research universities were leased-lined together and FTP was used to share files among research scientists. This was a time when data security was not even an idea yet. Over the years the FTP protocol became buried in the backbone of the emerging internet, and its insecure protocol was never changed to address new security concerns. FTP has two flavors: it can run in active mode or passive mode. The difference is in how the data channel is acquired. Passive mode is more secure, as the data channel is acquired by the original FTP session requester. For a good explanation of FTP and its different modes, read this: http://www.slacksite.com/other/ftp.html

Telnet is another dinosaur from before the internet. It's used by a remote user to gain access to their account on a Unix-type system.

FTP and Telnet share the same security concern: they both pass the logon ID and password in clear text over the internet. It is technically possible for a remote user to capture and interrogate all the packets traveling the public internet looking for FTP or Telnet login requests, and then use the captured info to gain access to your system as an official user. This does not mean they are in any kind of position to do anything more harmful than the official user could do. The same thing is happening in FTP when it's configured as an anonymous server. But some Information Technology security officials who are overly paranoid consider this a security hole, even though the odds of this happening are very, very remote. I know commercial sites which have been using both Telnet and FTP in their native form of clear-text logins for over 30 years without any security problems. Using the native form of FTP and Telnet for the users on your private LAN is not a security risk, so it's covered here in detail so the reader learns how to enable it.


Installer Note. There are 82 other third-party FTP software applications in the ftp category of the ports collection to choose from if you want or need something different than the built-in FBSD FTP server. Telnet also has other ports to choose from in the net and security port categories.


Inetd, FBSD's Super Server

The inetd utility daemon is enabled at boot time by /etc/rc.conf. It listens for connections on the Internet sockets it's configured for. When a connection is received on one of its sockets, it launches the configured program corresponding to that socket. When the launched program finishes, inetd returns to listening on the socket for the next service request. Essentially, inetd allows running one daemon (itself) to dynamically launch several others, reducing the load on the system from having each running its own daemon all the time. FTP and Telnet are just two of the many possible pre-configured, commented-out services which are available. Most of the services are leftover dinosaurs from life before the Internet and are normally not used. See 'man inetd' for more info.

Edit the /etc/inetd.conf file and uncomment the following statements (remove the leading #) to enable them:

#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

#telnet stream tcp nowait root /usr/libexec/telnetd telnetd

Add this statement to your /etc/rc.conf file and reboot to enable it.

inetd_enable="YES"          # Run the Super Server daemon dispatcher

Without a firewall to deny access to these services from the public Internet, any user who has an account on your FBSD box can use these services from the LAN or the public Internet.
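The two edits just described (uncommenting the ftp and telnet lines in inetd.conf, then setting inetd_enable in rc.conf) are easy to get slightly wrong by hand: uncommenting the tcp6 line as well, or ending up with two inetd_enable lines. The script below is an added example, not part of this guide or of FreeBSD; it performs both edits on constructed copies of the files in a temporary directory, uncommenting only the IPv4 line for the named service and setting each rc.conf variable exactly once. The file paths and the sample file contents are assumptions made for the example; on a real FBSD box you would point the functions at /etc/inetd.conf and /etc/rc.conf.

```shell
#!/bin/sh
# Added example, not part of the original guide: perform the two edits this
# section describes (uncomment the ftp and telnet lines in inetd.conf, add
# inetd_enable="YES" to rc.conf) on constructed copies of both files in a
# temporary directory, so it runs anywhere. On a real FBSD box you would
# point the functions at /etc/inetd.conf and /etc/rc.conf instead.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INETD_CONF="$WORK/inetd.conf"
RC_CONF="$WORK/rc.conf"

# Constructed excerpt of a stock inetd.conf: every service commented out.
cat > "$INETD_CONF" <<'EOF'
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF
printf 'hostname="fbsd.example"\n' > "$RC_CONF"   # constructed rc.conf

# Uncomment the IPv4 (tcp) line for one service name. The tcp6 line and
# every other service stay commented out, so nothing extra gets exposed.
enable_inetd_service() {   # $1 = inetd.conf path, $2 = service name
    sed "s/^#\($2[[:space:]]\{1,\}stream[[:space:]]\{1,\}tcp[[:space:]]\)/\1/" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the names of all services inetd would currently serve.
list_enabled_services() {   # $1 = inetd.conf path
    awk '!/^#/ && NF { print $1 }' "$1"
}

# Set variable="value" in rc.conf exactly once (replace if present, else append).
ensure_rc_var() {   # $1 = rc.conf path, $2 = variable, $3 = value
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# Print the current value of an rc.conf variable, quotes stripped.
rc_var_value() {   # $1 = rc.conf path, $2 = variable
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

enable_inetd_service "$INETD_CONF" ftp
enable_inetd_service "$INETD_CONF" telnet
ensure_rc_var "$RC_CONF" inetd_enable YES

echo "inetd will serve: $(list_enabled_services "$INETD_CONF" | tr '\n' ' ')"
echo "inetd_enable=$(rc_var_value "$RC_CONF" inetd_enable)"
```

Running list_enabled_services against the real /etc/inetd.conf is also a quick audit: every name it prints is a service reachable by anyone who can reach the box, which is exactly the point the paragraph above makes about needing a firewall.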


Configure Insecure FTP

The FTP default configuration is defined so that any user with an ID and password on your system will be able to upload and download into their home directory. They also have the ability to cd (change directory) into any directory on the system and download from it. This is not a good situation. There are two config files available to you to control who has FTP access and to confine them to their home directories. They are:

/etc/ftpusers You add the account name of users who you do not want to have access to FTP services.

/etc/ftpchroot This file is not there as part of the install process; you have to create it. You add the account names of the users whose FTP access on your system you want confined to their home directories. This should be everyone.

There are two other server options which can control the user's FTP abilities.

-o This puts the FTP server in upload-only mode; the download function is disabled.

-r This puts the FTP server in read-only mode. All commands which can modify files or directories are disabled, for example: delete file, rename file, make directory, and delete directory.

You add these FTP server run-time options to the end of the FTP statement in the inetd.conf file, like this:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -rol

The -l option means to enable logging.
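Since the guide says ftpchroot "should be everyone", the natural way to build the file is from the password file, and the natural check afterwards is to list any account that is neither denied by ftpusers nor confined by ftpchroot, because that is the account that can still cd anywhere on the system. The script below is an added example, not part of this guide or of FreeBSD. It works on constructed copies of passwd, ftpusers and ftpchroot in a temporary directory (on a real box the paths are /etc/passwd, /etc/ftpusers and /etc/ftpchroot). Two assumptions are built in: a "regular" account means uid >= MIN_UID with a usable login shell (the threshold is the example's own choice), and ftpchroot is treated as holding bare user names only.

```shell
#!/bin/sh
# Added example, not part of the original guide: build ftpchroot from the
# password file so every regular account is confined to its home directory,
# and audit which accounts are neither denied (ftpusers) nor confined
# (ftpchroot). Runs on constructed copies of the files in a temp directory;
# on a real FBSD box the paths would be /etc/passwd, /etc/ftpusers and
# /etc/ftpchroot. Assumptions: "regular account" means uid >= MIN_UID with
# a real login shell, and ftpchroot holds bare user names only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"; FTPUSERS="$WORK/ftpusers"; FTPCHROOT="$WORK/ftpchroot"
MIN_UID=1000   # constructed threshold for "regular" accounts

# Constructed /etc/passwd excerpt (7-field form).
cat > "$PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/usr/home/anonymous.ftp:/nonexistent
alice:*:1001:1001:Alice:/usr/home/alice:/bin/sh
bob:*:1002:1002:Bob:/usr/home/bob:/bin/tcsh
EOF

# Constructed /etc/ftpusers: system accounts that must never log in via FTP.
printf '# denied FTP logins\nroot\ndaemon\n' > "$FTPUSERS"

# Print the regular (human) accounts: uid >= MIN_UID and a usable shell.
regular_accounts() {   # $1 = passwd path
    awk -F: -v min="$MIN_UID" \
        '$3 >= min && $7 !~ /(nologin|nonexistent)$/ { print $1 }' "$1"
}

# Write ftpchroot so every regular account is confined to its home directory.
build_ftpchroot() {    # $1 = passwd path, $2 = ftpchroot path
    regular_accounts "$1" > "$2"
}

# Classify one account: denied, chroot, or unrestricted (the bad case the
# guide warns about: the user can cd anywhere on the system and download).
ftp_access() {         # $1 = ftpusers path, $2 = ftpchroot path, $3 = account
    if grep -qxF "$3" "$1"; then echo denied
    elif grep -qxF "$3" "$2"; then echo chroot
    else echo unrestricted
    fi
}

# List regular accounts that are neither denied nor confined.
unconfined_accounts() {   # $1 = passwd, $2 = ftpusers, $3 = ftpchroot
    for u in $(regular_accounts "$1"); do
        [ "$(ftp_access "$2" "$3" "$u")" = unrestricted ] && echo "$u"
    done
    return 0
}

: > "$FTPCHROOT"   # fresh install: the file does not exist yet, so nobody is confined
echo "unconfined before: $(unconfined_accounts "$PASSWD" "$FTPUSERS" "$FTPCHROOT" | tr '\n' ' ')"
build_ftpchroot "$PASSWD" "$FTPCHROOT"
echo "unconfined after:  $(unconfined_accounts "$PASSWD" "$FTPUSERS" "$FTPCHROOT" | tr '\n' ' ')"
```

The "before" line is the default situation the paragraph above describes (alice and bob can roam the whole file system); the "after" line is empty once ftpchroot lists them. Re-run unconfined_accounts whenever an account is added, since a new user is unconfined until their name is appended to ftpchroot.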


Anonymous FTP Server

There is one more native FTP function called 'Anonymous FTP Server'. The sysinstall program will build an Anonymous FTP Server environment for you. The sysinstall process for this on all FBSD versions since 4.4, including 5.2, is outdated and no longer accurate: it builds and populates an anonymous directory tree which is unnecessary.

I will explain how to clean up the unneeded directories.

Start sysinstall by entering the following on the command line:

    /stand/sysinstall

From the main menu select:

    Configure Do post install configuration of FreeBSD

From the Configuration Menu select:

    Networking Configure additional network services

From the Networking Services Menu select:

    Anon FTP This machine wishes to allow Anonymous FTP

A request confirmation window opens:

    Respond YES

A configure options window pops up.
Tab to the path configuration option.

    Change path from /var/ftp to /usr/ftp

Tab to upload sub-directory:

    Change it to anonymous.ftp

    Tab to OK and hit enter

You are asked if you want to create a welcome message file:

    Answer NO

Then move the highlight bar to the exit line and hit enter.

Then again move the highlight bar to the exit line and hit enter.

Tab to exit and hit enter to leave sysinstall.

Now you have to clean up the directories that sysinstall created for you but which are no longer necessary.

    cd /usr

    ls -l

drwxrwxr-x 2 root operator 512 Dec 25 16:48 .snap
drwxr-xr-x 2 root wheel 7168 Dec 25 16:54 bin
drwxr-xr-x 2 root wheel 512 Dec 25 16:54 compat
dr-xr-xr-x 6 root wheel 512 Dec 28 14:49 ftp
drwxr-xr-x 2 root wheel 512 Dec 25 16:54 games
drwxr-xr-x 3 root wheel 512 Dec 28 14:46 home

You see the ftp directory sysinstall created for you.

cd ftp

ls -l

drwxrwxrwt 2 root wheel 512 Dec 28 14:49 anonymous.ftp
dr-xr-xr-x 2 root wheel 512 Dec 28 14:49 bin
dr-xr-xr-x 2 root wheel 512 Dec 28 14:49 etc
drwxr-xr-x 2 root wheel 512 Dec 28 14:49 pub

The ftp directory contains those sub-directories. Look at the permissions on the anonymous.ftp directory: they end with a t. This is the directory that is going to be the anonymous FTP server's new upload/download directory.

You are going to copy this directory to its final location.

    cp -rpf anonymous.ftp /usr/home/

Now you can remove the ftp directory and all its sub-directories:

    cd ..          # back up one level in the directory tree

    rm -rf ftp     # Remove them all

    ls             # look to be sure it's gone


Let's look to verify the new directory is there:

    cd /usr/home

    ls -l

drwxrwxrwt 2 root wheel 512 Dec 28 14:49 anonymous.ftp

It's there and it has the correct permissions.

Now you have to edit the password file and change the ftp user to point to the correct location of its upload/download directory:

vipw

Find this line:

ftp:*:14:5::0:0:Anonymous FTP Admin:/usr/ftp:/nonexistent

Change it so it looks like this with the directory path pointing to the new location:

ftp:*:14:5::0:0:Anonymous FTP Admin:/usr/home/anonymous.ftp:/nonexistent


Your Anonymous FTP server configuration is now completed.
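Two things are worth verifying after the relocation above before any anonymous user connects: that the copied directory really has the drwxrwxrwt permissions shown in the ls output (world-writable with the sticky bit, the trailing t, so uploaders cannot delete each other's files), and that the ftp account's home directory field now points at it. The script below is an added example, not part of this guide or of FreeBSD. It recreates the directory and a constructed master.passwd excerpt in a temporary directory and performs both checks there; the awk rewrite of the home-directory field is only for the copy, on a real system you edit the live file with vipw exactly as the guide says.

```shell
#!/bin/sh
# Added example, not part of the original guide: the two checks to make after
# relocating the anonymous upload directory. (1) verify the directory exists
# with the drwxrwxrwt permissions shown in the guide's ls output (world-
# writable plus the sticky bit, the trailing "t"), and (2) repoint the ftp
# account's home directory in a copy of master.passwd. Everything happens in
# a temp directory; on a real FBSD box you edit the real file with vipw.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MASTER="$WORK/master.passwd"
UPLOAD_DIR="$WORK/home/anonymous.ftp"   # stands in for /usr/home/anonymous.ftp

# Constructed master.passwd excerpt (10-field form; field 9 is the home dir).
cat > "$MASTER" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
ftp:*:14:5::0:0:Anonymous FTP Admin:/usr/ftp:/nonexistent
alice:*:1001:1001::0:0:Alice:/usr/home/alice:/bin/sh
EOF

# Recreate what "cp -rpf anonymous.ftp /usr/home/" left behind: a sticky,
# world-writable directory. mkdir + chmod 1777 gives exactly drwxrwxrwt.
mkdir -p "$UPLOAD_DIR" && chmod 1777 "$UPLOAD_DIR"

# Return 0 only if $1 is a directory whose mode string is drwxrwxrwt.
check_upload_dir() {   # $1 = directory path
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# Print an account's home directory (field 9 of master.passwd).
account_home() {       # $1 = master.passwd path, $2 = account name
    awk -F: -v u="$2" '$1 == u { print $9 }' "$1"
}

# Rewrite field 9 for one account, leaving every other line untouched.
set_account_home() {   # $1 = master.passwd path, $2 = account, $3 = new home
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $9 = h } { print }' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Only repoint the account once the directory is known to be in good shape.
if check_upload_dir "$UPLOAD_DIR"; then
    set_account_home "$MASTER" ftp "/usr/home/anonymous.ftp"
    echo "ftp home is now: $(account_home "$MASTER" ftp)"
else
    echo "refusing to repoint ftp: $UPLOAD_DIR is missing or not drwxrwxrwt" >&2
    exit 1
fi
```

check_upload_dir is the part worth keeping around: run it against /usr/home/anonymous.ftp after any restore or permissions cleanup, since a directory that has lost its sticky bit lets one anonymous uploader remove another's files.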

There is one major problem that all anonymous FTP servers are faced with: limiting the size of the disk space of the upload directory. You also have this problem with your users' home directories. The directory size will just keep growing until all the free space in the /usr slice is consumed. The size of the directories can be restricted to a pre-defined size using quotas.


Quotas

See this for more info:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html

To enable the quotas function you have to add this statement to your kernel configuration file and recompile.

options QUOTA

Edit /etc/fstab and change the /usr slice entry to look like this to enable quotas on it.

The keyword userquota is for individual user quotas. The keyword groupquota is for quotas on all the users belonging to a group. It is best to specify both keywords now so you can choose later how you want to use them.

/dev/ad0s1f /usr ufs rw,userquota,groupquota 2 2

After rebooting your system, issue the following command to create the quota files needed by the quota system:

    quotacheck -a

Issue the following command to start the quota system on the /usr slice:

    quotaon -a

To edit user quotas for anonymous FTP, issue the following command:

    edquota -u ftp

To enable quotas every time you reboot your system edit /etc/rc.conf and add this:

    quota_enable="YES"

    check_quotas="YES"

To check on quota usage of anonymous FTP, issue the following command as root:

    quota ftp
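The fstab and rc.conf edits in this section are the part that is easy to botch by hand (a typo in the options field can keep /usr from mounting, and a second copy of userquota is harmless but confusing). The script below is an added example, not part of this guide or of FreeBSD; it applies the same settings to constructed copies of /etc/fstab and /etc/rc.conf in a temporary directory, adding userquota and groupquota to the /usr options only when they are missing and leaving every other line, including the comment header and the swap and root entries, untouched. The quotacheck, quotaon, edquota and quota commands need a quota-enabled kernel and real file systems, so they are not run here.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the quota settings
# above to constructed copies of /etc/fstab and /etc/rc.conf in a temp
# directory. The fstab edit is idempotent: userquota and groupquota are each
# added to the /usr options field only if missing, so running it twice (or
# on a slice that already has one of them) never duplicates a keyword.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FSTAB="$WORK/fstab"; RC_CONF="$WORK/rc.conf"
TAB=$(printf '\t')

# Constructed fstab matching the guide's layout (/usr on ad0s1f).
cat > "$FSTAB" <<'EOF'
# Device         Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1b      none            swap    sw              0       0
/dev/ad0s1a      /               ufs     rw              1       1
/dev/ad0s1f      /usr            ufs     rw              2       2
EOF
printf 'inetd_enable="YES"\n' > "$RC_CONF"   # constructed rc.conf

# Print the options field (4th column) of the fstab line for a mount point.
fstab_options() {        # $1 = fstab path, $2 = mount point
    awk -v mp="$2" '!/^#/ && $2 == mp { print $4 }' "$1"
}

# Add userquota and groupquota to the options of one mount point, once each.
fstab_enable_quota() {   # $1 = fstab path, $2 = mount point
    awk -v OFS="$TAB" -v mp="$2" '
        /^#/ || NF < 6 { print; next }       # comments and odd lines pass through
        $2 == mp {
            hasU = 0; hasG = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "userquota")  hasU = 1
                if (opt[i] == "groupquota") hasG = 1
            }
            if (!hasU) $4 = $4 ",userquota"
            if (!hasG) $4 = $4 ",groupquota"
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append an rc.conf line unless the variable is already set.
rc_set_once() {          # $1 = rc.conf path, $2 = variable, $3 = value
    grep -q "^$2=" "$1" || printf '%s="%s"\n' "$2" "$3" >> "$1"
}

fstab_enable_quota "$FSTAB" /usr
rc_set_once "$RC_CONF" quota_enable YES
rc_set_once "$RC_CONF" check_quotas YES

echo "/usr options: $(fstab_options "$FSTAB" /usr)"
echo "rc.conf:"; cat "$RC_CONF"
```

After the real edit, fstab_options /etc/fstab /usr should print rw,userquota,groupquota before you reboot; if it prints anything else, fix fstab first, because quotacheck and quotaon will not find the slice otherwise.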


Telnet

Telnet is dynamically launched by the inetd utility daemon the same way FTP is. The telnet client program on FBSD systems uses SRA to encrypt the ID and password so they do not go over the Internet in clear text. So as long as you are using a FBSD system as the remote system to log in to your telnet server there is no security problem. The problem is with MS/Windows boxes using standard telnet to access your telnet server: they transmit the ID and password over the public Internet in plain text.


Secure FTP & Telnet

There are MS/Windows clients which use ssh to log in to your FBSD system using the sshd daemon. sshd has its own built-in version of a telnet server and an FTP-like function for uploading and downloading from the user's home directory. These programs can use all the different kinds of secure and encrypted login functions. Describing them is out of the scope of this instructional guide. Here are some links to the most popular client programs for MS/Windows that work with your FBSD system.

http://winscp.sourceforge.net/eng/about.php

http://www.vandyke.com/products/securecrt/

______________________________________________________________________

This FreeBSD Installer Guide is a public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.