Pass to site/facility/command Information System Security Officer (ISSO), Special Security Officer (SSO), Information Resource Manager (IRM) and Automated Data Processor (ADP) coordinators.

Subject: Internet anonymous FTP activity (Automated System Security Incident Support Team (ASSIST) Bulletin 93-20).

1. The Internet Computer Emergency Response Team (CERT) Coordination Center and ASSIST have been responding to a number of incidents involving sites that are experiencing unwanted activities with anonymous FTP on Internet (including MILNET) systems. This is not a new problem, but since this type of activity does not seem to be diminishing, this bulletin has been issued and contains information concerning anonymous FTP problems and corresponding solution suggestions to help sites control anonymous FTP activity. ASSIST bulletins 92-14, 92-59, and 93-12 can also be referenced for information on FTP and the impact of providing FTP services.

2. The following 3 items are the most common anonymous FTP related problems:

   A. Improper configurations leading to system compromise.

   B. Excessive transfer of data causing deliberate over-filling of disk space, thus leading to denial of service.

   C. Use of writable areas to transfer copyrighted software and other unauthorized information.

This advisory provides an updated version of the anonymous FTP configuration guidelines that are available from CERT. The purpose of these guidelines is to assist system administrators at sites that offer anonymous FTP services. These guidelines will aid a system administrator in configuring anonymous FTP capabilities to minimize unintended use of services or resources. System administrators should be aware that anonymous FTP capabilities should be configured and managed according to the policies established for their site.
You may obtain future copies of these guidelines through anonymous FTP from cert.org (192.88.209.5) in /pub/tech_tips/anonymous_ftp, and from the ASSIST BBS at 703-756-7993, DSN 289.

3. Following is the anonymous FTP configuration guidelines information provided by the CERT:

Anonymous FTP can be a valuable service if correctly configured and administered. The first section of this document provides general guidance in initial configuration of an anonymous FTP area. The second section addresses the issues and challenges involved when a site wants to provide writable directories within their anonymous FTP areas. The third section provides information about previous CERT advisories related to FTP services (and ASSIST bulletins).

The following guidelines are a set of suggested recommendations that have been beneficial to many sites. CERT recognizes that there will be sites that have unique requirements and needs, and that these sites may choose to implement different configurations.

I. Configuring anonymous FTP

A. FTP daemon

Sites should ensure that they are using the most recent version of their FTP daemon.

B. Setting up the anonymous FTP directories

The anonymous FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or be in the same group as the ftp account. This is a common configuration problem. If any of these directories are owned by ftp or are in the same group as the ftp account and are not write protected, an intruder will be able to add files (such as a .rhosts file) or modify other files. Many sites find it acceptable to use the root account. Making the FTP root directory and its subdirectories owned by root, part of the system group, and protected so that only root has write permission will help to keep your anonymous FTP service secure.
Here is an example of an anonymous FTP directory setup:

    drwxr-xr-x  7 root system  512 Mar  1 15:17 ./
    drwxr-xr-x 25 root system  512 Jan  4 11:30 ../
    drwxr-xr-x  2 root system  512 Dec 20 15:43 bin/
    drwxr-xr-x  2 root system  512 Mar 12 16:23 etc/
    drwxr-xr-x 10 root system  512 Jun  5 10:54 pub/

Files and libraries, especially those used by the FTP daemon and those in ~ftp/bin and ~ftp/etc, should have the same protections as these directories. They should not be owned by ftp or be in the same group as the ftp account, and they should be write protected.

C. Using proper password and group files

We strongly advise that sites not use the system's /etc/passwd file as the password file or the system's /etc/group as the group file in the ~ftp/etc directory. Placing these system files in the ~ftp/etc directory will permit intruders to get a copy of these files. These files are optional and are not used for access control.

We recommend that you use a dummy version of both the ~ftp/etc/passwd and ~ftp/etc/group files. These files should be owned by root. The dir command uses these dummy versions to show owner and group names of the files and directories instead of displaying arbitrary numbers.

Sites should make sure that the ~ftp/etc/passwd file contains no account names that are the same as those in the system's /etc/passwd file. These files should include only those entries that are relevant to the FTP hierarchy or needed to show owner and group names. In addition, ensure that the password field has been cleared. The examples below show the use of asterisks (*) to clear the password field.

Below is an example of a passwd file from the anonymous FTP area on cert.org:

    ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
    cops:*:3271:20:COPS Distribution::
    cert:*:9920:20:CERT::
    tools:*:9921:20:CERT Tools::
    ftp:*:9922:90:Anonymous FTP::
    nist:*:9923:90:NIST Files::

Here is an example group file from the anonymous FTP area on cert.org:

    cert:*:20:
    ftp:*:90:

II.
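The ownership, permission and dummy passwd rules of sections I.B and I.C above, turned into an audit script. This is an added example, not part of the bulletin or of CERT's guidelines; it assumes paths without spaces, takes the ftp account's numeric uid and gid and the system passwd file as parameters, and the sample area it builds is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the bulletin: audit an anonymous FTP area against
# sections I.B and I.C. Assumptions: paths without spaces; the ftp account's
# numeric uid/gid and the system passwd file to compare with are passed in.

# Report every entry under $1 owned by the ftp uid $2, in the ftp gid $3, or
# writable by group/other. One finding per line; returns the finding count.
audit_ftp_tree() {
    root=$1; ftp_uid=$2; ftp_gid=$3; n=0
    for p in $(find "$root"); do
        set -- $(ls -ldn "$p")                 # mode links uid gid size ...
        mode=$1; uid=$3; gid=$4
        [ "$uid" = "$ftp_uid" ] && { echo "owned by ftp account: $p"; n=$((n+1)); }
        [ "$gid" = "$ftp_gid" ] && { echo "in ftp account's group: $p"; n=$((n+1)); }
        case $mode in
            ?????w*|????????w*) echo "group/other writable: $p ($mode)"; n=$((n+1)) ;;
        esac
    done
    return $n
}

# Check a dummy ~ftp/etc/passwd ($1) against the real system passwd file ($2):
# every password field must be "*" and no account name may also appear in the
# system file. Returns the finding count.
audit_ftp_passwd() {
    dummy=$1; system=$2; n=0
    while IFS=: read -r name pw rest; do
        [ -z "$name" ] && continue
        [ "$pw" = "*" ] || { echo "password field not cleared: $name"; n=$((n+1)); }
        if cut -d: -f1 "$system" | grep -qx "$name"; then
            echo "account name also in system passwd: $name"; n=$((n+1))
        fi
    done < "$dummy"
    return $n
}

# Constructed sample area in a temp dir (prints its path): pub/ is group
# writable and incoming/ world writable, and the dummy passwd carries a root
# entry copied from the system file, so each check has something to find.
build_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/ftp/bin" "$t/ftp/etc" "$t/ftp/pub" "$t/ftp/incoming"
    chmod 755 "$t/ftp" "$t/ftp/bin" "$t/ftp/etc"; chmod 775 "$t/ftp/pub"; chmod 733 "$t/ftp/incoming"
    printf 'ftp:*:9922:90:Anonymous FTP::\nroot:x:0:0:root::\n' > "$t/ftp/etc/passwd"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$t/system_passwd"
    chmod 644 "$t/ftp/etc/passwd" "$t/system_passwd"
    echo "$t"
}
```

Intended drop-off subdirectories (section II of the guidelines) are world writable by design and will be reported; review those findings against the site's policy.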
Providing writable directories in your anonymous FTP configuration

There is a risk to operating an anonymous FTP service that permits users to store files. CERT strongly recommends that sites do not automatically create a "drop off" directory unless thought has been given to the possible risks of having such a service. CERT has received many reports where these directories have been used as "drop off" directories to distribute bootlegged versions of copyrighted software or to trade information on compromised accounts and password files. CERT has also received numerous reports of file systems being maliciously filled, causing denial of service problems.

This section discusses three ways to address these problems. The first is to use a modified FTP daemon. The second method is to provide restricted write capability through the use of special directories. The third method involves the use of a separate directory.

A. Modified FTP daemon

If your site is planning to offer a "drop off" service, CERT suggests using a modified FTP daemon that will control access to the "drop off" directory. This is the best way to prevent unwanted use of writable areas. Some suggested modifications are:

   1. Implement a policy where any file dropped off cannot be accessed until the system manager examines the file and moves it to a public directory.

   2. Limit the amount of data transferred in one session.

   3. Limit the overall amount of data transferred based on available disk space.

   4. Increase logging to enable earlier detection of abuses.

For those interested in modifying the FTP daemon, source code is usually available from your vendor. Public domain sources are available from:

    wuarchive.wustl.edu   ~ftp/packages/wuarchive-ftpd
    ftp.uu.net            ~ftp/systems/unix/bsd-sources/libexec/ftpd
    gatekeeper.dec.com    ~ftp/pub/DEC/gwtools/ftpd.tar.Z

The CERT Coordination Center has not formally reviewed, evaluated, or endorsed the FTP daemons described.
The decision to use the FTP daemons described is the responsibility of each user or organization, and we encourage each organization to thoroughly evaluate these programs before installation or use.

B. Using protected directories

If your site is planning to offer a "drop off" service and is unable to modify the FTP daemon, it is possible to control access by using a maze of protected directories. This method requires prior coordination and cannot guarantee protection from unwanted use of the writable FTP area, but has been used effectively by many sites.

Protect the top level directory (~ftp/incoming), giving only execute permission to the anonymous user (chmod 751 ~ftp/incoming). This will permit the anonymous user to change directory (cd), but will not allow the user to view the contents of the directory.

    drwxr-x--x  4 root system  512 Jun 11 13:29 incoming/

Create subdirectories in ~ftp/incoming using names known only between your local users and the anonymous users that you want to have "drop off" permission. The same care used in selecting passwords should be taken in selecting these subdirectory names, because the object is to choose names that cannot be easily guessed. Please do not use our example directory names of jajwuth2 and mhall-if.

    drwxr-x-wx 10 root system  512 Jun 11 13:54 jajwuth2/
    drwxr-x-wx 10 root system  512 Jun 11 13:54 mhall-if/

This will prevent the casual anonymous FTP user from writing files in your anonymous FTP file system. It is important to realize that this method does not protect a site against the result of intentional or accidental disclosure of the directory names. Once a directory name becomes public knowledge, this method provides no protection at all from unwanted use of the area. Should a name become public, a site may choose to either remove or rename the writable directory.

C.
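The "drop off" area lifecycle of sections II.A and II.B, as an added example that is not part of the bulletin or of CERT's guidelines: it creates the protected directory maze with random names and the 751 and drwxr-x-wx (753) modes shown above, renames a directory once its name has been disclosed, and, standing in for items 1 and 4 of the suggested daemon modifications, moves dropped files to a review directory outside the FTP tree and logs them. The FTP root path, the review directory and the log format are assumptions of the example; ownership (root, per the guidelines) is left to the caller.

```sh
#!/bin/sh
# Added example, not from the bulletin: the "drop off" area lifecycle of
# sections II.A and II.B, done outside the daemon. Assumptions: the FTP root
# is passed in, paths contain no spaces, and ownership is left to the caller
# (the bulletin wants root ownership, which needs the script run as root).

# Random 16-hex-character name, so a drop-off directory cannot be guessed.
random_name() { od -An -N8 -tx1 /dev/urandom | tr -d ' \n'; }

# Create $1/incoming as 751 (cd allowed, no listing) and one drop-off
# subdirectory beneath it as drwxr-x-wx (753); print the subdirectory path.
make_dropoff() {
    top=$1/incoming
    mkdir -p "$top" && chmod 751 "$top"
    sub=$top/$(random_name)
    mkdir "$sub" && chmod 753 "$sub" && echo "$sub"
}

# Rename a drop-off directory whose name has become public ($1) to a fresh
# random name, the bulletin's remedy for disclosure; print the new path.
rotate_dropoff() {
    new=$(dirname "$1")/$(random_name)
    mv "$1" "$new" && echo "$new"
}

# II.A items 1 and 4 without a modified daemon: move every file under the
# incoming tree $1 to the review directory $2 (outside ~ftp, mode 700), make
# it owner-only and log it to $3 with its size; print the number moved.
sweep_incoming() {
    incoming=$1; review=$2; log=$3; moved=0
    mkdir -p "$review" && chmod 700 "$review"
    for f in $(find "$incoming" -type f); do
        size=$(wc -c < "$f" | tr -d ' ')
        dest="$review/$(date -u +%Y%m%dT%H%M%SZ).$moved.$(basename "$f")"
        mv "$f" "$dest" && chmod 600 "$dest" || continue
        printf '%s quarantined %s (%s bytes) as %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" "$size" "$dest" >> "$log"
        moved=$((moved+1))
    done
    echo "$moved"
}

# Mode string as ls shows it, e.g. drwxr-x--x, for checking the setup.
mode_of() { ls -ld "$1" | cut -c1-10; }
```

Run sweep_incoming from cron so dropped files never stay reachable for long, and keep the review directory on a file system the ftp account cannot reach.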
Using a single disk drive

If your site is planning to offer a "drop off" service and is unable to modify the FTP daemon, it may be desirable to limit the amount of data transferred to a single file system mounted as ~ftp/incoming. If possible, dedicate a disk drive and mount it as ~ftp/incoming. If this dedicated disk becomes full, it will not cause a denial of service problem. The system administrator should monitor this directory (~ftp/incoming) on a continuing basis to ensure that it is not being misused.

Copyright (C) Carnegie Mellon University 1993

4. Point of contact: (Note: this paragraph contains information about new ASSIST contact numbers.)

ASSIST point of contact for this matter is Pete Hammes, comm (703) 756-7974, DSN 289. ASSIST can be reached 24 hours per day, commercial pager (800) SKY-PAGE (800-759-7243), PIN number 2133937. When calling the pager service, follow the automated voice instructions and enter the call back number after the prompt. The ASSIST duty officer will call you back within 30 minutes. If faster service is required, prefix your telephone number with "999", and the ASSIST duty officer will call back within 5 minutes. ASSIST can also be reached via e-mail at dod-cert@ddn-conus.ddn.mil, by dialing into the ASSIST electronic bulletin board at (703) 756-7993, DSN 289, and leaving a message for the sysop. ASSIST will begin distributing bulletins over the MILNET using an electronic mailing list, and have an FTP site available for file downloads in 60-90 days.