[Fixed] Security Vulnerability: Anonymous FTP Login

What is Anonymous FTP Login Vulnerability?

Reports if the remote FTP Server allows anonymous logins. A host that provides an FTP service may additionally provide Anonymous FTP login access as well. Under this arrangement, users do not strictly need an account on the host. Instead the user typically enters ‘anonymous’ or ‘ftp’ when prompted for username.

Although users are commonly asked to send their email address as their password, little to no verification is actually performed on the supplied data. Remark: NIST don’t see ‘configuration issues’ as software flaws so the referenced CVE has a severity of 0.0. The severity of this VT has been raised by Greenbone to still report a configuration issue on the target.

Security Vulnerability of Anonymous FTP Login

Based on the files accessible via this anonymous FTP login and the permissions of this account an attacker might be able to:

– gain access to sensitive files

– upload or delete files.

Anonymous FTP Login Solutions

If you do not want to share files, you should disable anonymous logins.

In commonly used Linux FTP servers, prohibiting anonymous access can typically be achieved through several methods, depending on the FTP server software you are using. Here are some common Linux FTP servers and their methods to disable anonymous access:

Solution 1. vsftpd (Very Secure FTP Daemon)

vsftpd is a widely used secure FTP server that usually disables anonymous access through the following steps:

• Edit the configuration file: By default, vsftpd’s configuration file is located at /etc/vsftpd.conf.
• Set anonymous access option: Ensure the following setting is in place:

  anonymous_enable=NO

This disables anonymous access.

• Restart the service: After updating the configuration, restart the vsftpd service to apply the changes:

  sudo systemctl restart vsftpd

Solution 2. ProFTPD

ProFTPD is another popular open-source FTP server where disabling anonymous access can be done as follows:

• Edit the configuration file: ProFTPD’s main configuration file is typically found at /etc/proftpd/proftpd.conf.
• Set anonymous access option: Ensure the following setting is in place:

  AllowAnonymous no

This will disable anonymous access.

• Restart the service: After updating the configuration, restart the ProFTPD service:

  sudo systemctl restart proftpd

Solution 3. Pure-FTPd

Pure-FTPd is a lightweight FTP server that also supports disabling anonymous access:

• Edit the configuration file: Pure-FTPd’s configuration file is usually located at /etc/pure-ftpd.conf or /etc/pure-ftpd/pure-ftpd.conf.
• Set anonymous access option: Ensure the following setting is in place:

  NoAnonymous yes

This disables anonymous access.

• Restart the service: After updating the configuration, restart the Pure-FTPd service:

  sudo systemctl restart pure-ftpd

Solution 4. Other FTP Servers

For other Linux FTP servers, there are typically similar configuration options to disable anonymous access. Key steps include:

• Locate the configuration file: Determine the location of the main configuration file for your FTP server.
• Edit the configuration file: Find the option that controls anonymous access.
• Set it to disable: Adjust the respective option to disable anonymous access.
• Restart the service: After updating the configuration, restart the FTP service to apply the changes.

Conclusion

Using these methods, you can effectively enhance system security and compliance by prohibiting anonymous FTP login based on the specific FTP server software you are using. Remember to backup configuration files before making any changes and ensure that the updated configuration does not affect normal system operation or legitimate user access.