Infrastructure Assessment / Electronic Financial Infrastructure (Server) - Linux

SRV-013 Insufficient restriction of FTP service access by the Anonymous account

by 49 BLOCK 2024. 1. 1.


【 Description 】
FTP is a file-transfer service. When anonymous FTP is enabled, anyone can use the service without an individual account, so a malicious user can reach the server just as easily; check whether this function is allowed.

【 Criteria 】
- Good : FTP service not in use, or the Anonymous setting is disabled
- Vulnerable : Anonymous FTP setting is enabled

【 Assessment method 】
  1. Check whether an Anonymous account (ftp or an arbitrary anonymous account) exists
  2. Check the Anonymous FTP access restriction setting

  ■ Linux, HP-UX, SOLARIS
    [ ftp ] (wu-ftpd-based ftpd) : After checking whether an Anonymous account exists, check the type-list of each class definition in the "ftpaccess" file for "anonymous"
    # cat /etc/passwd
        ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

    # cat /etc/ftpaccess
    # cat /etc/ftpd/ftpaccess
        class    all        real,guest,anonymous    *
        class    example    real    127.0.0.1,192.168.56.*
        ...
        compress    yes    all
        tar         yes    example
        chmod       no     guest,anonymous
        delete      no     guest,anonymous
        ...

    ※ ftpaccess class definition format : class <class-name> <type-list> <source_ip_address OR hostname>
    ※ type-list : real (an account that actually exists on the system), anonymous (the anonymous FTP account), guest (a guest-privilege account)
    ※ In the example above the class "all" admits anonymous logins from any address (*). Anonymous access is disabled only when no class's type-list contains "anonymous"; the chmod/delete "no" lines merely limit what an anonymous user may do after logging in and do not block the login itself.

    [ proftpd ] : After checking whether an Anonymous account exists, check the User and UserAlias settings inside the <Anonymous> section
    # cat /etc/passwd
        ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

    # cat /etc/proftpd.conf
    # cat /etc/proftpd/proftpd.conf
    # cat /etc/proftpd/conf/proftpd.conf
    # cat /usr/local/etc/proftpd.conf
    # cat /usr/local/proftpd/etc/proftpd.conf
        <IfDefine ANONYMOUS_FTP>
          <Anonymous ~ftp>
            User            ftp
            Group           ftp
            UserAlias       anonymous ftp
            ...
          </Anonymous>
        </IfDefine>
or
    # cat /etc/proftpd.conf
    # cat /etc/proftpd/proftpd.conf
    # cat /etc/proftpd/conf/proftpd.conf
    # cat /usr/local/etc/proftpd.conf
    # cat /usr/local/proftpd/etc/proftpd.conf
        <IfDefine ANONYMOUS_FTP>
            Include /etc/proftpd/anonftp.conf
        </IfDefine>
    # cat /etc/anonftp.conf
    # cat /etc/proftpd/anonftp.conf
    # cat /etc/proftpd/conf/anonftp.conf
    # cat /usr/local/etc/anonftp.conf
    # cat /usr/local/proftpd/etc/anonftp.conf
        <Anonymous ~ftp>
            User            ftp
            Group           ftp
            ...
            UserAlias       anonymous ftp
            ...
        </Anonymous>

    ※ User <account_name> : the system account the anonymous session runs as
    ※ UserAlias anonymous <account_name> : the alias under which an "anonymous" login is mapped to that account
    ※ <Anonymous ~ftp> : the argument is the anonymous root directory (~ftp = the home directory of the ftp account). A section wrapped in <IfDefine ANONYMOUS_FTP> is only active when proftpd was started with -DANONYMOUS_FTP, so confirm the daemon's startup options (init script, defaults file or service unit) as well as the config file; also follow every Include, since the section is often kept in a separate file as shown above.

    [ vsftpd ] : After checking whether an Anonymous account exists, check for "anonymous_enable=NO"
    # cat /etc/passwd
        ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

    # cat /etc/vsftpd.conf | grep anonymous_enable
    # cat /etc/vsftpd/vsftpd.conf | grep anonymous_enable
    # cat /etc/vsftpd/conf/vsftpd.conf | grep anonymous_enable
        anonymous_enable=YES

    ※ A missing line is not a pass : when anonymous_enable is absent, vsftpd falls back to its built-in default, which is YES. Only an uncommented "anonymous_enable=NO" counts as disabled; a line commented out with "#" (which the grep above still prints) must be ignored.

  ■ AIX
    [ ftp ] (AIX ftpd) : Check whether a system Anonymous account exists and check the Anonymous FTP setup
    # cat /etc/passwd
        ftp:x:201:1::/home/ftp:/usr/bin/ksh

    # cat $FTP_HOME/etc/passwd
        root:x:0:0::/:/bin/ksh
        ftp:x:201:1::/home/ftp:/usr/bin/ksh
        <anonymous_account>:!:202:1::/home/<anonymous_account>:/usr/bin/ksh
    # lsuser -f <anonymous_account>
        <anonymous_account>:
        ...
        login=false
        rlogin=false
        ...
    # cat $FTP_HOME/etc/ftpaccess.ctl | grep useronly
        useronly: <anonymous_account>

    ※ $FTP_HOME above stands for the anonymous FTP root, i.e. the home directory of the ftp account (/home/ftp in this example); the passwd file and ftpaccess.ctl live under its etc/ subdirectory
    ※ On AIX the FTP account and directory are created either with the "/usr/samples/tcpip/anon.ftp <username>" script or by hand
    (running the script without <username> creates the account and directory as "ftp")
    ※ AIX Anonymous FTP setup : usable only after a separate set of account files has been created and configured under the FTP service directory (a system account must exist before the Anonymous FTP account can be set up)

    [ proftpd ] : After checking whether an Anonymous account exists, check the User and UserAlias settings inside the <Anonymous> section (same check as on Linux)
    # cat /etc/passwd
        ftp:x:201:1::/home/ftp:/usr/bin/ksh

    # cat /etc/proftpd.conf
    # cat /etc/proftpd/proftpd.conf
    # cat /etc/proftpd/conf/proftpd.conf
    # cat /usr/local/etc/proftpd.conf
    # cat /usr/local/proftpd/etc/proftpd.conf
        <IfDefine ANONYMOUS_FTP>
          <Anonymous ~ftp>
            User            ftp
            Group           ftp
            UserAlias       anonymous ftp
            ...
          </Anonymous>
        </IfDefine>
or
    # cat /etc/proftpd.conf
    # cat /etc/proftpd/proftpd.conf
    # cat /etc/proftpd/conf/proftpd.conf
    # cat /usr/local/etc/proftpd.conf
    # cat /usr/local/proftpd/etc/proftpd.conf
        <IfDefine ANONYMOUS_FTP>
            Include /etc/proftpd/anonftp.conf
        </IfDefine>
    # cat /etc/anonftp.conf
    # cat /etc/proftpd/anonftp.conf
    # cat /etc/proftpd/conf/anonftp.conf
    # cat /usr/local/etc/anonftp.conf
    # cat /usr/local/proftpd/etc/anonftp.conf
        <Anonymous ~ftp>
            User            ftp
            Group           ftp
            ...
            UserAlias       anonymous ftp
            ...
        </Anonymous>

    ※ User <account_name> : the system account the anonymous session runs as
    ※ UserAlias anonymous <account_name> : the alias under which an "anonymous" login is mapped to that account

    [ vsftpd ] : After checking whether an Anonymous account exists, check for "anonymous_enable=NO" (same check as on Linux: an absent directive means the built-in default YES)
    # cat /etc/passwd
        ftp:x:201:1::/home/ftp:/usr/bin/ksh

    # cat /etc/vsftpd.conf | grep anonymous_enable
    # cat /etc/vsftpd/vsftpd.conf | grep anonymous_enable
    # cat /etc/vsftpd/conf/vsftpd.conf | grep anonymous_enable
        anonymous_enable=YES
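The wu-ftpd (ftpaccess), ProFTPD and vsftpd checks above for Linux and AIX, gathered into one shell script as an added example. This is not part of the original checklist: the passwd and config files it reads are constructed inside the script under a temporary directory, and the function names are this example's own. It also handles the two cases a manual grep can misjudge, a commented-out anonymous_enable=NO and a vsftpd.conf with no anonymous_enable line at all, which vsftpd treats as YES.

```shell
#!/bin/sh
# Added example (not from the original checklist): an offline audit helper that
# reads the files the SRV-013 procedure inspects and reports whether anonymous
# FTP is enabled. The sample files below are constructed here so the script runs
# without an FTP server; on a live host, pass the real paths to the functions.

# --- constructed sample inputs (assumptions, not real system files) ---
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin' \
              'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' '# wu-ftpd class definitions' \
              'class   all       real,guest,anonymous   *' \
              'class   example   real                   127.0.0.1,192.168.56.*' \
              'delete  no        guest,anonymous' > "$SAMPLE_DIR/ftpaccess"
printf '%s\n' 'ServerName "ProFTPD"' \
              '<IfDefine ANONYMOUS_FTP>' \
              '  <Anonymous ~ftp>' \
              '    User       ftp' \
              '    Group      ftp' \
              '    UserAlias  anonymous ftp' \
              '  </Anonymous>' \
              '</IfDefine>' > "$SAMPLE_DIR/proftpd.conf"
printf '%s\n' 'ServerName "ProFTPD"' '#<Anonymous ~ftp>' '#</Anonymous>' > "$SAMPLE_DIR/proftpd-hardened.conf"
printf '%s\n' '# anonymous_enable=NO  (commented out: must be ignored)' \
              'local_enable=YES' \
              'anonymous_enable=YES' > "$SAMPLE_DIR/vsftpd.conf"
printf '%s\n' 'local_enable=YES' > "$SAMPLE_DIR/vsftpd-nodirective.conf"
printf '%s\n' 'local_enable=YES' 'anonymous_enable=NO' > "$SAMPLE_DIR/vsftpd-hardened.conf"

# Step 1: accounts that look like anonymous FTP accounts (named ftp/anonymous,
# or with a home under the usual FTP roots). Prints one account name per line.
anon_accounts() {
    awk -F: '$1 == "ftp" || $1 == "anonymous" || $6 ~ /^\/(var|home)\/ftp/ { print $1 }' "$1"
}

# wu-ftpd: print the name of every active class whose type-list contains
# "anonymous" (a comment line starts with "#", so its first field is not "class").
wuftpd_anon_classes() {
    awk '$1 == "class" && $3 ~ /(^|,)anonymous(,|$)/ { print $2 }' "$1"
}

# ProFTPD: succeed (exit 0) if an uncommented <Anonymous ...> section exists in
# the file or in a plain file it Includes (directory/glob Includes are not
# followed here). A section inside <IfDefine ANONYMOUS_FTP> is only live when
# proftpd was started with -DANONYMOUS_FTP, so also check the daemon's startup options.
proftpd_anon_enabled() {
    grep -Eiq '^[[:space:]]*<Anonymous[[:space:]>]' "$1" && return 0
    for inc in $(awk 'tolower($1) == "include" { print $2 }' "$1"); do
        [ -f "$inc" ] && grep -Eiq '^[[:space:]]*<Anonymous[[:space:]>]' "$inc" && return 0
    done
    return 1
}

# vsftpd: print the effective anonymous_enable value. The last uncommented
# setting wins; if the directive is absent, vsftpd's built-in default is YES,
# so "no line found" must be reported as YES, not as disabled.
vsftpd_anon_enable() {
    awk -F= '/^[[:space:]]*anonymous_enable[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = toupper($2) }
             END { if (v == "") v = "YES"; print v }' "$1"
}

# Verdict per the checklist criteria: "good" when no present daemon allows
# anonymous access, "vulnerable" otherwise. A missing config = daemon not installed.
srv013_verdict() {   # args: ftpaccess proftpd.conf vsftpd.conf
    verdict=good
    [ -f "$1" ] && [ -n "$(wuftpd_anon_classes "$1")" ] && verdict=vulnerable
    [ -f "$2" ] && proftpd_anon_enabled "$2" && verdict=vulnerable
    [ -f "$3" ] && [ "$(vsftpd_anon_enable "$3")" = "YES" ] && verdict=vulnerable
    echo "$verdict"
}

# Run against the constructed samples (replace with the real paths on a host).
echo "anonymous-looking accounts : $(anon_accounts "$SAMPLE_DIR/passwd" | tr '\n' ' ')"
echo "wu-ftpd classes with anonymous : $(wuftpd_anon_classes "$SAMPLE_DIR/ftpaccess" | tr '\n' ' ')"
proftpd_anon_enabled "$SAMPLE_DIR/proftpd.conf" && echo "proftpd : <Anonymous> section present"
echo "vsftpd anonymous_enable : $(vsftpd_anon_enable "$SAMPLE_DIR/vsftpd.conf")"
echo "SRV-013 verdict : $(srv013_verdict "$SAMPLE_DIR/ftpaccess" "$SAMPLE_DIR/proftpd.conf" "$SAMPLE_DIR/vsftpd.conf")"
```

On a real host the three config paths vary by platform and package (the candidate locations are listed in the checklist above), and the AIX-native ftpd items (lsuser, ftpaccess.ctl) are not covered by this script; it reports "vulnerable" as soon as any one daemon admits anonymous logins, which matches the page's criteria.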

【 Remediation 】
  1. Delete the Anonymous account (ftp or any arbitrary anonymous account)
  2. Configure the Anonymous FTP access restriction (wu-ftpd : remove "anonymous" from every class type-list; proftpd : remove or comment out the <Anonymous> section and its UserAlias; vsftpd : set anonymous_enable=NO)
  3. Restart the FTP service
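Remediation step 2 for ProFTPD and vsftpd as an added example that is not part of the original post (whose own remediation walkthrough was removed). The weak configs are constructed in a temporary directory, and the harden_* functions are this example's own, not a tool shipped by either project; on a host you would run them on the real files after taking a backup, then perform steps 1 and 3 by hand.

```shell
#!/bin/sh
# Added example, not part of the original checklist: remediation step 2 applied
# to copies of the configs in a temp dir. Nothing here touches the real system.
# Step 1 (deleting the account) is left to the operator because the ftp user may
# own the FTP root directory; step 3 (restart) is noted at the end.

# --- constructed weak configs (assumptions, not real system files) ---
WORK=$(mktemp -d)
printf '%s\n' 'listen=YES' 'local_enable=YES' 'anonymous_enable=YES' \
              'anon_upload_enable=YES' > "$WORK/vsftpd.conf"
printf '%s\n' 'listen=YES' > "$WORK/vsftpd-minimal.conf"   # directive absent: built-in default is YES
printf '%s\n' 'ServerName "ProFTPD"' 'DefaultRoot ~' \
              '<IfDefine ANONYMOUS_FTP>' \
              '  <Anonymous ~ftp>' \
              '    User       ftp' \
              '    UserAlias  anonymous ftp' \
              '  </Anonymous>' \
              '</IfDefine>' > "$WORK/proftpd.conf"

# vsftpd: force anonymous_enable=NO. Every active occurrence is rewritten in
# place (the last one wins, so a stray later YES must not survive) and the
# directive is appended when absent, because the built-in default is YES.
harden_vsftpd() {
    awk '/^[[:space:]]*anonymous_enable[[:space:]]*=/ { print "anonymous_enable=NO"; seen = 1; next }
         { print }
         END { if (!seen) print "anonymous_enable=NO" }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# ProFTPD: comment out every <Anonymous ...> ... </Anonymous> section, which
# removes the anonymous login path even if the daemon runs with -DANONYMOUS_FTP.
# Running it twice is harmless: already-commented lines no longer match.
harden_proftpd() {
    awk 'tolower($0) ~ /^[[:space:]]*<anonymous[[:space:]>]/ { inside = 1 }
         { if (inside) print "# " $0; else print }
         tolower($0) ~ /^[[:space:]]*<\/anonymous>/ { inside = 0 }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Re-check helpers: what an auditor runs after the change.
vsftpd_anon_value() {
    awk -F= '/^[[:space:]]*anonymous_enable[[:space:]]*=/ { v = toupper($2) }
             END { if (v == "") v = "YES"; print v }' "$1"
}
proftpd_active_anon_sections() {
    grep -Eic '^[[:space:]]*<Anonymous[[:space:]>]' "$1" || true   # grep -c exits 1 on zero matches
}

for f in "$WORK/vsftpd.conf" "$WORK/vsftpd-minimal.conf"; do
    harden_vsftpd "$f"
    echo "$f -> anonymous_enable=$(vsftpd_anon_value "$f")"
done
harden_proftpd "$WORK/proftpd.conf"
echo "proftpd.conf -> active <Anonymous> sections: $(proftpd_active_anon_sections "$WORK/proftpd.conf")"
# Step 3 on a real host (not run here): restart the daemon, e.g. systemctl restart vsftpd
# or systemctl restart proftpd, or the platform's equivalent service command.
```

Commenting out the section rather than deleting it keeps the change reviewable in the config diff; after the restart, re-run the assessment commands from the checklist (or the audit script above) to confirm the verdict is now "good".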

2024-01-13 : (remediation walkthrough removed)