Turning Off FTP Access (ftpd)

Introduction

In general, users should not connect to a machine using ftp to transfer files, since the password is sent in clear text and, in principle, can be captured and used by others. The scp and sftp programs are secure replacements for ftp and should be used wherever possible.

Unless ssh is not supported on your architecture, please install it if it is not already installed (see xxx for information on installing ssh), and disable ftpd. Methods for disabling ftpd on various architectures are given below.

General Information

The ftp network service is provided through the inetd socket-listening daemon, which is common on many Unix-like operating systems. Recently, Red Hat, with the release of its 7.0 Linux distribution, migrated to xinetd, a replacement for inetd. What follows are instructions on how to disable ftp for systems running inetd or xinetd. Also, there is a quick reference list for which systems are running inetd or xinetd.

Disabling ftp for Unix systems running xinetd

To disable ftp, edit the file /etc/xinetd.d/wu-ftpd, and set the field labeled disable to yes.

Signal the xinetd daemon to reload its configuration by executing the commands

  cd /etc/rc.d/init.d
  ./xinetd reload

Finally, verify that xinetd reloaded properly by looking at the end of the system log file with the following command.

  tail -200 /var/log/messages

If you don't see messages from xinetd indicating that it has reloaded its configuration, then contact your computer liaison.

Disabling ftp for Unix systems running inetd

To disable ftpd, edit /etc/inetd.conf and comment out the ftpd entry and then refresh inetd. In /etc/inetd.conf there is a line like

  ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a

which you can find by searching for the string "ftp". Comment it out by putting the pound character ("#") at the beginning of the line so that the entry looks like

  #ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a

Save the file and then send the HUP signal to inetd. This can usually be done with the commands

  cd /etc/rc.d/init.d
  ./inet reload

If your inet rc script does not support "reload", or you cannot find an equivalent file in the /etc/rc* directory, then find the process id using

  ps auxw | grep inetd | grep -v grep

and send the process the HUP signal using

  kill -HUP PID

where "PID" in the above is replaced by the actual process ID for inetd (the number returned in the second field of the "ps" command issued above).
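The edits described in the two sections above (commenting out the ftp line in inetd.conf, setting "disable = yes" in the xinetd service file) and the log check, collected into shell functions as an added example that is not part of the original page. The functions take the file to edit as an argument so they can be tried on a copy before touching /etc/inetd.conf or /etc/xinetd.d/wu-ftpd; the "Reconfigured:" log text is an assumption about what xinetd writes on reload.

```shell
#!/bin/sh
# Added example, not from the original page.  Each function takes a file
# path so it can be run against a copy first.  No "sed -i": a temp file
# plus mv works on both GNU and BSD userlands.

# Comment out every active ftp line in an inetd.conf-style file, the same
# way the page does by hand: prefix the line with "#".
disable_ftp_inetd() {
    conf="$1"
    sed 's/^ftp[[:space:]]/#&/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Exit 0 only when no uncommented ftp entry remains.
ftp_disabled_inetd() {
    ! grep -q '^ftp[[:space:]]' "$1"
}

# Set "disable = yes" in an xinetd service file (e.g. /etc/xinetd.d/wu-ftpd).
# An existing disable line is rewritten; if there is none, one is added
# before the closing brace of the service block.
disable_ftp_xinetd() {
    conf="$1"
    awk '
        /^[[:space:]]*disable[[:space:]]*=/ { print "\tdisable\t= yes"; seen = 1; next }
        /^[[:space:]]*[}]/ && !seen        { print "\tdisable\t= yes"; seen = 1 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Exit 0 only when the service is marked disable = yes.
ftp_disabled_xinetd() {
    grep -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Check a syslog file (the page uses /var/log/messages) for evidence that
# xinetd reloaded.  "Reconfigured:" is assumed to be xinetd's reload
# message; adjust the pattern if your version logs differently.
xinetd_reload_logged() {
    grep -q 'xinetd\[[0-9]*\]: Reconfigured:' "$1"
}

# Against the live files (as root), for example:
#   disable_ftp_inetd /etc/inetd.conf && ftp_disabled_inetd /etc/inetd.conf
#   disable_ftp_xinetd /etc/xinetd.d/wu-ftpd && ftp_disabled_xinetd /etc/xinetd.d/wu-ftpd
#   xinetd_reload_logged /var/log/messages
```

After the edit you still have to reload inetd or xinetd as the sections above describe; these functions only change the files and check the result.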


Tom Throwe
Brett Viren
Last modified: Fri Jul 18 13:58:38 EDT 2003