Anonymous FTP must not be active on the system unless authorized.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-846 | GEN004820 | SV-37526r1_rule | ECSC-1 | Medium |
| Description |
|---|
| Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2017-03-01 |
Details
| Check Text ( C-36185r1_chk ) |
|---|
| Attempt to log into this host with a user name of anonymous and a password of guest (also try the password of guest@mail.com). If the logon is successful and the use of anonymous ftp has not been documented and approved by the IAO, this is a finding. Procedure: # ftp localhost Name: anonymous 530 Guest login not allowed on this machine. |
| Fix Text (F-31440r1_fix) |
|---|
| Configure the FTP service to not permit anonymous logins. |