Title

Anonymous FTP must not be active on the system unless authorized. (Cat II impact)

Discussion

Due to the numerous vulnerabilities inherent in anonymous FTP, it is recommended that it not be used. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package.

Check Content

Attempt to log into this host with a user name of anonymous and a password of guest (also try the password of guest@mail.com). If the logon is successful, this is a finding. Procedure: # ftp localhost Name: anonymous 530 Guest login not allowed on this machine.

Fix Text

Configure the FTP service to not permit anonymous logins.

Additional Identifiers

Rule ID: SV-227853r603266_rule

Vulnerability ID: V-227853

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.