Where can I find a good resource on properly securing tftp?

Red Squirrel

I can't seem to find much info at all on tftp. I am setting up a pxe server which requires tftp, but since this pxe server will be used on a rather untrusted network (a vlan used for plugging in random people's computers for working on them) I want to make sure it's very secure. I can't find any configuration options anywhere online, it's weird. It also runs as root by default, I don't want that. I tried to change the user as I did find that option in the /etc/xinet.d/tftp file but other than that I have not found many options at all on how to properly configure it, or an actual proper configuration file. The one in that folder is just basic and is more for the service itself than the actual program.

Is there perhaps an alternate tftp server that has more options and is better documented? Basically I want it to be 100% read only access, and run as a different user.
 

thecoolnessrune

TFTP is Trivial FTP. It does not support any encryption or authentication mechanism. It is essentially the IP version of a com terminal specifically for pushing data payloads. Encryption / Authentication has to be through other means. PXE is rarely implemented on a non-secured, isolated Network. You could put a VPN on each end and attach a VPN device (a small firewall from your favorite company) to the device being worked on, then that would put it on the PXE network. Or use a Wireless USB adapter to an SSID on a secured Wireless network. You need some sort of isolation if you don't trust the network, and TFTP will not do this for you.
 

Red Squirrel

Is there not even a way of making it read only? Basically I just don't want any files that are on the server to be modifiable or deletable. This is required for pxe boot to work. Basically this is still part of the internal network so not as risky as internet, but there could still potentially be an infected machine that is put on that network which could perhaps exploit it. Suppose another option is to have a quick way of turning it on/off. I rarely work on more than one machine at a time so when I do boot into an OS I can just turn it off.
 

thecoolnessrune

Yeah, by default, the standard Linux tftp-server package won't allow files to be written unless they're touched first. By default, it also should not allow files to be overwritten. Since TFTP has no real authentication mechanism, always make sure the TFTP directory is its own at the end of a tree, so nothing else can be touched. As long as the users can't get access to the server itself, the files in TFTP shouldn't be able to be changed. If they can get on your server, then you have bigger problems. :)
 

Red Squirrel

When you say touched, do you mean like using the touch command, so it will allow writing to an empty file, but once that file has data in it, it won't allow overwriting? Suppose that works. I just don't want some kind of virus or something on a user's machine possibly finding the tftp server and then modifying stuff on it. Ex: a phony pxe boot image that causes damage. I figure the odds of something like this are super slim as I'm not aware of any viruses that target tftp, but may as well be properly protected from it.
 

thecoolnessrune

That's correct. By default, if following the RFC standard, TFTP will write to an empty file (created with the touch command for instance), but it will not allow the overwriting of an existing file. Some, like a couple of versions of the Solarwinds TFTP Server, inadvertently allowed overwrite of files, and security advisories were issued. Others, like the standard tftp server daemon in Linux, won't do so unless you modify the server arguments in the config with -c to allow files to be created.

As long as the tftp directory is the last directory in a tree, you shouldn't have any concerns unless someone gains access to the server itself. Again, such things are easily mitigated by only exposing the ports and services needed, such as putting TFTP behind a firewall that only allows connections from that workgroup subnet on the TFTP port you configure, and only UDP.
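
The read-only setup discussed in this thread can be checked mechanically. The script below is an added example, not code from any poster: it audits an xinetd tftp stanza and the served directory for the `-c` flag, a missing chroot, and world-writable files. It assumes the daemon is tftp-hpa's `in.tftpd` (where `-s` chroots to the served directory and `-u` names the user it drops to); `audit_tftp` and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes tftp-hpa's in.tftpd under xinetd.
# audit_tftp CONF ROOT: prints findings; exit status = number of findings.
audit_tftp() {
    conf=$1; root=$2; findings=0; create=0; secure=0
    # Option string after "server_args =" (empty when the line is absent).
    args=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$conf")
    for word in $args; do          # assumes each flag is written separately
        case $word in
            -c) create=1 ;;
            -s) secure=1 ;;
        esac
    done
    if [ "$create" -eq 1 ]; then
        echo "FAIL: -c lets any client create new files"
        findings=$((findings + 1))
    fi
    # in.tftpd started as root chroots with -s, then drops to the -u user
    # (default "nobody"), so clients cannot name paths outside ROOT.
    if [ "$secure" -eq 0 ]; then
        echo "FAIL: no -s, daemon is not chrooted to $root"
        findings=$((findings + 1))
    fi
    # Without -c (and without -p), an upload can only replace a file that
    # already exists and is world-writable, so a read-only tree has none.
    writable=$(find "$root" ! -type l -perm -0002 2>/dev/null)
    if [ -n "$writable" ]; then
        echo "FAIL: world-writable entries under $root:"
        echo "$writable" | sed 's/^/  /'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a permissive stanza and a tree with one writable file.
demo=$(mktemp -d)
mkdir "$demo/tftpboot"
printf 'service tftp\n{\n    user = root\n    server_args = -c %s\n}\n' \
    "$demo/tftpboot" > "$demo/tftp.conf"
touch "$demo/tftpboot/pxelinux.0" "$demo/tftpboot/scratch"
chmod 644 "$demo/tftpboot/pxelinux.0"; chmod 666 "$demo/tftpboot/scratch"
audit_tftp "$demo/tftp.conf" "$demo/tftpboot" || echo "findings: $?"
```

Setting `user` to a non-root account in the xinetd stanza prevents the `-s` chroot from working, since the chroot needs root at startup; the privilege drop is done by the daemon itself through `-u`.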