
[ale] FTP Server on Linux



Are you saying they can snoop the whole directory tree? [I'm feeling obtuse
right now.]

How do ISPs like MindSpring prevent this activity?  Aren't they also
*NIX-based?

-Matthew Brown
----- Original Message -----
 From: Jeremy T. Bouse <undrgrid at UnderGrid.net>
To: Matthew Brown <matthew.brown at cordata.net>
Cc: <ale at ale.org>
Sent: Friday, January 22, 1999 12:52 PM
Subject: Re: [ale] FTP Server on Linux


>
>
>Matthew,
> Our primary web server is running Linux without FrontPage
>extensions so our users have to use FTP to upload. They have to have a
>valid acct and password to login. The only problem is that they can go
>snooping around the directory tree of your machine since it doesn't
>restrict them to their home directory. Because of this you do need to make
>sure file permissions for files/directories they should not access are set
>correctly. Also I would add the following line to your ftpaccess file:
>
> noretrieve /etc/passwd /etc/shadow core
>
> You may also wish to add /etc/shadow- and /etc/passwd- to that
>list of files but that should restrict them from being downloaded via FTP
>as shown below:
>
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> cd /etc/
>250 CWD command successful.
>ftp> dir passwd
>200 PORT command successful.
>150 Opening ASCII mode data connection for /bin/ls.
>-rw-r--r--   1 root     root         3306 Jan 18 14:52 passwd
>226 Transfer complete.
>ftp> get passwd
>local: passwd remote: passwd
>200 PORT command successful.
>550 /etc/passwd is marked unretrievable
>ftp> get /etc/shadow
>local: /etc/shadow remote: /etc/shadow
>200 PORT command successful.
>550 /etc/shadow: Permission denied.
>ftp>
>
> This was done on one of our Linux machines logging into FTP as a
>non-root account. Hence the permission denied on /etc/shadow since it is
>set to 0640 owned by root:shadow.
>
> Of course if you do allow users to login via FTP they can snoop
>through other users files if the user doesn't know how to change the
>permissions on a file they don't want viewed. Most FTP clients should have
>this as an option or it can be done using the SITE command syntax.
>
> Respectfully,
> Jeremy T. Bouse
> Sr. System Administrator
>
>On Fri, 22 Jan 1999, Matthew Brown wrote:
>
>> Date: Fri, 22 Jan 1999 11:06:27 -0500
>> From: Matthew Brown <matthew.brown at cordata.net>
>> To: ale at ale.org
>> Subject: Re: [ale] FTP Server on Linux
>>
>> Thanks for the SPEEDY replies!
>>
>> I offer web hosting services (so far on NT) - killer bandwidth!, but I'd
>> like to move my shop almost ENTIRELY over to Linux, and stay with Linux
>> from here on out.  If you've followed the list for a month or two you may
>> remember I've been hacked pretty hard.  I am NOT interested in this
>> happening again.  Since it is not a problem on my NT server (yet!), I have
>> left HTTP/FTP there.  I only do sendmail/ipopd on my Linux box.
>>
>> The FTP access would be authenticated, but NONE of the users need have any
>> permissions/rights outside their little world.
>>
>> Does this answer the question about access?  I guess I see no need for
>> anon-FTP, but I do need everyone's data to go to 'their' subdirectories.
>>
>> -Matthew Brown
>>
>> ----- Original Message -----
>> From: Michael H. Warfield <mhw at wittsend.com>
>> To: Matthew Brown <matthew.brown at cordata.net>
>> Cc: <ale at ale.org>
>> Sent: Friday, January 22, 1999 10:26 AM
>> Subject: Re: [ale] FTP Server on Linux
>>
>>
>> >Matthew Brown enscribed thusly:
>> >
>> >> Should I be confident that I can turn on the FTP daemon without compromising
>> >> my security too much.  Surely someone out there is using FTP and Linux?
>> >
>> >> I only ask because I have heard (I think) that this is one of the 'dangerous
>> >> daemons' to use as far as security.
>> >
>> > It can be.
>> >
>> > What is your objective?
>> >
>> > 1) Do you wish to start up an anonymous ftp server?
>> >
>> > 2) Do you wish to provide incoming or upload capability?
>> >
>> > 3) Do you wish to provide ftp access for non-anonymous accounts?
>> >
>> > Anonymous ftp should not be too difficult to set up.  In fact,
>> >most distributions already have it set up and too many turn on ftpd
>> >with anon ftp service by default (grrrr).  Even if they do set it up
>> >properly, offering a service on the network by default, which the user
>> >may not be aware of, is a serious security risk.
>> >
>> > If you wish to allow outsiders to upload data to your system,
>> >make sure ~ftp/incoming is writable but not readable or searchable by
>> >the ftp account!  Also read and understand the options in your /etc/ftpaccess
>> >file.  Do not allow the creation of subdirectories under ~ftp/incoming.
>> >
>> > I would strongly advise against #3 and use safer file transfer
>> >methods such as scp.  Using ftp may result in user passwords being passed
>> >in the clear on the network.
>> >
>> >> -Matthew Brown
>> >
>> > Mike
>> >--
>> > Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>> >  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
>> >  NIC whois:  MHW9      |  An optimist believes we live in the best of all
>> > PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
>>
>
>,-----------------------------------------------------------------------------,
>|  Jeremy T. Bouse   -   SouthNet TeleComm Services, Inc.   -   www.STSI.net  |
>|     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9     |
>|         Public PGP key available via 'finger undrgrid at UnderGrid.net'     |
>|  undrgrid at UnderGrid.net   -   NIC Whois: JB5713    -    sysadmin at STSI.net  |
>|      Anti-trust laws should be approached with exactly that attitude.       |
>`-----------------------------------------------------------------------------'
>
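The thread's three concrete hardening points (Jeremy's noretrieve line in ftpaccess and 0640 root:shadow on /etc/shadow, and Mike's write-only ~ftp/incoming) as one audit script. This is an added example, not code from any poster; the ROOT prefix argument and the paths /etc/ftpaccess and /home/ftp/incoming under it are assumptions so the script can be run against a constructed tree, and the checks look at permission bits only, not ownership.

```shell
#!/bin/sh
# Added example (not from the thread). Paths under ROOT are assumed.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# The "other" digit of the mode, i.e. what an unrelated account such as ftp gets.
other_digit() {
    m=$(mode_of "$1") || return 1
    printf '%s\n' "${m#${m%?}}"
}

# 1. ftpaccess must carry noretrieve lines naming both /etc/passwd and /etc/shadow.
check_noretrieve() {
    lines=$(grep -E '^[[:space:]]*noretrieve[[:space:]]' "$1" 2>/dev/null) || return 1
    for f in /etc/passwd /etc/shadow; do
        printf '%s\n' "$lines" | grep -q -- "$f" || return 1
    done
}
# 2. /etc/shadow must give "other" nothing at all (0640 root:shadow in the thread).
check_shadow_mode() {
    [ "$(other_digit "$1/etc/shadow")" = 0 ]
}
# 3. ~ftp/incoming must be writable but not readable by "other", so uploads
#    cannot be listed. The search (x) bit is needed to create files there,
#    so a mode such as 1733 passes while 755 or 777 fails.
check_incoming_mode() {
    d=$(other_digit "$1/home/ftp/incoming") || return 1
    [ "$d" = 2 ] || [ "$d" = 3 ]
}

# Run all three checks; prints one FAIL line per finding and returns the count.
audit_ftp() {
    root=$1 access=$2 fails=0
    check_noretrieve "$access" ||
        { echo "FAIL: $access lacks noretrieve for /etc/passwd and /etc/shadow"; fails=$((fails + 1)); }
    check_shadow_mode "$root" ||
        { echo "FAIL: $root/etc/shadow is readable by other"; fails=$((fails + 1)); }
    check_incoming_mode "$root" ||
        { echo "FAIL: $root/home/ftp/incoming is not write-only for other"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh ftp_audit.sh / /etc/ftpaccess   (no arguments: only defines the functions)
if [ -n "${1:-}" ]; then
    audit_ftp "$1" "${2:-$1/etc/ftpaccess}" && echo "OK: all three checks passed"
fi
```

The incoming-directory check deliberately accepts the search (x) bit, since an ftp client cannot create a file in a directory it cannot search.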