FTP server security.Nov 11 2003 02:04AM Michael Bellears (michael bellears staff datafx com au) (3 replies)
We are running 2000 advanced server, hosting multiple virtual domains
for clients, with FTP access via Virtual Directories.
I have noticed that any user connecting via FTP, is dumped into
"/username" - eg.
# ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx.
220 iis02 Microsoft FTP Service (Version 5.0).
Name (xxx.xxx.xxx.xxx:mb): craig
331 Password required for craig.
Password:
230 User craig logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/craig" is current directory.
If I perform a cd ../different_username, I am successfully dropped into
that clients dir:
ftp> cd ../1800contacts
250 CWD command successful.
ftp> pwd
257 "/1800contacts" is current directory.
Once in there, I am able to list, create, and delete - Obviously
something I need to restrict!
Is there anyway to 'jail' each user to there own directory tree? - i.e.
once authenticated, they cannot perform a "cd ../whatever" - If not, is
there a 'recommended' ownership/perms that will restrict access, but
still allow browsing via the web?
Regards,
MB
------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------
---
for clients, with FTP access via Virtual Directories.
I have noticed that any user connecting via FTP, is dumped into
"/username" - eg.
# ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx.
220 iis02 Microsoft FTP Service (Version 5.0).
Name (xxx.xxx.xxx.xxx:mb): craig
331 Password required for craig.
Password:
230 User craig logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/craig" is current directory.
If I perform a cd ../different_username, I am successfully dropped into
that clients dir:
ftp> cd ../1800contacts
250 CWD command successful.
ftp> pwd
257 "/1800contacts" is current directory.
Once in there, I am able to list, create, and delete - Obviously
something I need to restrict!
Is there anyway to 'jail' each user to there own directory tree? - i.e.
once authenticated, they cannot perform a "cd ../whatever" - If not, is
there a 'recommended' ownership/perms that will restrict access, but
still allow browsing via the web?
Regards,
MB
------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------
---
[ reply ]