SecurityFocus

FTP server security. Nov 11 2003 02:04AM
Michael Bellears (michael bellears staff datafx com au) (3 replies)

RE: FTP server security. Nov 13 2003 04:52AM
Laura A. Robinson (larobins bellatlantic net)

Re: FTP server security. Nov 12 2003 05:09AM
Jorge Alejandro Olivo Ramirez (jorge alestraidc net mx)

Re: FTP server security. Nov 11 2003 03:54PM
Ivan Hernandez (ivan hernandez globalsis com ar)

Usually setting the correct permissions on the directories of the other
users is all you need.
But... i would recommend to use sftp (ftp with SSL) in order to avoid
all that plaintext authentication. You can get a free working version
of an implementation of SSH with Cygwin (http://sources.redhat.com/cygwin)
Regadrs
Ivan Hernandez
http://biromeponja.8k.com

Michael Bellears wrote:

>We are running 2000 advanced server, hosting multiple virtual domains
>for clients, with FTP access via Virtual Directories.
>
>I have noticed that any user connecting via FTP, is dumped into
>"/username" - eg.
>
># ftp xxx.xxx.xxx.xxx
>Connected to xxx.xxx.xxx.xxx.
>220 iis02 Microsoft FTP Service (Version 5.0).
>Name (xxx.xxx.xxx.xxx:mb): craig
>331 Password required for craig.
>Password:
>230 User craig logged in.
>Remote system type is Windows_NT.
>ftp> pwd
>257 "/craig" is current directory.
>
>If I perform a cd ../different_username, I am successfully dropped into
>that clients dir:
>
>ftp> cd ../1800contacts
>250 CWD command successful.
>ftp> pwd
>257 "/1800contacts" is current directory.
>
>Once in there, I am able to list, create, and delete - Obviously
>something I need to restrict!
>
>Is there anyway to 'jail' each user to there own directory tree? - i.e.
>once authenticated, they cannot perform a "cd ../whatever" - If not, is
>there a 'recommended' ownership/perms that will restrict access, but
>still allow browsing via the web?
>
>Regards,
>MB
>
>-----------------------------------------------------------------------
----
>Network with over 10,000 of the brightest minds in information security
>at the largest, most highly-anticipated industry event of the year.
>Don't miss RSA Conference 2004! Choose from over 200 class sessions and
>see demos from more than 250 industry vendors. If your job touches
>security, you need to be here. Learn more or register at
>http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
>and use priority code SF4.
>-----------------------------------------------------------------------
----
>
>
>

------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------
---

[ reply ]