
Thread: FTP and Security

#1 Dehcbad25 (TZ Veteran; joined Apr 2002; DE - USA)

    FTP and Security

    Guys, I need some help and input.
    I was asked to deploy an FTP server at my work. I have to find out from the central state office whether it is allowed, but since we have 2 connections I will still have to deploy it.
    I particularly don't feel too comfortable with it, since I know it poses a big security risk.
    What I wanted to know is what you recommend and which practices will be best to have this running and minimize the risks.
    Thanks

#2 phishhead (Friendly Neighborhood Super Moderator; joined Apr 2002; San Diego, Ca.)
    Well, here at me and Stripes' work they have an FTP site set up for our customers... and in the past it became a warez site. What they did was have an incoming and an outgoing folder, with rights to that folder only... so basically the customer can upload DBs or files to incoming but cannot copy from it, and the outgoing folder they cannot write to but can copy from. Just some food for thought.



#3 Dehcbad25 (TZ Veteran; joined Apr 2002; DE - USA)
    What I am worried about is malicious access through the FTP to the rest of the domain. Since at work most stuff is held in the LAN, there is a lot of sensitive data, including the billing, Oracle databases, etc., that is very important. So I want to avoid any attack from that point. The FTP access will be used for an automated process of orders.

#4 cash_site (Security Intelligence TZ Veteran; joined Jul 2002; Software Paradise)
    Might be worthwhile looking for examples of exploits that can be done to FTP, and try to cover those holes for your FTP server.

    Phish had a good idea with setting the permissions to in-box and out-box, but you need to be careful of what extra commands the user can use, i.e. LIST, PWD, CD, etc.

    The common practice is CD .. This gets you out of the usual in-box and into the main directory where the FTP server is held. Then FTP acts just like a Telnet/Unix connection. They can get access to all files.

    Will you be using anonymous access, or strong usernames and passwords? Be careful of buffer overflows, the usual exploit in most apps. Just keep checking for authorization after each command; simplest way.

    --- 0wN3D by 3gG ---

#5 Dehcbad25 (TZ Veteran; joined Apr 2002; DE - USA)
    Well, the CD command can be limited by ROOT and HOME; that way the folders will be recursive and CD will be useless.
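The two controls discussed in this thread (an incoming/outgoing drop-box with one-way rights from post #2, and a ROOT/HOME limit that makes `CD ..` harmless from posts #4 and #5) can be modelled together in a few lines. The Python below is an added illustration written for this thread, not code from any poster or FTP product; it simulates the command handling of a confined server with no real filesystem access. The jail path `/srv/ftp`, the folder names and the rights table are constructed assumptions. Note the design choice in `resolve`: a path that would climb above the virtual root is refused and logged rather than silently clamped to `/`, so a probe like `CD ../../etc` shows up in the audit trail instead of being hidden.

```python
import posixpath

# Constructed example: a virtual root "/" the client can never climb above
# (the ROOT/HOME limit), plus per-folder rights that make "incoming"
# upload-only and "outgoing" download-only (the in-box/out-box idea).
# No real filesystem is touched; this only models the decision logic.

JAIL = "/srv/ftp"   # assumed on-disk directory the virtual root maps to

# Rights per top-level folder; a folder not listed here grants nothing.
RIGHTS = {
    "/": {"LIST"},
    "/incoming": {"STOR"},           # customers may only upload here
    "/outgoing": {"RETR", "LIST"},   # customers may only list/download here
}


class Session:
    """Per-connection state: current virtual directory plus an audit log."""

    def __init__(self):
        self.cwd = "/"
        self.log = []


def resolve(cwd, arg):
    """Turn a client-supplied path into a virtual absolute path.

    Returns None when the path would climb above the virtual root. The
    escape is refused rather than clamped so the attempt can be logged.
    """
    base = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    parts = []
    for piece in base.split("/"):
        if piece in ("", "."):
            continue
        if piece == "..":
            if not parts:
                return None          # would leave the root: refuse
            parts.pop()
        else:
            parts.append(piece)
    return "/" + "/".join(parts)


def real_path(virtual):
    """Map a virtual path onto the jail; the assert is a second guard."""
    real = posixpath.normpath(posixpath.join(JAIL, virtual.lstrip("/")))
    assert real == JAIL or real.startswith(JAIL + "/")
    return real


def folder_of(virtual):
    """Top-level folder whose rights govern a virtual path."""
    parts = virtual.split("/")
    return "/" if len(parts) < 2 or parts[1] == "" else "/" + parts[1]


def handle(sess, cmd, arg=""):
    """Process one command; returns (allowed, reply) and records denials."""
    cmd = cmd.upper()
    if cmd == "PWD":
        return True, f'257 "{sess.cwd}"'
    target = resolve(sess.cwd, arg) if arg else sess.cwd
    if target is None:
        sess.log.append(f"DENY {cmd} {arg!r} cwd={sess.cwd} reason=root-escape")
        return False, "550 Permission denied"
    if cmd == "CWD":
        if target in RIGHTS:         # only "/" and the known folders are reachable
            sess.cwd = target
            return True, f"250 Directory changed to {target}"
        sess.log.append(f"DENY CWD {arg!r} cwd={sess.cwd} reason=unknown-folder")
        return False, "550 No such directory"
    # LIST acts on the folder itself; STOR/RETR act on a file inside a folder.
    # Either way the first path component decides which rights apply.
    folder = folder_of(target)
    if cmd in RIGHTS.get(folder, set()):
        return True, f"150 {cmd} {target} ok ({real_path(target)})"
    sess.log.append(f"DENY {cmd} {arg!r} cwd={sess.cwd} reason=no-right-in-{folder}")
    return False, "550 Permission denied"


if __name__ == "__main__":
    s = Session()
    for cmd, arg in [("CWD", "incoming"), ("STOR", "orders.csv"),
                     ("RETR", "orders.csv"), ("CWD", "../../etc"),
                     ("CWD", "/outgoing"), ("STOR", "warez.zip")]:
        print(cmd, arg, "->", handle(s, cmd, arg))
    print("\n".join(s.log))
```

Run as a script it walks through a typical customer session: the upload to `incoming` succeeds, the read-back from `incoming` and the write into `outgoing` are refused, and the `CD ../../etc` probe lands in the log with a `root-escape` reason, which is the line a defender would want to alert on.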
