[CLUE-Tech] enabling ftp

ian iguy at ionsphere.org
Sun Mar 18 09:14:04 MST 2001


On Sun, Mar 18, 2001 at 08:17:46AM -0700, Lynn Danielson wrote:
> rfrank wrote:
> > On Saturday 17 March 2001 08:49, Ian  wrote:
> > > I can't say this enough.  TURN OFF FTP ASAP!!!!
> > 
> > Okay so now the order is ipchains, then ssh.  OpenSSH seems to be
> > preferred.  But that means I'll have to put new software on any machine
> > that needs to get to my site.  A small price, I guess, for security.
> > 
> > Roger Frank
> 
> So what about all of those sites that are running anonymous ftp
> on a 24 by 7 basis?  Granted, they're probably running in a DMZ,
> but are these machines getting hacked on a regular basis?
> 
> The argument I'm hearing is that plain text passwords which both
> telnet and ftp use are easily snoopable.  Therefore, ftp/telnet
> connections should not be used by any user account (especially 
> root accounts) on the box, because the account login information
> might be gathered and used to crack into the box.  But if I 
> should use a ProFTP package for example and configure for an
> anonymous account with very restricted privileges and filesystem
> access, is that such a horrible security risk?  As long as I
> never ftp to a less secure account no one should get any username
> or password information that will help them crack the box.  I'm
> all for using ssh, but if I need to share information with others
> on the net it seems running ftp for an anonymous account could 
> be done with some measure of safety.

Anonymous is different from account based systems.  As anonymous you
are running as the ftp account which is EXTREMELY locked down by most
setups.  Granted, if you allow someone to log in as ftp through telnet
or ssh then you are giving them access to your system.  It is a security
risk.  However, as with any security risk you try to mitigate it as much
as possible.  You do that by doing audits of your system with tools like
tripwire.  You don't allow the ftp account to log in via telnet or ssh.
You don't let folks log in with their regular accounts over ftp.

Most of those "bigger" sites don't have any ftp accounts enabled on the
boxes to get shell access.  You get a different password for your FTP
account than the one for your shell account.

And one thing.. if you ftp to ANY account using cleartext passwords someone
can sniff it and have the possibility of cracking your box.  It's all
an issue of mitigating that risk.

ian
> 
> Lynn Danielson
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
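The two rules Ian gives above (the ftp account gets no login shell; real users are kept off cleartext FTP) can be audited mechanically. The script below is an added example, not code from the thread; it checks constructed passwd and ftpusers files rather than a live host, and assumes the classic /etc/ftpusers deny-list that ftpd and ProFTPD honour.

```sh
#!/bin/sh
# Audit two hardening rules against constructed sample files:
#  1. the 'ftp' system account must not have an interactive shell
#     (so nobody reaches a shell by telnet/ssh as 'ftp');
#  2. every account that does have a login shell must appear in the
#     ftpusers deny-list, so a real user cannot send their shell
#     password over cleartext FTP.

# Constructed sample data (not taken from any real system).
TMP=${TMPDIR:-/tmp}/ftpaudit.$$
mkdir -p "$TMP"
cat >"$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lynn:x:1001:1001:Lynn:/home/lynn:/bin/bash
rfrank:x:1002:1002:Roger:/home/rfrank:/bin/tcsh
EOF
cat >"$TMP/ftpusers" <<'EOF'
root
daemon
lynn
EOF

# ftp_audit PASSWD_FILE FTPUSERS_FILE
# Prints one FINDING line per violation; returns 1 if any, 0 if clean.
ftp_audit() {
    passwd=$1; ftpusers=$2; rc=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            */nologin|*/false|"") continue ;;   # no interactive shell: fine
        esac
        if [ "$user" = ftp ]; then
            echo "FINDING: ftp account has login shell $shell"; rc=1
            continue
        fi
        # A shell user absent from the deny-list can log in over FTP.
        if ! grep -qxF "$user" "$ftpusers"; then
            echo "FINDING: shell user $user missing from $ftpusers"; rc=1
        fi
    done <"$passwd"
    return $rc
}

ftp_audit "$TMP/passwd" "$TMP/ftpusers" && echo "audit clean" || echo "audit found problems"
```

On the sample data the audit reports the ftp account's /bin/bash shell and the unlisted user rfrank; a host that passes still needs the separate FTP passwords Ian describes, which this check cannot see.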