Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Hey all
I have a question, if you don't mind me asking.
I have Apache, FTP and MySQL installed on CentOS.
Apache gets the user name and password on screen, checks with MySQL and opens ftp to user.
However, if I type http://ip address/ftp/ I am able to access all data without entering a user name and password, which is kind of an open gate that we do not want.
Basically the user FTP directory is /var/www/ftp, and whoever types my server URL and adds /ftp is able to see all the FTP content. I do not know whether it is an Apache or an FTP user issue.
I think I am missing something.
Do you guys have any idea about that?
All suggestions are more than welcome.
Thank you in advance.
Firstly, thanks for the reply.
I closed, deleted the temp, even tried from a different computer.
I do not even need to enter a user name or password.
It is just automatically showing all the users and passwords data.
Normally all the FTP users' folders are inside the /var/www/ftp directory.
Without user/pass they can't log in,
but somehow if I type ipaddress/ftp, I am seeing all the users' folders in /var/www/ftp.
Please help?
Thanks
What do you mean by 'opens ftp to user'? What condition changes to make ftp 'open', as opposed to some other state? How does the URL 'http://ip address/ftp/', regulate what users are permitted to access it? It appears that you may be confusing access control by two different protocols. The ftp server and the HTTP server do not normally interact. As far as I know, FTP inherits user permissions from the underlying filesystem.
--- rod.
OK, let me state it this way.
Let's say you have an FTP server called linuxftp.com
and
when you type http://linuxftp.com, a page opens and asks for the user name and password, which have been created before by the admin.
So far that is controlled by Apache and MySQL, I guess.
If the user enters the right password, a new page opens for the user and the user is able to download or upload data to the server. This can be either FTP software or directly the browser.
That is working fine so far.
However, if I type http://linuxftp.com/ftp/, without any user name and password,
I am seeing all the other users' contents, which basically means I am seeing the FTP directory.
Please kindly let me know if you have any questions about the architecture.
I appreciate it.
This sounds more like you don't have directory protection configured correctly (via Apache). It looks like when you're going to http://linuxftp.com/ftp/, it is bypassing authentication. Are you sure you've set up htaccess correctly?
Thanks for the reply.
I just checked:
.htaccess is actually securing another directory.
Can I copy the same .htaccess into this folder to make it secure?
Thank you
The problem was with Apache: disabling directory listing/browsing.
httpd.conf
To disable directory listing:
Options Indexes FollowSymLinks
I just removed 'Indexes' from the line.
I appreciate your replies, guys.
You'd think that establishing directory protection would outright prevent directory listing/browsing, even if the config file for Apache had directory listing enabled.
In the upper posts, you confirmed that htaccess wasn't configured correctly. You also mentioned in a later post that httpd.conf was enabling directory listing which was the problem. Which was the actual issue?
IMO, applying both changes (to the .htaccess and .conf files) would help. If you didn't use .htaccess to seal off the directory but are relying on hiding the directory content by disabling directory listings, you're using the 'security by obscurity' method, which may get you into trouble later...IMO. Getting the same result as locking down the directory by hiding the directory content doesn't mean that the directory is secure.
If you're happy with the result, I guess that's OK, but it's the wrong way to go about things.
I understand, you are 100% right.
But if I protect that folder with .htaccess, how are the users gonna access it?
Users are accessing that folder with their individual user names and passwords, right? If I add .htaccess, are they still gonna be able to access it with their individual passwords?
Because that folder is protected with scripts, not with .htaccess.
Or another question: if you know the file name now, http://ipaddress/ftp/filename
you can still access it. Is there any way to disable that in Apache?
Thank you
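The difference between hiding the listing and restricting access, raised in the reply about 'security by obscurity' and in the last question about http://ipaddress/ftp/filename, shown as an Apache configuration. This is an added example, not a configuration posted by anyone in the thread; it assumes Apache 2.4 syntax, and the password file path and the user name alice are placeholders.

```apache
# Added example, Apache 2.4 syntax. The AuthUserFile path and the user "alice"
# are placeholders, not values from the thread.

# As first described: listing enabled, no access control on the FTP tree.
#   <Directory "/var/www/ftp">
#       Options Indexes FollowSymLinks
#   </Directory>
#
# After removing Indexes: /ftp/ no longer lists the folders, but
# /ftp/<user>/<file> is still served to anyone who knows or guesses the path.

# Hardened: listing off AND every request under the tree must authenticate.
# Basic auth sends the password base64-encoded, so serve this over HTTPS.
<Directory "/var/www/ftp">
    Options -Indexes
    # FTP users can upload files here, so ignore any .htaccess found in the tree.
    AllowOverride None
    AuthType Basic
    AuthName "FTP area"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/ftp.htpasswd"
    Require valid-user
</Directory>

# Each user's folder is limited to its owner, so one account cannot read
# another account's files. Repeat per user.
<Directory "/var/www/ftp/alice">
    Require user alice
</Directory>

# If files are only ever transferred over FTP and never fetched by URL,
# replace the Auth* and Require lines in the first block with:
#   Require all denied
```

The password file is separate from the MySQL accounts the login page checks, so it has to be kept in step with them or replaced by a database-backed provider.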