LinuxQuestions.org

xiongnu 09-01-2016 03:12 PM

http/ftp server security
 
I set up an http/ftp server on a busybox based embedded system last night at home, and it tested out ok.

However, today, when I accessed my test webpage on my http server, the browser prompted me to open a 'Photo.scr' file. I didn't understand what it was until I checked the http server. It seems a new file 'Photo.scr' was created in the local directory and my 'index.html' has been modified as well.

When I checked other directories on the embedded system, there's a copy of 'photo.scr' in many other directories. I have set up my home router to forward the httpd/ftpd/telnet port so I could access the ftp/http server away from home. It worries me that someone has gained access to the ftp server or maybe my router.

Any way to improve the security to fend off a malicious 3rd party?

Emerson 09-01-2016 03:21 PM

Telnet?! You can't be serious? Your server is compromised, full reinstall is in order. SFTP and SSH access only.

xiongnu 09-01-2016 06:36 PM

Thanks for the fair warning!

I disabled ftp and telnet remote access on the router for the embedded device and only allowed http port forwarding to the device. Would that make the system secure?

On this particular device, only busybox (i.e. ftpd, telnetd, httpd) is installed, no SFTP and SSH running.

sundialsvcs 09-02-2016 07:58 AM

You should be running OpenVPN as the only publicly-available service, and use tls-auth (as I have described in other threads in this section) to further make the presence of the OpenVPN server invisible. You should use digital certificates, password-protecting (encrypting) the ones that you take with you.

All other services should "listen" only to the OpenVPN's secure subnet, and be prohibited (and, blocked by firewall rules) from listening directly to the outside world.

Within, you should be running services like sshd, which are only listening to the OpenVPN tunnel, and (as also described elsewhere in this section) these should use only digital certificates, not passwords.

Now, you can enter the machine, and everything that you send to it or receive from it is securely encrypted. But, to anyone else, it is a featureless box with no open ports. Although you can easily access the machine, and even do so without apparent challenge or impediment, everyone else finds a featureless smooth wall with nothing whatsoever to climb. There is literally nothing there for them to attack.

You can enter because you possess the necessary, one-of-a-kind, digital certificates (and, if you wish, the passwords needed to decrypt them). Certificates can be individually issued and revoked.

Turbocapitalist 09-03-2016 04:15 AM

Quote:

Originally Posted by xiongnu (Post 5599526)
Thanks for the fair warning!

I disabled ftp and telnet remote access on the router for the embedded device and only allowed http port forwarding to the device. Would that make the system secure?

On this particular device, only busybox (i.e. ftpd, telnetd, httpd) is installed, no SFTP and SSH running.

Any machine that has had ftpd and telnetd running needs to be wiped and reinstalled. Since you must reinstall, you might as well do it safely and leave out the unsecurable daemons. sundialsvcs' suggestion about OpenVPN could help you, or you could stay with SSH which has stronger ciphers. Either way, you'll want to rebuild your busybox so that there is no ftpd or telnetd and that sshd is there instead. If OpenSSH is too big, then you might look at Dropbear, an OpenSSH derivative.

IsaacKuo 09-03-2016 08:51 AM

Also, change any passwords you may have typed in during any telnet or ftp session (including initial log in). Telnet and ftp send this in clear text, so any packet sniffers along the way can gather the password data.

xiongnu 09-07-2016 07:38 PM

Thanks, guys! Much appreciated your inputs on this!

I've set up an OpenSSH server running on the embedded device.

Sefyir 09-19-2016 10:14 PM

Quote:

Originally Posted by xiongnu (Post 5602186)
Thanks, guys! Much appreciated your inputs on this!

I've set up an OpenSSH server running on the embedded device.

Make sure passwords are disabled and you only use public-key authentication.


Code:

$ ssh-keygen -t rsa -b 4096
$ ssh-copy-id your_embedded_device
$ ssh your_embedded_device

Code:

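# File: /etc/ssh/sshd_config
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
...
# RSAAuthentication applies to SSH protocol 1 only; newer OpenSSH releases treat it as deprecated
RSAAuthentication yes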
PubkeyAuthentication yes
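
Added example, not part of Sefyir's post or of OpenSSH: a small POSIX shell check that the settings above actually take effect in the global section of an sshd_config. The function names (`sshd_value`, `audit_sshd_config`, `write_samples`) are hypothetical and the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). sshd uses the FIRST value it reads for a
# keyword and keywords are case-insensitive, so a later "no" cannot override an
# earlier "yes".

# Print the effective global value for keyword(s) $2 ("|"-separated aliases)
# in file $1, or the default $3 when the keyword is never set globally.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = "|" tolower(key) "|"; val = def }
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }
        tolower($1) == "match" { exit }       # Match blocks are conditional
        !seen && index(key, "|" tolower($1) "|") { val = tolower($2); seen = 1 }
        END { print val }
    ' "$1"
}

# Return 0 only if password logins are off and public keys are on.
audit_sshd_config() {
    rc=0
    pw=$(sshd_value "$1" passwordauthentication yes)
    kbd=$(sshd_value "$1" "kbdinteractiveauthentication|challengeresponseauthentication" yes)
    pk=$(sshd_value "$1" pubkeyauthentication yes)
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication is $pw"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is $pk"; rc=1; }
    [ "$kbd" = no ] || echo "WARN: keyboard-interactive is $kbd; with PAM it can still ask for a password"
    [ "$rc" -ne 0 ] || echo "OK: password logins off, public keys on"
    return "$rc"
}

# Constructed sample configs, not copied from the poster's device.
write_samples() {
    printf '%s\n' '# Change to no to disable tunnelled clear text passwords' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1/good"
    # "yes" comes first, so sshd ignores the later "no"
    printf '%s\n' 'passwordauthentication yes' 'PasswordAuthentication no' > "$1/shadowed"
    # set only in a comment and a Match block: the global default (yes) applies
    printf '%s\n' '#PasswordAuthentication no' 'Match User backup' \
        '    PasswordAuthentication no' > "$1/default"
}

d=$(mktemp -d)
write_samples "$d"
for c in good shadowed default; do
    echo "== $c"
    audit_sshd_config "$d/$c" || true
done
rm -rf "$d"
```

On the device itself, `sshd -T` prints the configuration the daemon will really use, including defaults, and is the authoritative check after editing the file.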


