LinuxQuestions.org
Old 09-21-2007, 10:46 AM   #1
Hyakutake
Member
 
Registered: Apr 2004
Location: Portugal
Distribution: Slackware
Posts: 154

Rep: Reputation: 19
[vsftp] Need some advice.


Hello all.

I'm running vsFTP at home and I would like some (security) advice about my configuration.

It runs as an anonymous server and all logins are chrooted to a specific folder on a separated HD.

1. Is only anonymous better than local/virtual logins?

The idea of having only an anonymous server is because of the "big red button". The "big red button" saying "DO NOT PUSH" and every one pushes it.

There is no challenge to hack the server, no password, no nothing, just some files there... get the idea?

I want to upload so I have a hidden folder (hide_file={whatever}) which only I know.

2. Is this a good thing? I mean is it possible to get all the folders even those who are not visible?

The firewall was configured with one of those iptables generator with permission for FTP server and passive ports.

3. If someone has nothing to do and decides "I'm gonna hack some ftp server today" and tries to hack my machine. Something like flooding it or some other thing. How can I ban some IP for 1 or 2 hours if I get more than 20 connection attempts from that same address?

What do you have to say about my server?

Thanks,
Hyakutake

PS: It's the first time I get into mounting a server so please be kind to me

Last edited by Hyakutake; 09-21-2007 at 10:48 AM.
 
Old 09-21-2007, 04:44 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by Hyakutake
1. Is only anonymous better than local/virtual logins?
The general problem with FTP in general, apart from vulnerabilities in more than a few FTP daemons, weak password settings, the login being insecure (sniffable plain text), is that (if uploading is allowed) it can be (ab)used to try to elevate access. How this works depends on for instance what access the user is allowed and what services are running on the host and how they interact (overly broad access rights, misconfiguration). For example, if you're not allowed to bring certain stuff on the system, you could try and upload it and execute there, or if you don't have an account but can upload, maybe a vulnerable service allows you to access and execute (or include) the file.

Restricting access is a good start. A local account means the user has an account on the system he/she can login with, a virtual account means the user has an account on the system only in the scope of this service: he or she cannot use it for anything else. Anonymous access means the user can only access the server under a specific inert account like for instance the "ftp" user. The "problem" with anonymous access is that everybody resides in one "class" and you cannot restrict their movements atomically like you can with virtual users. If a user doesn't need to upload then anonymous access should be enough, if you need to restrict access then a virtual user account should be considered. Only in a few circumstances should the user be given an account on the system.


Quote:
Originally Posted by Hyakutake
I want to upload so I have a hidden folder (hide_file={whatever}) which only I know.
2. Is this a good thing? I mean is it possible to get all the folders even those who are not visible?
If you have read the VSFTP docs carefully you know that it only stops the files or dirs from being *listed* (ls); the docs explicitly warn that if people *know* the names they can access them.


Quote:
Originally Posted by Hyakutake
3. If someone has nothing to do and decides "I'm gonna hack some ftp server today" and tries to hack my machine. Something like flooding it or some other thing. How can I ban some IP for 1 or 2 hours if I get more than 20 connection attempts from that same address?
Depends on how you run VSFTP. If you run it from (X)inetd then you can set up limiters in the VSFTP Xinetd config file. If you run VSFTP as standalone or need more measures you can use iptables modules like "recent" or equivalent to limit access.
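The "more than 20 attempts from one address, ban for 2 hours" policy from question 3, as an added example that is not part of this thread: a small Python watcher that reads vsftpd's own log lines (the `CONNECT: Client "ip"` / `FAIL LOGIN` shape written with xferlog_std_format=NO), keeps a one-hour sliding window per source address, and reports which addresses should be blocked and until when. The threshold, window, ban length and the sample log lines are constructed assumptions, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20               # attempts that trigger a ban ...
WINDOW = timedelta(hours=1)  # ... when they fall inside this span
BAN = timedelta(hours=2)     # how long the source stays blocked

# Line shape of vsftpd's own log (xferlog_std_format=NO); login lines carry a
# "[user]" tag that CONNECT lines lack, hence the optional group.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[\w+\] )?(?P<event>CONNECT|FAIL LOGIN): Client "(?P<ip>[\d.]+)"')

def parse_line(line):
    """(timestamp, event, ip) for a CONNECT / FAIL LOGIN line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y'), m['event'], m['ip']

def find_bans(lines):
    """Sliding-window count per source; returns {ip: time the ban expires}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside WINDOW
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _event, ip = parsed
        if ip in bans and ts < bans[ip]:
            continue              # already blocked; the firewall would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD:   # 20th attempt inside the hour -> ban 2 hours
            bans[ip] = ts + BAN
            q.clear()
    return bans

def sample_log():
    """Constructed sample: one address hammers the port, another logs in once."""
    base = datetime(2007, 9, 21, 10, 0, 0)
    lines = [(base + timedelta(seconds=10 * i)).strftime('%a %b %d %H:%M:%S %Y')
             + ' [pid 4242] CONNECT: Client "198.51.100.9"' for i in range(25)]
    lines.append('Fri Sep 21 10:01:06 2007 [pid 4243] [ftp] FAIL LOGIN: Client "203.0.113.4"')
    return lines
```

The addresses it returns would be handed to an `iptables -I INPUT -s <ip> -p tcp --dport 21 -j DROP` rule that a cron job removes after the expiry; the in-kernel equivalent unSpawn refers to is `-m recent --name ftp --update --seconds 7200 --hitcount 20 -j DROP` on port 21 followed by a `-m recent --name ftp --set` rule, with no userland script at all.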
 
Old 09-22-2007, 09:33 AM   #3
Hyakutake
Member
 
Registered: Apr 2004
Location: Portugal
Distribution: Slackware
Posts: 154

Original Poster
Rep: Reputation: 19
Thanks unSpawn

I know ftp is a bit old and not too trustable but I find it easy to configure.

I think I'll try virtual logins and see what it gives.

Thanks for your reply,
Hyakutake