- 12-02-2005 #1Just Joined!
- Join Date
- Oct 2005
- Location
- Driebergen, The Netherlands
- Posts
- 38
oops... FTP is not safe!
I just discovered a little security problem with my FTP server.
When I login using the windows commandline, I can easily get to the root of the entire filesystem!
Just cd .. a few times.
The PWD command shows I'm on /http/www/html , but that should be just /html.
If I use a client like WS_FTP95LE it's not possible to get to the root.
Anyone can give me the way to stop this... kinda dangerous
Regards,
René
- 12-03-2005 #2Just Joined!
- Join Date
- Oct 2005
- Location
- North Carolina, USA
- Posts
- 45
I think the control varies depending on the FTP server you are using. If you are using ProFTPD, for example, you can add this to the config file to "jail" users to their home directories:
DefaultRoot ~
So take a look at the config settings/files for your FTP server. It might be called "chrooting" in the doc.
Hope this helps!
- 12-05-2005 #3Just Joined!
- Join Date
- Jun 2005
- Location
- Canada, Halifax
- Posts
- 86
This link describes one way to chroot an ftp server: http://www.faqs.org/docs/securing/ftpd.html. Also check out
Code:
$ man chroot
Word of advice: FTP is inherently insecure and transports passwords (and all other communication for that matter) in clear text. Unless you absolutely must use ftp (?) consider using SSH protocol 2 without password authentication (RSA/DSA key exchange only) for logins and SCP (again protocol version 2) for file transfers.
- 12-08-2005 #4Just Joined!
- Join Date
- Oct 2005
- Location
- Driebergen, The Netherlands
- Posts
- 38
I just added
Code:
DefaultRoot ~
to the proftpd.conf and now it's "safe" again.
I need ftp because I use it a lot. Not just for files (to the webfolders) but also for school.
I just got 10MB space there, with very few rights and absolutely no chance to use SSH, so I have to use FTP (through IE...)
Thanks for the help.
Regards,
René
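A way to check a proftpd.conf for the missing jail discussed in this thread, as an added example that is not part of any post or of ProFTPD itself. The sample configs are constructed, the function name is hypothetical, and the inheritance rule it applies is stated as an assumption in the code.

```python
import re
# Constructed sample configs for illustration (not taken from the thread).
UNJAILED = """ServerName "example"
DefaultRoot /
<VirtualHost 192.0.2.10>
  Port 2121
</VirtualHost>
"""
JAILED = """ServerName "example"
<Global>
  DefaultRoot ~
</Global>
<VirtualHost 192.0.2.10>
  Port 2121
</VirtualHost>
"""

def audit_default_root(conf_text):
    """Return (context, problem) pairs for servers that do not jail logins.
    Assumes <Global> reaches every server and main-server settings are not
    inherited by <VirtualHost>; group expressions are not evaluated."""
    roots = {"server config": []}      # server context -> DefaultRoot paths
    global_roots, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag:
            closing, name, arg = tag.groups()
            if closing:
                stack = stack[:-1]     # leave the innermost open block
            else:
                stack.append(f"{name} {arg}".strip())
                if name.lower() == "virtualhost":
                    roots.setdefault(stack[-1], [])
            continue
        parts = line.split()
        if parts[0].lower() == "defaultroot" and len(parts) > 1:
            # Attribute the directive to the nearest enclosing server context.
            scope = next((s for s in reversed(stack)
                          if s.lower().startswith(("virtualhost", "global"))), "server config")
            (global_roots if scope.lower().startswith("global") else roots[scope]).append(parts[1])
    findings = []
    for ctx, paths in roots.items():
        if not paths + global_roots:
            findings.append((ctx, "no DefaultRoot: logins are not chrooted"))
        elif "/" in paths + global_roots:
            findings.append((ctx, "DefaultRoot / does not confine logins"))
    return findings
```

An empty list means every server context found in the file has a DefaultRoot other than `/`.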
- 12-09-2005 #5Just Joined!
- Join Date
- Jan 2005
- Location
- 3rd stone
- Posts
- 4
FTP not safe
The subject says it all.
Is it absolutely necessary to run your ftp server? SCP would be much safer. WinSCP is a pretty good app for the windows client.
I realize that many do indeed need an ftp server running, but if it is just for your use, SSH, SCP, etc. would be best.


