  1. #1
    Just Joined!
    Join Date
    Oct 2005
    Location
    Driebergen, The Netherlands
    Posts
    38

    oops... FTP is not safe!


    I just discovered a little security problem with my FTP server.
    When I login using the windows commandline, I can easily get to the root of the entire filesystem!
    Just cd .. a few times.
    The PWD command shows I'm on /http/www/html , but that should be just /html.

    If I use a client like WS_FTP95LE it's not possible to get to the root.

    Anyone can give me the way to stop this... kinda dangerous

    Regards,

    René

  2. #2
    Just Joined!
    Join Date
    Oct 2005
    Location
    North Carolina, USA
    Posts
    45
    I think the control varies depending on the FTP server you are using. If you are using ProFTPD, for example, you can add this to the config file to "jail" users to their home directories:

    DefaultRoot ~

    So take a look at the config settings/files for your FTP server. It might be called "chrooting" in the doc.

    Hope this helps!

  3. #3
    Just Joined!
    Join Date
    Jun 2005
    Location
    Canada, Halifax
    Posts
    86
    This link describes one way to chroot an ftp server: http://www.faqs.org/docs/securing/ftpd.html. Also check out
    Code:
    $ man chroot
    .

    Word of advice: FTP is inherently insecure and transports passwords (and all other communication for that matter) in clear text. Unless you absolutely must use ftp (?) consider using SSH protocol 2 without password authentication (RSA/DSA key exchange only) for logins and SCP (again protocol version 2) for file transfers.

  5. #4
    Just Joined!
    Join Date
    Oct 2005
    Location
    Driebergen, The Netherlands
    Posts
    38
    I just added

    Code:
    DefaultRoot ~
    to the proftpd.conf and now it's "safe" again.

    I need ftp because I use it a lot. Not just for files (to the webfolders) but also for school.
    I just got 10MB space there, with very few rights and absolutely no chance to use SSH, so I have to use FTP (through IE...)

    Thanks for the help.

    Regards,

    René
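
A way to check that the `DefaultRoot` fix discussed above covers every server defined in a ProFTPD config, as an added example that is not part of the original thread or ProFTPD's own tooling. The function name, status labels, sample config and addresses are constructed for illustration.

```python
import re

# Constructed sample proftpd.conf for this example (not from the thread).
SAMPLE_CONF = """\
ServerName "main"
DefaultRoot ~ !staff
<VirtualHost 192.0.2.10>
  ServerName "uploads"
</VirtualHost>
<VirtualHost 192.0.2.11>
  DefaultRoot ~
</VirtualHost>
"""

def audit_defaultroot(conf_text):
    """Map the main server and each <VirtualHost> to a DefaultRoot status."""
    # A vhost inherits DefaultRoot only from <Global>, not the main server.
    roots = {"server config": []}
    global_roots = []
    stack = ["server config"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if section and section.group(1):      # closing tag
            if len(stack) > 1:
                stack.pop()
        elif section:                         # opening tag
            name = section.group(2).lower()
            if name == "virtualhost":
                ctx = "VirtualHost " + section.group(3).strip()
                roots.setdefault(ctx, [])
            else:                             # <Global>, or a nested block
                ctx = "global" if name == "global" else stack[-1]
            stack.append(ctx)
        elif line.split()[0].lower() == "defaultroot":
            target = global_roots if stack[-1] == "global" else roots[stack[-1]]
            target.append(line.split()[1:])
    report = {}
    for ctx, own in roots.items():
        rules = own + global_roots
        if not rules or any(r[:1] in ([], ["/"]) for r in rules):
            report[ctx] = "not jailed"        # no rule, or chroot to /
        else:                                 # a group expression needs review
            report[ctx] = "conditional" if any(len(r) > 1 for r in rules) else "jailed"
    return report

print(audit_defaultroot(SAMPLE_CONF))
```

In the sample, the first virtual host comes back "not jailed" even though the main server sets `DefaultRoot`; moving the directive into a `<Global>` block covers both.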

  6. #5
    Just Joined!
    Join Date
    Jan 2005
    Location
    3rd stone
    Posts
    4

    FTP not safe

    The subject says it all.

    Is it absolutely necessary to run your ftp server? SCP would be much safer. WinSCP is a pretty good app for the windows client.

    I realize that many do indeed need an ftp server running, but if it is just for your use, SSH, SCP etc. would be best.
