Re: CRIME FTP

From: Mark Grigsby (mark@private)
Date: Wed May 07 2003 - 12:24:07 PDT


    Keith Proffitt wrote:
    
    > Does anyone know if FTP (File Transfer Protocol) can have password
    > protection to prevent inappropriate access?
    > Or is FTP by nature not protected by authentication? Keith Proffitt
    > -------------------------------------------------------------------------------
    > Do you Yahoo!?
    > The New Yahoo! Search - Faster. Easier. Bingo.
    
      Traditionally, ftp is a system-based application used to move files from one
    user space to another. It relies on users' active accounts on a system and
    traditionally is matched to the user/pass associated with the "real account"
    that user has on the server.
    
     An anonymous server forgoes the password protection and should by design be
    chrooted (restricted to a small, out-of-the-way location in your file system with
    no access to any of the regular security files used for access control), but
    still requires a username and password. The anonymous server may be
    configured to use a particular pattern for the password, or may require the
    password to contain a particular set of characters as a minimum and accept any
    additional characters. For example:
    
        Require E-Mail   *@*  would require anything that looked like user@domain.
    Additionally, you could use *@*.* to require a pattern looking like
    user@domain-name.com.

        Require Local E-Mail  In this case, you could require the password to
    contain your domain, i.e. *@domain-name.com
    
        Many other patterns are possible, these are only a small example.
    
    It has become common that web browsers automatically send the username and
    password as either guest / your-email or anonymous/e-mail or some other equally
    innocuous username and password...
    
     This is a very insecure method of service access. Recently, many of the
    public FTP servers now use pluggable authentication modules that allow testing
    the user/pass against an SQL database (PostgreSQL, MySQL or many others).
    Even though the passwords are in clear text when seen on the wire, there is no
    real access to the system in this case, as there is no "REAL" user corresponding
    to the account used for FTP access.
    
    I would recommend some reading from the documents for WU-FTPD, ProFTPD or
    others. I personally use ProFTPD, and have found it to be easy to configure and
    use. You may find some documentation that may be of interest on the following
    sites:
    
    ProFTPD
    http://proftpd.linux.co.uk/docs/
    
    WU-FTPD  How To Index
    http://www.wu-ftpd.org/HOWTO/
    
    Silicon Valley E-Book
    http://www.siliconvalleyccie.com/ftp-server.htm
    
    I hope some of this has been valuable.
    
    
    --
    Mark Grigsby
    Network Operations Manager
    Preferred Communications Inc.
    "http://www.pciwest.net"
    mailto:mark@private
    Voice: (541) 759-3126
    Fax  : (541) 759-3214
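The two technical points in the reply above, that plain FTP sends USER/PASS in the clear and that an anonymous login is usually gated only by an e-mail-shaped "password" matching a pattern such as *@* or *@domain-name.com, can be demonstrated together on a captured control-channel session. The following is an added example, not code from the post or from ProFTPD/WU-FTPD: it parses a constructed (not real) FTP session transcript, pulls out every credential pair exactly as a sniffer on the wire would see it, and checks each anonymous password against the glob patterns the post describes. The policy names and the ANON_USERS set are assumptions chosen for illustration.

```python
"""Extract USER/PASS pairs from a cleartext FTP control-channel capture and
check anonymous passwords against the e-mail patterns described in the post.
Added example; the transcript below is constructed, not a real session."""
import fnmatch

# Constructed control-channel transcript: "C:" client -> server, "S:" server reply.
# Three sessions: a well-formed anonymous login, a real account, and an
# anonymous login with a junk password that the server rejects.
CAPTURE = """\
S: 220 ftp.example.net FTP server ready.
C: USER anonymous
S: 331 Guest login ok, send your e-mail address as password.
C: PASS mozilla@example.com
S: 230 Guest login ok, access restrictions apply.
C: QUIT
S: 221 Goodbye.
S: 220 ftp.example.net FTP server ready.
C: USER alice
S: 331 Password required for alice.
C: PASS hunter2
S: 230 User alice logged in.
S: 220 ftp.example.net FTP server ready.
C: USER ftp
S: 331 Guest login ok, send your e-mail address as password.
C: PASS x
S: 530 Login incorrect.
"""

# Usernames browsers and clients send for anonymous access (assumed set).
ANON_USERS = {"anonymous", "ftp", "guest"}

# The post's patterns, written as shell-style globs. Policy names are assumed.
POLICIES = {
    "email": "*@*",                    # "Require E-Mail": anything like user@domain
    "email_fqdn": "*@*.*",             # stricter: user@domain-name.com
    "local_email": "*@domain-name.com",  # "Require Local E-Mail"
}


def extract_logins(capture):
    """Return [(user, password, reply_code)] for every USER/PASS pair.

    No decryption is needed: plain FTP carries both tokens in the clear, so a
    passive observer recovers them by reading the control channel."""
    logins, user, pending = [], None, None
    for line in capture.splitlines():
        if line.startswith("C: "):
            verb, _, arg = line[3:].partition(" ")
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                pending = (user, arg)
        elif line.startswith("S: ") and pending is not None:
            # First server reply after PASS tells us whether login succeeded.
            code = int(line[3:6])
            logins.append((pending[0], pending[1], code))
            pending = None
    return logins


def is_anonymous(user):
    return user.lower() in ANON_USERS


def anon_password_ok(password, policy="email"):
    """Case-sensitive glob match of an anonymous password against a policy."""
    return fnmatch.fnmatchcase(password, POLICIES[policy])


def audit(capture, policy="email"):
    """Classify each login seen on the wire: a real account whose password is
    now exposed, or an anonymous login and whether its password met policy."""
    report = []
    for user, password, code in extract_logins(capture):
        entry = {"user": user, "anonymous": is_anonymous(user),
                 "server_accepted": code == 230}
        if entry["anonymous"]:
            entry["password_matches_policy"] = anon_password_ok(password, policy)
        else:
            entry["cleartext_password"] = password
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in audit(CAPTURE):
        print(entry)
```

Running it prints one dictionary per login; the real account "alice" shows up with its password recovered verbatim, which is the exposure the post warns about, while the anonymous sessions are judged only on whether the password looked like an e-mail address and whether the server let them in. Swap the policy argument for "local_email" to apply the domain-restricted pattern instead.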
    



    This archive was generated by hypermail 2b30 : Wed May 07 2003 - 13:37:18 PDT