Web Hosting Talk

Can a hacker gain access to a server via anonymous FTP?


cactus
03-21-2002, 07:42 AM
I recently noticed from my "LogWatch" emailed to me daily that there were a few people trying to access the server via FTP and one of them was successful getting in via anonymous login.

Mar 20 17:25:04 seng proftpd[26799]: xxx.*********** (ABordeaux-101-1-2-230.abo.wanadoo.fr[193.252.171.230]) - ANON anonymous: Login successful.


I searched the server but can't find anything wrong as it works fine.

How do I check if he has done any damage? I have disabled proFTP temporarily. There are only a few of my sites on the server.

Any help is much appreciated.

MotleyFool
03-21-2002, 07:56 AM
cactus,

First you disable root access to anyone thru

HideUser root

<Limit WRITE>

Deny All
</Limit>

Put all your access directives within
<Directory whatever/youwant/public >
Allow All
etc

</Directory>

blocks

Next you chmod 711 all partitions above & outside user's home directory
And put a DocumentRoot directive so the user can only access from there

Some good example configs are in proftpd.org

Hope it helps..

Cheers
Balaji

cactus
03-21-2002, 09:26 AM
Thanks a lot for the info, will try it out.

Regards

jic
03-21-2002, 03:02 PM
It is normal to have your system scanned 8-10 times a day for people looking for ANON sites. For the heck of it I put a 2000 server box up with FTP anonymous wide open to see how long it would take and what was going to happen. Within 72 hours someone was uploading 5 GB of warez / ISO's / VCD's to the box (at least 5). So I killed his connection, took the box down and reported his IP to his ISP :).
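
Added example, not part of any post in this thread: one way to answer the "has he done any damage?" question from the first post and to spot the upload pattern described just above. It matches the proftpd syslog line quoted in the first post and then reads the server's transfer log for anonymous uploads. It assumes ProFTPD is writing the standard xferlog format through its TransferLog directive; every sample line except the first syslog line is constructed.

```python
import re
from collections import defaultdict

# Shape of the proftpd syslog line quoted in the first post.
ANON_LOGIN = re.compile(
    r"proftpd\[\d+\]:.*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+-\s+ANON\s+\S+:\s+Login successful")

def anon_logins(syslog_lines):
    """Count successful anonymous logins per client IP."""
    counts = defaultdict(int)
    for line in syslog_lines:
        m = ANON_LOGIN.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def anon_uploads(xferlog_lines):
    """Map client IP -> [(path, bytes)] for anonymous uploads, complete or not."""
    uploads = defaultdict(list)
    for line in xferlog_lines:
        f = line.split()
        if len(f) < 18:
            continue  # not a full xferlog record
        # Fixed fields are read from both ends so an odd filename cannot shift them.
        host, size, path = f[6], int(f[7]), " ".join(f[8:-9])
        if f[-7] == "i" and f[-6] == "a":  # direction: incoming, access mode: anonymous
            uploads[host].append((path, size))
    return dict(uploads)

def triage(syslog_lines, xferlog_lines):
    """Per anonymous client: login count, files written, total bytes written."""
    logins, uploads = anon_logins(syslog_lines), anon_uploads(xferlog_lines)
    return {ip: {"logins": logins.get(ip, 0),
                 "files": [p for p, _ in uploads.get(ip, [])],
                 "bytes": sum(s for _, s in uploads.get(ip, []))}
            for ip in sorted(set(logins) | set(uploads))}

# First SYSLOG line is the one from the thread; all other lines are constructed.
SYSLOG = [
    "Mar 20 17:25:04 seng proftpd[26799]: xxx.*********** (ABordeaux-101-1-2-230.abo.wanadoo.fr[193.252.171.230]) - ANON anonymous: Login successful.",
    "Mar 20 18:02:11 seng proftpd[27010]: xxx.*********** (host.example[203.0.113.7]) - ANON anonymous: Login successful.",
    "Mar 20 18:40:00 seng proftpd[27100]: xxx.*********** (host.example[198.51.100.9]) - USER alice: Login successful.",
]
XFERLOG = [
    "Wed Mar 20 18:05:40 2002 95 203.0.113.7 734003200 /incoming/disc1.iso b _ i a guest@example.invalid ftp 0 * c",
    "Wed Mar 20 18:09:02 2002 1 203.0.113.7 2048 /pub/README a _ o a guest@example.invalid ftp 0 * c",
    "Wed Mar 20 18:41:13 2002 2 198.51.100.9 5120 /home/alice/index.html b _ i r alice ftp 0 * c",
]
print(triage(SYSLOG, XFERLOG))
```

A client that shows a login but no files and zero bytes only looked around; one with large incoming files in a writable directory matches the warez-drop pattern and those paths are the ones to inspect and remove.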

cabalstudios
03-21-2002, 03:13 PM
Originally posted by MotleyFool


Next you chmod 711 all partitions above & outside user's home directory
And put a DocumentRoot directive so the user can only access from there

Balaji

Balaji,

Do u mean that people can chmod, let's say, the /usr partition to 711?

Imran

bitserve
03-21-2002, 05:11 PM
There are actually a few exploits for anon FTP, and they're relatively easy to find, because a lot of people don't update their systems.

http://www.webhostingtalk.com/showthread.php?s=&threadid=37065

jambler
03-21-2002, 05:31 PM
and get rid of proFTPD, it's more likely to get you rooted than an anonymous ftp.

serve-you
03-21-2002, 05:33 PM
Originally posted by jambler
and get rid of proFTPD, it's more likely to get you rooted than an anonymous ftp.
:confused:
Got something to back that statement up with?

-Dan

jayjay
03-21-2002, 05:36 PM
I'd take Proftpd. :)

jambler
03-21-2002, 05:43 PM
http://www.linuxsecurity.com/advisories/other_advisory-1793.html
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-005.php?dis=8.1
http://online.securityfocus.com/bid/3310
http://linux.oreillynet.com/pub/a/linux/2002/01/14/insecurities.html
http://online.securityfocus.com/advisories/3102
http://www.linuxsecurity.com/advisories/other_advisory-1150.html

Need more?

jambler
03-21-2002, 05:44 PM
Originally posted by jayjay
I'd take Proftpd in a heartbeat.

Neither are worth anything on a production level server. Take a look and you'll understand why. NcFTPD is better,.. but still not perfect.

jayjay
03-21-2002, 05:50 PM
Look at wuftpd, and how many exploits come out.

All those exploits are fixed, I think. I need to look them over a bit, when I have time.

It's cool if there's a few exploits and they are fixed.

But, ehhh I'll look at NcFTPd. *ponders*

jambler
03-21-2002, 05:58 PM
Originally posted by jayjay
It's cool if there's a few exploits and they are fixed.

So I take it you don't mind the insecurity in between the time that you're using their product, the exploit is released, someone taking the time to develop a patch, and you patching your ftpd??

I'm sorry, but any insecurity whatsoever isn't "cool" by me.

And yes, I'd rather walk packets from point to point than use WuFTPD. : )

jayjay
03-21-2002, 06:06 PM
Well, I'd rather support freeware than pay for NcFTPd. If I'm not making any money, then why pay for that? I set up ProFTPd pretty tight and have not had any problems. Although I am looking for a better solution, but it doesn't cost money. aka I support the freeware.

I don't run anon ftp servers. And proftpd has proven to be better than WuFTPd or GLFTPd.

I'm also a security consultant btw.

serve-you
03-21-2002, 06:09 PM
Yes, NcFTPd is more secure. However, that does not make ProFTPd crap. Every major program has exploits now and again. NcFTPd is not nearly as widely used, which is one of the reasons it sees less exploits.

The list that you posted all seemed to be the same exploit being reported on different sites. Yes, I am aware that there have been others, but that's like saying that everyone should drop apache and go to stronghold.

-Dan

jayjay
03-21-2002, 06:14 PM
One reason why WuFTPd has so many exploits, is the reverse of NcFTPd. A LOT of people use it. The more people use something, the more exploits will come out.

I think proftpd is written pretty good, and has proven to be a good ftpd for my staff and myself.

jambler
03-21-2002, 06:22 PM
Originally posted by serve-you
Yes, NcFTPd is more secure. However, that does not make ProFTPd crap. Every major program has exploits now and again. NcFTPd is not nearly as widely used, which is one of the reasons it sees less exploits.

The list that you posted all seemed to be the same exploit being reported on different sites. Yes, I am aware that there have been others, but that's like saying that everyone should drop apache and go to stronghold.

-Dan

hah, no, just chroot them all, *FTPD, SSHD, nameD, httpD... etc etc : )

Sorry for only supplying that many links, I figure if someone is actually interested they will do research themselves and work for their information, rather than just saying "gimmie".

cactus
03-21-2002, 09:40 PM
Besides MotleyFool's good advice, I also contacted my provider and was informed that.

QUOTE:
Their attempts would not be successful, if you haven't used too weak passwords. Anyways, after some minutes their hosts will be blocked by portsentry daemon.

Regards

MotleyFool
03-22-2002, 02:41 AM
Originally posted by cabalstudios


Balaji,

Do u mean that people can chmod, let's say, the /usr partition to 711?

Imran

Imran,

You are right and I stand corrected! :)

Well what I meant was that you can disable root access to FTPd and also chmod all the system sensitive files in /etc or other partitions then you are that much safer from hackers because while they can roam about they can't do much

Also I think it is a good security policy to create a group for each user [user: fool, group: fool]

Jail is another option but I am still experimenting with it so I have to admit I don't know jailing yet!

Thanks anyway and Good luck to you cactus

Cheers
Balaji

bitserve
03-22-2002, 04:46 AM
Originally posted by jambler
Neither are worth anything on a production level server. Take a look and you'll understand why. NcFTPD is better,.. but still not perfect.

NcFTPd is probably way less secure than ProFTPD if for no other reason than it's not open source. Not a single decent programmer that I know has done a code review on it for security.

Plenty have done this to ProFTPD, and they always repair the code. ProFTPD is probably 20 generations ahead of NcFTPd as far as security.

Anyway, there have still been enough exploits found, even in NcFTPd, that it's silly to run ANY thing on your machine that isn't at the latest version that has no known exploits.

You'll probably find that your opinion is in the minority. I don't want to argue with you, but if you truly believe that NcFTPd is more secure than ProFTPD, you should sign up for one of the ProFTPD mailing lists and mention that little tidbit, along with your reasons. I'd be happy to do it for you, and point everyone to this thread. Just let me know. :)