Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : FTP security issues

[mintz]

Hi All!

I am dabbling in some multiple domain hosting on my NT server. I have setup individual FTP accounts for each domain, and I noticed something unusual.

For eg. if I FTP using domain1's FTP account, I will of course be directed to domain1's web directory. But by using the Change Directory command, I can actually change the directory to any of the other domains'!

How can I restrict access such that each domain can only access its own directory during FTPing?

Thanks
Mintz

[DaveC#]

Use the NT explorer to assign correct directory security is a start

[inwks]

or if you have dedicated IP's, create a new FTP service for each IP and assign appropriate permissions.

Extenting this, each web site you host should have its own anonymous account and only that account should have access to the relevant directory. You should also stop Script.FileSystemObject access (see MS KB) to stop people accessing the server's file system using ASP scripting. Also disable parent includes (include file="../myinclude.inc") so they have to use virtuals which means they can only access includes from their own site.

If this is double dutch, pay someone who knows what they are doing to lock down your machine properly.

[mintz]

Well, I am sharing IPs for my multiple domains. Any possible solutions? On most NT hosts I see that they have the same problem, ie when I FTP using my set of userid and passwords I can easily change to the directory of other hosted domains, and am able to delete, upload files.

[inwks]

OK, lets assume that each site is hosted under d:\users on the machine, with the domain name (without the dot) as the user's directory and their username. The FTPRoot is d:\users, the wwwroot for each site is d:\users\[domain]

E.g.

http://www.domaina.com = d:\users\domaina

set it so the "Users" group has LIST access to the d:\users level only (not subdirectories). Then each user would have CHANGE to their directory. Further more, create a IUSR_[domainname] (e.g.IUSR_domaina) and assign it READ/EXECUTE rights for that part of the tree and assign it as the anonymous user for that virtual webserver. This stops people accessing parts of other user's sites in ASP.

When domaina logs in, their will default to d:\users\defaulta (a feature of the MS FTP Service). They will be able to list all other domains on the server (you need LIST access, of they cannot login) by going up one level, but if they try to access any other part of the tree, they will get ACCESS DENIED.

I highly recommend that you either buy a book on administrating an NT/2000 server, or pay someone to lock down your box for you. The quickest way to lose business in the Internet world is to have very little knowledge about basic security requirements.