hosted by liquidweb


Go Back   Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : FTP security issues
Reply

Forum Jump

FTP security issues

Reply Post New Thread In Hosting Security and Technology Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old
Newbie
 
Join Date: Dec 2000
Posts: 5
Hi All!

I am dabbling in some multiple domain hosting on my NT server. I have setup individual FTP accounts for each domain, and I noticed something unusual.

For eg. if I FTP using domain1's FTP account, I will of course be directed to domain1's web directory. But by using the Change Directory command, I can actually change the directory to any of the other domains'!

How can I restrict access such that each domain can only access its own directory during FTPing?

Thanks
Mintz



Sponsored Links
  #2  
Old
Web Hosting Guru
 
Join Date: Oct 2000
Posts: 258
Use the NT explorer to assign correct directory security is a start

  #3  
Old
Junior Guru
 
Join Date: Sep 2000
Location: London, UK
Posts: 214
or if you have dedicated IP's, create a new FTP service for each IP and assign appropriate permissions.

Extenting this, each web site you host should have its own anonymous account and only that account should have access to the relevant directory. You should also stop Script.FileSystemObject access (see MS KB) to stop people accessing the server's file system using ASP scripting. Also disable parent includes (include file="../myinclude.inc") so they have to use virtuals which means they can only access includes from their own site.

If this is double dutch, pay someone who knows what they are doing to lock down your machine properly.

__________________
"Woof" said Daisy,
Poor Daisy is not so sure of
her animalility anymore.....

Sponsored Links
  #4  
Old
Newbie
 
Join Date: Dec 2000
Posts: 5
Well, I am sharing IPs for my multiple domains. Any possible solutions? On most NT hosts I see that they have the same problem, ie when I FTP using my set of userid and passwords I can easily change to the directory of other hosted domains, and am able to delete, upload files.

  #5  
Old
Junior Guru
 
Join Date: Sep 2000
Location: London, UK
Posts: 214
OK, lets assume that each site is hosted under d:\users on the machine, with the domain name (without the dot) as the user's directory and their username. The FTPRoot is d:\users, the wwwroot for each site is d:\users\[domain]

E.g.

http://www.domaina.com = d:\users\domaina

set it so the "Users" group has LIST access to the d:\users level only (not subdirectories). Then each user would have CHANGE to their directory. Further more, create a IUSR_[domainname] (e.g.IUSR_domaina) and assign it READ/EXECUTE rights for that part of the tree and assign it as the anonymous user for that virtual webserver. This stops people accessing parts of other user's sites in ASP.

When domaina logs in, their will default to d:\users\defaulta (a feature of the MS FTP Service). They will be able to list all other domains on the server (you need LIST access, of they cannot login) by going up one level, but if they try to access any other part of the tree, they will get ACCESS DENIED.

I highly recommend that you either buy a book on administrating an NT/2000 server, or pay someone to lock down your box for you. The quickest way to lose business in the Internet world is to have very little knowledge about basic security requirements.

__________________
"Woof" said Daisy,
Poor Daisy is not so sure of
her animalility anymore.....

Reply

Related posts from TheWhir.com
Title Type Date Posted
Microsoft Issues Patch for Windows Server Permissions Vulnerability Web Hosting News 2014-11-19 18:26:34
Nominet Pilot Program Hopes to Help SMBs Combat Cyber Threats with Support, Advice Web Hosting News 2014-02-07 15:12:39
Linode Mitigates DDoS Attack on Linode Manager Web Hosting News 2013-08-06 14:46:48
MSPAlliance Readies MSPWorld 2013 Conference in Orlando Web Hosting News 2013-03-15 16:24:53
Cloud Security Alliance Launches Website for Cloud-Related Legal Issues Web Hosting News 2013-02-25 11:27:00


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
WHT Host Brief Email:

We respect your privacy. We will never sell, rent, or give away your address to any outside party, ever.

Advertisement:
Web Hosting News:
WHT Membership
WHT Membership



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?