ftpd loophole ?
Julian Stacey
jhs at berklix.org
Tue Feb 24 19:58:51 PST 2004
Hi freebsd-isp@ people, CC np at bsn.com, ewinter at ewinter.org
Has anyone else seen an exploit of standard ftpd on 4.9-RELEASE ?
Some bandwidth thief uploaded videos to my ~ftp/ for bootleggers to download.
How to stop a repeat occurrence ? There are very few people who have
logins on this machine, & I trust the people, & most of them aren't even
competent to achieve an intrusion. It was probably not an inside job.
This was my 4.9 config:
/etc/master.passwd
ftp:*:14:5::0:0:Anonymous FTP tower.berklix:/usr1/ftp:/sbin/nologin
~ftp/passwd (not sure if file needed ?)
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/nonexistent
last changed to
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/sbin/nologin
/etc/ftpusers
did not contain a line "ftp" (neither does /usr/src/etc/ftpusers)
mine does now - my idea now is to split the ftpd functionality:
- Try harder to block anon ftp writes to this machine
(only allow local users to ftp upload
( & maybe to an mdconfig'd mini FS of just 50M or so))
- later run a read only anon ftpd on another machine.
/etc/inetd.conf
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -l
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
shell stream tcp nowait root /usr/libexec/rshd rshd
login stream tcp nowait root /usr/libexec/rlogind rlogind
ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
tftp dgram udp wait nobody /usr/libexec/tftpd tftpd -l /pub/tftp/ncd /pub/bootp /usr/X11R6/lib/X11/fonts
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
I didn't have -r on ftpd because a few people on that host have genuine
stuff to upload occasionally.
The telnet, shell & login entries are there for emergencies & the use of a
couple of clueless MS users, but people with root privs use ssh
(unless maybe on same local ethernet segment, during rescue/ upgrade periods)
/etc/hosts.equiv
Potential loophole to IP spoofing, so I've stripped it of
names, & will go to ssh/shosts.equiv
/usr/local/etc/rc.d has:
apache.sh*
apache.sh-dist
cyrus_pwcheck.sh*
cyrus_sasl1*
saslauthd1.sh*
I haven't enabled apache for data upload, just download (& not from ftp area)
From man ftpd I can see & have added:
-M Prevent anonymous users from creating directories.
~ftp was UID=ftp, 755, is now uid=0 555 (per man ftpd)
~ftp/etc & ~ftp/pub similarly checked/fixed
Anything else I've missed ?
Would I be better using some other ftpd from ports/ rather than /usr/src ?
-
Julian Stacey. Unix C & Net Services Consultant - Munich. http://berklix.com
Mail me in Ascii text/plain: Html + Mime is dumped as Spam.
Try snuff: your smoking = my allergic headache !
Software patents ? vampires would approve ! http://berklix.com/patents/
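An audit script for the hardening steps the post ends up with, added here as an example; it is not from the mail or from FreeBSD, and the names audit_anonftp, make_sample and report are the editor's own. It assumes a PREFIX argument (empty for the live host, or a copied tree) and checks for "ftp" in ftpusers, -M on the inetd.conf ftpd line, and ~ftp, ~ftp/etc, ~ftp/pub being mode 555 directories owned by the expected owner; the two sample trees it builds are constructed input.

```shell
#!/bin/sh
# Audit of the anonymous-ftp hardening from the post above. Added example, not
# from the mail or FreeBSD; audit_anonftp/make_sample/report are editor's names.
# Usage: audit_anonftp PREFIX FTPHOME [OWNER]   (PREFIX="" = live host, OWNER=root)

report() { # $1 = label, $2 = status (0 = pass)
    if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

audit_anonftp() {
    prefix=$1 ftphome=$2 owner=${3:-root} rc=0
    # "ftp" in ftpusers: ftpd refuses that account, i.e. no anonymous login
    if grep -qx ftp "$prefix/etc/ftpusers" 2>/dev/null; then s=0; else s=1; rc=1; fi
    report "'ftp' listed in $prefix/etc/ftpusers" $s
    # the inetd.conf ftpd line must carry -M as its own token (no anon mkdir)
    if grep -E '^ftp[[:space:]]' "$prefix/etc/inetd.conf" 2>/dev/null |
       grep -qE '(^|[[:space:]])-M([[:space:]]|$)'; then s=0; else s=1; rc=1; fi
    report "ftpd in $prefix/etc/inetd.conf started with -M" $s
    # ~ftp tree as in ftpd(8): directories, mode exactly 555, not owned by ftp
    for d in "$ftphome" "$ftphome/etc" "$ftphome/pub"; do
        if [ -n "$(find "$d" -prune -type d -perm 555 -user "$owner" 2>/dev/null)" ]
        then s=0; else s=1; rc=1; fi
        report "$d is a directory, mode 555, owned by $owner" $s
    done
    return $rc
}

# Constructed sample trees: "hardened" as the post ends up, "loose" as it began
# (no ftp in ftpusers, no -M, ~ftp mode 755).
make_sample() { # $1 = target dir, $2 = hardened | loose
    mkdir -p "$1/etc" "$1/var/ftp/etc" "$1/var/ftp/pub"
    if [ "$2" = hardened ]; then
        printf 'root\nftp\n' > "$1/etc/ftpusers"
        echo 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -l -M' > "$1/etc/inetd.conf"
        chmod 555 "$1/var/ftp/etc" "$1/var/ftp/pub" "$1/var/ftp"
    else
        printf 'root\n' > "$1/etc/ftpusers"
        echo 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -l' > "$1/etc/inetd.conf"
        chmod 755 "$1/var/ftp" "$1/var/ftp/etc" "$1/var/ftp/pub"
    fi
}

# Demo: sample trees are owned by whoever runs this, so that uid is the OWNER.
tmp=$(mktemp -d); make_sample "$tmp/good" hardened; make_sample "$tmp/bad" loose
audit_anonftp "$tmp/good" "$tmp/good/var/ftp" "$(id -u)" && echo "hardened tree: clean"
audit_anonftp "$tmp/bad" "$tmp/bad/var/ftp" "$(id -u)" || echo "loose tree: see FAIL lines"
chmod -R u+w "$tmp"; rm -rf "$tmp"
```

On the live 4.9 host the call would be audit_anonftp "" /usr1/ftp, with the path taken from the ftp entry in master.passwd.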