Hello

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Sep 6 07:01:40 PDT 2007


Gabriel Dragffy wrote:

> Using sysinstall I enabled anonymous FTP, with uploads allowed in the
> folder /incoming. Uploading works a treat, however the files don't have
> permissions to be downloaded again (by anon user). I know I could change
> this by executing a cron job every two minutes that would chmod the
> files in /incoming. But surely there must be a far better way...? The
> FreeBSD handbook says it doesn't recommend allowing anon users to d/load
> files uploaded anonymously, however I would still like to implement this.

The idea here is to stop your FTP server being used as a warez site.  So
the script kiddies cannot upload their cracked software and dubious
copies of this that and the other and then send all their little friends
along to download that stuff from you.  Leave a mis-configured FTP
server on the net and it will be discovered and used for this purpose
within a week or so.

The best approaches are these:

  i) Don't use FTP at all.  FTP is an archaic protocol, hard to firewall
correctly and that sends passwords across the net in plain text.  The
secure version 'FTPS' is not supported by the ftpd in the base system.
Instead consider such things as SFTP (which is an SSH client which
behaves like FTP), WebDAV over HTTPS (HTTP PUT) or a form based upload
CGI script (HTTP POST), rsync over SSH, etc.

 ii) If you have to use FTP, then create individual user FTP accounts
so you have some accountability as to who is doing what.  Run the FTP
service in a chroot or jail and make sure the FTP password file is
distinct from the normal password file.

iii) If you have to provide incoming anonymous FTP then don't
automatically make any uploaded files available for download.  Task a
person with reviewing what was uploaded and then moving it into an
appropriate place in your filesystem where it can be downloaded from.
Again, be sure to run FTP chroot'ed or jailed.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
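
Approach iii) above as a small reviewer-side helper, added here as an example and not part of the original message: it lists the uploads waiting for review and moves a vetted file into the download area read-only. The function names and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: manual release step for anonymous FTP uploads.
# The upload and download directories are assumptions passed as arguments.

# Print the names of regular files waiting for review in the upload directory.
pending_uploads() {
    # $1 = upload directory (e.g. incoming/ inside the FTP chroot)
    for f in "$1"/* "$1"/.[!.]*; do
        # Skip directories, symlinks and unmatched glob patterns.
        [ -f "$f" ] && [ ! -L "$f" ] && basename "$f"
    done
    return 0
}

# Move one reviewed file from the upload directory to the download directory.
release_upload() {
    # $1 = upload dir, $2 = download dir, $3 = file name picked by the reviewer
    incoming=$1 pub=$2 name=$3
    # The name must be a single path component: no traversal out of incoming/.
    case $name in
        ''|.|..|*/*) echo "refused: bad file name" >&2; return 1 ;;
    esac
    src=$incoming/$name
    dst=$pub/$name
    # The uploader controls what sits in the queue, so accept only a
    # plain file, never a symlink, directory or device node.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refused: $name is not a regular file" >&2; return 1
    fi
    # Never replace something that is already published.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "refused: $name already exists in $pub" >&2; return 1
    fi
    # Publish read-only so the released copy cannot be altered in place.
    mv -- "$src" "$dst" && chmod 0444 "$dst"
}
```

Nothing here runs automatically: the reviewer inspects each file named by `pending_uploads` and calls `release_upload` only for the ones that should be downloadable.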


More information about the freebsd-questions mailing list