From owner-freebsd-questions@FreeBSD.ORG Thu Sep  6 14:01:40 2007
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Thu, 06 Sep 2007 15:01:22 +0100
To: Gabriel Dragffy
Cc: freebsd-questions@freebsd.org
Subject: Re: Hello
Message-ID: <46E00832.9050309@infracaninophile.co.uk>
In-Reply-To: <55A4B6CD-3951-4647-BEEA-E06315431BED@dragffy.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Gabriel Dragffy wrote:
> Using sysinstall I enabled anonymous FTP, with uploads allowed in the
> folder /incoming. Uploading works a treat, however the files don't have
> permissions to be downloaded again (by anon user). I know I could change
> this by executing a cron job every two minutes that would chmod the
> files in /incoming. But surely there must be a far better way...? The
> FreeBSD handbook says it doesn't recommend allowing anon users to d/load
> files uploaded anonymously, however I would still like to implement this.

The idea here is to stop your FTP server being used as a warez site. So
the script kiddies cannot upload their cracked software and dubious copies
of this, that and the other and then send all their little friends along
to download that stuff from you. Leave a mis-configured FTP server on the
net and it will be discovered and used for this purpose within a week or so.

The best approaches are these:

i) Don't use FTP at all. FTP is an archaic protocol, hard to firewall
correctly, and it sends passwords across the net in plain text. The secure
version 'FTPS' is not supported by the ftpd in the base system. Instead
consider such things as SFTP (which is an SSH client which behaves like
FTP), WebDAV over HTTPS (HTTP PUT) or a form-based upload CGI script
(HTTP POST), rsync over SSH, etc.

ii) If you have to use FTP, then create individual user FTP accounts so
you have some accountability as to who is doing what. Run the FTP service
in a chroot or jail and make sure the FTP password file is distinct from
the normal password file.

iii) If you have to provide incoming anonymous FTP then don't
automatically make any uploaded files available for download. Task a
person with reviewing what was uploaded and then moving it into an
appropriate place in your filesystem where it can be downloaded from.
Again, be sure to run FTP chroot'ed or jailed.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4Agy3jDkPpsZ+VYRA2V3AKCMzwid9H5W1dY2FkwVdLyZvVq31wCgjgFp
4p0qDnF185J4kqNvxxUd/nw=
=NOgu
-----END PGP SIGNATURE-----
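The following is an added example and is not part of Matthew's message or of FreeBSD's ftpd. It sketches, as a POSIX shell script, the review-then-publish drop box described in point (iii): the `incoming` directory is mode 0733 so anonymous users can create files but neither list nor read them, nothing in it is ever served, and a reviewer explicitly publishes a checked file into a world-readable `pub` directory. The directory layout under `FTP_ROOT` (defaulting to `/var/ftp`), the function names and the audit rule ("any file in incoming readable by others is a misconfiguration") are assumptions for the illustration, and the files created in the usage are constructed test data.

```sh
#!/bin/sh
# Added example (not from the original mail): a review-then-publish
# workflow for an anonymous FTP drop box, following approach (iii).
# Assumed layout: $FTP_ROOT/incoming is write-only for anonymous uploads,
# $FTP_ROOT/pub is the only directory anonymous users may download from.
set -u

FTP_ROOT="${FTP_ROOT:-/var/ftp}"   # assumed location of the FTP tree

# setup_dropbox: create the two directories with the permissions that
# keep uploads from being downloadable until a reviewer publishes them.
#   incoming: 0733 -> anonymous can create files, cannot list or read them
#   pub:      0755 -> world-readable, only the owner can write
setup_dropbox() {
    mkdir -p "$FTP_ROOT/incoming" "$FTP_ROOT/pub"
    chmod 0733 "$FTP_ROOT/incoming"
    chmod 0755 "$FTP_ROOT/pub"
}

# audit_incoming: list every file in incoming that is readable by "other"
# (octal mode bit 004). Any hit means uploads are already downloadable by
# anonymous users, i.e. the server can act as a drop site. Returns 0 when
# clean, 1 when at least one file is exposed.
audit_incoming() {
    hits=$(find "$FTP_ROOT/incoming" -type f -perm -004)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# publish: a reviewer moves one checked upload from incoming into pub.
# Only a bare filename is accepted (no path components, no "." or ".."),
# an existing pub entry is never overwritten, and the published copy is
# re-permissioned to 0644 so no exec or set-id bits survive the move.
publish() {
    name=$1
    case "$name" in
        */*|.|..|'') echo "publish: refusing name '$name'" >&2; return 2 ;;
    esac
    src="$FTP_ROOT/incoming/$name"
    dst="$FTP_ROOT/pub/$name"
    [ -f "$src" ] || { echo "publish: no such upload: $name" >&2; return 1; }
    [ -e "$dst" ] && { echo "publish: $name already published" >&2; return 1; }
    mv -- "$src" "$dst" && chmod 0644 "$dst"
}

# Usage: source this file, then
#   setup_dropbox            # once, when creating the FTP tree
#   audit_incoming           # from cron, to catch files that became readable
#   publish some-upload.tgz  # by the reviewer, after inspecting the file
```

The audit is the cheap check a defender can run periodically: it never changes anything, it only reports the condition (world-readable uploads) that the original poster was about to create on purpose with a chmod cron job. Publication is deliberately a separate, human-driven step, which is the whole point of approach (iii).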