Date: Wed, 25 Feb 2004 04:58:35 +0100 (CET)
From: "Julian Stacey" <jhs@berklix.org>
To: freebsd-isp@freebsd.org, jhs@berklix.com
Cc: np@bsn.com
Subject: ftpd loop hole ?
Message-ID: <200402250358.i1P3wZeC004091@fire.jhs.private>
Hi freebsd-isp@ people, CC np@bsn.com, ewinter@ewinter.org

Has anyone else seen an exploit of standard ftpd on 4.9-RELEASE ?
Some bandwidth thief uploaded videos to my ~ftp/ for bootleggers to download.
How to stop a repeat occurrence ?

There are very few people who have logins on this machine, & I trust the
people, & most of them aren't even competent to achieve an intrusion.
It was probably not an inside job.

This was my 4.9 config:

/etc/master.passwd
    ftp:*:14:5::0:0:Anonymous FTP tower.berklix:/usr1/ftp:/sbin/nologin

~ftp/passwd (not sure if file needed ?)
    #
    root:*:0:0:Charlie &:/root:/bin/csh
    toor:*:0:0:Bourne-again Superuser:/root:
    daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
    operator:*:2:5:System &:/:/sbin/nologin
    bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
    tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
    kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
    games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
    news:*:8:8:News Subsystem:/:/sbin/nologin
    man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
    ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/nonexistent
  last changed to
    ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/sbin/nologin

/etc/ftpusers
    did not contain a line "ftp" (neither does /usr/src/etc/ftpusers)
    mine does now - my idea now is to split the ftpd functionality:
    - Try harder to block anon ftp writes to this machine (only allow
      local users to ftp upload ( & maybe to an mdconfig'd mini FS of
      just 50M or so))
    - later run a read only anon ftpd on another machine.

/etc/inetd.conf
    ftp     stream  tcp     nowait      root     /usr/libexec/ftpd     ftpd -l -l
    telnet  stream  tcp     nowait      root     /usr/libexec/telnetd  telnetd
    shell   stream  tcp     nowait      root     /usr/libexec/rshd     rshd
    login   stream  tcp     nowait      root     /usr/libexec/rlogind  rlogind
    ntalk   dgram   udp     wait        tty:tty  /usr/libexec/ntalkd   ntalkd
    tftp    dgram   udp     wait        nobody   /usr/libexec/tftpd    tftpd -l /pub/tftp/ncd /pub/bootp /usr/X11R6/lib/X11/fonts
    finger  stream  tcp     nowait/3/10 nobody   /usr/libexec/fingerd  fingerd -s

    I didn't have -r on ftpd because a few people on that host have
    genuine stuff to upload occasionally.
    The telnet shell login are there for emergencies & the use of a
    couple of clueless MS users, but people with root privs use ssh
    (unless maybe on same local ethernet segment, during rescue/
    upgrade periods)

/etc/hosts.equiv
    Potential loophole to IP spoofing, so I've stripped it of names,
    & will go to ssh/shosts.equiv

/usr/local/etc/rc.d has:
    apache.sh*  apache.sh-dist  cyrus_pwcheck.sh*  cyrus_sasl1*  saslauthd1.sh*
    I haven't enabled apache for data upload, just download (& not from ftp area)

From man ftpd I can see & have added:
    -M      Prevent anonymous users from creating directories.

~ftp was UID=ftp, 755, is now uid=0 555 (per man ftpd)
~ftp/etc & ~ftp/pub similarly checked/fixed

Anything else I've missed ?
Would I be better using some other ftpd from ports/ rather than /usr/src ?

-
Julian Stacey.  Unix C & Net Services Consultant - Munich.  http://berklix.com
  Mail me in Ascii text/plain: Html + Mime is dumped as Spam.
  Try snuff tobacco: your smoking = my allergic headache !
  Software patents ? vampires would approve ! http://berklix.com/patents/
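As an added example (not from Julian's mail and not FreeBSD's own tooling), here is a small POSIX sh audit of the two things the mail ends up changing: that the anonymous FTP tree is owned by root and not writable by group or others, as the ftpd(8) man page recommends for ~ftp, ~ftp/etc and ~ftp/pub, and that the ftp account is listed in /etc/ftpusers. Both paths are arguments (the /usr1/ftp and /etc/ftpusers defaults in the usage line are just the ones from the mail), and the expected owner uid can be overridden so the check can be exercised on a test tree you own. Note that on FreeBSD's ftpd, listing ftp (or anonymous) in ftpusers refuses anonymous logins altogether, which fits the plan above of moving read-only anonymous service to a separate machine.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit an anonymous-FTP tree
# along the lines the mail describes (ftpd(8) advice: ~ftp owned by root and
# unwritable, the "ftp" account listed in ftpusers). Only POSIX find/ls/grep
# are used so it behaves the same on FreeBSD and Linux.

# check_ftp_tree DIR [OWNER_UID]
#   Prints one line per directory under DIR that is not owned by OWNER_UID
#   (default 0 = root) or is writable by group or others.
#   Returns 0 when the tree is clean, 1 when any problem was found.
check_ftp_tree() {
    dir=$1
    want_uid=${2:-0}
    # The loop runs in a subshell (pipeline), so collect its findings via
    # command substitution instead of trying to set a variable inside it.
    problems=$(
        find "$dir" -type d | while IFS= read -r d; do
            # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 512 Feb 25 ... /usr1/ftp":
            # mode string in $1, numeric uid in $3.
            set -- $(ls -ldn "$d")
            mode=$1
            uid=$3
            [ "$uid" = "$want_uid" ] ||
                echo "not owned by uid $want_uid: $d (uid $uid)"
            # Character 6 of the mode string is the group write bit,
            # character 9 the other write bit.
            case $mode in
                ?????w*|????????w*)
                    echo "writable by group/other: $d ($mode)" ;;
            esac
        done
    )
    if [ -n "$problems" ]; then
        echo "$problems"
        return 1
    fi
    return 0
}

# check_ftpusers FILE
#   Returns 0 if FILE contains a line consisting exactly of "ftp"
#   (the change the mail made to /etc/ftpusers), 1 otherwise.
check_ftpusers() {
    grep -qx 'ftp' "$1"
}

# Usage as a script, with the paths from the mail:
#   sh ftpaudit.sh /usr1/ftp /etc/ftpusers
if [ $# -eq 2 ]; then
    check_ftp_tree "$1" && echo "ftp tree OK: $1"
    check_ftpusers "$2" && echo "ftp is listed in $2"
fi
```

Run it as root (or with a uid argument) against the real tree after the chown/chmod described above; any output from check_ftp_tree is a directory that an anonymous session could still write into or that has drifted from the recommended ownership.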