Date: Mon, 6 Jan 2003 06:31:29 -0800 (PST)
From: "nate" <freebsd@aphroland.org>
To: <questions@FreeBSD.ORG>
Subject: Re: FTP incoming directory. Damned Hooligans.
Message-ID: <58009.10.10.10.7.1041863489.squirrel@webmail.linuxpowered.net>
In-Reply-To: <00a701c2b543$dc5ffe30$7419cdcd@ticking>
References: <bulk.33404.20030105132544@hub.freebsd.org> <p05111702ba3ec12b0d4a@[192.168.1.100]> <00a701c2b543$dc5ffe30$7419cdcd@ticking>
Adam Maas said:
> Anonymous FTP right?
>
> The more sophisticated warez kiddies have taken to scanning networks for
> anonymous ftp servers, and then loading them up with their warez/pr0n and
> giving out the IP. Had it happen to a few customers (I work Tech Support
> for Major Evil Backbone Provider).
>
> Next time give them logins to the box and always disable anonymous FTP.

For my previous company I set up an anonymous ftp server. It was pretty
locked down, it worked very well though. I used proftpd, since it had
acls which overrode filesystem permissions.

The anonymous user had 2 directories, which were invisible unless you
knew the name (not hard to guess but still):

incoming - anyone can upload, nobody can list files, nobody can download files
outgoing - anyone can download, nobody can list files, nobody can upload files

There was a special account that the staff used to manage the files on
the system. This made it easy for them to upload a file to outgoing with
this account and email the url ftp://some.ftp.server/outgoing/filename.zip
or whatever, and it would download, but unless you knew the filename you
couldn't get anything.

This worked out better than providing accounts for each customer. The
company had such a system in place earlier and it was a total mess.
Provided the employee made a sufficiently obscure filename (anything but
filename.zip!) it was enough to prevent unauthorized downloads of files.
And when trying to list files, the server wouldn't return an error like
permission denied, it would just show nothing.

Never had a problem with them warez kids using it :) (that is, they
never could ..)

In case you're interested in trying such a configuration, this is what I used:

<Anonymous ~ftp>
  DisplayLogin                  welcome.msg
  User                          ftp
  Group                         ftp
  UserAlias                     anonymous ftp
  MaxClients                    10
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message
  <Limit WRITE>
    DenyAll
  </Limit>
  <Directory incoming>
    <Limit LIST NLST WRITE MKD RMD RETR RNFR RNTO DELE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
  <Directory outgoing>
    <Limit LIST NLST READ MKD RMD RNFR RNTO DELE>
      DenyAll
    </Limit>
    <Limit RETR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

nate
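
Added example, not part of nate's message or of ProFTPD itself: a small Python audit that works out which of STOR, RETR and LIST an anonymous user ends up with in each <Directory> of the configuration above, and flags any directory where an upload can also be fetched back. It assumes a simplified model of <Limit> resolution (nearest context first; within a context a raw command beats a command group, which beats ALL; no match means allowed); the function names and the compacted CONFIG copy are constructed for this example.

```python
import re

# Command groups documented for ProFTPD's <Limit> directive (only the two used here).
GROUPS = {"WRITE": {"APPE", "DELE", "MKD", "RMD", "RNTO", "STOR", "STOU", "XMKD", "XRMD"},
          "READ": {"RETR", "SIZE"}}

# Constructed copy of the <Limit> structure from the message, compacted for this parser.
CONFIG = """<Anonymous ~ftp>
  <Limit WRITE> DenyAll </Limit>
  <Directory incoming>
    <Limit LIST NLST WRITE MKD RMD RETR RNFR RNTO DELE> DenyAll </Limit>
    <Limit STOR> AllowAll </Limit>
  </Directory>
  <Directory outgoing>
    <Limit LIST NLST READ MKD RMD RNFR RNTO DELE> DenyAll </Limit>
    <Limit RETR> AllowAll </Limit>
  </Directory>
</Anonymous>"""

TOKEN = re.compile(r"<Directory\s+([^>]+)>|(</Directory>)|<Limit\s+([^>]+)>\s*(AllowAll|DenyAll)")

def parse(conf):
    """Return {context: [(names, allow), ...]}; context None is the <Anonymous> level."""
    limits, ctx = {None: []}, None
    for m in TOKEN.finditer(conf):
        if m.group(1):
            ctx = m.group(1).strip()
            limits[ctx] = []
        elif m.group(2):
            ctx = None
        else:
            limits[ctx].append((set(m.group(3).split()), m.group(4) == "AllowAll"))
    return limits

def allowed(limits, directory, cmd):
    """Assumed model: nearest context first; raw command > group > ALL; default allow."""
    groups = {g for g, members in GROUPS.items() if cmd in members}
    for ctx in (directory, None):
        for names in ({cmd}, groups, {"ALL"}):
            for limited, allow in limits.get(ctx, []):
                if limited & names:
                    return allow
    return True  # no <Limit> applies; filesystem permissions would still apply

def audit(conf):
    """Per directory: effective STOR/RETR/LIST, plus a flag when uploads are fetchable."""
    limits, report = parse(conf), {}
    for d in filter(None, limits):
        p = {c: allowed(limits, d, c) for c in ("STOR", "RETR", "LIST")}
        report[d] = dict(p, upload_and_fetch=p["STOR"] and p["RETR"])
    return report
```

Running audit(CONFIG) shows no directory with upload_and_fetch set, which is the property that kept uploaded files from being handed out again.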