Date:      Fri, 1 Dec 2000 03:41:38 -0600 (CST)
From:      James Wyatt <jwyatt@rwsystems.net>
To:        Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: which ftpd
Message-ID:  <Pine.BSF.4.10.10012010332310.42770-100000@bsdie.rwsystems.net>
In-Reply-To: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>

On Fri, 1 Dec 2000, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.
> 
> I just discovered a bunch of suspicious files and directories
> in my incoming directory:
> drwxrwx-wx root/staff        0 Nov 28 19:45 2000 incoming/
> drwxr-xr-x ftp/staff         0 Jul 31 00:04 2000 incoming/sm/
	[ ... ]
> -rw-r--r-- ftp/staff       937 Nov  7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
> -rw-r--r-- ftp/staff  15000000 Nov  7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
	[ ... ]
> I'm wondering if this was an attack or just a trial.
> 
> It seems I didn't block creating directories otherwise it wouldn't have
> been possible to create that but I'm wondering if this is possible
> to disallow under the stock ftpd.

I've found the stock FreeBSD FTPd really good. It offers a chrooted
account I've had to take the WUFTPd risk for before on Linux. If you
turn up the logging you can easily catch things like this. (btw: this
looks like some warez d00dz building a nest. I've had it happen before and
there have been some FTPd holes that required writable anon-ftp to work.)
Using the FTPd xfer log, you can easily audit uploaded files and spot
things like this. You can also have an automatic process watch the log 
and move the files to a quarantine area.

I've liked having a writable incoming directory that can be written to,
but not read. Doesn't give users warm-fuzzy of seeing their files arrive,
but reduces the bandwidth freeloaders. For fun, make a ".../README" file
asking folks not to leave warez junk. Hope this helps somehow - Jy@
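The "automatic process" James mentions, written out as an added example (it is not code from his message, from Christoph's setup, or from FreeBSD's ftpd). It reads ftpd's transfer log, picks out uploads into the incoming area that use the hiding tricks visible in the quoted listing (a directory named "...", a leading-dot name, whitespace inside a path component), and moves them to a quarantine directory outside the anonymous tree. Everything about the environment is an assumption here: the `!`-separated record layout is what I recall FreeBSD 4.x `ftpd -S` writing to `/var/log/ftpd` (`time!ident!remote-host!path!size!seconds`), the directory names are placeholders, and the pattern list is this example's choice. Check your own log before relying on the field split.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's ftpd): quarantine
# suspicious anonymous uploads found in an ftpd transfer log.
#
# ASSUMED log record (FreeBSD 4.x ftpd -S, as I remember it):
#   <ctime>!<ident>!<remote host>!<absolute path>!<size>!<seconds>
# Only the first three and last two fields are fixed; the path is everything
# in between, so a '!' or a space inside a file name does not shift columns.

INCOMING="${INCOMING:-/incoming}"            # upload dir as it appears in the log (assumed)
QUARANTINE="${QUARANTINE:-/var/ftp-quarantine}"  # must be outside the anon-ftp tree (assumed)
FTPROOT="${FTPROOT:-}"                       # prefix if log paths are chroot-relative (assumed)

# Print the path field of every log record on stdin, one per line.
xferlog_paths() {
    awk -F'!' 'NF >= 6 {
        p = $4
        for (i = 5; i <= NF - 2; i++) p = p "!" $i   # re-join a path that held "!"
        print p
    }'
}

# From records on stdin, print the paths under $INCOMING whose components look
# like a warez nest: only dots ("..."), a leading dot, or embedded whitespace.
flag_suspicious_uploads() {
    xferlog_paths | awk -v root="$INCOMING/" '
        substr($0, 1, length(root)) != root { next }   # ignore the rest of the tree
        {
            n = split(substr($0, length(root) + 1), c, "/")
            for (i = 1; i <= n; i++) {
                if (c[i] == "") continue
                if (c[i] ~ /^\.\.\.+$/ || c[i] ~ /^\./ || c[i] ~ /[ \t]/) { print; break }
            }
        }'
}

# Move each flagged file (paths on stdin) into $QUARANTINE, keeping its
# relative path so the original location is preserved by the layout itself.
quarantine_files() {
    while IFS= read -r path; do
        src="$FTPROOT$path"
        [ -f "$src" ] || continue            # already moved, or a directory entry
        rel="${path#"$INCOMING"/}"
        dest="$QUARANTINE/$rel"
        mkdir -p -- "$(dirname -- "$dest")" || return 1
        # -f: a re-upload under the same name replaces the earlier quarantined copy
        mv -f -- "$src" "$dest" && printf 'quarantined %s\n' "$path"
    done
}

# Typical use from cron, against the records appended since the last run:
#   flag_suspicious_uploads < /var/log/ftpd | quarantine_files
```

The `--` on `mkdir`, `dirname` and `mv` matters here: the names being quarantined are attacker-chosen, and one starting with `-` would otherwise be read as an option. The pattern list only catches the tricks shown in the listing above, so treat what it flags as a starting point for a manual look at the log, not as the whole audit.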
