Help needed to secure ftp anonymous incoming folder - SGI


Thread: Help needed to secure ftp anonymous incoming folder

  1. Help needed to secure ftp anonymous incoming folder

    Hello,

    I have set up ftp as per SGI's instructions in IRIX 6.5.11. I am using
    the SGI ftp server. Everything works, but I have permissions problems
    with the incoming folder. It is already full of questionable movies...
    The folder's permissions are d_wx_wx_wt. People have been connecting
    anonymously, created a new folder in incoming, and put their stuff in
    the new folder. When a new folder is created, the permissions are the
    system's defaults (rwxrwxr_x or something like that). So how can I
    make this more secure? I would like to be able to do either one of the
    following:
    1) Change the umask of user ftp (preferred)
    2) Prevent anonymous ftp users from creating folders (more drastic)

    I would appreciate any help on this, or other suggestions.

    Thanks a lot,

    John Connor.

  2. Re: Help needed to secure ftp anonymous incoming folder

    Nodrahc Technologies Inc. wrote:
    > 1) Change the umask of user ftp (preferred)
    > 2) Prevent anonymous ftp users from creating folders (more drastic)


    My hint to you is to either forget about an incoming/ completely or to
    configure it that way that retrieving of files is impossible or (if your
    server software isn't capable of this) to prevent ls to show directory
    contents.

    If you don't take care of this, your ftp server will soon turn into a
    warez and p0rn pit and all hell breaks loose.

    Even if you take the steps above to tighten up your incoming/ you will
    find files uploaded by robot scripts in there every day (those scripts
    try to upload stuff and to download it again to find ftp servers with
    'open' incoming/ directories to abuse those as warez pits).


    BTW.. get yourself wu-ftpd-2.6.2-pre8.src.rpm from www.rpmfind.net,
    unpack it on some linux box (rpm2cpio < wu-ftpd-2.6.2-pre8.src.rpm |
    cpio -i -d) and transfer the source tar.bz2 to an SGI. You have to
    replace a vfork() into a fork() somewhere in the sources to make that
    thing actually compile given this configuration:

    ./configure --prefix=/usr/local --with-etc-dir=/usr/local/etc/wu-ftp
    --with-pid-dir=/var/tmp --with-log-dir=/var/adm
    --with-base-homedir=/usr/people --with-alt-homedir=/tmp
    --with-openssl-dir=/usr/freeware/lib/openssl --enable-tls
    --enable-ls --disable-numericuid

    You can also add other options (--enable-passwd or the like). This will
    build a working wu-ftpd (I never got it to work without the
    --internal-ls though, I don't know why; my chroot() seems to be OK, IRIX
    ftpd likes it but with wu-ftpd no go).

    Ah yes.. I even edited the src/Makefile and replaced -lssl -lcrypto with
    the complete pathnames to the archive library versions of ssl and crypto
    (/usr/freeware/lib32/libssl.a ..) to make a nice static binary (the
    recommended way with OpenSSL btw).

    $ ldd /usr/local/sbin/in.ftpd
    libcrypt.so => /usr/lib32/libcrypt.so
    libc.so.1 => /lib32/libc.so.1


    Set up your anon ftp chroot() like this:

    mkdir -p /ftp/etc /ftp/lib32 /ftp/bin /ftp/incoming /ftp/pub /ftp/dev

    Put /lib32/rld and /lib32/libc.so.1 into /ftp/lib32/, put /dev/zero into
    /ftp/dev/ and copy compress, gzip, tar, ls, md5sum and cksum into
    /ftp/bin (ah yes.. better mknod the /ftp/dev/zero ;-).

    Copy /etc/passwd and /etc/group into /ftp/etc (be sure to remove any
    password hashes! :-) to display user and groupnames within an ftp
    session instead of boring numeric UIDs and GIDs.

    Copy all the files needed for TLS into /usr/freeware/lib/openssl/certs/
    (I even added a link /usr/local/ssl/ to /usr/freeware/lib/openssl/) and
    configure your wu-ftpd config files in /usr/local/etc/wu-ftp/.

    Finally add an entry (disable the given IRIX ftpd ones!) for wu-ftp
    into your /etc/inetd.conf:

    # WU-FTP
    #
    ftp stream tcp nowait root /usr/local/sbin/in.ftpd \
    in.ftpd -l -a -z authmode=server

    When you are done it will look like this:

    220 your.machine.foo FTP server ready.
    Name (your.machine.foo:rhoenie): ftp
    331 Guest login ok, send your complete e-mail address as password.
    Password: xxxxxxxx
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful.
    150 Opening ASCII mode data connection for directory listing.
    total 0
    drwxr-xr-x 2 root sys 76 Nov 5 12:09 bin
    drwxr-xr-x 2 root sys 17 Nov 4 11:15 dev
    drwxr-xr-x 2 root sys 31 Nov 6 10:24 etc
    drwx-wx-wt 4 ftpadm daemon 4096 Nov 1 12:33 incoming
    drwxr-xr-x 2 root sys 49 Nov 5 09:55 lib32
    drwxr-xr-x 2 root sys 109 Nov 4 23:19 msgs
    drwxr-xr-x 11 rhoenie sys 140 Nov 5 23:02 pub
    226 Transfer complete.
    ftp> quit
    221-You have transferred 0 bytes in 0 files.
    221-Total traffic for this session was 1505 bytes in 0 transfers.
    221-Thank you for using the FTP service on your.machine.foo.
    221 Goodbye.

    ... cute, eh? :-)

    --
    PGP2 Key-ID: 666R/36540865 1997-06-09 Marcus Herbert
    GPG Key-ID: 1024D/2E2DAB44 2000-01-30
    Geek-Code: GCS b O e+ h
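The chroot tree and the write-only incoming/ mode from the post above, as an added shell example that is not Marcus's or the thread's own code: it builds the directory layout, gives incoming/ the drop-box mode (drwx-wx-wt, i.e. 1733), and audits it for the listable subdirectories the original poster complained about. Function names, and the choice to leave copying rld, libc and the binaries to the admin, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lay out an anonymous-ftp chroot root
# in the shape described in the post. Only the tree is built; rld, libc.so.1,
# /dev/zero, the tool binaries and the stripped passwd/group copies are left
# to the administrator.
setup_anon_ftp_root() {
    root="$1"
    mkdir -p "$root/etc" "$root/lib32" "$root/bin" "$root/incoming" \
             "$root/pub" "$root/dev" || return 1
    chmod 755 "$root" "$root/etc" "$root/lib32" "$root/bin" \
              "$root/pub" "$root/dev"
    # incoming/: writable and searchable by everyone, readable by the owner
    # only, sticky bit set -> drwx-wx-wt, uploads can't be listed or re-fetched
    chmod 1733 "$root/incoming"
}

# Subdirectories that anonymous users create under incoming/ get the system
# default mode (e.g. rwxrwxr-x), so anyone can list and download from them.
# Print every such group- or world-readable directory, one per line. Extra
# arguments are passed through to find (used by harden_incoming below).
audit_incoming() {
    root="$1"; shift
    find "$root/incoming" -type d ! -path "$root/incoming" \
        \( -perm -040 -o -perm -004 \) "$@"
}

# Re-apply the drop-box mode to every offending subdirectory and print the
# number of directories that were changed.
harden_incoming() {
    n=$(audit_incoming "$1" | wc -l | tr -d ' ')
    audit_incoming "$1" -exec chmod 1733 {} +
    echo "$n"
}
```

Run harden_incoming from cron to undo the default mode on directories uploaders create; it does not replace fixing the server's upload umask, it only limits how long a readable directory stays readable.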

  3. Re: Help needed to secure ftp anonymous incoming folder

    rhoenie@indigo.homeunix.org (Marcus Herbert) wrote in message news:...

    > My hint to you is to either forget about an incoming/ completely or to
    > configure it that way that retrieving of files is impossible or (if your
    > server software isn't capable of this) to prevent ls to show directory
    > contents.


    [snip...]

    > BTW.. get yourself wu-ftpd-2.6.2-pre8.src.rpm from www.rpmfind.net,
    > unpack it on some linux box (rpm2cpio < wu-ftpd-2.6.2-pre8.src.rpm |
    > cpio -i -d) and transfer the source tar.bz2 to an SGI. You have to


    [more stuff deleted]

    Thanks for your help Marcus.

    I actually installed proFTPd from the freeware disks. It is much more
    secure than the original ftp server that comes with Irix. Best of all,
    it took me no more than 10 minutes to configure the server and make it
    secure. I don't have problems with inappropriate material in my
    incoming directory anymore. I definitely recommend proFTPd to anyone
    who uses ftp on Irix, especially if you want to use anonymous uploads.

    Thanks again,

    John.
