topic Re: FTP Login lockdown? in Operating System - HP-UX

FTP Login lockdown?

Walter Maul — Thu, 19 Oct 2000 15:08:04 GMT

Hi all! I have a customer who needs to ftp me some files, but I want to minimize the security risk as much as possible. I have created an account...and made it active home directory the place where I want the files. However, I don't want this customer to be able to view up the directory tree...so how do I limit this?

Any help with this is greatly appreciated.

Re: FTP Login lockdown?

Victor BERRIDGE — Thu, 19 Oct 2000 15:41:21 GMT

use /usr/bin/rsh as login shell:

rsh Restricted version of the POSIX or Bourne shell command
interpreter. Sets up a login name and execution
environment whose capabilities are more controlled
(restricted) than normal user shells.

Re: FTP Login lockdown?

James R. Ferguson — Thu, 19 Oct 2000 15:49:14 GMT

Peter:

Consider ftp security here too:

Setup restricted accoutns in /etc/ftpusers (see: man 4 ftpusers).

Setup /var/adm/inetd.sec hosts and IPAddresses to allow or deny access as you see fit. (see: man 4 inetd.sec).

See also this thread on 'wu-ftpd' in HP 11.x.

http://my1.itrc.hp.com/cm/QuestionAnswer/1,1150,0x47f06c96588ad4118fef0090279cd0f9,00.html

...JRF...

Re: FTP Login lockdown?

James R. Ferguson — Thu, 19 Oct 2000 16:15:21 GMT

Peter:

I would offer that this document, in addition to my previous post, will help you further: Document #A5651654.

By following the procedure in this document, a user will not have the ability to travel anywhere outsideof his home directory on the system. Setting up a bogus shell with exit 0 as the contents will cause the connection
of a user to be immediately terminated if the user attempts to telnet into the system.

Does this help you any better?

...JRF...

Re: FTP Login lockdown?

Kofi ARTHIABAH — Thu, 19 Oct 2000 16:26:52 GMT

Peter:

Would it not be better for you to fetch it from your Customer's site (and have him worry about security)? I find its more acceptable to fetch than to have someone poking around your server! my $0.02

Re: FTP Login lockdown?

James R. Ferguson — Thu, 19 Oct 2000 16:34:00 GMT

Peter:

Kofi makes a great point! I too feel the same as he does!!!

...JRF...

Re: FTP Login lockdown?

Victor BERRIDGE — Thu, 19 Oct 2000 16:39:39 GMT

A agree also,
in fact I use the for such case:
an account on driveway
http://www.driveway.com/
Where I deposit the file and share it with who has to pick it up...
HAve a look at the site, its free
Yours
Victor

Re: FTP Login lockdown?

Walter Maul — Thu, 19 Oct 2000 23:28:52 GMT

James, et. al.:

Sorry, in looking at my post I neglected to state that I'm running 10.20 on a K460. I don't think the ftpaccess solution is available to me on the 10.20 platform...is it? (If so, where?)

Thanks for your continued help.

Re: FTP Login lockdown?

James R. Ferguson — Fri, 20 Oct 2000 00:42:49 GMT

Peter:

I thought I remembered something; searched this forum and found the thread below. Pay particular note to Brian Fisher's comments. It appears that what you want will work on 10.20.

http://my1.itrc.hp.com/cm/QuestionAnswer/1,1150,0x715168c57f64d4118fee0090279cd0f9,00.html

...JRF...

Re: FTP Login lockdown?

Tim Nelson — Fri, 20 Oct 2000 20:04:06 GMT

If you really wish to do things right get a copy of ProFTP . This UNIX freeware is 1000s of times better for security and configuration. You can limit upload and downloads, restrict time of day and lock users into a chroot jail. The users do not even need unix logins which immediately disables other security risks. The software can be found at www.proftpd.net. We use it for internet ftp access to restrict clients from viewing other clients files.

Re: FTP Login lockdown?

Suhas_2 — Sun, 22 Oct 2000 03:33:57 GMT

Hi,
Pls try the following set-up
1> Create a new dummy account
2> Give /bin/false as a shell to this account
This avoids a risk of thst dummy user getting a shell in your environment.
3> Next is set-up /etc/ftpusers. Add all your users in this file, except the dummy ID that you have created.
4> Set up /etc/shells file. Put only one line in this file as /bin/false. No other line should be in this file. This adds up to the security of your system.
Pls revert if any problem. And do ot forget to award points.
Regds.....
Suhas