topic FTP User... in Operating System - HP-UX

FTP User...

gogleboy — Tue, 19 May 2009 14:43:00 GMT

TEam,

Below listed item is non-compliant to our production server so it is security problem,

Please tell me how can i fix this issue.

:FTP User account,,,: This user's password is not checked by the system password strength program.

Thanks
Nanda

Re: FTP User...

Mel Burslan — Tue, 19 May 2009 14:49:19 GMT

if you are allowing anonymous ftp to your server, there is no actual password associated with the username you specify in your /etc/password file and I am not sure which software you are using to audit your server but all of them frown upon passwordless accounts.

The only solution is to remove such access or if it is business critical that you keep it, get a written exception from the people who need this account, signed by your security team.

Re: FTP User...

George Spencer_4 — Wed, 20 May 2009 02:49:19 GMT

The answer depends to some extent on your situation. You could force a password change, or even change the password for this account. The user will then come back to you, giving you a chance to steer them in the right direction.

If the user really does require a weak password, then consider implementing the use of /etc/ftpd/ftpaccess and /etc/ftpd/ftphosts files by changing to ftpd -a in your inetd.conf. With the ftphosts file you could then restrict the login to a particular host. There are some example files mentioned in the manuals, and I have found these to be quite helpful.

Re: FTP User...

Suraj K Sankari — Wed, 20 May 2009 03:16:42 GMT

HI,
>>:FTP User account,,,: This user's password is not checked by the system password strength program

Your server is a trusted system ?
If not then convert into trusted system.

Suraj