topic Re: FTP Security issue in Operating System - HP-UX

FTP Security issue

Kong Kian Chay — Mon, 18 Dec 2000 04:17:08 GMT

Our system (HP-UX 10.20 & 11.00) allows our users to FTP & TELNET from their home to access the resources.

However, I was told by a friend that allowing FTP is a big security lax - that via FTP, users can actually flood the system with messages & get to the root a/c.

Would like to check how this is done & how to prevent it.

Re: FTP Security issue

Kofi ARTHIABAH — Mon, 18 Dec 2000 04:37:31 GMT

Kong:
If you are allowing your users out-going ftp access, then there is nothing much to worry about; however, if you are allowing them ftp access into your network/server, you have to take some precautions.

Allowing unrestricted access to any service on your server is a potential security risk. I would recommend that if you do not already have one-

1. set up your servers behind a firewall
2. consider using some form of VPN technology to allow your users to connect from home
3. get the latest security patches for all services that you are offering (and keep a close eye on bug reports as they come out)
4. Visit the excellent security related site: http://www.securityfocus.com and http://www.sans.org
for more information on exploits.

To answer your questions more specifically, there are vulnerable versions of ftp out there that can give a user root access/root shell via a buffer overflow. These kinds of attacks are generally prevented by getting the latest versions of your ftp daemon.

good luck

Re: FTP Security issue

Dan Hetzel — Mon, 18 Dec 2000 09:47:49 GMT

Hi,

Kofi is right ! ftp could be a major security issue if you leave it unrestricted.

Make sure that you have applied the latest ftp patch (PHNE_21936 for 11.0, PHNE_22057
for 10.20)

Best regards,

Dan

Re: FTP Security issue

Suhas_2 — Mon, 18 Dec 2000 15:14:50 GMT

Kong,
Frankly speaking FTP is a very nice service, but it is very dangerous too !!!. So my advice to you will be:
Allow the guys to do telnet "in"to your system and then ask them to ftp "out" to their requisite place. It will be better if you can disable ftp service.

But if you really want to continue with ftp, I would like to suggest something. First you create an account with /bin/false as its shell. Give that account rights to only a particula area on your system. Keep the account password protected (increased security). Disable ftp access for everybody else, by adding their names to /etc/ftpusers file. Keep only one entry in /etc/shells file as
/bin/false (increased security).
Hope this helps....
Suhas :-)....