HPE Community
Operating System - HP-UX
1846876 Members
2903 Online
110256 Solutions
New Discussion

FTP Security issue

 
SOLVED
Go to solution
Kong Kian Chay
Regular Advisor

‎12-17-2000 08:17 PM

‎12-17-2000 08:17 PM

FTP Security issue

Our system (HP-UX 10.20 & 11.00) allows our users to FTP & TELNET from their home to access the resources.

However, I was told by a friend that allowing FTP is a big security lax - that via FTP, users can actually flood the system with messages & get to the root a/c.

Would like to check how this is done & how to prevent it.
0 Kudos
Reply
3 REPLIES 3
Kofi ARTHIABAH
Honored Contributor

‎12-17-2000 08:37 PM

‎12-17-2000 08:37 PM

Solution

Re: FTP Security issue

Kong:
If you are allowing your users out-going ftp access, then there is nothing much to worry about; however, if you are allowing them ftp access into your network/server, you have to take some precautions.

Allowing unrestricted access to any service on your server is a potential security risk. I would recommend that if you do not already have one-

1. set up your servers behind a firewall
2. consider using some form of VPN technology to allow your users to connect from home
3. get the latest security patches for all services that you are offering (and keep a close eye on bug reports as they come out)
4. Visit the excellent security related site: http://www.securityfocus.com and http://www.sans.org
for more information on exploits.

To answer your questions more specifically, there are vulnerable versions of ftp out there that can give a user root access/root shell via a buffer overflow. These kinds of attacks are generally prevented by getting the latest versions of your ftp daemon.

good luck
nothing wrong with me that a few lines of code cannot fix!
Reply
Dan Hetzel
Honored Contributor

‎12-18-2000 01:47 AM

‎12-18-2000 01:47 AM

Re: FTP Security issue

Hi,

Kofi is right ! ftp could be a major security issue if you leave it unrestricted.

Make sure that you have applied the latest ftp patch (PHNE_21936 for 11.0, PHNE_22057
for 10.20)

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
0 Kudos
Reply
Suhas_2
Regular Advisor

‎12-18-2000 07:14 AM

‎12-18-2000 07:14 AM

Re: FTP Security issue

Kong,
Frankly speaking FTP is a very nice service, but it is very dangerous too !!!. So my advice to you will be:
Allow the guys to do telnet "in"to your system and then ask them to ftp "out" to their requisite place. It will be better if you can disable ftp service.

But if you really want to continue with ftp, I would like to suggest something. First you create an account with /bin/false as its shell. Give that account rights to only a particula area on your system. Keep the account password protected (increased security). Disable ftp access for everybody else, by adding their names to /etc/ftpusers file. Keep only one entry in /etc/shells file as
/bin/false (increased security).
Hope this helps....
Suhas :-)....
Never say "Die"
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.