
Re: FTP User...

 
gogleboy
Occasional Advisor

FTP User...

Team,

The item listed below is non-compliant on our production server, so it is a security problem.

Please tell me how I can fix this issue.

:FTP User account,,,: This user's password is not checked by the system password strength program.

Thanks
Nanda
3 REPLIES
Mel Burslan
Honored Contributor

Re: FTP User...

If you are allowing anonymous ftp to your server, there is no actual password associated with the username you specify in your /etc/password file. I am not sure which software you are using to audit your server, but all of them frown upon passwordless accounts.

The only solution is to remove such access or if it is business critical that you keep it, get a written exception from the people who need this account, signed by your security team.
________________________________
UNIX because I majored in cryptology...
George Spencer_4
Frequent Advisor

Re: FTP User...

The answer depends to some extent on your situation. You could force a password change, or even change the password for this account. The user will then come back to you, giving you a chance to steer them in the right direction.

If the user really does require a weak password, then consider implementing the use of /etc/ftpd/ftpaccess and /etc/ftpd/ftphosts files by changing to ftpd -a in your inetd.conf. With the ftphosts file you could then restrict the login to a particular host. There are some example files mentioned in the manuals, and I have found these to be quite helpful.
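
The host restriction described in the reply above, as an added example that is not part of the thread: a shell check that the ftp line in inetd.conf starts ftpd with -a and that the account has a host-limiting allow rule in ftphosts. The file contents, the /usr/lbin/ftpd path, the accounts ftpbatch and ftpopen, and the address are constructed samples; the `allow <username> <addrglob>` rule form is the wu-ftpd style ftphosts syntax, assumed here.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# Succeeds if the active ftp line in an inetd.conf starts ftpd with -a,
# the option that turns on /etc/ftpd/ftpaccess processing.
# Assumes -a is given as its own argument, as in the reply above.
ftpd_uses_ftpaccess() {
    awk '$1 == "ftp" { for (i = 7; i <= NF; i++) if ($i == "-a") ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Succeeds only if USER has at least one "allow USER addrglob ..." rule in
# the ftphosts file and no rule uses a bare "*" (any host).
user_is_restricted() {
    awk -v u="$2" '
        $1 == "allow" && $2 == u {
            rules++
            for (i = 3; i <= NF; i++) if ($i == "*") wide = 1
        }
        END { exit ((rules > 0 && !wide) ? 0 : 1) }' "$1"
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a
EOF
    cat > "$1/ftphosts" <<'EOF'
# allow <username> <addrglob> [<addrglob> ...]
allow ftpbatch 192.0.2.10
allow ftpopen *
EOF
}

audit() {   # audit DIR USER -> prints one status line
    if ftpd_uses_ftpaccess "$1/inetd.conf" && user_is_restricted "$1/ftphosts" "$2"
    then echo "$2: OK, login limited to listed hosts"
    else echo "$2: NOT restricted by ftphosts"
    fi
}

dir=$(mktemp -d) && make_samples "$dir"
audit "$dir" ftpbatch      # has a single-host allow rule
audit "$dir" ftpopen       # allow rule matches every host
audit "$dir" nobodyhere    # no allow rule at all
rm -rf "$dir"
```

An account with no allow rule is reported as not restricted, which is the case an audit of a weak-password FTP account needs to catch.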
Suraj K Sankari
Honored Contributor

Re: FTP User...

Hi,
>>:FTP User account,,,: This user's password is not checked by the system password strength program

Is your server a trusted system?
If not, then convert it into a trusted system.

Suraj