Post by shinger on Feb 22, 2009 18:30:38 GMT 7
After I configured my FTP server, a friend of mine was checking for security weaknesses on his computer; he also scanned my NAS and tried to get in. Later he warned me about an FTP login using user (nobody) and password (xampp). He said he could get into my FTP server using those. I tried it myself and I could also get in.
My questions are:
1. How can I disable that user, and are there any more security weaknesses in the FTP server? (I also use PureFTPD; does that also have security issues?)
2. I also have a test Apache web server running with MySQL. Are there any default logins or holes?
3. If I forgot or didn't know anything else, could you guys add that so I would know about it, and also give me the solution to the problems?
Post by valshare on Feb 22, 2009 20:59:25 GMT 7
Hi,
you are right! I can get in with this user/password, too!
Changing the password for this user didn't help.
ALL PASSWORDS FOR THIS USER ARE ACCEPTED!
The user nobody can log in, but can't access any directory.
I have set the user home directory to dev/null; that helped!
But I think this is a security leak.
Regards, Valle
Post by shinger on Feb 22, 2009 22:48:30 GMT 7
> Hi, you are right! I can get in with this user/password, too! Changing the password for this user didn't help. ALL PASSWORDS FOR THIS USER ARE ACCEPTED! The user nobody can log in, but can't access any directory. I have set the user home directory to dev/null; that helped! But I think this is a security leak. Regards, Valle

I've also redirected the user to a directory that he could get, so it's all blank if anybody uses it. But still, this user must be disabled.
Post by valshare on Feb 22, 2009 23:33:25 GMT 7
> > Hi, you are right! I can get in with this user/password, too! Changing the password for this user didn't help. ALL PASSWORDS FOR THIS USER ARE ACCEPTED! The user nobody can log in, but can't access any directory. I have set the user home directory to dev/null; that helped! But I think this is a security leak. Regards, Valle
>
> I've also redirected the user to a directory that he could get, so it's all blank if anybody uses it. But still, this user must be disabled.

If you redirect it to /dev/null, he can't log in.
Post by peterfu on Feb 23, 2009 0:05:55 GMT 7
Post by shinger on Feb 23, 2009 2:55:13 GMT 7
I've installed the newest version, and the bug is fixed. Thanks Peter.
shinger
Post by valshare on Feb 23, 2009 3:40:26 GMT 7
Hi,
thanx from me, too ;D
Post by jacky001 on Jun 8, 2011 14:04:07 GMT 7
Servers can take several measures to protect against PASV theft:
* "PASV IP protection": Drop the data connection if its IP address does not match the client's IP address. I recommend that all servers do this. However, this does not always stop the attack: the attacker and the client may be using the same multiuser host, or the same multiuser proxy.
* "PASV SYN protection": Arrange to have the operating system reject all SYNs past the first. This stops the attack: the client will not send a transfer request after its connection attempt is rejected. However, most operating systems do not support this feature. (Closing a socket as soon as accept() succeeds is inadequate: the operating system may already have accepted another connection in the background.)
* "PASV ACK protection": Drop the data connection if, at the time of the transfer request, there are two accepted connections on the data connection port. This does not always stop the attack: the client's data connection ACK may be lost or delayed, for example.
Most servers do not have any of these protections, so I recommend that clients avoid all use of FTP to store information or to retrieve private information.
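The IP and ACK protections from the post above, written out as server-side checks. This is an added example for this thread, not code from jacky001's post, from XAMPP, FileZilla Server or PureFTPD; the function names are mine and the sample addresses are constructed (documentation ranges). The loopback demo opens a throwaway passive port and connects to it twice from the same host before the server calls accept(), which is exactly the "same multiuser host" case where the IP check alone passes and only the ACK check catches the second connection. It also normalizes IPv4-mapped IPv6 peers (::ffff:a.b.c.d), which a dual-stack listener reports and which would otherwise never compare equal to the IPv4 control peer.

```python
"""Added example: server-side PASV data-connection checks from the post above.
Illustration code written for this thread, not code from any FTP server
mentioned here. Function names and the sample addresses are constructed."""
import ipaddress
import socket


def normalize_ip(addr):
    """Parse a textual address; map an IPv4-mapped IPv6 peer (::ffff:a.b.c.d)
    back to a.b.c.d so a dual-stack listener compares it correctly with the
    IPv4 control-connection peer."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def pasv_ip_protection(control_peer, data_peer):
    """'PASV IP protection': the data connection must come from the same
    address as the control connection that issued PASV."""
    return normalize_ip(control_peer) == normalize_ip(data_peer)


def pasv_ack_protection(accepted_peers):
    """'PASV ACK protection': at the time of the transfer request exactly one
    connection may have been accepted on the passive port. Zero means the
    client's connection has not arrived (or was lost); two or more means
    somebody else connected as well."""
    return len(accepted_peers) == 1


def transfer_allowed(control_peer, accepted_peers):
    """Combine both checks; True only if the transfer may proceed. The caller
    should close the passive port and reject the transfer otherwise."""
    if not pasv_ack_protection(accepted_peers):
        return False
    return pasv_ip_protection(control_peer, accepted_peers[0])


def demo_same_host_race(host="127.0.0.1", connections=2):
    """Open a throwaway passive port on loopback and connect to it `connections`
    times before the server accepts, imitating a second client on the same
    multiuser host. Returns the list of accepted peer addresses."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # port 0: let the OS pick an ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    listener.settimeout(5)
    clients = [socket.create_connection((host, port)) for _ in range(connections)]
    accepted = []
    try:
        for _ in range(connections):
            conn, peer = listener.accept()
            accepted.append(peer[0])
            conn.close()
    finally:
        for c in clients:
            c.close()
        listener.close()
    return accepted


if __name__ == "__main__":
    peers = demo_same_host_race()
    print("accepted peers:", peers)
    # Both connections come from 127.0.0.1, so the IP check alone passes;
    # the ACK check rejects because two connections were accepted.
    print("IP check:", pasv_ip_protection("127.0.0.1", peers[0]))
    print("transfer allowed:", transfer_allowed("127.0.0.1", peers))
```

The ACK check is evaluated when the transfer command (RETR/STOR/LIST) arrives, not when PASV is answered, which is why the accepted-connection list is passed in at that moment; a real server would also close the passive listener immediately after the transfer is decided so no further connections can queue on it.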
Post by minol on Aug 8, 2011 14:08:31 GMT 7
File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and utilizes separate control and data connections between the client and server. FTP users may authenticate themselves using a clear-text sign-in protocol but can connect anonymously if the server is configured to allow it. The first FTP client applications were interactive command-line tools, implementing standard commands and syntax. Graphical user interface clients have since been developed for many of the popular desktop operating systems in use today.