After I configured my FTP server, a friend of mine was checking for security weaknesses on his computer; he also scanned my NAS and tried to get in. Later he warned me about an FTP login using user (nobody) and password (xampp). He said he could get into my FTP server using those; I tried it myself and I also could get in.
My questions are:
1. How can I disable that user, and are there any more security weaknesses with the FTP server? (I also use PureFTPD; does that also have some security issues?)
2. I also have a test Apache web server running with MySQL; are there any default logins or holes?
3. If I forgot or didn't know anything else, could you guys add that to it so I would know about it, and also give me the solution to the problems?
Servers can take several measures to protect against PASV theft:
* "PASV IP protection": Drop the data connection if its IP address does not match the client's IP address. I recommend that all servers do this. However, this does not always stop the attack: the attacker and the client may be using the same multiuser host, or the same multiuser proxy.
* "PASV SYN protection": Arrange to have the operating system reject all SYNs past the first. This stops the attack: the client will not send a transfer request after its connection attempt is rejected. However, most operating systems do not support this feature. (Closing a socket as soon as accept() succeeds is inadequate: the operating system may already have accepted another connection in the background.)
* "PASV ACK protection": Drop the data connection if, at the time of the transfer request, there are two accepted connections on the data connection port. This does not always stop the attack: the client's data connection ACK may be lost or delayed, for example.
Most servers do not have any of these protections, so I recommend that clients avoid all use of FTP to store information or to retrieve private information.
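The following is an added example, not code from the original post or from any FTP server; it shows how a passive-mode data port can apply the first and third protections above ("PASV IP protection" and "PASV ACK protection") at the moment the transfer request arrives. The class name PassiveDataPort, the function choose_data_connection and the loopback scenario in demo() are all assumptions made for this example. The demo runs entirely on 127.0.0.1, so both the legitimate client and the "thief" share one IP address, which is exactly the multiuser-host case where IP protection alone fails and ACK protection still refuses the transfer.

```python
import select
import socket


def choose_data_connection(control_peer_ip, accepted_peers):
    """Decide which accepted data connection (if any) may carry the transfer.

    control_peer_ip: IP address of the client on the control connection.
    accepted_peers:  peer IP of every connection the OS has already accepted
                     on the passive data port when RETR/STOR arrives.

    Returns an index into accepted_peers, or None to refuse the transfer.
    """
    # PASV ACK protection: more than one accepted connection means somebody
    # besides the client holds one; refuse rather than guess which is which.
    if len(accepted_peers) != 1:
        return None
    # PASV IP protection: the single connection must come from the control peer.
    if accepted_peers[0] != control_peer_ip:
        return None
    return 0


class PassiveDataPort:
    """One passive-mode data port, opened by the server in reply to PASV (hypothetical helper)."""

    def __init__(self, control_peer_ip, bind_ip="127.0.0.1"):
        self.control_peer_ip = control_peer_ip
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((bind_ip, 0))  # port 0: the OS picks one, as for a 227 reply
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def _drain_accepted(self, first_wait=0.2, later_wait=0.05):
        # Accept everything the kernel has already completed on this port. A single
        # accept() would hide a second connection still sitting in the backlog.
        conns, wait = [], first_wait
        while True:
            readable, _, _ = select.select([self.listener], [], [], wait)
            if not readable:
                return conns
            conn, (peer_ip, _) = self.listener.accept()
            conns.append((conn, peer_ip))
            wait = later_wait

    def take_for_transfer(self):
        """Called when RETR/STOR arrives on the control connection.

        Returns the socket to use for the transfer, or None if the transfer must
        be refused. Every other accepted connection is closed either way.
        """
        conns = self._drain_accepted()
        chosen = choose_data_connection(self.control_peer_ip, [ip for _, ip in conns])
        for i, (conn, _) in enumerate(conns):
            if i != chosen:
                conn.close()
        self.listener.close()
        return None if chosen is None else conns[chosen][0]


def demo(theft):
    """Constructed loopback scenario: the client is 127.0.0.1. With theft=True a
    second party also connects to the data port before the transfer request, as
    in PASV theft. Returns True if the server went ahead with a transfer, False
    if it refused."""
    dport = PassiveDataPort("127.0.0.1")
    peers = []
    if theft:
        peers.append(socket.create_connection(("127.0.0.1", dport.port)))  # the thief
    peers.append(socket.create_connection(("127.0.0.1", dport.port)))      # the client
    data_sock = dport.take_for_transfer()
    for s in peers:
        s.close()
    if data_sock is None:
        return False
    data_sock.close()
    return True


if __name__ == "__main__":
    print("legitimate client only ->", "transfer" if demo(False) else "refused")
    print("thief connected as well ->", "transfer" if demo(True) else "refused")
```

The refusal is deliberately all-or-nothing: once two connections have been accepted there is no reliable way to tell the client's from the attacker's, so the server aborts and lets the client retry with a fresh PASV. As the passage notes, this still misses the case where the client's own handshake is delayed and only the attacker's connection has been accepted from the same address by the time the transfer request arrives.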
File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and uses separate control and data connections between the client and server. FTP users may authenticate themselves using a clear-text sign-in protocol, but can connect anonymously if the server is configured to allow it. The first FTP client applications were interactive command-line tools, implementing standard commands and syntax. Graphical user interface clients have since been developed for many of the popular desktop operating systems in use today.
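Because the data connection is separate from the control connection, in passive mode the client learns where to connect from the server's 227 reply. The following is an added example, not from the original page or from any FTP client library: a parser for that reply that refuses to follow it to any host other than the one the control connection already talks to, so a compromised or misconfigured server cannot point the client's data connection at a third party. The function name parse_pasv_reply and the 192.0.2.10 / 198.51.100.7 addresses in the usage are assumptions made for this example.

```python
import re

# Matches the host/port tuple in a 227 reply: (h1,h2,h3,h4,p1,p2)
_PASV_TUPLE = re.compile(
    r"\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)"
)


def parse_pasv_reply(reply, control_server_ip):
    """Return (ip, port) from a '227 Entering Passive Mode (...)' reply.

    Raises ValueError if the reply is malformed, names port 0, or advertises a
    host other than control_server_ip (the address the control connection was
    made to). The port is p1*256 + p2, as the 227 reply encodes it.
    """
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % reply)
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in: %r" % reply)
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    if ip != control_server_ip:
        raise ValueError("PASV reply points at %s but the control connection is to %s"
                         % (ip, control_server_ip))
    return ip, port


if __name__ == "__main__":
    # Constructed replies; the server's control address is assumed to be 192.0.2.10.
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)", "192.0.2.10"))
    try:
        parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80)", "192.0.2.10")
    except ValueError as e:
        print("refused:", e)
```

A client behind NAT may legitimately see a server advertise a private address it cannot reach; the usual remedy is to substitute the control connection's address for the advertised one rather than to follow it, which is what the check above enforces by rejecting anything else.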