[Question] Access to my FTP files without username?

colb

Newbie

Posts: 1

Joined: Mon Sep 05, 2011 11:52 am

Post Mon Sep 05, 2011 12:04 pm

[Question] Access to my FTP files without username?

This is just a general question, I'm not asking for a "How To" guide or anything like that. I run a website and I have been known to host files on the FTP for a very small group of people. In the near future, I'll be uploading some files that I want to restrict the access to (only legitimate users can access).

So my question is, if I disable anonymous users, is it possible for someone to download the file through my FTP without a username and password? If so, I will hold off on uploading until I find something more secure. If brute force is the only way they can access it, I may take my chances.

Again, I'm not looking for answers such as "Yes you could do it by ____ and ____." It's basically a yes or no question.

TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Mon Sep 05, 2011 2:05 pm

Re: [Question] Access to my FTP files without username?

Have a look at SFTP; you need to set up SSH though.

Or look at TFTP
Last edited by TheXero on Mon Sep 05, 2011 2:29 pm, edited 1 time in total.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Sep 05, 2011 5:17 pm

Re: [Question] Access to my FTP files without username?

Also, make sure the FTP server you use doesn't have any known exploits. Search exploit-db.com, securityfocus.com, packetstorm.com and Google.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Sep 05, 2011 5:37 pm

Re: [Question] Access to my FTP files without username?

I'd go with SFTP over SSH as TheXero said. You can use "keys" instead of passwords then, but you have to set up users of course. Without any authentication controls of who people are, how do you expect people to be authenticated to download and upload files?  :)

You can either
A: Try to keep it secret without any authentication (bad, unless you only use it for files and check daily if anyone outside the group is using the ftp server.)
B: Use a secure method using e.g., keys instead of passwords.

Option B is probably your best shot  ;)
I'm an InterN0T'er

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Sep 05, 2011 11:20 pm

Re: [Question] Access to my FTP files without username?

Or to have real fun, look up how to do FTP + two-factor authentication. Of course I'd prefer seeing more people using either SFTP (SSH based) or FTPS (SSL based).

Mainly running ftp without some form of security is going to leak the usernames and passwords all over the net.
OSWP, Sec+

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Sep 06, 2011 9:52 am

Re: [Question] Access to my FTP files without username?

Definitely another vote for SFTP, too many problems with FTP, and like they all said you can use keys with SFTP. I currently do this with my AWS instance for both remote management and SFTP.

It also depends on the folks who will be accessing your FTP site. If they are not technologically savvy, you may want to stick with the traditional username/password. If they have a support person in place you can work with them to set up SFTP with keys.
Certs: GCWN
(@)Dewser

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Sep 06, 2011 12:34 pm

Re: [Question] Access to my FTP files without username?

3xban wrote: If they are not technologically savvy, you may want to stick with the traditional username/password. If they have a support person in place you can work with them to set up SFTP with keys.

I'd recommend that instead of just setting them up with a user and password, because they may not be technologically savvy, that he should create an installer / script that sets everything up for them  :)

It wouldn't take that long, but using unique keys could be a bit problematic to automate (if there's many users), though not impossible (but if you do, make damn sure you do it in a secure way hehe  ;D )

Do NOT forget to disable usage of the SSH shell / terminal (except SFTP) functionality in case you go with this, because if a user is compromised, these credentials could be used to log into an interactive terminal, where remote code execution on the server would be possible.

If they do need (SSH) terminal access, I suggest they of course run with least privileges possible and are not able to sudo unless there is a good reason. Perhaps even jail the users to their own directory without the possibility of symlinking out of there  :)

Just a few pieces of good advice you could perhaps use; it's up to you in the end of course  ;)
I'm an InterN0T'er
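An added configuration example (not from any poster in this thread) implementing the setup MaXe describes above: SFTP only, no interactive shell, users jailed to their own directory, keys instead of passwords. The group name sftponly and the /srv/sftp path are assumptions, and the audit function is only a coarse presence check over a config text, not a full sshd_config parser.

```shell
#!/bin/sh
# Added example, not from the thread. Implements MaXe's advice: SFTP only,
# no interactive shell, users jailed to their own directory, keys instead of
# passwords. Group name "sftponly" and the /srv/sftp path are assumptions.

# sshd_config fragment for the SFTP-only group. Caveat: sshd refuses the
# chroot unless every component of ChrootDirectory is root-owned and not
# group/world writable, so give each user a writable subdirectory inside it.
SFTP_ONLY_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no'

# Constructed weak variant: the shell is blocked, but users are not jailed
# and may still log in with passwords.
WEAK_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp'

# audit_sftp_config CONFIG_TEXT: report each hardening directive that is
# absent (to stderr) and return the number missing (0 = all present).
# Coarse text check only; it does not evaluate Match block scoping.
audit_sftp_config() {
    _cfg=$1
    _missing=0
    for _want in 'ForceCommand internal-sftp' 'ChrootDirectory' \
                 'PasswordAuthentication no' 'AllowTcpForwarding no' \
                 'X11Forwarding no' 'PermitTunnel no'; do
        if ! printf '%s\n' "$_cfg" | grep -Eiq "^[[:space:]]*$_want"; then
            echo "missing: $_want" >&2
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

audit_sftp_config "$SFTP_ONLY_CONFIG" && echo "hardened config: ok"
audit_sftp_config "$WEAK_CONFIG" || echo "weak config: $? directive(s) missing"
```

After adding users to the sftponly group, run `sshd -t` to validate the file before reloading the daemon.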
