#1 mr.wonderful (joined Feb 2004)

SFTP/SSH really concerns me! Security!

I'm running WS_FTP 8.0.3. I configured it to connect to my own site using SFTP/SSH, and I was able to connect to my own site using this; however, I was really shocked when I clicked on the little green arrow at the top of my screen and moved out of my own webspace. Not only was I able to view the password file, but I was also able to see a whole bunch of directories that I think should not be available to anyone using SFTP/SSH.

I was even able to download a copy of the server's password file. The following directories were displayed when I moved out of my own virtual space:

    /bin
    /dev
    /etc
    /home/myhdomain
    /lib
    /proc
    /tmp
    /usr
    /var
    checkvirtfs

So this means all my users connecting via SFTP/SSH have been able to see all this? I realize they can see these directories even when jailed, but at least they cannot download files from the server.

The point being, my account is JAILED, yet I can see everything.
    Last edited by mr.wonderful; 06-14-2004 at 12:59 AM.

#2 chirpy, Super Moderator (forum account confirmed by cPanel staff to represent a vendor)

    Welcome to server security! That's all perfectly normal.

    If you couldn't read the passwd file you wouldn't be able to login. Bearing in mind, of course, that your passwords are not stored in the /etc/passwd file. They're in /etc/shadow which should be rw only to root.

One option available that helps a little with regard to viewing everyone's files in /home is to use /scripts/enablefileprotect.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

#3 rs-freddo (Root Administrator)

Don't use SSH with SFTP; I wrote a little how-to here and at the ev1 forums on how to use plain old SFTP. You can't leave your own directories doing it this way (it uses SSL rather than SSH). You don't need to give anybody shell access this way.
    Michael

#4 chirpy, Super Moderator

Originally posted by rs-freddo
You can't leave your own directories doing it this way
    Bearing in mind that this is just one layer of security. It is still trivial to browse to all readable directories and files on the server whether you have shell or jailshell enabled or not.

#5 rs-freddo (Root Administrator)

    Originally posted by chirpy
    Bearing in mind that this is just one layer of security. It is still trivial to browse to all readable directories and files on the server whether you have shell or jailshell enabled or not.
    Nothing to do with shell, jailshell or SSH. Just pure FTP under SSL.
    Michael

#6 chirpy, Super Moderator

Originally posted by rs-freddo
Nothing to do with shell, jailshell or SSH. Just pure FTP under SSL.
I didn't mean to imply that my comment was to do with shell access. Don't believe for one minute that you're secure using FTP over SSL; that would be a completely false sense of security. It is still trivial, as a user account holder, to list all the readable files on the server, including those of others hosting on the server.

The only advantage of FTP over SSL is that your username/password/data are not sent in plain text.

    As I said, such implementations are just one security layer which might slow someone down a little, but not much.
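The point chirpy makes in #2 and again in #6 is that a jailed SFTP user, or an FTP-over-SSL user, is just another uid on the box, so what it can list and download is decided by the "others" permission bits on each file, not by the transport or the jail. The following script is an added example, not code from the thread or from cPanel, that audits exactly that: it confirms /etc/passwd is world-readable while /etc/shadow is not, and lists every home directory under a given root that other accounts can read. It runs against a constructed throwaway tree (the account names alice and bob, the file contents and the 0755/0711 modes are all made up here; 0711 is what a home-protection step such as /scripts/enablefileprotect is assumed to leave behind), and can also be pointed at a real /etc and /home.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: audit what any local
# account (a jailed SFTP user, an FTP-over-SSL user, anyone with a uid) can see.
# Such a user is simply "others" to every file on the box, so the "others"
# permission bits decide what is browsable, not the transport or the jail.

# Print a path's permission bits in octal (GNU stat, with BSD stat as fallback).
perm_octal() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# others_have BIT PATH: succeed if the "others" digit has BIT set
# (4 = read/list, 1 = execute/traverse).
others_have() {
    o=$(perm_octal "$2")
    o=${o#"${o%?}"}            # keep only the last (others) digit
    [ $(( $o & $1 )) -ne 0 ]
}

# list_exposed_homes HOME_ROOT: print each home directory that others can
# read. Such a home is listable, and its world-readable files downloadable,
# by every other account on the server.
list_exposed_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if others_have 4 "$d"; then
            echo "$d"
        fi
    done
}

count_exposed_homes() {
    list_exposed_homes "$1" | wc -l | tr -d ' '
}

# check_passwd_shadow ETC_DIR: passwd must stay world-readable (logins and
# `ls -l` resolve uids through it); shadow must not be. Prints one PASS/FAIL
# line per file and succeeds only if both are right.
check_passwd_shadow() {
    rc=0
    if others_have 4 "$1/passwd"; then
        echo "PASS passwd is world-readable (required)"
    else
        echo "FAIL passwd is not world-readable"; rc=1
    fi
    if others_have 4 "$1/shadow"; then
        echo "FAIL shadow is world-readable (hashes exposed)"; rc=1
    else
        echo "PASS shadow is not world-readable"
    fi
    return $rc
}

# Build a constructed throwaway tree standing in for a hosting server with two
# accounts: alice's home is 0755 (the default the poster ran into), bob's is
# 0711 (what a home-protection step such as /scripts/enablefileprotect is
# assumed here to leave behind). Prints the tree's root. Names, contents and
# the hash are all made up for the demo.
build_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/home/alice/public_html" "$t/home/bob/public_html"
    printf 'alice:x:1001:1001::/home/alice:/bin/sh\n' > "$t/etc/passwd"
    printf 'alice:$6$not-a-real-hash:0:0:99999:7:::\n' > "$t/etc/shadow"
    chmod 644 "$t/etc/passwd"; chmod 600 "$t/etc/shadow"
    chmod 755 "$t/home/alice"; chmod 711 "$t/home/bob"
    echo "$t"
}

if [ "${1:-}" = "--demo" ]; then
    T=$(build_demo_tree)
    check_passwd_shadow "$T/etc" || true
    echo "homes listable by other accounts: $(count_exposed_homes "$T/home")"
    list_exposed_homes "$T/home"
    rm -rf "$T"
elif [ $# -eq 2 ]; then          # sh audit.sh /etc /home
    check_passwd_shadow "$1" || true
    list_exposed_homes "$2"
fi
```

Run with `--demo` for the constructed tree (alice's 0755 home is reported, bob's 0711 home is not), or as `sh audit.sh /etc /home` on a real server. A home that shows up here is listable by every other account regardless of whether they arrive over SFTP, FTP over SSL or a jailshell, which is the "one layer" point made above; note that the audit only looks at the top-level home mode, so a 0711 home still exposes any file beneath it whose full path is world-readable. Modern OpenSSH (later than this 2004 thread) can confine SFTP-only users with ChrootDirectory plus ForceCommand internal-sftp, but that does nothing for the same user's PHP, cron or shell access, so the permission bits remain the control that matters.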
