1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Help How to secure ftp + Exploits

Discussion in 'Security' started by Mor, Mar 16, 2011.

  1. Mor

    Mor New Member

    Joined:
    Feb 1, 2011
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    hey how do i secure ftp + Exploits
    of no one can hack my root and get Information of my client from in ftp

    c99 and all how i can secure that?
     
  2. JeffP.

    JeffP. Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    4
    Trophy Points:
    18
    For FTP, I would recommend the following:

    1. Log into WHM as root
    2. Click "FTP Server Configuration"
    3. The first option is labeled "TLS Encryption Support". In the dropdown menu there is an option that says "Required (Command/Data)"

    That will prevent usernames and passwords being sent over the Internet in plain text when users log into FTP.

    Additionally, avoid using insecure FTP applications like FileZilla that store your FTP usernames and passwords in plain text on your computer, and warn your users of the same.

    In regards to security in general, keep in mind that less code means less surface area to attack. So, be very careful about installing 3rd party applications on your machine, regardless of their intended purpose.
     
  3. dalem

    dalem Active Member

    Joined:
    Oct 24, 2003
    Messages:
    2,231
    Likes Received:
    4
    Trophy Points:
    38
    Location:
    SLC
    Install mod security with a good rule set
    keep 3 party scripts up2date
     
  4. Mor

    Mor New Member

    Joined:
    Feb 1, 2011
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    ok tnx ara u
     
  5. SoftDux

    SoftDux Member

    Joined:
    May 27, 2006
    Messages:
    986
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    What other free FTP clients would you actually recommend?
     
  6. padani

    padani Member

    Joined:
    Apr 7, 2007
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    AUSTRALIA
    Hi,

    Better go with sftp.
     
  7. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,621
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    It wouldn't be better to use sFTP over TLS with data and command being forced. sFTP allows users access to view / portions of the system outside their /home directory due to how it works. TLS is as secure if not more than sFTP without the inherent security issues and weaknesses that sFTP includes.
     
  8. ilihost

    ilihost New Member

    Joined:
    Jul 28, 2007
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    We use /http://www.pyxsoft.com. It scans all FTP uploads in realtime, blocking all known malware (c99,r57 and so on ).
    Also it scans all HTTP uploads blocking known and unknown scripts (perl scripts and PHP scritps)

    We are using it in our network and it have blocked hundreds of attacks.
     
  9. pnueda

    pnueda New Member

    Joined:
    Nov 12, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I arrived to a solution suitable for servers with cpanel.

    Background:
    1. When the user logs in via SFTP the authentication runs against their /home/username allowing them to have a ~/.ssh/authorized_keys file.
    2. Once authenticated they are chrooted to /chroot/username.
    3. Then the internal-sftp service is launched delivering a shell to in their home directory /home/username within the chroot.
    Their home directory will look the same to them with or without the chroot. The only difference is that if they cd out of their home directory they will see a filesystem that contains nothing else.

    It requires openssh >=4.8, which is not available in standard repositories with centos 5 + cpanel, since it takes advantage of ChrootDirectory directive.
    Centos 6 + cpanel servers run an updated version of openssh (>=5.3) so this is perfectly suitable for them.

    Solution tested on a Centos 6 server.

    1. Common steps for all accounts (just once)

    In /etc/ssh/sshd_config change to:
    # Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp

    Then append a new section:

    Match Group sftponly
    ChrootDirectory /chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

    2. Script to run once per account.

    usermod -G sftponly username
    mkdir -p /chroot/username/home/username
    chown -R root.sftponly /chroot/username
    chmod -R 750 /chroot/username

    #cosmetic section (displays user-friendly owner and group names in sftp client session)
    mkdir /chroot/username/etc
    chgrp sftponly /chroot/username/etc
    chmod 710 /chroot/username/etc
    getent passwd username > /chroot/username/etc/passwd
    echo "root:x:0:0:falso root:::" >> /chroot/username/etc/passwd
    chmod 644 /chroot/username/etc/passwd
    getent group sftponly > /chroot/username/etc/group
    getent group username >> /chroot/username/etc/group
    chmod 644 /chroot/username/etc/group
    #end cosmetic section

    echo "/home/username/public_html /chroot/username/home/username bind defaults,bind 0 0" >> /etc/fstab
    mount /chroot/username/home/username

    To-do: encapsulate in a bash shellscript with parameter <username>

    Hope you find it interesting.
     
    #9 pnueda, May 2, 2013
    Last edited: May 2, 2013

Share This Page