Securing Anonymous FTP on PureFTPD

asterisk

Hi,

Currently only 'Allow anonymous access to <ftp path>' is enabled under cPanel's FTP Manager.

Also, the public_ftp directory is owned by the cPanel account owner and belongs to the nobody group, with all recursive directories having permissions 755 at most and files underneath with permissions 644.

This public_ftp directory is also viewable via http.

Write access is not needed and so it's not enabled via cPanel.

I would really be grateful for any securing tips or heads up please.

PS I have heard quite a few worries expressed about Anonymous FTP but am a little reassured that PureFTPD is a little bit more secure.
 

chirpy

Do you actually need it? If not, I'd suggest simply disabling it in WHM. As you say, anonymous FTP has a history of insecurity for the simple reason that you're authenticating and allowing write access to the server for anyone, which makes any vulnerabilities immediately exploitable remotely.
 

asterisk

Unfortunately yes, I need to provide it as a service.

The good thing is I don't need to enable write access for Anonymous FTP, so all files and folders do not have write permissions for group or others.

I was wondering if this will be relatively safe.
 

sparek-3

If all you are going to do is allow downloading, then you may want to consider placing those files in a web-accessible area of your website and then directing users to that area. You can turn off Indexes to allow a file listing of files in that directory.

For example, you could upload files into:

/home/user/public_html/files

Then direct users to point their web browser to:

http://domain.com/files

You may need to edit and/or place an .htaccess file in the /home/user/public_html/files directory with:

Options -Indexes

so that users will see a file listing.

Further, if you only want specific users to see these files, you can enable directory protection on that directory through the control panel and either create multiple username and password combinations or create a single username and password and release that information only to users who you want to access this area.
 

asterisk

Thanks for the idea. I have both HTTP and FTP enabled for files to be pulled off the server as part of requirements.

I am looking to secure Anonymous FTP as much as possible and would appreciate any countermeasures taken to avoid any hanky panky done by anonymous FTP users while utilising the service. :)
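
The layout described in the first post (tree owned by the account owner, directories at most 755, files 644, nothing writable by group or others) can be checked mechanically. The script below is an added example, not part of the original thread or of cPanel/PureFTPD; the function name, the finding labels and the /home/user/public_ftp path in the usage comment are assumptions, and the symlink check is an extra caveat because the tree is also served over HTTP.

```shell
#!/bin/sh
# Added example: audit a download-only anonymous FTP tree.
# Usage (path and owner are assumptions): sh audit.sh /home/user/public_ftp user
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 on bad input.
audit_public_ftp() {
    root=$1
    owner=$2
    if [ ! -d "$root" ]; then
        echo "NOT_A_DIRECTORY $root"
        return 2
    fi
    findings=$(
        {
            # Group- or world-writable entries: anyone other than the owner
            # could alter what anonymous users download.
            find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print |
                sed 's/^/WRITABLE /'
            # Regular files should be 644, so any execute bit is unexpected.
            find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
                sed 's/^/EXECUTABLE_FILE /'
            # setuid/setgid bits have no use in a download area.
            find "$root" \( -perm -4000 -o -perm -2000 \) -print |
                sed 's/^/SETID /'
            # Everything should belong to the cPanel account owner.
            find "$root" ! -user "$owner" -print |
                sed 's/^/WRONG_OWNER /'
            # A symlink may point outside the tree; review each one by hand.
            find "$root" -type l -print |
                sed 's/^/SYMLINK /'
        } | sort
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a directory and an owner are given on the command line.
if [ "$#" -ge 2 ]; then
    audit_public_ftp "$1" "$2"
fi
```

Running it from cron and alerting on a non-zero exit status catches permission drift after uploads by the account owner.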