Securing Anonymous FTP on PureFTPD

Discussion in 'General Discussion' started by asterisk, Apr 7, 2006.

  1. asterisk

    Hi,

    Currently only 'Allow anonymous access to <ftp path>' is enabled under cPanel's FTP Manager.

    Also, the public_ftp directory is owned by the cPanel account owner and belongs to the nobody group, with all recursive directories having permissions 755 at most and files underneath with permissions 644.

    This public_ftp directory is also viewable via http.

    Write access is not needed and so it's not enabled via cPanel.

    I would really be grateful for any securing tips or heads up please.

    PS I have heard quite a few worries expressed about Anonymous FTP but am a little reassured that PureFTPD is a little bit more secure.
     
  2. chirpy

    Do you actually need it? If not, I'd suggest simply disabling it in WHM. As you say, anonymous FTP has a history of insecurity for the simple reason that you're authenticating and allowing write access to the server for anyone, which makes any vulnerabilities immediately exploitable remotely.
     
  3. asterisk

    Unfortunately, yes, I need to provide it as a service.

    The good thing is I don't need to enable write access for Anonymous FTP, so all files and folders do not have write permissions for group or others.

    I was wondering if this will be relatively safe.
     
  4. sparek-3

    If all you are going to do is allow downloading, then you may want to consider placing those files in a web-accessible area of your website and then directing users to that area. You can turn off Indexes to allow a file listing of files in that directory.

    For example, you could upload files into:

    /home/user/public_html/files

    Then direct users to point their web browser to:

    http://domain.com/files

    You may need to edit and/or place an .htaccess file in the /home/user/public_html/files directory with:

    Options -Indexes

    so that users will see a file listing.

    Further, if you only want specific users to see these files, you can enable directory protection on that directory through the control panel and either create multiple username and password combinations or create a single username and password and release that information only to users who you want to access this area.
     
  5. asterisk

    Thanks for the idea. I have both HTTP and FTP enabled for files to be pulled off the server as part of requirements.

    I am looking to secure Anonymous FTP as much as possible and would appreciate any countermeasures taken to avoid any hanky panky done by anonymous FTP users while utilising the service. :)
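
The read-only layout described in the thread (directories at most 755, files 644, nothing writable by group or others, everything owned by the account owner) can be checked mechanically. The script below is an added example, not part of any post; the function names, the constructed sample tree and the symlink check are assumptions of the example, and it assumes a Linux host with `find` and `readlink -f`.

```shell
#!/bin/bash
# Added example, not from the thread. Audits a read-only anonymous FTP tree
# against the layout described above: nothing group/world-writable, files
# without execute bits (644), everything owned by the account owner.
# The symlink check is an extra assumption of this example.

audit_public_ftp() {
    local root="$1" owner="$2" real_root findings
    real_root=$(cd "$root" 2>/dev/null && pwd -P) ||
        { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Anything group- or world-writable (symlink mode bits are meaningless).
        find "$real_root" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} +
        # Regular files with any execute bit, i.e. looser than 644.
        find "$real_root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec printf 'EXECUTABLE %s\n' {} +
        # Entries not owned by the expected account (name or numeric uid).
        find "$real_root" ! -user "$owner" -exec printf 'WRONG_OWNER %s\n' {} +
        # Symlinks that resolve outside the tree.
        find "$real_root" -type l | while IFS= read -r link; do
            target=$(readlink -f -- "$link" 2>/dev/null)
            case "$target" in
                "$real_root"|"$real_root"/*) ;;
                *) printf 'SYMLINK_ESCAPE %s -> %s\n' "$link" "${target:-<unresolved>}" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with three deliberate problems, for demonstration.
make_sample_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pub/incoming"
    echo data > "$d/pub/readme.txt"; chmod 644 "$d/pub/readme.txt"
    echo data > "$d/pub/tool.sh";    chmod 755 "$d/pub/tool.sh"
    chmod 755 "$d" "$d/pub";         chmod 777 "$d/pub/incoming"
    ln -s /etc "$d/pub/etc-link"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
audit_public_ftp "$sample" "$(id -u)" || true   # prints the three findings
rm -rf "$sample"
```

The function returns 0 when the tree is clean, 1 when it printed findings and 2 when the path is not a directory, so it can run from cron against a real `public_ftp` path and alert on a non-zero exit.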
     