Information from an FTP violation this weekend
Adam Rothschild
asr at latency.net
Wed Apr 25 22:42:44 UTC 2001
On Wed, Apr 25, 2001 at 02:17:52PM -0700, Roger Marquis wrote:
> I think the point was (inadvertently made) that this site
> (209.123.52.40, NAC-NETBLK02, nac.net, running NEPTUNE Microsoft
> FTP) has a security problem.
Yeah, I'd say:
% telnet 209.123.52.40 21
[...]
220 NEPTUNE Microsoft FTP Service (Version 5.0).
Looks like the compromised (?) machine belongs to a NAC customer; have
you tried contacting this customer offline?
> It is not standard practice to have listable AND writable directories
> on anonymous ftp servers.
I'm not sure what standard practice dictates, but I'd hope the norm
isn't to run FTP at all for such things.
> If customers need to upload files they should also have individual
> directories under an unreadable directory tree i.e.,
>
> /upload/a9-ns/custX
> /upload/0igm19/custY
> ...
Why not have them ssh/scp over the data, possibly using a sufficiently
tight configuration that only allows a given RSA/DSA key to execute
what's absolutely necessary, or something? Or for the severely
stubborn and clue-impaired, use a https-based web upload tool?
Need I mention why clear text file transfers of sensitive data are bad?
:-)
-adam
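The two mitigations raised above, Roger's per-customer drop directories under a tree nobody can list and Adam's ssh key pinned to a single command, as an added example that is not part of the original thread. It is a POSIX sh script written for this page, not anything from nac.net or the posters: the root directory, token, customer names and public key string are constructed, and the `/usr/local/bin/receive-upload` handler named in the forced command is a hypothetical program that would accept the upload for one customer. Permission bits are read back from `ls -ld` rather than `stat` so the check runs the same on GNU and BSD userland.

```shell
#!/bin/sh
# Added example (not from the original thread): build an anonymous-upload tree
# whose parent cannot be listed, verify the mode bits, and emit an OpenSSH
# authorized_keys line that restricts one key to one upload handler.
set -eu

# perm_string PATH -> the 10-character mode field from `ls -ld`, e.g. drwx--x--x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# make_upload_tree ROOT TOKEN CUST
#   ROOT/upload            0711  traversable, not listable
#   ROOT/upload/TOKEN      0711  unguessable component, not listable
#   ROOT/upload/TOKEN/CUST 0733  writable and traversable, not listable
# TOKEN stands in for the random path element ("a9-ns" in the thread); a
# real deployment would draw it from /dev/urandom, not from a fixed string.
make_upload_tree() {
    root=$1; token=$2; cust=$3
    mkdir -p "$root/upload/$token/$cust"
    chmod 0711 "$root/upload" "$root/upload/$token"
    chmod 0733 "$root/upload/$token/$cust"
}

# check_not_listable DIR -> 0 when "other" has no read bit (position 8)
check_not_listable() {
    [ "$(perm_string "$1" | cut -c8)" = "-" ]
}

# check_dropbox DIR -> 0 when others may write (position 9) but not list
check_dropbox() {
    p=$(perm_string "$1")
    [ "$(printf '%s' "$p" | cut -c1)" = "d" ] &&
    [ "$(printf '%s' "$p" | cut -c8)" = "-" ] &&
    [ "$(printf '%s' "$p" | cut -c9)" = "w" ]
}

# forced_key_line CUST PUBKEY -> authorized_keys entry that lets this key run
# only the upload handler for CUST, with forwarding and pty allocation off.
# /usr/local/bin/receive-upload is a hypothetical handler, not a real program.
forced_key_line() {
    printf 'command="/usr/local/bin/receive-upload %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Demo run on a throwaway directory with constructed names.
demo_root=$(mktemp -d)
make_upload_tree "$demo_root" a9-ns custX
make_upload_tree "$demo_root" 0igm19 custY
echo "upload tree:   $(perm_string "$demo_root/upload")"
echo "custX dropbox: $(perm_string "$demo_root/upload/a9-ns/custX")"
forced_key_line custX "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedkey== custX@example.invalid"
rm -rf "$demo_root"
```

The `command=` option is what makes the key useless for an interactive shell: sshd ignores whatever command the client asked for and runs the handler instead, and the `no-*` options close the side channels (port forwarding, X11, agent, pty) that would otherwise still be reachable. Recent OpenSSH releases fold those four `no-*` options into a single `restrict` keyword; the long form above is what was available in 2001 and still works today.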