Serious security hole in my VPS (FTP) How do I fix this problem?
Posted by Mac Write, 07-07-2007, 02:41 AM
After reading an article on command line FTP, I FTP'd to my VPS and was shocked at how much access someone without logging in (and Anonymous FTP is off) has. I am running cPanel Release on CentOS 4 and Virtuozzo 3. How can I improve server security without giving any SSH access? I was all ready to use WebDav over SSL but then it doesn't allow you to change permissions. Security is my #1 priority. My friend who I host says his clients like FTP and FTP is a standard service.
Would FTP with SSL be more secure, or still pose the same problems with sniffers and people connecting and being able to do something? Can I force FTP over SSL while not having cPanel over-ride my settings with an update?
What can I do to solve this major security hole? Next on my list is forcing POPs and IMAPs, authentication for SMTP and even SSL SMTP. Then only SMTP incoming 25 and HTTP port 80 would be non-secure, but everything else mostly secure.
Thanks.
Posted by foobic, 07-07-2007, 04:13 AM
Exactly what access do they have? With anonymous login disabled visitors should see nothing without a valid login.
Posted by Linuxsurgeon, 07-07-2007, 11:22 AM
Which FTP service are you using on the server? ProFTPD or Pure-FTPd?
Posted by Mac Write, 07-07-2007, 02:10 PM
PureFTP. For someone to get a command prompt on my FTP server without logging in is all that a hacker skilled enough needs.
Posted by Linuxsurgeon, 07-07-2007, 02:37 PM
In /etc/pureftpd.conf change the values as below.
And then restart your FTP service.
Posted by Mac Write, 07-07-2007, 03:30 PM
What will those settings change? My friend says that his clients want FTP (uh, did he ask them?) and is saying I am looking for excuses to get rid of FTP. I put security before convenience. He says any other host offers FTP. Everyone else on my private server prefers security.
Posted by Linuxsurgeon, 07-08-2007, 02:41 AM
Ok, let me explain the options first.
ChrootEveryone - Cage every user in his home directory
AnonymousOnly - Don't allow authenticated users - have a public anonymous FTP only
NoAnonymous - Disallow anonymous connections. Only allow authenticated users
You can check the file /etc/pureftpd.conf for more options and everything explained in the file itself.
Almost all hosts offer FTP and I don't think it affects security if properly configured.
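An added example (not code from the thread or from the pure-ftpd project): a small POSIX sh audit of the three directives just explained, plus pure-ftpd's `TLS` directive (`2` refuses cleartext logins), which bears on the earlier question about forcing FTP over SSL. Both config files it reads are constructed samples; on a real box you would point `pureftpd_audit` at /etc/pureftpd.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Directive names are real pure-ftpd
# options; both config files below are constructed for the demo.

# Print a directive's effective value ("unset" if absent). Like pure-ftpd,
# match the name case-insensitively, skip '#' comments, last value wins.
pureftpd_get() {  # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { val = $2 }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Return 0 only when every directive is explicitly set to the hardened value
# discussed in the thread (ChrootEveryone yes, NoAnonymous yes,
# AnonymousOnly no) and cleartext logins are refused (TLS 2).
pureftpd_audit() {  # $1 = config file
    rc=0
    for pair in ChrootEveryone:yes NoAnonymous:yes AnonymousOnly:no TLS:2; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(pureftpd_get "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "FAIL  $key = $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: a permissive config and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# pureftpd.conf (constructed sample, permissive)
ChrootEveryone      no
NoAnonymous         no
# TLS               1
EOF
cat > "$HARD" <<'EOF'
ChrootEveryone      yes
NoAnonymous         yes
AnonymousOnly       no
TLS                 2
EOF

echo "== permissive sample"; pureftpd_audit "$WEAK" || echo "=> needs fixing"
echo "== hardened sample";   pureftpd_audit "$HARD" && echo "=> passes"
```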
Posted by kerplunk, 07-08-2007, 04:30 AM
I would suggest disabling FTP altogether and using SFTP to login. (SFTP is already installed with SSH and it is more secure than FTP.)
Posted by Mac Write, 07-08-2007, 10:29 AM
Oh boy do I want to use SFTP, but
1. it gives SSH access (a no no)
2. since I run SSH on a different port to protect against scanning, that opens that up.
My friend's clients aren't very techy. Now how can I run scp on a different port away from SSH, and my problems would be solved (without breaking cPanel and being able to give all new cPanel users access to it).
Posted by foobic, 07-08-2007, 07:07 PM
Sounds like you want to give users the scponly shell. You would have to tell them which port ssh is running on but that's hardly top secret (anyone can find it with a port-scan).
But this is my thought: You're hosting a reseller who can create client accounts. Each client can freely upload insecure or malicious scripts (php/perl/bash shell/python...) and run them on your server. But you're worried because anyone can connect to your ftp server and see a login prompt... I agree with the importance of security but your priorities seem a bit strange.
Posted by Mac Write, 07-08-2007, 11:04 PM
It's my friend who hosts a couple of clients with basic, basic sites. I only do Friends and Family Hosting. At the time I was switching from him running a Co-lo server. So he had to host about 5 clients.
I am settling on the idea of RSSH. How do I install it so it is a shell I can select with WHM, and set as default for all new accounts? As for the port, it's a XX,XXX high number port; would a hacker scan all 65K ports per IP, unless you needed that exact server?
Posted by plumsauce, 07-09-2007, 02:59 AM
It's all automated. They don't care.
Now, if you have settled on ssh, I would recommend requiring authentication by password *and* certificate.
To stop reading all kinds of useless logs about failed login attempts, set the firewall rules to only allow traffic from your client ip ranges.
Posted by Mac Write, 07-09-2007, 01:12 PM
I don't read the logs. We are all on dynamic IPs and (now for example) I am away and still need access. I don't follow the cert requirement. You mean SSH keys, or an SSL cert?
Posted by plumsauce, 07-09-2007, 04:49 PM
SSH keys, which use a form of private SSL certs. Self generated, so there is no cost involved anyway.
Or, some cert companies will actually issue personal certs for free.