[lug] Is anon ftp upload really bad?
peter-lists at hutnick.com
Wed Apr 24 15:31:34 MDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Wednesday 24 April 2002 02:26 pm, John Hernandez wrote:
> I'll concede that if you actively monitor and take the many necessary
> precautions, anonymous ftp upload can be made relatively safe. Adding
> a proper authentication layer can only make it safer, and as a bonus,
> it keeps the kiddies from wasting your time with love.exe.
> Perhaps the word "urge" in my previous message was too strong. It's
> more of a recommendation. Has anyone else played with the S/Key OTP
> stuff? In the days before ssh was a common tool, I recall setting up a
> telnet proxy in this manner.
> > Can you give any rational reason for this?
> > I ran a server like this for well over a year with no ill effects.
My config was ProFTPD with one directory that allowed uploads. The entire ftp
"site" was on its own partition (to keep me from DOSing myself as much as to
prevent others from doing it to me!). The upload directory did not appear in
"ls" when connected to my server. You could cd to it, but it would not give
any listing in that dir. Even if you knew the name of the file you could not
"get" it. All uploaded files were naturally owned by the (generic) FTP user,
and had innocuous permissions applied on file creation.
I used to to let people send me files without having to do ridiculous email
attachments. Worked great. If it were any more complicated than it was it
wouldn't have gotten used. I DO NOT do FTP other than anon.
I would urge others to use anon uploads (in a safe and sane way) over
cleartext authenticated FTP any day of the week.
The fact is, ANY poorly configured network daemon is a risk. This isn't any
more true of anonymous FTP uploads than any other. My config was a hell of a
lot better than Red Hat 6.2 with FTP enabled out of the box!
/"\ ASCII Ribbon campaign against HTML e-mail
X Get my PGP key at http://hutnick.com/pgp
/ \ 6128 5651 6F23 EC17 6EBD 737D 960A 20E6 76CA 8A59
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
More information about the LUG