Security Basics mailing list archives
Re: FTP security question...
From: khayes () eastbay com
Date: Tue, 19 Nov 2002 07:38:03 -0800
Given there is a certain amount of risk involved whenever you permit any anonymous access to any server or device on your network. However, maintaining the FTP in a DMZ and making sure that local security is set properly on the local host (FTPD) is a solid start. Limit the number of personal accounts on the system, delete user accounts that no longer need to have access, enforce regular password changes and, most importantly, never put any sensitive information on the FTP. Always assume the information on the server is being viewed by someone who has no business on your system.

If someone wants to do remote file transfers, make them use a VPN connection or an SSH connection (during which they can use 'scp' to copy the files between systems).

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com

"Mike Cain" <mikec () lpinsurance com>
11/13/2002 09:08 AM
Please respond to mikec

To: <security-basics () lists securityfocus com>
cc:
Subject: FTP security question...

I just came to work at a new company, and I have been doing the standard auditing and such to see where the company stands from a security point of view. Nothing looks as if it's been compromised in the past, which should keep me from having to rebuild anything, but one thing I noticed on my SSS scan of the outside interface on our proxy server was that Anonymous FTP is allowed. I know that's a no-no, but I looked closer, and found that the FTP root was locked down. Meaning if I log in anon, I can't mkdir, etc.

What are the issues with that type of setup? Known security risks?

Thanks in advance.

PS yes, I am searching Google as we speak with little to no effect.
Mike C
CCNA/CCNP/MCSE