How to Block FTP users from seeing all the way to root

#1 Thu, 02/17/2011 - 19:57
katir

I am trying to tighten up security on the box in as many ways as I can.

I just discovered that any FTP user for any site can see all the way to root. He can read any file, but he cannot edit it or save it back. How do we "jail in" the FTP user so that he can only see files in

/home/myDomain/

and nothing below

/home/ # should not see other users here or other users' virtual domains here.

or worse

/ # he can see files all the way to root.

Thu, 02/17/2011 - 20:15
andreychek

Howdy,

You can jail FTP users by clicking Limits and Validation -> FTP Directory Restrictions, and setting a directory restriction within that screen.

Remember though that the jail only applies to FTP users... a user with read access to a file can find other ways to access it. For example, if they were to upload a file manager into their web space, they could browse files on the server that way.

-Eric

Thu, 02/17/2011 - 21:30
helpmin

The user could also write/use a php script to scan the home directories, right?

Thu, 02/17/2011 - 21:52
andreychek

Any web-based code the user writes or uploads would have access to files on the filesystem outside the user's home directory, if that user happens to have rights to be able to read the file.

Now, by default, that doesn't include files in home directories belonging to other users... but it all comes down to what permissions the files and dirs are set to.

-Eric
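
Since the reply above says exposure comes down to directory permissions, here is an added example (not part of the original thread, and not Virtualmin's own tooling) that reports which directories under a base path are open to unrelated accounts. It assumes GNU coreutils `stat` on Linux; the function names and the `/home` default are chosen for illustration.

```shell
#!/bin/sh
# Added example: report directories directly under a base directory whose
# "other" permission bits let unrelated accounts (including another site's
# PHP scripts) list or enter them. Assumes GNU stat; names are illustrative.
# Usage: audit_homes /home

# other_access MODE -> prints "list+traverse", "list", "traverse" or "none"
other_access() {
    digit=${1#"${1%?}"}               # last octal digit = bits for "other"
    case $digit in
        5|7) echo "list+traverse" ;;  # r and x: can list names and enter
        4|6) echo "list" ;;           # r only: can list names
        1|3) echo "traverse" ;;       # x only: can enter if a name is known
        *)   echo "none" ;;
    esac
}

# audit_homes [BASE] -> one line "MODE ACCESS PATH" per exposed directory
audit_homes() {
    base=${1:-/home}
    for d in "$base"/*/; do
        d=${d%/}
        # Only real directories; skip symlinks and an unmatched glob.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        mode=$(stat -c '%a' "$d") || continue
        access=$(other_access "$mode")
        [ "$access" = "none" ] || printf '%s %s %s\n' "$mode" "$access" "$d"
    done
}
```

A directory reported as "traverse" hides its listing but still lets any account read world-readable files inside it when the path is known.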

Thu, 02/17/2011 - 21:55
helpmin

Exactly, which means that the user would be able to see which other domains are hosted.

Thu, 02/17/2011 - 22:16
andreychek

Sure, but what domains are hosted on a server isn't a secret. For example, sites like these show all domains that are associated with any given IP address:

http://domainsbyip.com/

http://www.domaintools.com/research/reverse-ip/

So, you can find out that information without even having an account on the server :-)

-Eric

Fri, 02/18/2011 - 02:38
helpmin

Understand, just wanted to add some additional information for the OP :-)

Of course the php scripts could also read other configuration files that are typically readable for "all" in a typical Linux installation.

Fri, 02/18/2011 - 11:25
ronald

However, knowing what domains are hosted on a server isn't the same as knowing what usernames are being used. Which is 50% of the data you need to have to do some bad stuff.
By having malicious people wandering through the box, they can obtain this information often more easily than necessary.

Unfortunately, you can't stop the really bad guys totally. But you can make it much harder for them and make it at the same time impossible for regular users.

There are test files available to test the safety on the box, like c999shell. But never let this script on your box ever.

Fri, 02/18/2011 - 14:10
helpmin

I don't see the "much harder" part here :-) If you ask me it is still very easy for a "bad guy" (who wouldn't do this manually anyway) ... It is a little bit "security through obscurity", lol.

Sat, 02/19/2011 - 17:16
Locutus

Username is not (necessarily) equal to home directory name. I e.g. use different names for those two.

And indeed, wanting to keep usernames secret is "security by obscurity". The password is the secret part. The username does not have to be, if the password is sufficiently secure.

Topic locked