This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

security vulnerability

6 posts / 0 new

Topic locked

Last post

#1 Mon, 05/04/2015 - 08:43

obus18

security vulnerability

When creating a virtual host, the FTP server was enabled (port 21), if you log in using the credentials of SFTP (port 22) virtualhost, you can see the entire server tree ! Can you address this security vulnerability in your installation script? thank you

(Translation with Google)

#2 Mon, 05/04/2015 - 09:45

andreychek

Howdy,

You may want to review the section of the documentation here titled "How can I prevent FTP Users from Browsing the Entire Filesystem?":

https://www.virtualmin.com/documentation/security/faq

#3 Mon, 05/04/2015 - 10:29

obus18

Yes, I know that and I always does but if you put port 22 to port 21 pace, you have access to the whole server

#4 Mon, 05/04/2015 - 12:43

obus18

In Webmin, System, Users & groups, /bin/false

#5 Tue, 05/05/2015 - 09:16

Rhandy

Read this:

https://www.digitalocean.com/community/tutorials/how-to-configure-proftp...

sudo nano /etc/proftpd/proftpd.conf

JAIL THE USER IN HOME DIR Remove the # from in front of the DefaultRoot parameter to uncomment it:

DefaultRoot ~

#6 Tue, 05/05/2015 - 10:09

obus18

I always do, despite that one can visualize the whole server

Topic locked