Re: [expert] ftpd question
I'm Flattered... to say the least. James On Mon, 22 Jul 2002 11:55:46 -0400 Randy Kramer <[EMAIL PROTECTED]> wrote: > James, > > I have taken the liberty of quoting this post on WikiLearn, at: > > http://twiki.org/cgi-bin/preview/Wikilearn/ChrootJail > > Please see: > > http://twiki.org/cgi-bin/view/Wikilearn/QuotedEmailsLetter > > regards, > Randy Kramer > > James wrote: > > In the past script kiddies have used some of the original > > capabilities of ftp to login, and take over computers. ie > > ftp up a program(root-kit, etc) then login to the ftp > > directory compile it and run it. When you chroot the program > > root gets set to the directory the user is in. As far as > > they are concerned there exists nothing higher on the > > directory tree than where they are This means that if they > > do manage to exploit something the damage they can do is > > limited to the "jail" that they are in. Other advantages > > include, but not limited to, > > > > 1. They can only use utilities that exist in that chroot jail > > ie ls ps etc are local and any changes made to them aren't > > going to affect the box as a whole. 2. Nib Nosers can't poke > > around your box and find your secret stash of Britney Spears > > photo's 3. breaking out of the jail is one more line of > > defense. > > > > These are but a few reasons why programs get chrooted. Chroot > > is also useful if you have rebooted without running lilo > > first. It allows you to boot from a rescue disk, mount the > > HDD and run lilo as if your root was the mount point instead > > of the real / > > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
James, I have taken the liberty of quoting this post on WikiLearn, at: http://twiki.org/cgi-bin/preview/Wikilearn/ChrootJail Please see: http://twiki.org/cgi-bin/view/Wikilearn/QuotedEmailsLetter regards, Randy Kramer James wrote: > In the past script kiddies have used some of the original capabilities > of ftp to login, and take over computers. ie ftp up a program > (root-kit, etc) then login to the ftp directory compile it and run it. > When you chroot the program root gets set to the directory the user is > in. As far as they are concerned there exists nothing higher on the > directory tree than where they are This means that if they do manage to > exploit something the damage they can do is limited to the "jail" that > they are in. Other advantages include, but not limited to, > > 1. They can only use utilities that exist in that chroot jail ie ls ps > etc are local and any changes made to them aren't going to affect the > box as a whole. 2. Nib Nosers can't poke around your box and find your > secret stash of Britney Spears photo's 3. breaking out of the jail is > one more line of defense. > > These are but a few reasons why programs get chrooted. Chroot is also > useful if you have rebooted without running lilo first. It allows you > to boot from a rescue disk, mount the HDD and run lilo as if your root > was the mount point instead of the real / Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
On Sat, 06 Jul 2002 17:41:05 -0400 daRcmaTTeR <[EMAIL PROTECTED]> said with temporary authority > James wrote: > > On Fri, 5 Jul 2002 09:58:36 -0400 (EDT) > > daRcmaTTeR <[EMAIL PROTECTED]> said with temporary > > authority > > > > > >>On Fri, 5 Jul 2002, Bill Davidson wrote: > >> > >> > >>>On Thu, 04 Jul 2002 23:40:43 -0400 > >>>daRcmaTTeR <[EMAIL PROTECTED]> wrote: > >>> > >>> > James wrote: > > >Dark, > > If I am ever fool enough to say my box is totally secure, > > then you can just slap me silly and call me Larry Elison, > > 'cause surely I'm a fool too. > > > >James > > > > James, > > that indeed _is_ the double-edged blade that we all dance with > isn't it. Our systems are only as secure as we take the time to > learn and get things worked out. > >>> > >>>And yet you still have to balance that out with getting something > >>>useful done with your machine. > >>> > >>>Bill > >> > >>O heavens! thats the easy part. Unreal Tournament run real nice on > >>my system. ;) > > > > > > Security and Productivity are by definition opposite poles on the > > bar magnet of life. Ask anyone who's trying to fight msec... > > *grin* > > > > James > > > > O see...now THERE is a miserable thing that is driving me nuts on my > system right now. I'm ready to pull out my friggin hair over the > permissions misery that i've been dealing with the last few weeks. > > -- My cure was simple rpm -e msec. Since it's behind the firewall... I can be a little sloppy on this one. James > daRcmaTTeR > -- > Registered Linux User 182496 > > > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
James wrote: > On Fri, 5 Jul 2002 09:58:36 -0400 (EDT) > daRcmaTTeR <[EMAIL PROTECTED]> said with temporary authority > > >>On Fri, 5 Jul 2002, Bill Davidson wrote: >> >> >>>On Thu, 04 Jul 2002 23:40:43 -0400 >>>daRcmaTTeR <[EMAIL PROTECTED]> wrote: >>> >>> James wrote: >Dark, > If I am ever fool enough to say my box is totally secure, > then you can just slap me silly and call me Larry Elison, > 'cause surely I'm a fool too. > >James > James, that indeed _is_ the double-edged blade that we all dance with isn't it. Our systems are only as secure as we take the time to learn and get things worked out. >>> >>>And yet you still have to balance that out with getting something >>>useful done with your machine. >>> >>>Bill >> >>O heavens! thats the easy part. Unreal Tournament run real nice on my >>system. ;) > > > Security and Productivity are by definition opposite poles on the bar > magnet of life. Ask anyone who's trying to fight msec... *grin* > > James > O see...now THERE is a miserable thing that is driving me nuts on my system right now. I'm ready to pull out my friggin hair over the permissions misery that i've been dealing with the last few weeks. -- daRcmaTTeR -- Registered Linux User 182496 Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
daRcmaTTeR wrote: >> >> Haha, Yes spawn of Satan who wishes to corrupt me to the Darkside! >> >> :P >> >> Femme >> > > Femme, > > it's nice here on the dark side. lots of interesting people to talk to > and you don't have the license nazi's threatening to beat down yer door > and take your stuff because you haven't purchased the latest version of > their crapware. > Heh believe me I'm getting there slowly but surely. Femme Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
On Fri, 5 Jul 2002 09:58:36 -0400 (EDT) daRcmaTTeR <[EMAIL PROTECTED]> said with temporary authority > On Fri, 5 Jul 2002, Bill Davidson wrote: > > > On Thu, 04 Jul 2002 23:40:43 -0400 > > daRcmaTTeR <[EMAIL PROTECTED]> wrote: > > > > > James wrote: > > > > Dark, > > > >If I am ever fool enough to say my box is totally secure, > > > >then you can just slap me silly and call me Larry Elison, > > > >'cause surely I'm a fool too. > > > > > > > > James > > > > > > > > > > James, > > > > > > that indeed _is_ the double-edged blade that we all dance with > > > isn't it. Our systems are only as secure as we take the time to > > > learn and get things worked out. > > > > And yet you still have to balance that out with getting something > > useful done with your machine. > > > > Bill > > O heavens! thats the easy part. Unreal Tournament run real nice on my > system. ;) Security and Productivity are by definition opposite poles on the bar magnet of life. Ask anyone who's trying to fight msec... *grin* James Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
On Fri, 5 Jul 2002, Bill Davidson wrote: > On Thu, 04 Jul 2002 23:40:43 -0400 > daRcmaTTeR <[EMAIL PROTECTED]> wrote: > > > James wrote: > > > Dark, > > >If I am ever fool enough to say my box is totally secure, then you > > > can just slap me silly and call me Larry Elison, 'cause surely I'm a > > > fool too. > > > > > > James > > > > > > > James, > > > > that indeed _is_ the double-edged blade that we all dance with isn't it. > > Our systems are only as secure as we take the time to learn and get > > things worked out. > > And yet you still have to balance that out with getting something useful done with >your machine. > > Bill O heavens! thats the easy part. Unreal Tournament run real nice on my system. ;) -- daRmaTTeR R L U: #186492 When ever people annoy me I remember, "Vengence is mine saith the Lord." My prayer is, "...here am I Lord...send me!" Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
On Thu, 04 Jul 2002 10:26:06 -0400 daRcmaTTeR <[EMAIL PROTECTED]> said with temporary authority > FemmeFatale wrote: > > daRcmaTTeR wrote: > > > > > >> And I love the fact that it chroot, (jails) things by default, so > >> there isn't any hair-pulling to get that taken care of. > >> > > sounds like a cool ftp file program. stupid question: why is > > chroot a good thing? > > > > Jail? Scuse me i'm slow today :) > > > > No problem Femme...we all have out slow days. I'll try as best I can > to articulate to you in my limited understanding of *chroot* and why > it's a good thing. > > Chroot is good because as the connections come in to the ftp server > they are literally jailed to the ftp server's file system. /var/ftp > They can enter that part of the machines file system and can't get out > to go anywhere else on the machine's file system. > > Many times for certain services one must take care of this process for > one's self, however, this happens by default with this FTP server. > Which makes it very desirable for people like myself who don't have > the time, or at present, a complete enough knowledge base to properly > secure their FTP server the way it should be. Mind you, that doesn't > mean the system itself is unsecure, rather I've still got a *bit* to > learn as far as REALLY securing an FTP server as best as that can be > done. > > -- > daRcmaTTeR > -- > Registered Linux User 182496 > Dark, If I am ever fool enough to say my box is totally secure, then you can just slap me silly and call me Larry Elison, 'cause surely I'm a fool too. James > > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
FemmeFatale wrote: > > > > Thx :) Interesting bit of reading. :) > > Must try this someday myself if only as an exercise. > > Femme > Try it, you might like it :-) drjung -- J. Craig Woods UNIX/NT Network/System Administration http://www.trismegistus.net Character is built upon the debris of despair --Emerson Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
daRcmaTTeR wrote: > Chroot is good because as the connections come in to the ftp server they > are literally jailed to the ftp server's file system. /var/ftp They can > enter that part of the machines file system and can't get out to go > anywhere else on the machine's file system. > > Many times for certain services one must take care of this process for > one's self, however, this happens by default with this FTP server. Which > makes it very desirable for people like myself who don't have the time, > or at present, a complete enough knowledge base to properly secure their > FTP server the way it should be. Mind you, that doesn't mean the system > itself is unsecure, rather I've still got a *bit* to learn as far as > REALLY securing an FTP server as best as that can be done. > Thx :) Interesting bit of reading. :) Must try this someday myself if only as an exercise. Femme Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
FemmeFatale wrote: > daRcmaTTeR wrote: > > >> And I love the fact that it chroot, (jails) things by default, so >> there isn't any hair-pulling to get that taken care of. >> > sounds like a cool ftp file program. stupid question: why is chroot a > good thing? > > Jail? Scuse me i'm slow today :) > No problem Femme...we all have out slow days. I'll try as best I can to articulate to you in my limited understanding of *chroot* and why it's a good thing. Chroot is good because as the connections come in to the ftp server they are literally jailed to the ftp server's file system. /var/ftp They can enter that part of the machines file system and can't get out to go anywhere else on the machine's file system. Many times for certain services one must take care of this process for one's self, however, this happens by default with this FTP server. Which makes it very desirable for people like myself who don't have the time, or at present, a complete enough knowledge base to properly secure their FTP server the way it should be. Mind you, that doesn't mean the system itself is unsecure, rather I've still got a *bit* to learn as far as REALLY securing an FTP server as best as that can be done. -- daRcmaTTeR -- Registered Linux User 182496 Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
James wrote: > On Mon, 01 Jul 2002 00:10:46 -0600 > FemmeFatale <[EMAIL PROTECTED]> said with temporary authority >sounds like a cool ftp file program. stupid question: why is chroot >>a good thing? >> >>Jail? Scuse me i'm slow today :) > > Femme, > These are but a few reasons why programs get chrooted. Chroot is also > useful if you have rebooted without running lilo first. It allows you > to boot from a rescue disk, mount the HDD and run lilo as if your root > was the mount point instead of the real / > > James > Thx James, your concise & clear explanation did very well. I'd read about chroot before but it didn't strike me as all that important a command or one to come back to later. Don't remember which now. I shall have to investigate this now further being paranoid sort that I am. ;) Besides, my porn's valuable to me! -- Femme Good Decisions You boss Made: "We'll do as you suggest and go with Linux. I've always liked that character from Peanuts." - Source: Dilbert Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
On Mon, 01 Jul 2002 00:10:46 -0600 FemmeFatale <[EMAIL PROTECTED]> said with temporary authority > daRcmaTTeR wrote: > > > And I love the fact that it chroot, (jails) things by default, so > > there isn't any hair-pulling to get that taken care of. > > > sounds like a cool ftp file program. stupid question: why is chroot > a good thing? > > Jail? Scuse me i'm slow today :) > > -- > Femme > > Good Decisions You boss Made: > > "We'll do as you suggest and go with Linux. I've always liked that > character from Peanuts." > > - Source: Dilbert Femme, In the past script kiddies have used some of the original capabilities of ftp to login, and take over computers. ie ftp up a program (root-kit, etc) then login to the ftp directory compile it and run it. When you chroot the program root gets set to the directory the user is in. As far as they are concerned there exists nothing higher on the directory tree than where they are This means that if they do manage to exploit something the damage they can do is limited to the "jail" that they are in. Other advantages include, but not limited to, 1. They can only use utilities that exist in that chroot jail ie ls ps etc are local and any changes made to them aren't going to affect the box as a whole. 2. Nib Nosers can't poke around your box and find your secret stash of Britney Spears photo's 3. breaking out of the jail is one more line of defense. These are but a few reasons why programs get chrooted. Chroot is also useful if you have rebooted without running lilo first. It allows you to boot from a rescue disk, mount the HDD and run lilo as if your root was the mount point instead of the real / James > > > > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
daRcmaTTeR wrote: > And I love the fact that it chroot, (jails) things by default, so there > isn't any hair-pulling to get that taken care of. > sounds like a cool ftp file program. stupid question: why is chroot a good thing? Jail? Scuse me i'm slow today :) -- Femme Good Decisions You boss Made: "We'll do as you suggest and go with Linux. I've always liked that character from Peanuts." - Source: Dilbert Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
logic7 wrote: > does this apply to ProFTPD as well, or should I switch to PureFTP? > Proftpd is quite a nice server, but so far what I've read about Pureftpd it is much superior to Proftpd in security. I'd say we're both better off with Pureftpd, but I'll be damned if'n I kin figure out just how to configure for individual users apart from anonymous users. So far, I've noticed that Pure uses PAM for authentication which is awesome because you don't have to muck about with users permissions if they're already on your system. AND, if you need to add another user its spelled out rather clearly in the "virtual users" README setup. The part I'm a bit unclear on is how, without creating *new* users, we can setup "other" filesystems to make accessible to the ftp server without having to create a user that is connected to it. And I love the fact that it chroot, (jails) things by default, so there isn't any hair-pulling to get that taken care of. -- daRcmaTTeR -- Registered Linux User 182496 Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
Lyvim Xaphir wrote: > On Sun, 2002-06-30 at 18:33, logic7 wrote: > >>I've just set up my ftp server with real logins only. What I would like to >>have is whenever someone logs in, they don't see their home directory. >>Instead, I want all users to share a common directory. I cannot seem to find >>info on this anywhere, anyone know how this is done? >> > > > >>From the PureFTP "README.Virtual-Users" file: > > > VIRTUAL USERS > > > Since release 0.99.2, Pure-FTPd supports virtual users. > > Virtual users is a simple mechanism to store a list of users, with their > password, name, uid, directory, etc. It's just like /etc/passwd. But > it's not /etc/passwd. It's a different file, only for FTP. > > It means that you can easily create FTP-only accounts without messing > your system accounts. > > Additionnaly, virtual users files can store individual quotas, ratios, > bandwidth, etc. System accounts can't do this. > > Thousands of virtual users can share the same system user, as long as > they all are chrooted, and they have their own home directory. > > So a good thing to do before using virtual users is to create a system > user for this. Of course, you can use any existing account like "nobody" > (but not root), but it's better to have a dedicated account. > > Let's create an "ftpgroup" group and an "ftpuser" user. > > Linux/OpenBSD : > > groupadd ftpgroup > useradd -g ftpgroup -d /dev/null -s /etc ftpuser > > Then, all maintenance of virtual users can be made with the "pure-pw" > command. You can also edit the files by hand if you want. > > Files storing virtual users have one line per user. These lines have the > following syntax : > > :: bandwidth> number of connections>::: IPs>::: IPs>: > > Fields can be left empty (exceptions: account, password, uid, gid, home > directory) . > > Passwords are compatible with the hashing function used in /etc/passwd > or /etc/master.passwd . They are crypto hashed with blowfish, md5, > multiple-des and simple des, in this order, according to what your > system has support fort. > _ > > > RTFM on Pureftp and you got it licked. > > > HTH, LX > LX, I'm a little corn-fused about the FM for Pureftpd. I thought I'd read something about it having config files for users and dir's like those of Proftpd, which are apache-like in the way they're laid out. However, I've so far found *not* to be so. So, I'm a bit at a loss as to how all this is supposed to happen. -- daRcmaTTeR -- Registered Linux User 182496 Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
does this apply to ProFTPD as well, or should I switch to PureFTP? - Original Message - From: "Lyvim Xaphir" <[EMAIL PROTECTED]> To: "ExpertMandrake-List" <[EMAIL PROTECTED]> Sent: Sunday, June 30, 2002 7:03 PM Subject: Re: [expert] ftpd question > On Sun, 2002-06-30 at 18:33, logic7 wrote: > > I've just set up my ftp server with real logins only. What I would like to > > have is whenever someone logs in, they don't see their home directory. > > Instead, I want all users to share a common directory. I cannot seem to find > > info on this anywhere, anyone know how this is done? > > > > > From the PureFTP "README.Virtual-Users" file: > > > VIRTUAL USERS > > > Since release 0.99.2, Pure-FTPd supports virtual users. > > Virtual users is a simple mechanism to store a list of users, with their > password, name, uid, directory, etc. It's just like /etc/passwd. But > it's not /etc/passwd. It's a different file, only for FTP. > > It means that you can easily create FTP-only accounts without messing > your system accounts. > > Additionnaly, virtual users files can store individual quotas, ratios, > bandwidth, etc. System accounts can't do this. > > Thousands of virtual users can share the same system user, as long as > they all are chrooted, and they have their own home directory. > > So a good thing to do before using virtual users is to create a system > user for this. Of course, you can use any existing account like "nobody" > (but not root), but it's better to have a dedicated account. > > Let's create an "ftpgroup" group and an "ftpuser" user. > > Linux/OpenBSD : > > groupadd ftpgroup > useradd -g ftpgroup -d /dev/null -s /etc ftpuser > > Then, all maintenance of virtual users can be made with the "pure-pw" > command. You can also edit the files by hand if you want. > > Files storing virtual users have one line per user. These lines have the > following syntax : > > :: bandwidth> number of connections>::: IPs>::: IPs>: > > Fields can be left empty (exceptions: account, password, uid, gid, home > directory) . > > Passwords are compatible with the hashing function used in /etc/passwd > or /etc/master.passwd . They are crypto hashed with blowfish, md5, > multiple-des and simple des, in this order, according to what your > system has support fort. > _ > > > RTFM on Pureftp and you got it licked. > > > HTH, LX > > > > > > -- > > > > Want to buy your Pack or Services from MandrakeSoft? > Go to http://www.mandrakestore.com > Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] ftpd question
On Sun, 2002-06-30 at 18:33, logic7 wrote:
> I've just set up my ftp server with real logins only. What I would like to
> have is whenever someone logs in, they don't see their home directory.
> Instead, I want all users to share a common directory. I cannot seem to find
> info on this anywhere, anyone know how this is done?
>
>From the PureFTP "README.Virtual-Users" file:
VIRTUAL USERS
Since release 0.99.2, Pure-FTPd supports virtual users.
Virtual users is a simple mechanism to store a list of users, with their
password, name, uid, directory, etc. It's just like /etc/passwd. But
it's not /etc/passwd. It's a different file, only for FTP.
It means that you can easily create FTP-only accounts without messing
your system accounts.
Additionnaly, virtual users files can store individual quotas, ratios,
bandwidth, etc. System accounts can't do this.
Thousands of virtual users can share the same system user, as long as
they all are chrooted, and they have their own home directory.
So a good thing to do before using virtual users is to create a system
user for this. Of course, you can use any existing account like "nobody"
(but not root), but it's better to have a dedicated account.
Let's create an "ftpgroup" group and an "ftpuser" user.
Linux/OpenBSD :
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
Then, all maintenance of virtual users can be made with the "pure-pw"
command. You can also edit the files by hand if you want.
Files storing virtual users have one line per user. These lines have the
following syntax :
:
Fields can be left empty (exceptions: account, password, uid, gid, home
directory) .
Passwords are compatible with the hashing function used in /etc/passwd
or /etc/master.passwd . They are crypto hashed with blowfish, md5,
multiple-des and simple des, in this order, according to what your
system has support fort.
_
RTFM on Pureftp and you got it licked.
HTH, LX
--
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
[expert] ftpd question
I've just set up my ftp server with real logins only. What I would like to have is whenever someone logs in, they don't see their home directory. Instead, I want all users to share a common directory. I cannot seem to find info on this anywhere, anyone know how this is done? Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
