[wplug] Anonymous FTP and hidden files (security problem?)

Jonathan S Billings billings at negate.org
Wed Sep 10 12:44:19 EDT 2003


On Wed, 2003-09-10 at 11:30, Albert E. Whale, CISSP wrote:
> Jonathan S. Billings wrote:
> 
> >
> > On Wednesday, Sep 10, 2003, at 09:25 America/New_York, Albert E. 
> > Whale, CISSP wrote:
> >
> >> These files are primarily intended to be used for Users with SHELL 
> >> Access.  Tftp - aka Anonymous FTP, should not get Shell Access 
> >> (IMHO).  Removal should not break your system, but rather improve 
> >> your Security.
> >
> >
> > I just wanted to note that 'tftp' and 'ftp' are two completely 
> > different protocols, and that 'tftp' isn't also known as anonymous ftp. 
> 
> Agreed, but in this situation, if his directory contents are all that's 
> there, there is no difference.  

Well, here's a difference: FTP uses TCP, on port 21 and 20 (when not in
passive mode), and TFTP uses UDP, on port 69.  I don't mean to belabor
the point, but I see little reason to confuse the issue by bringing up a
completely different protocol.

> While you do have a little configuration 
> control over the anonymous ftp application, I have never seen them given 
> more access than RO on most directories,  there have been an occasional 
> Anonymous Write  Directory.  However, I do not see this as a Safe Practice.

I believe my point was that you shouldn't confuse TFTP and FTP servers. 
While they might sound the same, the methods used to secure them are
different.  TFTP has no authentication of any form, while FTP can be
authenticated, or anonymous.  Also, TFTP doesn't give you a directory
structure to look at as a client, so it's possible for you to set up a
writeable directory, and drop files into it, without random clients
knowing about it.  Of course, this isn't perfectly safe, anyone sniffing
traffic could figure it out.  



-- 
Jonathan S Billings <billings at negate.org>
TSFNKP, President and Chief Lackey
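As an added illustration of the two TFTP properties mentioned above (no directory-listing operation in the protocol, and write requests visible to anyone watching the UDP/69 traffic), here is a small decoder for RFC 1350 request packets plus a check that flags write requests in a set of datagrams. This is example code written for this archive page, not anything posted by the list members; the packet layout follows RFC 1350, and the sample datagrams and addresses are constructed by hand.

```python
"""Decode TFTP (RFC 1350) request packets and flag write requests.

Added example, not part of the original thread. TFTP has only the opcodes
listed below (read, write, data, ack, error, and the RFC 2347 option ack);
there is no "list directory" operation, so a client only learns names it
already knows. Sample packets are constructed inline, not captured traffic.
"""
import struct

# Opcodes from RFC 1350 plus OACK from RFC 2347. Note the absence of any
# listing opcode: that is why a writeable directory is not discoverable
# through the protocol itself.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}


def build_request(opcode, filename, mode="octet"):
    """Build an RRQ/WRQ packet: 2-byte opcode, filename, NUL, mode, NUL."""
    if opcode not in (1, 2):
        raise ValueError("only RRQ (1) and WRQ (2) carry a filename")
    return (struct.pack("!H", opcode) + filename.encode() + b"\x00"
            + mode.encode() + b"\x00")


def parse_request(packet):
    """Return (opname, filename, mode) for RRQ/WRQ; (opname, None, None) otherwise."""
    if len(packet) < 2:
        raise ValueError("packet too short for a TFTP opcode")
    (opcode,) = struct.unpack("!H", packet[:2])
    opname = OPCODES.get(opcode)
    if opname is None:
        raise ValueError(f"unknown TFTP opcode {opcode}")
    if opcode not in (1, 2):
        return opname, None, None
    # Fields after the opcode are NUL-terminated strings; a well-formed
    # request therefore splits into filename, mode, (options...), and a
    # trailing empty element from the final NUL.
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed request: filename/mode not NUL-terminated")
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return opname, filename, mode


def audit_datagrams(datagrams):
    """Inspect (src, dst_port, payload) tuples and return alert strings.

    Anything a monitoring point on the segment sees here, a sniffer sees
    too: the write request carries the target filename in cleartext.
    """
    alerts = []
    for src, dport, payload in datagrams:
        if dport != 69:          # not TFTP; e.g. FTP control traffic on 21
            continue
        try:
            op, name, mode = parse_request(payload)
        except ValueError as exc:
            alerts.append(f"{src}: undecodable TFTP packet ({exc})")
            continue
        if op == "WRQ":
            alerts.append(f"{src}: TFTP write request for {name!r} (mode {mode})")
    return alerts


# Constructed sample traffic (hypothetical addresses and filenames).
SAMPLE = [
    ("10.0.0.5", 69, build_request(1, "pxelinux.0")),         # ordinary read
    ("10.0.0.9", 69, build_request(2, "dropbox/notes.txt")),  # write into a writeable dir
    ("10.0.0.9", 69, b"\x00\x07bogus"),                       # opcode 7 does not exist
    ("10.0.0.5", 21, b"USER anonymous\r\n"),                  # FTP, a different protocol
]

if __name__ == "__main__":
    for line in audit_datagrams(SAMPLE):
        print(line)
```

Running the script prints one alert for the write request and one for the malformed packet; the FTP line on port 21 is ignored, which is the point of the thread: the two services need separate handling.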