TechSpot

FTP security

By robert33tn
Oct 21, 2006
  1. We have an FTP account through our web host company, and people are still getting in and hacking our website almost every day. Is there a way to secure our FTP and files from this end? It's getting on our last nerve having to redo a site because of these people.
     
  2. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    FTP security: there ain't any :knock:

    if you're getting hacked via ftp, then you have a trivial password and they
    are running a dictionary scan or a cracking tool against you.

    good password:
    • 8 or more characters
    • not a normal word-- combination of chars and digits
    • contains at least one digit
    • one or more Upper Case chars
    • one or more of (#$%^&*_+=)

    create a contraction of two words, separated per the above; e.g. Xyz1-9Zyx

    *IF* it were your own host, you could use the SSH ftp feature and instead of
    passwords you would use a pub/priv key system. You might ask if the host
    company will support SSH, but don't be surprised if they say no.
     
  3. robert33tn

    robert33tn TS Rookie Topic Starter

    Well, I haven't been using basic passwords; I've been using an online Windows password maker that does random passwords, and we have redone our passwords over and over again. Now, is there a way to go in through the index page and hack it that way and change the stuff?
     
  4. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    check your permissions on every directory and file.

    an HTTP / FTP server should have file settings 644 or 755
    (as seen from a Linux ls -l ) e.g.:
    Code:
    ls -l
    -rw-r--r--  1 apache websrvr 15 Sep 20  2005 test
    
    644 = rw-r--r--
    755 = rwxr-xr-x

    what you must avoid is r**r**rw*

    directories should be 755 everywhere (rwxr-xr-x)
     
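    As an added example (not jobeard's code or anything posted in the thread), here is a small POSIX shell script that checks a web root for the settings described in the post above: it lists every file or directory that group or others can write to (the r**r**rw* pattern), then resets files to 644 and directories to 755. The sample tree it builds is constructed for the example so it runs offline; the real web root path is an assumption you supply when you use it.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root for group- or
# world-writable files and directories and reset them to 644 / 755.
# The sample tree below is constructed so the script runs offline; the
# real web root path is an assumption supplied by the reader.

set -eu

# Build a throwaway tree with two deliberate mistakes: a 777 directory
# and a 666 file, the "r**r**rw*" pattern the post says to avoid.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/images" "$root/upload"
    printf '<html>index</html>\n' > "$root/index.html"
    printf 'GIF89a\n'             > "$root/images/logo.gif"
    printf '<?php echo 1; ?>\n'   > "$root/upload/page.php"
    chmod 755 "$root" "$root/images"
    chmod 644 "$root/index.html" "$root/images/logo.gif"
    chmod 777 "$root/upload"            # world-writable directory: anyone can drop files here
    chmod 666 "$root/upload/page.php"   # world-writable file: anyone can rewrite it
    printf '%s\n' "$root"
}

# Print every file or directory under $1 that group or others may write to.
# POSIX symbolic -perm forms are used so this works with GNU and BSD find.
find_writable() {
    find "$1" \( -type f -o -type d \) \
         \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Count the offending entries so a cron job or shell check has one number to test.
count_writable() {
    find_writable "$1" | grep -c . || true
}

# Reset to the recommended settings: directories 755, files 644.
# Run find_writable again afterwards to confirm nothing is left.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone run against the constructed tree.
root=$(make_sample_tree)
echo "Writable before fix:"
find_writable "$root"
fix_perms "$root"
echo "Writable entries left after fix: $(count_writable "$root")"
rm -rf "$root"
```

    To use it on a real site, drop the sample-tree section and point find_writable and fix_perms at the web root; run find_writable first and read the list before changing anything, since a directory a CGI or upload script legitimately writes to will also show up.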
  5. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    btw: what makes you sure that FTP is the culprit? it's highly likely that your
    HTTP server is poorly configured and allows PUT, POST or cross-domain scripting.

    what is the server environment (platform, OS, and webserver)?
     
  6. smore9648

    smore9648 TS Rookie Posts: 697

    I recommend implementing a much stronger password policy.

    Use passwords that require numbers, upper and lowercase letters, and special characters.

    Do not use anything that is found in the dictionary either.

    Example of what not to use: Christmas23

    Example of what to use <V821#BNur>!
     
  7. smore9648

    smore9648 TS Rookie Posts: 697

    You need to configure your group and local policies as well
     
  8. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    V821#BNur is typical of a random password :)
     
  9. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    *if* and only if it's an IIS server :(
     
  10. smore9648

    smore9648 TS Rookie Posts: 697

    This is the whole password <V821#BNur>! :wave:
     
  11. smore9648

    smore9648 TS Rookie Posts: 697

    Sorry, my mentality is geared around my work. I know everyone's is not like mine.
    It's my fault for always assuming everyone wants to be like me :D :D
     
  12. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    I have to agree. Instead of FTP, make sure that other things are secure. Yes, it is very possible to hack your server through the web service, especially if you have IIS.

    - Do you have any active content on the server? PHP? ASP? If it is a ready-made product, check for any security issues and update. If it's something custom, have it audited. PHP is a gaping security hole unless you take a lot of care writing the code.

    - Check your firewall (or set up one if you haven't yet!). Make sure you are blocking everything but the services that actually need to be accessible from outside. You should allow only the bare minimum. If some services are accessed from only some locations, then make the firewall rules accordingly.

    - Check for security updates: Apache (or IIS or whatever), MySQL (or MSSQL or whatever), your FTP server software, pretty much everything running on the server should be updated.

    - Consider using SSH and SFTP instead of plain FTP. It's a bit trickier to get it running under Windows, but you gain a lot of security.

    - Since it is a Windows server (and it has been compromised), you could have some malware installed and running there. Make a thorough virus and spyware scan, or even better, format and reinstall.
     