  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 775

FTP upload security

Hi everyone.  I need to create an FTP upload facility for people using my website.  I only wish for them to upload text files which will then be copied to the correct area on my website to be processed.

What I need to know is if setting the FTP directory to CHMOD 666 would be enough to stop people uploading and executing malicious code.  I believe there is no way to theoretically stop people uploading anything they wish as they could upload it with a .txt filename and change once uploaded.

I can run a Cron Script that deletes unwanted files every few minutes, but that may give them long enough to upload and execute something on my server that is unwanted.  I do not want to have a Cron running every minute because of the additional server load.

So, would making the directory non-executable be enough? Although I imagine they could just CHMOD the files they uploaded to executable.

Google offers a service like the one I wish to use on uploads.google.com via their Google products facility.  How do they do this and maintain security?

Some of the files that could be uploaded would far exceed the server limit of 8mb so I cannot offer this via a HTML form upload.

Does anyone have any ideas how to create an FTP upload system that is secure and won't compromise my server?

Many thanks

Steve
0
Asked by: ParadyneDesigns
1 Solution
 
ravenplCommented:
> Google offers a service like the one I wish to use on uploads.google.com via their google products facility.  How do they do this and maintain security.
Good question ;)

> I only wish for them to upload text files which will then be copied
Can you verify the content of such a file before copying? If it's undesired, then simply delete it instead of copying. You can either use your own check script or use Linux's file utility:
file /etc/passwd
man file

> I believe there is no way to theoretically stop people uploading anything they wish as they could upload it with a .txt filename and change once uploaded.
You can deny rename operation via ftp, but then linux does not care about file exts.

> So, would making the directory non-executable be enough
If the directory is not executable, then one can't enter it, and therefore can't upload. To save a file to a dir, the dir has to be at least -wx for the writer.

> although I imagine they could just CHMOD the files they uploaded to executable.
Again, ftp server may deny such operation.

> Does anyone have any ideas how to create an FTP upload system that is secure and won't compromise my server.
Try to give more details on how you imagine the whole process should work.
0
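The content check suggested in the answer above, written out as a shell function (an added example, not code from any poster in this thread). It accepts an upload only if it is a regular, non-empty file of at most 20 MB whose content is plain text, then copies it under a server-chosen name with no execute bit; the function names, `MAX_BYTES` and the return codes are assumptions.

```shell
#!/bin/sh
# Added example: vet one FTP upload before copying it to the processing area.
# MAX_BYTES, the function names and the return codes are illustrative assumptions.
MAX_BYTES=$((20 * 1024 * 1024))   # the 20 MB ceiling mentioned in the thread

# Print the MIME type; without file(1), fall back to grep's text/binary test.
mime_of() {
    if command -v file >/dev/null 2>&1; then
        file --brief --mime-type -- "$1"
    elif LC_ALL=C grep -Iq '' -- "$1"; then
        echo text/plain
    else
        echo application/octet-stream
    fi
}

# accept_upload SRC DESTDIR
# Returns 0 and prints the stored path if SRC is acceptable, non-zero otherwise:
#   1 = not a regular file, 2 = bad size, 3 = bad content, 4 = copy failed
accept_upload() {
    src=$1 destdir=$2
    # Regular file only: no symlinks, devices or FIFOs planted in the upload dir.
    [ -f "$src" ] && [ ! -L "$src" ] || return 1
    size=$(wc -c < "$src") || return 1
    [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ] || return 2
    # Content decides, not the .txt extension: it must be plain text.
    [ "$(mime_of "$src")" = "text/plain" ] || return 3
    # A script is also "text"; refuse anything starting with an interpreter line.
    [ "$(head -c 2 -- "$src")" != "#!" ] || return 3
    # Store under a server-chosen name, never the client's, and never executable.
    dest=$(mktemp "$destdir/upload.XXXXXX") || return 4
    cp -- "$src" "$dest" && chmod 0640 "$dest" || { rm -f -- "$dest"; return 4; }
    printf '%s\n' "$dest"
}
```

A periodic job can call `accept_upload` on each file in the upload directory and delete whatever it rejects; files that are still being transferred should be skipped until the transfer has finished.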
 
ygouthamCommented:
1.  normally ftp files come and sit only with a 666 permission.  it does not add the executable bit at all.  even the vsftpd conf file that we have acts as a mask (which is a negative mask to reduce the options from 666).

2.  you cannot run a chmod through an ftp interface.  you can only send / receive files.  so an executable file or not, i would not worry too much about it.

3.  a text file like a bash script would still look innocent with text file contents but can do just about anything short of wonderful

4.  all users can be made simple by belonging only to a simple ftpuser group which is not authorised for any other function on the system.
    you can consider a chroot jail for every user where they can have only their files
    you can also give a no login shell thereby disabling login through telnet / ssh.  
    almost all of us have been managing an ftp server.  i am yet to come across an instance of a malicious file execution through the ftp upload route.
0
 
ParadyneDesignsAuthor Commented:
Hi again.

Both answers are extremely helpful and I am very interested in part 4 of ygoutham's reply.  Is there anywhere that I can find more info on adding a chroot jail and changing ftp settings?  Currently I do all my server admin via cpanel and I am assuming changes like these need to be done directly to a file on my server.

I am relieved and assured by the final comment that malicious file execution via ftp is indeed unlikely.
0

 
ParadyneDesignsAuthor Commented:
I have done some research now on FTP and what the commands are but I am still at a loss as to how to implement section 4 of ygoutham's reply.

If someone could let me know which file on my server/account I need to modify to achieve the exact specifications mentioned in section 4 of the above reply, then I could certainly allocate points and close this task.

What I need is an ftp usergroup that has limited functions, implementation of a chroot jail and a no login shell.  That sounds absolutely perfect but I have no idea what file or what commands I need to add to make any of this possible.

Cheers
0
 
ParadyneDesignsAuthor Commented:
For the record, my server is running pure-ftpd (but I can switch to proftpd).

I have been looking at my pure_ftpd.conf as I imagine this is the file that I will need to modify.  However, surely modifying this file will affect the operation of all ftp on the server when I just want it to modify the operation of the ftp on one of my accounts.
0
 
ygouthamCommented:
when you add users you can specify a no login for them

useradd -s /bin/false -d /some/home/directory -g ftp_user_group_here SOME_USER_NAME

this adds a user without any login functionality and belonging only to the ftp_user_group_here

http://www.howtoforge.com/pureftpd_mysql_virtual_hosting_p2

this page gives information on the chroot jail part.
#### quote from page ####
Then create the file /etc/pure-ftpd/conf/ChrootEveryone which simply contains the string yes:
#### end quote ####
0
 
ParadyneDesignsAuthor Commented:
Hi again

I still have problems with this.  Firstly, I want the users to be created via php so I am not sure how that useradd command will work in this scenario.  I will have an area on my site that says "create FTP" with a box for username and password.

The howtoforge page was interesting but I am not sure it is relevant in my case.  I have a dedicated server and my etc/pure-ftpd directory does not contain a /db directory or a /conf directory.  I just have a list of IP addresses as links (which when clicked on take me to the public_ftp folder for that account).  I also have no database table that contains records of ftp users.

At the end of the day all I am really trying to achieve is allowing my users to upload a text file that could be up to 20mb in size.  Preferably it would be via a form on the website where they can upload, but it seems that php is incapable of not timing out or handling anything over 8mb.

I tried creating a flash upload system but the fact I would need to pass sensitive data using a GET command (i.e. using actionscript) ended that idea.

I am sure your solution is perfectly feasible, just I do not understand how to implement this on my server and for the life of me I cannot find any "how to" pages on the internet regarding the basics of FTP servers and the pure ftpd website is a complete waste of space.
0
 
ParadyneDesignsAuthor Commented:
I have flicked over to proftpd which seems much much easier to work with.  I can see the group, I can see where the users are being stored and I can see how to add users.

The proftpd.conf file is also far easier to understand as it separates each virtual host so that I can add my more protected approach only to this domain and not affect the other accounts.

Now I can see how this all works and how it all fits into the scope of my project I am definitely happy to accept solutions.

Many thanks
0
 
ascrayCommented:
Can anyone address these concerns as applies to vsftpd?
0
 
ygouthamCommented:
as it applies to VSFTPD???

VSFTP does not let the executable bit be set.  it can at best be a rw-rw-rw- permission only.  I still do not understand the remote execution through the FTP route.  What exactly are the concerns that you would like to get addressed?

Goutham
0
 
ygouthamCommented:
If i understand it correctly, the file upload size can be set in the php.ini file in /etc/ directory.  that can be used to upload larger chunks of data (say 30 MB or so) assuming that the internet connection is capable enough of uploading the same within the timeout window specified.  

The very same php can be used to set the permissions on the file, move it to an appropriate directory, etc.  is that the concern that you are asking about?

G
0
