How to restrict access to our server!

Hi all,

Simple question (least I think!), I have vsftpd running on a fedora server and I roughly know enough to set it up and get it going but have found out now in Internet Explorer 7, if you browse it and log in successfully, you see a list of all the folders on the system:

02/11/2008 05:01AM      Directory bin
06/15/2007 12:00AM      Directory boot
01/04/2008 09:20AM      Directory dev
02/11/2008 05:01AM      Directory etc
07/17/2007 12:00AM      Directory home
02/11/2008 05:01AM      Directory lib
06/15/2007 12:00AM      Directory lost+found
06/15/2007 12:00AM      Directory media
01/04/2008 09:20AM      Directory misc
04/17/2007 12:00AM      Directory mnt
01/04/2008 09:20AM      Directory net
04/17/2007 12:00AM      Directory opt
01/04/2008 09:19AM      Directory proc

And if you click the links, you can actually download the files!!

How can i stop this from happening? Is it a setting in the smb.conf file?

Thanks in advance
Steve
stevemarsh99Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

michofreihaCommented:
The web browser is not asking for a username and password?
0
omarfaridCommented:
You need to look into /etc/vsftpd.conf for the below parameters and set them if not set:

anonymous_enable=YES
chroot_list_enable=YES
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
stevemarsh99Author Commented:
Thank you very much. Fast and accurate.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

stevemarsh99Author Commented:
Hold on....when I have made these two changes, you are no longer given the option to enter a username a password.  (in IE7) it logs you straight in and you can only see PUB entry.  And through windows explorer you are now unable to log in as anyone :(
0
omarfaridCommented:
You may change

anonymous_enable=NO
0
stevemarsh99Author Commented:
i have changed that and you still couldnt log in
0
omarfaridCommented:
Did you restart vsftpd?
0
stevemarsh99Author Commented:
Yes
0
omarfaridCommented:
If you remove both entries, does it solve your problem?
0
stevemarsh99Author Commented:
If I change anoymous access back to NO (how it was) and comment out the CHROOT one, it works but I still have the original problem
0
stevemarsh99Author Commented:
Anything?
0
omarfaridCommented:
I am trying to download vsftpd to my system and see how to do it.

Let me be clear about your requirement. You want to:

- Allow ftp with user name and password only (no quest login)
- Allow the user to browse but not download
- Strict the user to home dir
0
stevemarsh99Author Commented:
Sorry maybe I was not as clear as I should have been.

My situation is this....currenty, when people log in to our server through WINDOWS explorer they get prompted with a username and password.  They authenticate and they see the folders they are supposed to.  Great.  But if they use INTERNET explorer they are prompted with a username and password to which they fill in correctly, they login and then see a list of folders in the C:\.  If they are curious, they click on the links and they are able to browse freely into other peoples directories and see/download the content in these folders!

I am simply trying to stop this scenerio from happening in internet explorer.  Also if you log in successfully in firefox, you see the correct folders, but there is a link to "Go up a directory", if you keep clicking you can get to the root of C:\ again.

I just want to stop people seeing anything other than their area.

Thanks for you time so far.
0
stevemarsh99Author Commented:
Sorry, I forgot to show you what they see in IE7 if they log in successfully:

02/11/2008 05:01AM      Directory bin
06/15/2007 12:00AM      Directory boot
01/04/2008 09:20AM      Directory dev
02/11/2008 05:01AM      Directory etc
07/17/2007 12:00AM      Directory home
02/11/2008 05:01AM      Directory lib
06/15/2007 12:00AM      Directory lost+found
06/15/2007 12:00AM      Directory media
01/04/2008 09:20AM      Directory misc
04/17/2007 12:00AM      Directory mnt
01/04/2008 09:20AM      Directory net
04/17/2007 12:00AM      Directory opt
01/04/2008 09:19AM      Directory proc
02/11/2008 02:50PM      Directory root
02/11/2008 05:01AM      Directory sbin
06/15/2007 12:00AM      Directory selinux
06/15/2007 12:00AM      Directory srv
01/04/2008 09:19AM      Directory sys
02/11/2008 02:52PM      Directory tmp
06/20/2007 12:00AM      Directory usr
06/15/2007 12:00AM      Directory var

0
omarfaridCommented:
I tried the following option and it is working:

chroot_local_user=YES
0
stevemarsh99Author Commented:
Right, this is my actual vsftpd.conf file, please look and suggest:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=500
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=KHL FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

hide_file={*.bash_logout,.bash_profile,.bashrd}

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

#pasv_enable=YES
#pasv_promiscuous=NO
#port_enable=NO
#port_promiscuous=NO
pasv_max_port=65534
pasv_min_port=49152

pasv_address=195.11.216.182
0
omarfaridCommented:
Sorry, but I was away from my computer for the whole day.

I checked you conf file and here my comments:

- the option below is not added to your conf file to stop browsing others directories

chroot_local_user=YES

- the option below is not known to me, you may comment (by adding # before the option)

userlist_enable=YES

- the option below may be commented  (by adding # before the option)

chroot_list_enable=NO

- if you do noy want to allow guest / anonymous ftp login then change

anonymous_enable=YES

to

anonymous_enable=NO

Why do you keep referring to C:\ in your postings? Are you running vsftpd on Linux or Windows?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.