stevemarsh99
asked on
How to restrict access to our server!
Hi all,
Simple question (least I think!), I have vsftpd running on a fedora server and I roughly know enough to set it up and get it going but have found out now in Internet Explorer 7, if you browse it and log in successfully, you see a list of all the folders on the system:
02/11/2008 05:01AM Directory bin
06/15/2007 12:00AM Directory boot
01/04/2008 09:20AM Directory dev
02/11/2008 05:01AM Directory etc
07/17/2007 12:00AM Directory home
02/11/2008 05:01AM Directory lib
06/15/2007 12:00AM Directory lost+found
06/15/2007 12:00AM Directory media
01/04/2008 09:20AM Directory misc
04/17/2007 12:00AM Directory mnt
01/04/2008 09:20AM Directory net
04/17/2007 12:00AM Directory opt
01/04/2008 09:19AM Directory proc
And if you click the links, you can actually download the files!!
How can i stop this from happening? Is it a setting in the smb.conf file?
Thanks in advance
Steve
Simple question (least I think!), I have vsftpd running on a fedora server and I roughly know enough to set it up and get it going but have found out now in Internet Explorer 7, if you browse it and log in successfully, you see a list of all the folders on the system:
02/11/2008 05:01AM Directory bin
06/15/2007 12:00AM Directory boot
01/04/2008 09:20AM Directory dev
02/11/2008 05:01AM Directory etc
07/17/2007 12:00AM Directory home
02/11/2008 05:01AM Directory lib
06/15/2007 12:00AM Directory lost+found
06/15/2007 12:00AM Directory media
01/04/2008 09:20AM Directory misc
04/17/2007 12:00AM Directory mnt
01/04/2008 09:20AM Directory net
04/17/2007 12:00AM Directory opt
01/04/2008 09:19AM Directory proc
And if you click the links, you can actually download the files!!
How can i stop this from happening? Is it a setting in the smb.conf file?
Thanks in advance
Steve
The web browser is not asking for a username and password?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you very much. Fast and accurate.
ASKER
Hold on....when I have made these two changes, you are no longer given the option to enter a username a password. (in IE7) it logs you straight in and you can only see PUB entry. And through windows explorer you are now unable to log in as anyone :(
You may change
anonymous_enable=NO
anonymous_enable=NO
ASKER
i have changed that and you still couldnt log in
Did you restart vsftpd?
ASKER
Yes
If you remove both entries, does it solve your problem?
ASKER
If I change anoymous access back to NO (how it was) and comment out the CHROOT one, it works but I still have the original problem
ASKER
Anything?
I am trying to download vsftpd to my system and see how to do it.
Let me be clear about your requirement. You want to:
- Allow ftp with user name and password only (no quest login)
- Allow the user to browse but not download
- Strict the user to home dir
Let me be clear about your requirement. You want to:
- Allow ftp with user name and password only (no quest login)
- Allow the user to browse but not download
- Strict the user to home dir
ASKER
Sorry maybe I was not as clear as I should have been.
My situation is this....currenty, when people log in to our server through WINDOWS explorer they get prompted with a username and password. They authenticate and they see the folders they are supposed to. Great. But if they use INTERNET explorer they are prompted with a username and password to which they fill in correctly, they login and then see a list of folders in the C:\. If they are curious, they click on the links and they are able to browse freely into other peoples directories and see/download the content in these folders!
I am simply trying to stop this scenerio from happening in internet explorer. Also if you log in successfully in firefox, you see the correct folders, but there is a link to "Go up a directory", if you keep clicking you can get to the root of C:\ again.
I just want to stop people seeing anything other than their area.
Thanks for you time so far.
My situation is this....currenty, when people log in to our server through WINDOWS explorer they get prompted with a username and password. They authenticate and they see the folders they are supposed to. Great. But if they use INTERNET explorer they are prompted with a username and password to which they fill in correctly, they login and then see a list of folders in the C:\. If they are curious, they click on the links and they are able to browse freely into other peoples directories and see/download the content in these folders!
I am simply trying to stop this scenerio from happening in internet explorer. Also if you log in successfully in firefox, you see the correct folders, but there is a link to "Go up a directory", if you keep clicking you can get to the root of C:\ again.
I just want to stop people seeing anything other than their area.
Thanks for you time so far.
ASKER
Sorry, I forgot to show you what they see in IE7 if they log in successfully:
02/11/2008 05:01AM Directory bin
06/15/2007 12:00AM Directory boot
01/04/2008 09:20AM Directory dev
02/11/2008 05:01AM Directory etc
07/17/2007 12:00AM Directory home
02/11/2008 05:01AM Directory lib
06/15/2007 12:00AM Directory lost+found
06/15/2007 12:00AM Directory media
01/04/2008 09:20AM Directory misc
04/17/2007 12:00AM Directory mnt
01/04/2008 09:20AM Directory net
04/17/2007 12:00AM Directory opt
01/04/2008 09:19AM Directory proc
02/11/2008 02:50PM Directory root
02/11/2008 05:01AM Directory sbin
06/15/2007 12:00AM Directory selinux
06/15/2007 12:00AM Directory srv
01/04/2008 09:19AM Directory sys
02/11/2008 02:52PM Directory tmp
06/20/2007 12:00AM Directory usr
06/15/2007 12:00AM Directory var
02/11/2008 05:01AM Directory bin
06/15/2007 12:00AM Directory boot
01/04/2008 09:20AM Directory dev
02/11/2008 05:01AM Directory etc
07/17/2007 12:00AM Directory home
02/11/2008 05:01AM Directory lib
06/15/2007 12:00AM Directory lost+found
06/15/2007 12:00AM Directory media
01/04/2008 09:20AM Directory misc
04/17/2007 12:00AM Directory mnt
01/04/2008 09:20AM Directory net
04/17/2007 12:00AM Directory opt
01/04/2008 09:19AM Directory proc
02/11/2008 02:50PM Directory root
02/11/2008 05:01AM Directory sbin
06/15/2007 12:00AM Directory selinux
06/15/2007 12:00AM Directory srv
01/04/2008 09:19AM Directory sys
02/11/2008 02:52PM Directory tmp
06/20/2007 12:00AM Directory usr
06/15/2007 12:00AM Directory var
I tried the following option and it is working:
chroot_local_user=YES
chroot_local_user=YES
ASKER
Right, this is my actual vsftpd.conf file, please look and suggest:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=Y ES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsf tpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=50 0
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=KHL FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vs ftpd/banne d_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsf tpd/chroot _list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
hide_file={*.bash_logout,. bash_profi le,.bashrd }
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#pasv_enable=YES
#pasv_promiscuous=NO
#port_enable=NO
#port_promiscuous=NO
pasv_max_port=65534
pasv_min_port=49152
pasv_address=195.11.216.18 2
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=Y
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsf
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=50
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=KHL FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vs
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsf
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
hide_file={*.bash_logout,.
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#pasv_enable=YES
#pasv_promiscuous=NO
#port_enable=NO
#port_promiscuous=NO
pasv_max_port=65534
pasv_min_port=49152
pasv_address=195.11.216.18
Sorry, but I was away from my computer for the whole day.
I checked you conf file and here my comments:
- the option below is not added to your conf file to stop browsing others directories
chroot_local_user=YES
- the option below is not known to me, you may comment (by adding # before the option)
userlist_enable=YES
- the option below may be commented (by adding # before the option)
chroot_list_enable=NO
- if you do noy want to allow guest / anonymous ftp login then change
anonymous_enable=YES
to
anonymous_enable=NO
Why do you keep referring to C:\ in your postings? Are you running vsftpd on Linux or Windows?
I checked you conf file and here my comments:
- the option below is not added to your conf file to stop browsing others directories
chroot_local_user=YES
- the option below is not known to me, you may comment (by adding # before the option)
userlist_enable=YES
- the option below may be commented (by adding # before the option)
chroot_list_enable=NO
- if you do noy want to allow guest / anonymous ftp login then change
anonymous_enable=YES
to
anonymous_enable=NO
Why do you keep referring to C:\ in your postings? Are you running vsftpd on Linux or Windows?