Jeffreym17 asked:

How to block third-party access to my website FTP?

I have used many reputable hosting companies and have noticed that if you just type something like ftp://yourdomain@yourdomain.com in the Explorer address bar, a pop-up opens up giving out the username 100% accurately. Now I think this is a threat to any website, since the hacker just needs to guess the password and he can get in. Now can I do something that rejects this and other similar attempts by anybody trying to play some mischief with my websites?
Kaffiend:

FTP has been known for a while as notoriously insecure.

Some things you can do:
Don't use FTP - there are other, more secure ways; for example, SharePoint is good unless you are dealing with very large files (SharePoint supports uploading/downloading large files, but to me is not quite as friendly as FTP). SharePoint supports SSL-encrypted authentication as well.

If you have to use FTP, get a third-party FTP solution, which supports encryption, password authentication, and timeouts/lockouts after a certain number of wrong password attempts.

To lock things down even further, make separate accounts to use only for FTP, so even if someone manages to guess their way in, all they can do is steal company secrets on your FTP site (not that anybody would actually post company secrets on an FTP server, would they?)
That's a misunderstanding.

The popup displays only the username that you yourself have given.
"ftp://anyname@mydomain.com" is defined as an address type containing a username. So IE assumes that you wish to connect using 'anyname' as a login.

Try it yourself. Instead of using yourdomain@yourdomain.com, use a fantasy name that does not correspond to any FTP username on your site. It will be displayed to you nonetheless.

By no means can FTP client software ever find out a valid username on a server just by itself.
Jeffreym17 (asker):

Everybody out there, thanks for your comments, but please can you put some more input on the following (and I intend this only as an example, nothing more): try typing ftp://xyz@godaddy.com and you get the following message in a pop-up: "Windows cannot access this folder ... bla bla bla ... and the connection to the server was reset." I think almost all big-time websites like Yahoo and Google etc. have this message displayed. What's this? Is this some kind of security, and if yes, how can it be achieved?
The popup you get is an IExplorer message. In other browsers you get an error page stating that no connection is possible.

In the case of Google and Yahoo the explanation is simple: ftp.google.com and ftp.yahoo.com simply do not exist.

In the case of ftp.godaddy.com, connecting via browser seems to be blocked. When you FTP to them directly, you get:

ftp> open ftp.godaddy.com
Connection established with corpftp-v01.prod.mesa1.secureserver.net
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 07:05. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (corpftp-v01.prod.mesa1.secureserver.net:(none)):

So there is some kind of access restriction. I presume they use .htaccess and block the user agent strings of the most common web browsers like this, for instance:

# set the env var "firefox" on any request whose User-Agent contains "Mozilla" (case-insensitive)
BrowserMatchNoCase Mozilla firefox
# with Order Deny,Allow, requests that match no Deny rule are allowed; those carrying the env var are denied
Order Deny,Allow
Deny from env=firefox

(Read more about this here: http://www.thesitewizard.com/apache/block-bots-with-htaccess.shtml)


But look at the opposite side as well. Type, for instance:
ftp://ftp.microsoft.com
- and you end up right inside of their server structure.


Locking out web browsers from your FTP site is kind of useless, because most people use FTP clients anyway when they want to connect (like FileZilla: google for it, it's free; there is also a fine Firefox extension called FireFTP).

If you are concerned about the security of your website, there are two things that you can do:
- choose strong passwords only: 8-10 characters, mix of upper and lower case, numbers and non-alphanumeric
- make sure the PHP/MySQL applications you use are safe and always up-to-date: most script kiddies who like to deface sites get in through security holes in the software used by the site, not through ftp.
If you type ftp://abcdef@yourdomain.com in the address bar, the authentication username password window will appear with abcdef as username.

If you type ftp://123456@yourdomain.com in the address bar, the authentication username/password window will appear with 123456 as username.
In a nutshell, what will appear in the authentication window will be what you type.
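As an added illustration (not code from any of the posters), a small Python simulation of the two points made in this thread: the name a browser pre-fills comes only from the userinfo part of the URL, and a server that answers every failed login identically and locks a client out after repeated failures gives a password guesser nothing to work with. The 5-attempt / 15-minute limits, the 421 reply text and the in-memory tables are assumptions of this toy model, not the behaviour of Pure-FTPd or any other real server.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Policy values chosen for this simulation (assumptions, not any real server's defaults)
MAX_FAILURES = 5           # wrong passwords allowed before a client address is locked out
LOCKOUT_SECONDS = 15 * 60  # how long a locked-out address stays blocked


def username_from_url(url: str):
    """Return the userinfo name in an ftp:// URL, or None if there is none.

    This is all a browser knows when it pre-fills the login dialog: nothing has
    been asked of the server yet, so the name cannot have come from it.
    """
    return urlsplit(url).username


@dataclass
class FtpLoginSim:
    """Toy model of the server side of an FTP login (not a real FTP server)."""
    credentials: dict                                  # username -> password (constructed sample data)
    failures: dict = field(default_factory=dict)       # client ip -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # client ip -> time the lockout expires

    def login(self, client_ip: str, username: str, password: str, now: float) -> str:
        """Process one USER/PASS attempt from client_ip at time `now` (seconds)."""
        if self.locked_until.get(client_ip, 0) > now:
            return "421 Too many failed logins, try again later"
        # An unknown name and a wrong password take the same path and get the same
        # reply, so a caller cannot learn which usernames exist.
        if self.credentials.get(username) == password:
            self.failures.pop(client_ip, None)
            return "230 Login successful"
        count = self.failures.get(client_ip, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[client_ip] = now + LOCKOUT_SECONDS
            self.failures.pop(client_ip, None)
            return "421 Too many failed logins, try again later"
        self.failures[client_ip] = count
        return "530 Login incorrect"


if __name__ == "__main__":
    sim = FtpLoginSim({"webmaster": "c0rrect-h0rse!"})   # constructed sample account
    print(username_from_url("ftp://xyz@godaddy.com"))   # xyz: taken from the URL, not the server
    for attempt in range(MAX_FAILURES):
        print(sim.login("203.0.113.7", "xyz", f"guess{attempt}", now=1000.0 + attempt))
    # Even the right password is refused while the lockout is in force
    print(sim.login("203.0.113.7", "webmaster", "c0rrect-h0rse!", now=1010.0))
```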
Hi torimar, I got you, but do you mean that if I use proper usernames and passwords, a mix of what you said above, then even doing FTP from the browser is safe by all means?
ASKER CERTIFIED SOLUTION (torimar)

Thanks for your continuous support... all the best