Solved

How to block third party access to my website ftp?

Posted on 2008-10-31
Last Modified: 2012-05-05
I have used many reputed hosting company and have noticed that if you just type in something like ftp://yourdomain@yourdomain.com in explorer address bar then a pop up opens up giving out the username 100% accurate. Now I think this is a threat to any website since the hacker just needs to guess the password and he can get in. Now can I do something that rejects this and other similar attempts by any body trying to play some mischief with my websites?
Question by:Jeffreym17
 
LVL 14

Expert Comment

by:Kaffiend
FTP has been known for a while as notoriously insecure.

Some things you can do:
Don't use FTP - there are other, more secure ways. For example, SharePoint is good unless you are dealing with very large files (SharePoint supports uploading/downloading large files, but to me is not quite as friendly as FTP). SharePoint supports SSL-encrypted authentication as well.

If you have to use FTP, get a third-party FTP solution, which supports encryption, password authentication, and timeouts/lockouts after a certain number of wrong password attempts.

To lock things down even further, make separate accounts to use only for FTP, so even if someone manages to guess their way in, all they can do is steal company secrets on your FTP site (not that anybody would actually post company secrets on an FTP server, would they?)
0
 
LVL 35

Expert Comment

by:torimar
That's a misunderstanding.

The popup displays only the username that you yourself have given.
"ftp://anyname@mydomain.com" is defined as an address type containing a username. So IE assumes that you wish to connect using 'anyname' as a login.

Try it yourself. Instead of using yourdomain@yourdomain.com, use a fantasy name that does not correspond to any FTP username on your site. It will be displayed to you nonetheless.

By no means can FTP client software ever find out a valid username on a server just by itself.
0
 

Author Comment

by:Jeffreym17
Everybody out there, thanks for your comments, but please can you put some more input on the following (and I intend this only as an example, nothing more): try typing ftp://xyz@godaddy.com and you get the following message in a pop-up: "Windows cannot access this folder..... bla bla bla.... and the connection to the server was reset." I think almost all big-time websites like Yahoo and Google etc. have this message displayed. What's this? Is this some kind of security and, if yes, how can it be achieved?
0
 

 
LVL 35

Expert Comment

by:torimar
The popup you get is an IExplorer message. In other browsers you get an error page stating that no connection is possible.

In the case of Google and Yahoo the explanation is simple: ftp.google.com and ftp.yahoo.com simply do not exist.

In the case of ftp.godaddy.com, connecting via browser seems to be blocked. When you FTP to them directly, you get:

ftp> open ftp.godaddy.com
Connection established with corpftp-v01.prod.mesa1.secureserver.net
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 07:05. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (corpftp-v01.prod.mesa1.secureserver.net:(none)):

So there is some kind of access restriction. I presume they use .htaccess and block the user agent strings of the most common web browsers like this, for instance:

BrowserMatchNoCase Mozilla firefox
Order Deny,Allow
Deny from env=firefox

(Read more about this here: http://www.thesitewizard.com/apache/block-bots-with-htaccess.shtml)


But look at the opposite side as well. Type, for instance:
ftp://ftp.microsoft.com
- and you end up right inside of their server structure.


Locking out web browsers from your ftp site is kind of useless, because most people use FTP clients anyway when they want to connect (like Filezilla, google for it, it's free; there is also a fine Firefox extension called FireFTP).

If you are concerned about the security of your website, there are two things that you can do:
- choose strong passwords only: 8-10 characters, mix of upper and lower case, numbers and non-alphanumeric
- make sure the PHP/MySQL applications you use are safe and always up-to-date: most script kiddies who like to deface sites get in through security holes in the software used by the site, not through ftp.
0
 
LVL 1

Expert Comment

by:technodeborah
If you type ftp://abcdef@yourdomain.com in the address bar, the authentication username password window will appear with abcdef as username.

If you type ftp://123456@yourdomain.com in the address bar, the authentication username password window will appear with 123456 as username.
In a nutshell, what will appear in the authentication window will be what you type.
 
 
0
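To make torimar's and technodeborah's point concrete, here is an added Python example (not code from the thread) that parses an ftp:// URL the way a client does and shows that the prefilled username is simply the URL's userinfo part, never something learned from the server; the function name ftp_login_from_url and the sample hostnames are assumptions.

```python
from urllib.parse import urlsplit, unquote


def ftp_login_from_url(url: str) -> dict:
    """Return what an FTP client would prefill from a URL's userinfo.

    RFC 1738 defines ftp://<user>:<password>@<host>:<port>/<path>.
    Everything returned here comes from the text you typed between
    'ftp://' and '@'; no connection is made, so the client cannot
    know whether the name exists until it sends USER/PASS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise ValueError(f"not an ftp URL: {url}")
    # Userinfo may be percent-encoded, e.g. an '@' inside the name is %40.
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return {
        "host": parts.hostname,
        "port": parts.port or 21,
        # RFC 1738: with no userinfo the client logs in as "anonymous".
        "username": user if user is not None else "anonymous",
        # A password in the URL lands in browser history and proxy logs;
        # flag it so the caller can warn rather than silently send it.
        "password_in_url": password is not None,
        "learned_from_server": False,
    }


if __name__ == "__main__":
    # Constructed sample URLs mirroring the ones discussed in the thread.
    for sample in (
        "ftp://yourdomain@yourdomain.com",
        "ftp://xyz@godaddy.com",
        "ftp://ftp.microsoft.com",
        "ftp://user%40example.com@host.example",
        "ftp://u:secret@host.example:2121",
    ):
        print(sample, "->", ftp_login_from_url(sample))
```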
 

Author Comment

by:Jeffreym17
Hi torimar, I got you, but do you mean that if I use proper usernames and passwords, a mix of what you said above.... then even doing FTP from the browser is safe by all means?
0
 
LVL 35

Accepted Solution

by:torimar (earned 250 total points)
Yes, if you don't use an easily guessable username and a secure password, then you are as safe from the FTP side as you can be.

However, don't use FTP while connected to a public hotspot or a LAN/WLAN that is not trustworthy, because that's where a malicious person intent on doing so could sniff your unencrypted login details from the network traffic.
If you need to use FTP in such locations, check with your host whether they offer SSL/TLS. If they do, enable it.
But then you will have to use proper FTP client software because browsers don't yet offer SSL services.
0
 

Author Closing Comment

by:Jeffreym17
Thanks for your continuous support... all the best
0
