RARS - Bank of Useful Information

Avoiding ftp server attacks in Linux RedHat

From Adrian Friday

This message is really for anyone who has a linux box which is visible through the firewall via ftp (although in principle, I see no reason why this isn't a generic attack).

As many of you may know one of my servers' disks unexpectedly filled, with the resulting chaos that many people couldn't submit their Com120 coursework (at least not straightforwardly). In investigating this, I found that someone (a team of hackers presumably, particularly using cable modems in the netherlands) had been using the 'incoming' folder of my ftp server to store ripped off software. By default I think the incoming folder is world writeable and may even be readable (if you know the name of what you're looking for, as you can't list the contents - no problem in a world of URLs).

The upshot of all this was that they'd filled over 46% of my disc (all remaining space) with their junk.

So, my advice:

If your server is reachable from outside, then it's worth a check to see if anyone's been attacking it (on linux there should be stuff in the /var/log/xferlog from clients you don't recognise.
Check ~ftp/incoming for files (particularly 'space tests' as they look to see if there are quota restrictions 1kbtest, 1Mbtest etc.)
Do you use ftp at all on your server? If not, comment it out of inetd.conf.
My personal recommendation is to use SSH2 anyway which has scp2 (secure shell and secure copy respectively), this gives you encrypted terminal logins and copy facilities, and effectively replaces telnet, rsh, rlogin and rcp (comment these out of inetd.conf also). This is good standard practice because it's laughably easy to snoop usernames/ passwords from telnet/ ftp sessions.

Good clients for windows are tera term pro + ttssh and SSHWin (full ssh2 compliance) in \\central_soft\site\Win.NT\SSH (site licensed, I believe). If you have a Mac then try http://www.macssh.com/ (still looking for the copy client to go with it).

Follow up info:

As Cath very reasonably points out (thanks Cath): it is possible to remove support for anonymous users on your FTP server (usually /etc/ftpaccess). You can also normally specify what constitutes a 'local' versus a 'global' user and restrict based on this classification. Removing 'incoming' (or other world writeable folders) should also help, if this is never used on your system.