[olug] vsftpd - only allow anonymous upload

Jeff Hinrichs jlh at dundeemt.com
Tue Aug 12 00:21:20 UTC 2003


Carl Lundstedt wrote:
>>It appears that I've met my goal.
>>
>>Follow Up: Now that I've got it working, does anyone
>>A) see a flaw in my set up?
>>B) know of a better/easier way to accomplish the same?
>>
>>Thanks,
>>Jeff
>>
> 
> Do you care about overwrites?  
Yes, they should fail
> Does this prevent overwrites?  
Yes.
> Can anonymous download a "known" filename?  Can I delete a "known" file
> (i.e. one that was just uploaded)?
No and No
> If you prevent overwrites, then someone who REALLY wanted to could
> compile a list of "failures" and download/delete them (or just have a
> list of what's there, which is what you said you didn't want).
Yes, someone could compile a list of failures.  But they are unable to 
get/rm them.
> Can Anonymous mkdir?  Would that directory be readable?
No, mkdir is not allowed by anonymous
> I'm curious as to why you want to do this, but I understand if you don't
> feel like saying...
I can give a general reply.  Say that you were setting up a cataloging 
system for electronic documents for a number of geographically diverse 
offices. These documents are uploaded by dumb devices that only speak ftp.

Now I know that ftp is not a secure channel, but the value of the data is 
as a collection and not the individual pieces that create it.  So a man-
in-the-middle or sniffer attack would require the hacker to have the 
space and bandwidth to collect these pieces over time.  The real 
interest would be getting access to the collection or a portion of the 
collection.  By not allowing anonymous to list/get/rm/mkdir I can cut 
off an avenue of data collection.  Also, the ftp service doesn't allow 
users to log on to it; only anonymous connections are allowed.  This way 
I don't send even a smattering of info to an attacker.

I also use hosts.allow to limit access to known IPs.

The final obvious vector is a DoS by trying to swamp the machine with 
bogus data.  I have a cron job that inspects the upload directory and 
does away with files that are not of the correct type, or are the right 
type but above the predefined max size, or too many uploads from a given 
IP, and finally monitors free space and takes drastic measures, i.e. 
shuts down the ftp service.

I hate being forced into using ftp, but most device manufacturers think 
ftp is the be-all and end-all of open communications.  What I'd give to find 
something that uses scp or such, but they don't exist in the market 
segment I work with.  So I was trying to create the most secure, given 
the available resources, method of uploading files to a central area.

FYI, the ftp directory is not the final destination of the files but 
more of a rest stop.

-Jeff
p.s. If anyone sees something I've overlooked, I'd be grateful if you 
point it out.  I know there are a lot of smart people on the list and 
I'm always willing to learn a new trick :)
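The setup the message describes (anonymous may STOR and nothing else, hosts.allow for the source IPs, a cron sweep that deletes wrong-type or oversize uploads, watches per-IP volume and stops ftp when the disk fills) as one added example. It is not Jeff's configuration or cron job, which the thread does not show; it is a plain-sh script written for this page. The upload directory /var/ftp/incoming, the PDF file type, the 5 MiB and per-IP limits, the 90% disk threshold and the `service vsftpd stop` command are all assumptions. The vsftpd directives are real ones; note that vsftpd does not accept a trailing comment on a directive line, so comments go on their own lines. With `anon_other_write_enable=NO` vsftpd creates anonymous uploads exclusively, which is where the "no overwrite" behaviour comes from; verify it on your version by sending a second STOR for the same name and checking that it fails.

```shell
#!/bin/sh
# Added example, not the poster's own setup. Paths, limits and the PDF file
# type are assumptions; adjust them to the real upload area and devices.

UPLOAD_DIR="${UPLOAD_DIR:-/var/ftp/incoming}"   # assumed anon upload area
XFERLOG="${XFERLOG:-/var/log/xferlog}"          # written by xferlog_enable=YES
MAX_BYTES="${MAX_BYTES:-5242880}"               # assumed per-file cap (5 MiB)
MAX_PER_IP="${MAX_PER_IP:-50}"                  # assumed uploads per source
MAX_USED_PCT="${MAX_USED_PCT:-90}"              # stop ftp above this usage
STOP_CMD="${STOP_CMD:-service vsftpd stop}"     # the 'drastic measure'

# vsftpd.conf directives for "anonymous may upload and nothing else".
# vsftpd takes no trailing comments on a directive line, hence the layout.
print_vsftpd_conf() {
    cat <<'EOF'
listen=YES
anonymous_enable=YES
# no real accounts: nothing to guess, nothing to leak
local_enable=NO
write_enable=YES
anon_upload_enable=YES
# no MKD; no DELE/RNFR/RNTO, and uploads are created exclusively (no overwrite)
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# no RETR, no LIST/NLST, and uploaded files land mode 0600
download_enable=NO
dirlist_enable=NO
anon_umask=077
# per-source connection cap; honour /etc/hosts.allow; log every transfer
max_per_ip=2
tcp_wrappers=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
EOF
}

# classify_file FILE -> ok | badtype | toobig. The type check reads magic
# bytes, not the extension: a device (or an attacker) can name anything .pdf.
classify_file() {
    if [ "$(head -c 4 "$1" 2>/dev/null)" != "%PDF" ]; then
        echo badtype; return 0
    fi
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo toobig; return 0
    fi
    echo ok
}

# sweep_dir DIR -> removes every file that is not an acceptable upload and
# prints how many were removed.
sweep_dir() {
    removed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_file "$f")" != ok ]; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# ips_over_limit XFERLOG LIMIT -> remote hosts with more than LIMIT completed
# uploads. The wu-ftpd style xferlog has the remote host in field 7; the
# direction ('i' = incoming) and completion status are counted from the end
# (NF-6 and NF) so a filename containing spaces does not shift them.
ips_over_limit() {
    awk -v lim="$2" '
        $(NF-6) == "i" && $NF == "c" { n[$7]++ }
        END { for (h in n) if (n[h] > lim) print h }
    ' "$1"
}

# disk_used_pct DIR -> percent of DIR's filesystem in use, as an integer
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# The cron entry point: drop junk, report noisy sources, stop ftp when full.
run_sweep() {
    echo "removed $(sweep_dir "$UPLOAD_DIR") file(s) from $UPLOAD_DIR"
    for h in $(ips_over_limit "$XFERLOG" "$MAX_PER_IP"); do
        echo "source $h exceeded $MAX_PER_IP uploads; review its hosts.allow entry"
    done
    used=$(disk_used_pct "$UPLOAD_DIR")
    if [ "$used" -ge "$MAX_USED_PCT" ]; then
        echo "filesystem ${used}% full, stopping ftp"
        $STOP_CMD
    fi
}

case "${1-}" in
    conf)  print_vsftpd_conf ;;
    sweep) run_sweep ;;
esac
```

Run `sh sweep.sh conf` to print the directives for comparison with the live vsftpd.conf, and put `sh sweep.sh sweep` in cron. The hosts.allow side is a single line such as `vsftpd: 10.0.0.0/255.255.255.0` (network assumed) alongside `vsftpd: ALL` in hosts.deny; it only works when vsftpd was built with tcp_wrappers support and runs standalone (`listen=YES`). The sweep is a mitigation, not a guarantee: between two cron runs a source can still fill the disk, so keep the upload area on its own filesystem or quota so a flood cannot starve the rest of the machine.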


