
How vulnerable is setting up anonymous read-only ftp access to my LS?

  • born_daniel
    Message 1 of 4 , Oct 7, 2005
      Hi all,

      I know FTP is not secure at all and suffers many vulnerabilities but
      how much risk am I exposing my LS (and its data) to, by allowing
      anonymous read-only access to a separate shared folder?

      Still using root-hacked 1.44 on LS I (for now) :-)

      Thanks,
      Daniel
    • James Stewart
      Message 2 of 4 , Oct 10, 2005
        --- In LinkStation_General@yahoogroups.com, "born_daniel"
        <born_daniel@y...> wrote:
        >
        > Hi all,
        >
        > I know FTP is not secure at all and suffers many vulnerabilities but
        > how much risk am I exposing my LS (and its data) to, by allowing
        > anonymous read-only access to a separate shared folder?
        >
        > Still using root-hacked 1.44 on LS I (for now) :-)
        >
        > Thanks,
        > Daniel
        >

        It is not as bad as you think. Just remember that nothing is
        encrypted. This means never try to log in across the internet using a
        user name and password that you don't mind being totally public
        (remember your web browser might cache and then use a user/password
        pair that you didn't intend it to at times). Don't send or receive any
        data using FTP that you don't mind being totally public. Then make
        sure that the "ftp" and "anonymous" logins will not be allowed shell
        access or access to any other services you don't want the public
        into.

        I forgot what version of ProFTP the LS uses by default. It is
        probably an older version and might have some security issues. You
        might research this a bit and see if there were ever any known
        exploits of any of these security issues.
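To make the "nothing is encrypted" point concrete, here is an added example (not code from this thread or from Buffalo): a passive extraction of FTP logins from the control channel, the way anyone sniffing the path between a client and the LS would do it. The session below is constructed by hand for the example, not a real LinkStation capture; the user names and passwords in it are invented.

```python
import re

# A hand-constructed FTP control-channel capture (not a real LinkStation
# session): (direction, bytes) segments as a sniffer on the path would
# reassemble them. "C" is client -> server, "S" is server -> client.
CONSTRUCTED_SESSION = [
    ("S", b"220 linkstation FTP server (Version wu-2.6.1(1)) ready.\r\n"),
    ("C", b"USER daniel\r\n"),
    ("S", b"331 Password required for daniel.\r\n"),
    ("C", b"PASS hunter2\r\n"),
    ("S", b"530 Login incorrect.\r\n"),
    ("C", b"USER daniel\r\n"),
    ("S", b"331 Password required for daniel.\r\n"),
    ("C", b"PASS Hunter2!\r\n"),
    ("S", b"230 User daniel logged in.\r\n"),
    ("C", b"USER anonymous\r\n"),
    ("S", b"331 Guest login ok, send your e-mail address as password.\r\n"),
    ("C", b"PASS guest@\r\n"),
    ("S", b"230 Guest login ok, access restrictions apply.\r\n"),
    ("C", b"QUIT\r\n"),
    ("S", b"221 Goodbye.\r\n"),
]

_CLIENT_CMD = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)


def extract_logins(session):
    """Walk the control channel and return (user, password, outcome) for
    every PASS the client sent: 'ok' for a 2xx reply, 'failed' for
    4xx/5xx and 'unknown' for anything else (e.g. a 3xx asking for ACCT)."""
    logins = []
    user = None        # last USER seen
    pending = None     # (user, password) waiting for the server's verdict
    for direction, payload in session:
        for raw in payload.split(b"\r\n"):
            if not raw:
                continue
            line = raw.decode("latin-1")   # FTP commands are not guaranteed UTF-8
            if direction == "C":
                m = _CLIENT_CMD.match(line)
                if not m:
                    continue
                verb, arg = m.group(1).upper(), m.group(2)
                if verb == "USER":
                    user = arg
                elif user is not None:     # PASS following a USER
                    pending = (user, arg)
            elif pending is not None and line[:3].isdigit():
                code = line[:3]
                if code.startswith("2"):
                    outcome = "ok"
                elif code[0] in "45":
                    outcome = "failed"
                else:
                    outcome = "unknown"
                logins.append((pending[0], pending[1], outcome))
                pending = None
    return logins


def successful_credentials(session):
    """Only the (user, password) pairs the server accepted: what an
    eavesdropper walks away with."""
    return [(u, p) for u, p, outcome in extract_logins(session) if outcome == "ok"]


if __name__ == "__main__":
    for user, password, outcome in extract_logins(CONSTRUCTED_SESSION):
        print(f"{user!r:14} {password!r:14} {outcome}")
```

Note that the failed attempt is just as visible as the successful one, so a mistyped password for another account leaks too; that is the reason the advice above is to treat any credential sent over FTP as public.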
      • born_daniel
        Message 3 of 4 , Oct 11, 2005
          Well, my understanding of most ftp exploits is that you send a
          binary file containing executable code and then you end up being
          able to execute that code somehow.

          If I use a read-only, anonymous account setup for public data (such
          as family pictures or hosting files to be accessed from discussion
          forums by supplying a link to these files), it shouldn't be very
          risky. My only concern is about my other shares under /mnt that I
          didn't allow access to the ftp server, can they be read or written
          to by some ftp exploit?

          The version of ftp appears to be wu-ftp 2.6.1 and there are talks
          about vulnerabilities of this version but I wasn't able to find any
          details about what they are and what they allow...

          Thanks,
          Daniel

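The two questions above (is the anonymous login really read-only, and can it reach the other shares under /mnt) can be answered from a client machine rather than by guessing. The following is an added example, not code from the thread or from Buffalo: it grabs the 220 greeting to identify which daemon and version answers (so the exact release can be looked up in advisories), logs in as anonymous, and then attempts every operation a read-only, jailed share should refuse. The host name "linkstation", the probe file names and the three sample banners are assumptions constructed for the example.

```python
import io
import re
import sys
from ftplib import FTP, error_perm, error_temp

# Greeting lines in the formats the two daemons use. Constructed for the
# example; not captured from a LinkStation.
CONSTRUCTED_BANNERS = [
    "220 linkstation FTP server (Version wu-2.6.1(1) Wed Aug 8 15:20:04 JST 2001) ready.",
    "220 ProFTPD 1.2.9 Server (ProFTPD Default Installation) [linkstation]",
    "220 Welcome",
]


def identify_server(banner):
    """Parse the 220 greeting into (daemon, version) so the exact release
    can be checked against advisories; ('unknown', None) if it hides it."""
    m = re.search(r"wu-([\d.]+)", banner)
    if m:
        return ("wu-ftpd", m.group(1))
    m = re.search(r"ProFTPD\s+([\d.]+\S*)", banner)
    if m:
        return ("ProFTPD", m.group(1))
    return ("unknown", None)


def refused(action):
    """Run one FTP operation; True if the server answered with 4xx/5xx."""
    try:
        action()
    except (error_perm, error_temp):
        return True
    return False


def problems(findings):
    """Names of the checks whose result was not what a read-only, confined
    anonymous share should give (the non-boolean 'daemon' entry is ignored)."""
    return sorted(name for name, ok in findings.items() if ok is False)


def audit_anonymous_share(host, other_share="/mnt", timeout=10):
    """Log in as 'anonymous' and try what a read-only share must refuse.
    Every boolean in the returned dict is True when the server did the right thing."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    findings = {"daemon": identify_server(ftp.getwelcome())}
    ftp.login("anonymous", "audit@example.invalid")   # any e-mail-like string will do
    start = ftp.pwd()

    # Reading is the share's job, so a listing must work.
    findings["listing_works"] = not refused(
        lambda: ftp.retrlines("LIST", lambda _line: None))

    # No kind of write may succeed. Clean up if one does, so the probe
    # leaves nothing behind on a misconfigured box.
    findings["upload_refused"] = refused(
        lambda: ftp.storbinary("STOR audit-probe.txt", io.BytesIO(b"probe")))
    if not findings["upload_refused"]:
        refused(lambda: ftp.delete("audit-probe.txt"))
    findings["mkdir_refused"] = refused(lambda: ftp.mkd("audit-probe-dir"))
    if not findings["mkdir_refused"]:
        refused(lambda: ftp.rmd("audit-probe-dir"))

    # Confinement: '..' from the login directory must lead nowhere new, and an
    # absolute path to another share must be rejected outright. If the anonymous
    # root is a subdirectory inside the jail, '..' legitimately moves up one
    # level, so 'other_share_refused' is the decisive check.
    moved = not refused(lambda: ftp.cwd(".."))
    findings["dotdot_confined"] = (not moved) or ftp.pwd() == start
    ftp.cwd(start)
    findings["other_share_refused"] = refused(lambda: ftp.cwd(other_share))

    ftp.quit()
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "linkstation"   # assumed host name
    result = audit_anonymous_share(host)
    print("server:", result["daemon"])
    print("problems:", problems(result) or "none")
```

Run it from the LAN first and then, if the share is published, from outside as well: the outside view is the one an attacker gets. A daemon that rejects STOR and MKD but lets "cd /mnt" succeed is the exact failure Daniel is worried about; the other shares are then one listing away even though the share itself is "read-only". The version the greeting reports is what to search advisories for; it may be hidden or wrong, so treat an "unknown" result as "check the binary on the box".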
        • James Stewart
          Message 4 of 4 , Oct 12, 2005
            --- In LinkStation_General@yahoogroups.com, "born_daniel"
            <born_daniel@y...> wrote:
            >
            > Well, my understanding of most ftp exploits is that you send a
            > binary file containing executable code and then you end up being
            > able to execute that code somehow.

            Yes. If you allow people to send you stuff there is always a
            possibility they will then find a way to execute it, often using
            some other unrelated exploit you might have.

            > The version of ftp appears to be wu-ftp 2.6.1 and there are talks
            > about vulnerabilities of this version but I wasn't able to find
            > any details about what they are and what they allow...

            I never used the original OS on my LS long enough to figure this
            out, but there were two ftp servers installed on the LS, wu-ftp and
            proftp. I never quite understood which one got used for what, but
            assumed one was used over the other when you enabled "anonymous
            FTP" on the LS's Web Interface.

            > Thanks,
            > Daniel
            >