Re: anonymous-ftp cracked
On 13-Sep-2001 Joe Greco wrote:
> Ted: I've been watching this one because I've HAD to allow uploads to
> incoming because of a need for such a place for article submissions from
> our Tech mag website from 175+ countries.
>
> Your tips for monitoring (like the script for a daily listing of the
> directory) are so simple and obvious it put a smile on my face. Thanks! LUV
> this list!
>
> Assuming you're using wuftpd:

Assuming you're using -current: You could also try lukemftpd, and use the 'maxfilesize' and 'rateget' configuration settings. See http://people.freebsd.org/~mikeh/diffs/lukemftpd/ for instructions for connecting it to the build.

Mike

--
Mike Heffner mheffner@[acm.]vt.edu
Blacksburg, VA [EMAIL PROTECTED]
Re: anonymous-ftp cracked
[broken quoting fixed]

Kory Hamzeh [EMAIL PROTECTED] wrote:
> Ted Mittelstaedt wrote:
> > I've had a bit of experience with this sort of thing and I have to say
> > that nobody should be running an open FTP server that allows uploading to
> > anyone unless they are willing to take the time to monitor it - and I
> > mean every day, preferably several times a day.
> > [...]
>
> Yup, I had some jerk constantly fill up the filesystem of the ftp
> directory until I finally disabled all uploads. The ethics of some people
> just amazes me.

If you absolutely need to have an anonymous upload directory, it is probably a good idea to disable ls and read-permission in that directory. That way people can upload things, but they can neither list nor download them without prior operator intervention.

Regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
All that we see or seem is just a dream within a dream (E. A. Poe)

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
Re: anonymous-ftp cracked
On Thu, Sep 13, 2001 at 12:13:08PM -0300, Rik van Riel wrote:
> On Wed, 12 Sep 2001, Ted Mittelstaedt wrote:
> > nobody should be running an open FTP server that allows uploading to
> > anyone unless they are willing to take the time to monitor it
>
> Some ftp daemons have the option to automatically email the admins every
> time a file gets uploaded.

Yes. NcFTPd (which has a version for FreeBSD) allows one to do this. It also has many other configuration options that I consider mandatory for anonymous ftp servers -- esp. ones with an incoming directory.
RE: anonymous-ftp cracked
Ted: I've been watching this one because I've HAD to allow uploads to incoming because of a need for such a place for article submissions from our Tech mag website from 175+ countries.

Your tips for monitoring (like the script for a daily listing of the directory) are so simple and obvious it put a smile on my face. Thanks! LUV this list!

At 09:28 PM 9.12.2001 -0700, Ted Mittelstaedt wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giorgos Keramidas
>
> > Another common thing done in writable incoming/ directories is to create
> > a file of fixed size, say 100 Mb, and use vnconfig to mount this file as
> > the incoming/ directory of an FTP server. Then there's only about 100 Mb
> > of space available in your incoming/ and nobody can store tons of data in
> > there, wasting your disk space until disks are full.
>
> Hi Uli and Giorgos,
>
> I've had a bit of experience with this sort of thing and I have to say
> that nobody should be running an open FTP server that allows uploading to
> anyone unless they are willing to take the time to monitor it - and I mean
> every day, preferably several times a day.
>
> 100MB is plenty of space for some jerk to upload his collection of Sally
> SpreadEagle in all her silicon glory. If that happens you're going to find
> every bit of outbound bandwidth you have completely saturated. If you're
> unlucky enough to have your FTP server at an ISP you may find yourself
> fined heavily (i.e. overage charges).
>
> Some people have a little script that runs out of cron and diffs the
> output of ls against the previous run and e-mails the maintainer when new
> files show up, others simply check by eye. Whatever works for you is fine,
> but don't think that you can just put out public storage for anyone to use
> as they see fit and just ignore it anymore.
>
> Ted Mittelstaedt [EMAIL PROTECTED]
> Author of: The FreeBSD Corporate Networker's Guide
> Book website: http://www.freebsd-corp-net-guide.com

Best regards,
Jack L. Stone, Server Admin
Sage-American
http://www.sage-american.com
[EMAIL PROTECTED]
Re: anonymous-ftp cracked
On Thu, 13 Sep 2001 09:08:17 EST, [EMAIL PROTECTED] wrote:
> Your tips for monitoring (like the script for a daily listing of the
> directory) are so simple and obvious it put a smile on my face. Thanks! LUV
> this list!

Since the damage of a cross-post is mostly done, I'm surprised nobody bothered to point out that, since you're already running -CURRENT (irrespective of whether it's a suitable platform for you to use), you may as well take advantage of the new -o and -O write-only mode options to ftpd. In your case, you probably want -O, write-only mode for anonymous users only.

There's no substitute for reading the documentation that accompanies the software you use.

Ciao,
Sheldon.
RE: anonymous-ftp cracked
On Wed, 12 Sep 2001, Ted Mittelstaedt wrote:
> nobody should be running an open FTP server that allows uploading to
> anyone unless they are willing to take the time to monitor it

Some ftp daemons have the option to automatically email the admins every time a file gets uploaded.

> 100MB is plenty of space for some jerk to upload his collection of Sally
> SpreadEagle in all her silicon glory. If that happens you're going to find
> every bit of outbound bandwidth you have completely saturated.

That's what per-directory bandwidth limitations are for. If your /incoming needs to be usable for articles, you could just limit it to something like 2 kB/s per user. That's enough for legitimate articles, but for warez and porn it becomes effectively write-only.

The only real problem is that people tend to upload the most worthless crap, so nothing interesting ever shows up in the 'harvesting' area.

cheers,

Rik
--
IA64: a worthy successor to the i860.
http://www.surriel.com/ http://www.conectiva.com/ http://distro.conectiva.com/
Re: anonymous-ftp cracked
From: P. U. (Uli) Kruppa [EMAIL PROTECTED]
Subject: anonymous-ftp cracked
Date: Wed, Sep 12, 2001 at 05:52:23PM +0200

> I am running -CURRENT (ok - though I do not know anything about computers)

Why are you running -CURRENT? Users that are running -CURRENT are expected to be able to track relatively simple problems like this one, without asking tons of questions. And this is not a problem of -CURRENT but of ftpd setup :-/

> and just found about 624 MB trash in my /var/ftp - this is my
> anonymous-ftp-directory. It was disposed in a sub-directory
> ../incoming/tagged/byDj-krok .

You have not been cracked. Somebody just uses your writable /incoming directory to store their data. Since they *do* have write access in there, this is a legitimate use of your FTP server.

> What can I do (besides deleting this stuff)?

Do not allow write access in /var/ftp/incoming ?

Another common thing done in writable incoming/ directories is to create a file of fixed size, say 100 Mb, and use vnconfig to mount this file as the incoming/ directory of an FTP server. Then there's only about 100 Mb of space available in your incoming/ and nobody can store tons of data in there, wasting your disk space until disks are full.

-giorgos
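The two defences proposed in this thread, Giorgos' fixed-size file-backed filesystem for incoming/ and Oliver's write-only directory (no listing, no reading), put together in one script. This is an added example, not code posted by anyone in the thread. The image path, the vn0 device, the size and the mount point are assumptions; the vnconfig/disklabel/newfs sequence is the FreeBSD 4.x one (later releases replaced vn(4) with md(4) and mdconfig(8)), and the setup steps only run when the script is invoked with its three arguments, as root.

```shell
#!/bin/sh
# Added example (not from the thread): bound what an anonymous incoming/
# directory can hold and make it write-only for the anonymous user.
# Assumptions: image file, vn0, size in MB and mount point are all
# supplied by the caller; FreeBSD 4.x vnconfig(8) syntax.
set -u

# Kilobytes needed for an image of SIZE_MB megabytes (dd bs=1k count=...).
image_kblocks() {
    echo $(( $1 * 1024 ))
}

# Create a zero-filled image of SIZE_MB megabytes at IMAGE. Nothing can
# grow the filesystem inside it, so this is the hard ceiling on what
# incoming/ can ever consume, whatever gets uploaded.
make_incoming_image() {
    image=$1; size_mb=$2
    dd if=/dev/zero of="$image" bs=1k count="$(image_kblocks "$size_mb")"
}

# Attach the image to vn0, label it, put a filesystem on it and mount it on
# the incoming directory. noexec/nosuid/nodev: nothing uploaded here should
# ever be runnable in place. Run once at boot.
attach_incoming_fs() {
    image=$1; mountpoint=$2
    vnconfig -s labels -c vn0 "$image"
    disklabel -r -w vn0 auto
    newfs /dev/vn0c
    mount -o noexec,nosuid,nodev /dev/vn0c "$mountpoint"
}

# Make the directory write-only for the anonymous user: the x bit lets ftpd
# chdir into it and create files, the missing r bit is what stops LIST/NLST.
# Owned by root so the ftp user cannot chmod it back; the ftp group gets the
# write bit (assumes ftpd runs anonymous sessions as user/group ftp).
harden_incoming_dir() {
    dir=$1
    if [ "$(id -u)" -eq 0 ] && grep -q '^ftp:' /etc/group; then
        chown root:ftp "$dir"
    fi
    chmod 0733 "$dir"    # drwx-wx-wx
}

# Permission string as ls prints it, e.g. "drwx-wx-wx", to verify the result.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (as root, once): incoming-setup.sh IMAGE SIZE_MB MOUNTPOINT
if [ $# -eq 3 ]; then
    make_incoming_image "$1" "$2"
    attach_incoming_fs "$1" "$3"
    harden_incoming_dir "$3"
    dir_mode "$3"
fi
```

Mode 0733 stops the directory from being listed, but it does not stop a client who already knows the exact file name from fetching it: the upload is owned by the ftp user and ftpd reads it back as that same user, so a download by guessed name still works. To close that you need the server itself to refuse RETR for anonymous sessions, which is what the -O option mentioned later in this thread does on -CURRENT; on other daemons look for an equivalent write-only setting.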
RE: anonymous-ftp cracked
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giorgos Keramidas
>
> Another common thing done in writable incoming/ directories is to create
> a file of fixed size, say 100 Mb, and use vnconfig to mount this file as
> the incoming/ directory of an FTP server. Then there's only about 100 Mb
> of space available in your incoming/ and nobody can store tons of data in
> there, wasting your disk space until disks are full.

Hi Uli and Giorgos,

I've had a bit of experience with this sort of thing and I have to say that nobody should be running an open FTP server that allows uploading to anyone unless they are willing to take the time to monitor it - and I mean every day, preferably several times a day.

100MB is plenty of space for some jerk to upload his collection of Sally SpreadEagle in all her silicon glory. If that happens you're going to find every bit of outbound bandwidth you have completely saturated. If you're unlucky enough to have your FTP server at an ISP you may find yourself fined heavily (i.e. overage charges).

Some people have a little script that runs out of cron and diffs the output of ls against the previous run and e-mails the maintainer when new files show up, others simply check by eye. Whatever works for you is fine, but don't think that you can just put out public storage for anyone to use as they see fit and just ignore it anymore.

Ted Mittelstaedt [EMAIL PROTECTED]
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com
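The cron job Ted describes, a listing of incoming/ compared against the previous run with the new files mailed to the maintainer, written out as an added example; it is not a script anyone posted in the thread. The directory, the state file, the mail recipient (taken from the INCOMING_MAILTO environment variable) and the crontab line are assumptions. It lists size and path rather than raw ls -l output so that a file which is still growing shows up again on the next run, and it uses comm(1) on sorted listings where Ted says diff, which gives the same "lines that are new" result without the diff markers.

```shell
#!/bin/sh
# Added example (not from the thread): report what is new in an anonymous
# incoming/ directory since the previous run. Assumed paths:
#   /var/ftp/incoming        the directory ftpd lets anonymous users write to
#   /var/db/incoming.list    listing saved by the previous run
# Crontab line (also an assumption), every six hours:
#   0 */6 * * * INCOMING_MAILTO=ftpadmin@example.com \
#       /usr/local/sbin/check-incoming /var/ftp/incoming /var/db/incoming.list

# One "size<TAB>path" line per regular file below $1, paths relative to $1,
# sorted in the C locale so comm(1) below sees a stable order.
list_incoming() {
    ( cd "$1" && find . -type f -print | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\n' "$size" "${f#./}"
    done | LC_ALL=C sort )
}

# Compare the current listing of $1 with the one stored in $2, print every
# line that was not there last time (new files, or files whose size changed,
# i.e. an upload still in progress), store the new listing, and mail the
# report if INCOMING_MAILTO is set. Always returns 0 so it is cron-friendly.
check_incoming() {
    dir=$1; state=$2
    if [ ! -d "$dir" ]; then
        echo "check_incoming: no such directory: $dir" >&2
        return 1
    fi
    [ -f "$state" ] || : > "$state"      # first run: everything is new
    new="$state.new"
    list_incoming "$dir" > "$new"
    added=$(LC_ALL=C comm -13 "$state" "$new")   # lines only in the new listing
    mv "$new" "$state"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        if [ -n "${INCOMING_MAILTO:-}" ]; then
            printf 'New files in %s:\n\n%s\n' "$dir" "$added" \
                | mail -s "ftp incoming: new files in $dir" "$INCOMING_MAILTO"
        fi
    fi
    return 0
}

# Run as a script: check-incoming DIR STATEFILE
if [ $# -eq 2 ]; then
    check_incoming "$1" "$2"
fi
```

Keep the state file outside the directory being watched (here /var/db), otherwise an anonymous user can overwrite it and silence the report. Files that disappear between runs are not reported by comm -13; swap in comm -23 if you also want to see deletions.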
RE: anonymous-ftp cracked
Yup, I had some jerk constantly fill up the filesystem of the ftp directory until I finally disabled all uploads. The ethics of some people just amazes me.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ted Mittelstaedt
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giorgos Keramidas
> >
> > Another common thing done in writable incoming/ directories is to
> > create a file of fixed size, say 100 Mb, and use vnconfig to mount this
> > file as the incoming/ directory of an FTP server. Then there's only
> > about 100 Mb of space available in your incoming/ and nobody can store
> > tons of data in there, wasting your disk space until disks are full.
>
> Hi Uli and Giorgos,
>
> I've had a bit of experience with this sort of thing and I have to say
> that nobody should be running an open FTP server that allows uploading to
> anyone unless they are willing to take the time to monitor it - and I mean
> every day, preferably several times a day.
>
> 100MB is plenty of space for some jerk to upload his collection of Sally
> SpreadEagle in all her silicon glory. If that happens you're going to find
> every bit of outbound bandwidth you have completely saturated. If you're
> unlucky enough to have your FTP server at an ISP you may find yourself
> fined heavily (i.e. overage charges).
>
> Some people have a little script that runs out of cron and diffs the
> output of ls against the previous run and e-mails the maintainer when new
> files show up, others simply check by eye. Whatever works for you is fine,
> but don't think that you can just put out public storage for anyone to use
> as they see fit and just ignore it anymore.
>
> Ted Mittelstaedt
Re: anonymous-ftp cracked
This doesn't indicate that you were cracked if it was anonymous FTP. You may have been scanned for open ports, and it appears that they took advantage of your FTP being open. Set up logging via the inetd.conf line (man ftpd for options). Then you can at least use ipf or ipfw to ban the domains that were involved.

P. U. (Uli) Kruppa wrote:
> Hi,
>
> sorry for cross-mailing two lists!
>
> I am running -CURRENT (ok - though I do not know anything about computers)
> and just found about 624 MB trash in my /var/ftp - this is my
> anonymous-ftp-directory. It was disposed in a sub-directory
> ../incoming/tagged/byDj-krok .
>
> What can I do (besides deleting this stuff)?
>
> Uli.

jim
--
ET has one helluva sense of humor! He's always anal-probing right-wing schizos! POWER TO THE PEOPLE!