crizk

FTP Vulnerabilities?

5 posts in this topic

First post here, you guys seem like a cool bunch, so here goes: my main line of work is web design... security has never been beyond a basic understanding of mine. Lately my clients have been asking more and more about security... they hear things on the news, and get email articles talking about information theft, destruction, etc.

So they ask me, "Chris, is my information on my website safe?"

I always of course say yes... but then I think about it... what if it's not as safe as I'm assuming? Some of these people have sensitive information on their websites, usually protected by an .htaccess file.

My main concern is with FTP security--mostly because given FTP access, .htaccess goes out the window. Lately the logs have shown bruteforce/dictionary attacks on one of my clients' FTP in particular. I only know what these are because I looked it up... and as far as I know, nothing has been compromised due to strong passwords. But here are my questions:

1. What are the most common ways FTPs are "hacked?"

2. Here's one of the most confusing things to me: The many failed login attempts on my client used two different usernames that were unique (i.e. not admin, etc.) so how the heck did the intruder even know to use these usernames at all? (Excluding the possibility that it was an inside job...)

3. What can I do to add additional security measures to my clients' FTPs?

4. Where would be a good place to start with auditing my clients' servers? After a few Google searches, the BackTrack distro seems to be popular.

I would appreciate the input. I would like to offer additional tiers of service to my clients, because not only would it give them more peace of mind, but heck, I can charge extra :D

Edited by crizk

FTP is vulnerable and antiquated. The fact that it does everything (including send passwords) in cleartext is enough to scare you into switching to SSH and SFTP. Most FTP daemons have been around quite long, have a checkered vulnerability past and are generally considered a security risk. Most FTP clients now also support SFTP, and even if your clients must switch to another FTP client, that's not such a big deal. There is no practical reason why anyone should be running an FTP daemon in 2008.

Usernames can be grabbed from a number of places. Email addresses and home directories on web servers are a good place. If it's a targeted attack, then they can come from literally anywhere.

Set a date for shutting down all FTP daemons and migrate everyone to OpenSSH and SFTP. I'm sure the server runs OpenSSH anyway, so all you're really doing is duplicating something another daemon already provides. Since passwords can still be stolen, encourage your users to use public key authentication instead. It's a small setup step that will actually save your clients a step while logging in.

As for checking your logs, this can be pretty easy. I'm not sure what your log files look like, but in general grep is your friend. Grep your logs for unsuccessful logins. Brute force bots should be easy to spot; use a firewall (either iptables on the machine or a separate firewall, depending on how the servers are set up) to block these hosts. You'll also see a number of attempts from random hosts, small probes for default passwords and exploits. These can be safely ignored if you have no default passwords and your ftp daemon is up to date.

Next, grep your logs for successful login attempts. Go back as far as you can and establish a pattern of IP addresses for your clients. You'll notice that generally they only log in from 1 or maybe 2 IP addresses. Anything out of the ordinary will pop out at you, but don't freak out. Maybe they just did some work from their friend's house, or changed ISPs or something.

Depending on how much your FTPD logs, you'll also want to check out how your clients are using the ftp daemon. Most of the time, they'll just be uploading from a directory on their computer, updating the whole site at once or maybe just one file at a time. Anyone doing any excessive browsing via FTP, downloading files that potentially contain database passwords, uploading large binary files, etc. are suspicious and should be checked out further.

You can also run password cracking software on your own passwd files. Doing this weeds out anyone who's used a particularly weak password before any brute force program can get lucky. If everyone is using strong passwords and you have some sort of countermeasure set up (such as firewalling the IP addresses brute force programs are using), then brute force is not a problem.

Anyway, it's late (actually, it's quite early), so I hope that made sense. I'll give this another read tomorrow and see if I have anything to add.

Edit: Oh, I did forget to mention one thing. Most web sites are probably not defaced via FTP. People scanning and exploiting FTP sites are probably looking for warez dumps, not to deface web sites. The web site's code (PHP, ASP, etc) is usually to blame. Maybe offer a service to audit their code for SQL Injection, Cross-Site Scripting, Cross-site Request Forgery, etc to help protect against this. But, as a service provider, this is generally something out of your hands and up to the client to do on their own. It's not your fault if they upload shoddy code.

Also, watch for anyone whose bandwidth spikes. They either got slashdotted or someone is using their site as a warez dump. This is a bad thing, and worth your time to spot and stop.

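The log triage the reply above walks through (grep for failed logins, count them per source address, firewall the offenders, then grep for successful logins and compare against where each user normally connects from), as an added example that is not part of the original post. The log lines are constructed sample data in vsftpd's log format; the log path, the field layout and the iptables rule are assumptions, so adjust the sed patterns if your daemon is proftpd or pure-ftpd.

```shell
#!/bin/sh
# Added example, not from the original post: triage of an FTP log the way
# the reply describes (count failed logins per client IP, firewall the
# offenders, flag successful logins from addresses a user has not used
# before). Log lines are CONSTRUCTED sample data in vsftpd's format; the
# path and field layout are assumptions, adjust the sed patterns for
# proftpd/pure-ftpd.

FTP_LOG="${FTP_LOG:-/var/log/vsftpd.log}"   # assumed location

# Constructed sample: one bot hammering two real usernames, a stray probe
# for "admin", the client's normal login, and a login from the bot's IP.
sample_log() {
cat <<'EOF'
Mon Mar  3 02:10:01 2008 [pid 4411] [jsmith] FAIL LOGIN: Client "203.0.113.77"
Mon Mar  3 02:10:02 2008 [pid 4412] [jsmith] FAIL LOGIN: Client "203.0.113.77"
Mon Mar  3 02:10:03 2008 [pid 4413] [jsmith] FAIL LOGIN: Client "203.0.113.77"
Mon Mar  3 02:10:04 2008 [pid 4414] [webadmin] FAIL LOGIN: Client "203.0.113.77"
Mon Mar  3 02:10:05 2008 [pid 4415] [webadmin] FAIL LOGIN: Client "203.0.113.77"
Mon Mar  3 02:10:06 2008 [pid 4416] [webadmin] FAIL LOGIN: Client "203.0.113.77"
Mon Mar  3 03:00:00 2008 [pid 4420] [admin] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  3 09:15:10 2008 [pid 4501] [jsmith] OK LOGIN: Client "192.0.2.10"
Mon Mar  3 09:15:11 2008 [pid 4501] [jsmith] OK UPLOAD: Client "192.0.2.10", "/index.html", 4096 bytes, 12.00Kbyte/sec
Mon Mar  3 23:40:00 2008 [pid 4610] [jsmith] OK LOGIN: Client "203.0.113.77"
EOF
}

# Client IP of every FAIL LOGIN line on stdin.
failed_login_ips() {
    grep 'FAIL LOGIN' | sed -n 's/.*Client "\([0-9.]*\)".*/\1/p'
}

# Print "count ip" for each IP with at least $1 (default 5) failed logins.
# Single probes for default accounts fall below the threshold, as the
# reply says they can be ignored when no default passwords exist.
brute_force_ips() {
    threshold="${1:-5}"
    failed_login_ips | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Unique "user ip" pairs from OK LOGIN lines on stdin. Run this over old
# logs to build a baseline of where each user normally connects from.
login_pairs() {
    sed -n 's/.*\[\([^]]*\)\] OK LOGIN: Client "\([0-9.]*\)".*/\1 \2/p' | sort -u
}

# "user ip" pairs in the log on stdin that are absent from baseline file $1.
anomalous_logins() {
    login_pairs | grep -vxFf "$1" || true   # no anomalies is not an error
}

# Emit (do not run) the firewall rule for one offending IP; review the
# output, then pipe it into sh. Assumes iptables on the host.
block_ip() {
    echo "iptables -I INPUT -p tcp --dport 21 -s $1 -j DROP"
}

# Stand-alone demo on the constructed sample; on a real server replace
# sample_log with "cat $FTP_LOG".
sample_log | brute_force_ips 5 | while read -r count ip; do
    echo "# $count failed logins from $ip"
    block_ip "$ip"
done
```

Keep the baseline file from a few weeks of old logs (`cat old.log | login_pairs > baseline.txt`, assumed names) and run `anomalous_logins baseline.txt` against the current log; a hit from a new address is a prompt to ask the client, not proof of compromise, exactly as the reply cautions.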
1. What are the most common ways FTPs are "hacked?"

FTP is a protocol. There is no need to "hack" it, since, by default, everything is transmitted in plaintext.

2. Here's one of the most confusing things to me: The many failed login attempts on my client used two different usernames that were unique (i.e. not admin, etc.) so how the heck did the intruder even know to use these usernames at all? (Excluding the possibility that it was an inside job...)

You don't give us enough information to tell. It could really be anything, from breaking into your server, through eavesdropping on the connection, to breaking into his machine.

3. What can I do to add additional security measures to my clients' FTPs?

Don't use just FTP. Instead, use FTP over SSL or SFTP. Anything that provides good encryption and authentication.

4. Where would be a good place to start with auditing my clients' servers? After a few Google searches, the BackTrack distro seems to be popular.

A good place to start would be to learn about software and OS security and how different kinds of flaws and exploits work. If you don't have time to invest into this, you can hire an auditor, who will test your servers and report on their level of security. Of course this is going to take money, so choose your own path.

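The SFTP setup with public-key authentication that the replies recommend, as an added example not taken from any of the posts: an OpenSSH sshd_config fragment that turns off password logins, confines a group of web-upload users to their site directory and gives them no shell. The group name, the directory layout and the Match block are assumptions for illustration.

```conf
# Added example, not from the original posts. OpenSSH sshd_config fragment
# for an SFTP-only upload group. The group name "sftponly" and the
# /srv/www/<user> layout are assumptions.

# The in-process SFTP server, so ChrootDirectory works without copying
# binaries into the jail.
Subsystem sftp internal-sftp

# Weak settings still common in older installs, shown here to turn off:
#   PasswordAuthentication yes
#   PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

# Upload users: chrooted, SFTP only, no port or X11 forwarding.
Match Group sftponly
    ChrootDirectory /srv/www/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Two caveats a first deployment usually trips over: the ChrootDirectory itself (and every directory above it) must be owned by root and not writable by the group or anyone else, so put the client's writable document root in a subdirectory owned by the user; and authorized_keys is read before the chroot applies, so the key goes in the user's real home directory as usual. Test with `sftp user@host` before turning the FTP daemon off.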

I would only use FTP for files that were meant to be public, as everything is sent out unencrypted, even the passwords. Someone on the same network as you with a packet sniffer such as Wireshark could easily intercept the passwords or the files being sent.


sftp is the way forward, but until you can move them over to a new piece of ftp daemon software, simply moving the ftp port to a 'weird' and non-standard number will cut down on random noobs rattling your doors with ftp-bots
