The Dangers of Anonymous FTP

by: Staff Friday, August 14th, 2009

Anonymous FTP allows visitors to gain access to your content, giving them the ability to upload and download files from your site. This is quite similar to operating your own FTP server. While the protocol has its advantages, the disadvantages are far more detrimental. Anonymous FTP sites are notoriously known for being abused for the transferring of illegal files. They also provide a way for hackers to gain access to your data through misconfiguration. This article will discuss the vulnerabilities of anonymous FTP and what can be done about them.

Security Issues

When enabling anonymous FTP, you are essentially giving any and all visitors the freedom to access your upload directory, as well as any directory that has been configured for public read and write permissions. Because anyone can upload and download files to and from your website, it is vital that you restrict anonymous FTP access by setting the appropriate permissions. This ensures that anonymous users will not have access to your existing files and directories.

Your Responsibilities

As a website owner, it is your responsibility for all the files that are downloaded and uploaded to your domain. This includes the files you upload along with those uploaded by anonymous FTP users. Without taking the proper precautions, you could easily become the victim of a warez site. This type of site is typically used by hackers for trading pirated copies of software applications. You may ask, “What does that have to do with me?” Well, since the website is in your name, all the repercussions fall back on you. If your website becomes the trading medium for illegal software, it may be you who is hit with a lawsuit when the programmer or software company finds out their application is being traded for free.

Simple Solutions

Several web hosting companies do not offer anonymous FTP for the simple fact that it is a security risk. If your host does, here are a few tips that will help keep you protected:

1. Make sure your FTP server does not have a SITE EXEC command. This is crucial, as some older FTP server versions allow anyone to gain shell access via port 21.

2. Make sure anonymous users can’t log in and write files or directories to your main directory. If anyone can log in anonymously and create files such as .forward or .rhosts, an intruder can gain instant access.

3. Be sure that the FTP account doesn’t own any of your files or directories. If it does, an intruder could possibly replace them with infected versions.

4. If you’re spooked by the concept of anonymous FTP, set up HTTP links for your visitors and take them directly to the content you want them to access.
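
Tips 2 and 3 can be checked mechanically. The following is an added example, not part of the original article: a POSIX shell function that audits an anonymous FTP tree for a writable login directory, .rhosts/.forward files, and anything owned by the FTP account. The function name, the finding labels and the two arguments (FTP root path, FTP account name or uid) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit an anonymous FTP tree against tips 2 and 3.
# Usage: audit_anon_ftp FTP_ROOT FTP_USER   (FTP_USER: name or numeric uid)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Function name, labels and arguments are illustrative assumptions.
audit_anon_ftp() {
    root=$1
    ftp_user=$2
    found=0

    # Tip 2: the login directory must not be writable by group or others,
    # otherwise an anonymous session can create files in it.
    if [ -n "$(find "$root" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE-ROOT $root"
        found=1
    fi

    # Tip 2: .rhosts and .forward have no business anywhere in the tree.
    hits=$(find "$root" \( -name .rhosts -o -name .forward \) -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/TRUST-FILE /'
        found=1
    fi

    # Tip 3: nothing should be owned by the FTP account itself, since an
    # owner can change permissions and replace the file.
    owned=$(find "$root" -user "$ftp_user" -print)
    if [ -n "$owned" ]; then
        printf '%s\n' "$owned" | sed 's/^/FTP-OWNED /'
        found=1
    fi

    return "$found"
}

# Stand-alone use: sh audit.sh /path/to/ftp/root ftp
if [ "$#" -eq 2 ]; then
    audit_anon_ftp "$1" "$2"
fi
```

A dedicated upload directory is expected to be writable, so only the top-level directory is checked for write permission; review any other writable directories by hand.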


2 Responses to “The Dangers of Anonymous FTP”

Ann Stewart Said:

I know this page has been up for a year, so maybe you don't care, and I DON'T mean to insult you, but I'm a writer and I have some suggestion as to how the writing on this page could be clearer and doesn't drive editor types to suicide. (Please pardon my spelling errors — I think it's a problem with my keyboard, not to mention brain fuzz.  The purpose of my message here is not to tell you that there are spelling errors, but that [I believe] there are grammar — and therefore understandability — problems.)
You wrote "Anonymous FTP sites are notoriously known for being abused for the transferring of illegal files".  Did you mean "Anonymous FTP sites are notoriously known for being abused for the illegal transferring of files"?  If you did mean "transferring of illegal files" did you mean inserting malware on someone's computer?
Under "Security issues", you say "Because anyone can upload and download files to and from your website, …".  Aren't they able to upload files (from) and download files (to) your entire computer, not just the Web site?
Under "Your Responsibilities", you say "As a website owner, it is your responsibility for all the files that are downloaded and uploaded to your domain."  I think you mean "As a website owner, you are responsible for all the files that are downloaded and uploaded to your domain."
Same paragraph, "warez" should be in quotes.  It's not a household word yet.  Or did you mean "wares"?  Or "Juarez"?
Otherwise this is a good place for info on the dangers of FTP, although I personally would have liked some concepts to be explained, like if you're not using Unix, where I do know how to set up FTP, how do you set up FTP for a Windows server?  How do you get to the settings area?  Do you need special FTP SW?
It would be nice if this comment box would hold more text.
Thank you & good luck.
ruby2zdy

Comment made on November 9th, 2010 at 10:13 pm

Ann Stewart Said:

Oh dear.  Now I need to edit my comments.  
I wrote " I have some suggestion as to how the writing on this page could be clearer and doesn't drive editor types to suicide".  I should have said "I have some suggestions as to how the writing on this page could be clearer and not drive editor types to suicide".  When I said "could be" I set up the grammar to require the subjunctive ("not drive") rather than the present tense ("doesn't drive").  I know — nobody knows what the subjunctive is any more, but it has a function, and makes the writing sound more professional.
Where I said "the dangers of FTP" I should have said "the dangers of anonymous FTP".  At least I think that's what I should have said.  Are there dangers associated with configured FTP (requiring username & password, an account, etc.)?
And for plain old home computer users (cable, dialup, and — I suspect worse — satellite), how can they set up their FTP program in the different OS's?  When I bought this computer, last June, the installers had configured FTP to be anonymous(!!!!!!).  Fortunately, I knew that was really stupid.  But most people wouldn't.
 
Thanks again,
ruby2zdy

Comment made on November 9th, 2010 at 10:26 pm
 
