December 6th, 2004, 01:12 AM
i was just wornding about anonymous FTP say i set up an FTP server and i had anonymous logins enabled how would some one login anonymously and also would i be able to control what an anonymous user has access to.
December 6th, 2004, 01:33 AM
Depending on the server and the OS there's usually an allow anonymous logon variable (either text in a config, or a checkbox in the software)... you can turn it on through there.. then it's just username anonymous... password whatever (usually it'll say use your email address.. but as far as i knwo that's more for tracking than anything else)...
As far as controlling it.. it'll either limit the anon access to the default pub directory.. or it'll have another variable you can change..
If you are going to run something like this and ask for advice then you definately need to know which OS you're going to use and which software you are going to run....
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
December 6th, 2004, 01:52 AM
There is a configuration option somewhere to allow most ftp daemons, when forking a new incarnation of themselves, to chroot() the new process to the home directory of the user connecting to it. An anonymous user could be chrooted to /home/ftp/pub, for example. This would make /home/ftp/pub appear to be the root of the filesystem to any anonymous user connecting via FTP. I'm not sure how to do it though, and it depends on which ftp program you are using.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
December 6th, 2004, 02:31 AM
Thank you for your information it has helped me a lot.
December 6th, 2004, 10:34 PM
Anonymous logins is a feature on most, if not all, ftp daemons and is one recommended to be off, unless completely secured in a variety of ways. As already mentioned, chroot'ing all logins into their either home directory (for actual users) and into a locked directory for anonymous logins, that's the first thing to do.
This prevents things like this:
Copying old-style /etc/passwd files. The ones using crypt()'d passwords which is incredibly easy to break.
Seeing data that you don't want anonymous (and therefore, unknown) users to see.
Just to name a few.
A good ftp daemon that I (ab)use is VSFtpd (Very Secure FTP Daemon?) and can be located here for further information and the like.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
December 7th, 2004, 12:14 PM
thank you i will be looking into VSftpd.