Extra features for FTP security

Posted In: Awesome! — Jun 30th, 2009 at 3:11 pm EST by IX: Customer Relations

Incident Description:

Hello

In the past year or so, we have encountered quite a few hacking attempts on our servers. Customer data has sometimes been changed, and although most of the time we were able to clean the files or restore the hacked sites, sometimes we weren’t able to do that. And that of course affected you.

After a long period in which I read every FTP log and every httpd log available on the servers, I came to the conclusion that there are 2 main ways a hacker is currently able to get at a customer’s files:

  • via cross-site scripting, taking advantage of poorly written customer PHP scripts, or of outdated PHP applications like Joomla, osCommerce, and others like these
  • via FTP, either after a brute-force attack in which they managed to crack weak passwords (and I can’t stress enough how important it is to have a strong password for your FTP accounts), or via other means (there are viruses and malware out there that will steal your FTP password, and for that matter all your other passwords, such as online banking passwords)

While I cannot do much about scripts that aren’t written well, and apart from begging you to keep your PHP apps updated there’s no reasonable way to enforce it, I can help you with the FTP part. Our sysadmin team has built and deployed an extra module on our servers that will let you say “only this IP, this IP and this IP can upload files via FTP to my account”, or, for instance, “this IP and this IP can NEVER upload files via FTP” (or you can do nothing, and everything will remain as it is now). I have tested this module and it seems to work just fine, but I am not comfortable releasing it before I can do some more extensive testing. I need you (our valued customer) to lend me a hand and help me test it.
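To make the described rules concrete, here is an added example of such a per-account upload policy, written in Python with the standard ipaddress module. It is not IX Web Hosting’s module and makes two assumptions the post does not spell out: the restriction applies to the FTP commands that write file data (STOR, STOU, APPE) and leaves downloads and listings alone, and a “never” (deny) entry wins when it overlaps an allow entry. All account names, addresses and upload attempts are constructed for illustration.

```python
# Added example, not IX Web Hosting's module: a per-account FTP upload policy
# of the kind the post describes ("only these IPs may upload" / "these IPs may
# never upload"), evaluated with the standard ipaddress module. All account
# names, addresses and attempts below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: the restriction covers the FTP commands that write file data;
# downloads and listings stay unaffected, as the post only speaks of uploads.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


@dataclass
class UploadPolicy:
    # "only this IP and this IP can upload": if non-empty, uploads are
    # accepted from these networks only.
    allow: list = field(default_factory=list)
    # "this IP and this IP can NEVER upload": always refused, and checked
    # first so a deny entry wins over an overlapping allow entry (assumption).
    deny: list = field(default_factory=list)

    @classmethod
    def from_rules(cls, allow=(), deny=()) -> "UploadPolicy":
        # Single addresses become /32 (or /128) networks; strict=False lets a
        # rule like "203.0.113.5/24" mean its enclosing /24.
        return cls(
            [ipaddress.ip_network(a, strict=False) for a in allow],
            [ipaddress.ip_network(d, strict=False) for d in deny],
        )

    def upload_permitted(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        # An IPv4 address is never "in" an IPv6 network and vice versa;
        # ipaddress returns False for that comparison rather than raising.
        if any(addr in net for net in self.deny):
            return False
        if self.allow:
            return any(addr in net for net in self.allow)
        # No rules configured: "do nothing, and everything remains as it is".
        return True


def decide(policy: UploadPolicy, command: str, client_ip: str) -> str:
    """Return "allow" or "deny" for one FTP command from one client address."""
    if command.upper() not in UPLOAD_COMMANDS:
        return "allow"  # reads, listings and logins are not restricted
    return "allow" if policy.upload_permitted(client_ip) else "deny"


def evaluate(policies: Dict[str, UploadPolicy],
             attempts: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply each account's policy to (account, client_ip, command) attempts.
    Accounts with no policy keep the default (everything permitted)."""
    default = UploadPolicy()
    return [(acct, ip, cmd, decide(policies.get(acct, default), cmd, ip))
            for acct, ip, cmd in attempts]


# Constructed sample: two accounts with rules, one without.
SAMPLE_POLICIES = {
    "alice": UploadPolicy.from_rules(allow=["203.0.113.0/24", "198.51.100.7"]),
    "bob": UploadPolicy.from_rules(deny=["192.0.2.0/24"]),
}
SAMPLE_ATTEMPTS = [
    ("alice", "203.0.113.5", "STOR"),  # inside alice's allowed /24
    ("alice", "192.0.2.1", "STOR"),    # not on alice's list: refused
    ("alice", "192.0.2.1", "RETR"),    # download, never restricted
    ("bob", "192.0.2.77", "APPE"),     # bob's denied network
    ("bob", "2001:db8::1", "STOR"),    # IPv6, not denied: permitted
    ("carol", "192.0.2.1", "STOR"),    # no policy configured: permitted
]

if __name__ == "__main__":
    for acct, ip, cmd, verdict in evaluate(SAMPLE_POLICIES, SAMPLE_ATTEMPTS):
        print(f"{acct:6} {ip:15} {cmd:5} -> {verdict}")
```

The deny list is checked before the allow list so that an address can be carved out of an otherwise permitted network. Note what this check does and does not cover: it is evaluated by the FTP server from the connection’s source address, so it limits where uploads may originate from, but it does nothing about a password that travels in clear text on the way there.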

If you’re interested in testing it, please comment on this post and I will personally contact you by email (so make sure you fill in the “email” field of the comment form with a valid email address), and I will explain what to test and how. Oh, and one more thing… this feature is currently available only for Linux plans.

Waiting to hear from you…
/tibi


12 Comments to "Extra features for FTP security"

Tue, June 30th, 2009

KeithMcD says:

Tiberiu,

I’ll go ahead and help test this module – sounds interesting. I only use a few IPs to ever connect via ftp.

Thanks,
Keith

Sat, July 4th, 2009

scienceguy says:

I *definitely* want to help test a more secure ftp...

“only this ip and this ip and this ip can upload files via ftp in my account”

That solution could work for me I’ve been burned. I have a Linux plan.

Mon, July 6th, 2009

Chris Widmer says:

Hi, I’m interested in testing your FTP restriction module.

Also, if you want any testers for the upcoming FTPS (FTP-over-SSL), you mentioned in the IX Blog, let me know. I’d love to test.
http://blog.ixwebhosting.com/2009/06/how-will-we-blow-you-away-exactly-part-1-of-3/#IDComment26342491

Thanks,
-CW

Thu, July 9th, 2009

pckabeer says:

Hi,

I am interested in testing this feature.

Thanks.
-Pck

Wed, July 15th, 2009

Jeff Alexander says:

You need to add malware to your bullet points on how ftp credentials are getting stolen.

Slashdot ran a story about malware acting as a TCP sniffer on your own machine. So when you login into your site via ftp even though it is highly unlikely that anyone in between will be able to sniff out your plaintext passwords, your own machine is able to and send it off to the malware writer.

You really need to add either ftp over ssh or ftp over ssl and turn off simple ftp.

Your linux hosting appears to be running ProFTPD and they have an ssh module….

-Jeff Alexander

Wed, July 15th, 2009

Tiberiu says:

Jeff,

I read slashdot 3 times a day. I am aware of the article. To get back to your concerns, there are other reasons for which I don’t want to enable ftp over ssh just yet. However, we are working for ftp over ssl, which is going to be implemented in the following couple of weeks.

Wed, July 15th, 2009

Jeff Alexander says:

I forgot to link to the slashdot story in my comment:

http://it.slashdot.org/story/09/07/13/142210/RIPFTP?from=rss

Wed, July 15th, 2009

John says:

I agree with Jeff. FTP uses passwords sent in plain text. It is possible for someone to intercept your traffic and see your FTP username and password.

SFTP is the only secure way to transfer your files. A strong password sent in clear text is worthless.

IP addresses and MAC addresses are not foolproof ways of identifying a person.

Wed, July 15th, 2009

Tiberiu says:

John, as I said before, I agree with both of you. We are working on ftps (not sftp!), but meanwhile you can restrict on who can access your ftp account. See my latest post on this blog.

And MAC addresses cannot be used to identify anybody, unless that person is on the same network as the server, which in your case will not happen.

Tue, July 21st, 2009

recraig2 says:

How can we keep our php programs updated when your File manager does not unpack anything larger than 2M???????

Ftp is unbearably slow when uploading the thousands of folders and files in a Joomla pack (sometimes 24 hours or more and it still messes up… incomplete files, files missing…).

I have tried and tried and am THIS close to giving up on IX !!!

I appreciate your attempts to secure an unsecured service. However, isn’t it a day late and dollar short?

Sun, July 26th, 2009

Rick says:

You speak about cross-site scripting exploits introduced by programs like Joomla. While it’s true that Joomla has experienced a lot of security issues and published a lot of updates, the version of Joomla you yourself offer in the EasyApps section of cpanel is v1.5.2 and yet the latest version of Joomla is 1.5.13 – eleven versions higher than the one you are offering to your customers.

Some years ago my old PHPNuke web site was hacked (mysql injection) and it was my fault for not keeping it updated. After I switched to Joomla I keep it updated faithfully.

Whose fault would it be if one of your customers installed the old version of Joomla on Cpanel EasyApps and the site was hacked? I would say it was the customer’s fault but then again, you offered it to them. I would recommend keeping up with the versions or removing the option to install the program.

Mon, August 17th, 2009

Ralph Navarro says:

You said “To get back to your concerns, there are other reasons for which I don’t want to enable ftp over ssh just yet. However, we are working for ftp over ssl, which is going to be implemented in the following couple of weeks.”

What are the reasons that you have chosen ftps instead of sftp?

As a suggestion, how about implementing ssh and allowing us to do rsync over ssh (or use an rsync daemon). Security would be the best and there would be no limit on transfers. Also, if the connection went down, the transfer could be restarted without resending files that had been received successfully.

© 2011 IX Web Hosting.