Re: SOLUTION--Re: need help with anon FTP access via a web browser
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: SOLUTION--Re: need help with anon FTP access via a web browser
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Wed, 28 Aug 2002 22:27:28 -0700
On Wed, Aug 28, 2002 at 11:19:48PM -0400, Mark Besonen wrote:
> Yes, I recognize the dangers of anonymous write access, but if
> you ratchet down the FTP account quota to 100 megs, that
> certainly helps to discourage abuse. And by setting permissions
> at 333 on this writeable directory, well, you can obscure the
> contents of it even though people can still write to it. Yes, I
> know that if you know the fully qualified name/path to an
> uploaded file you can still get to it, but the 333 permissions
> at least prevent casual browsers from stumbling across uploads.
> Since I don't expect this writeable directory to be used much
> anyways, a simple cron script to mail a message when the
> directory content changes will also help to keep me informed of
> possible abuse.
> If I've missed something major in my assessment above, I'd love
> to hear about it. After all, I'm still learning probably like
> most of the rest of you.
Unfortunately, there's one kind of scenario I don't think you've
fully thought through. Pardon me if I pick an emotionally-charged
Consider: a child pornographer discovers your open server, puts
his latest photo shoot in a zip file on it, and advertises it on
USENET. What are you going to tell the FBI when they question you
about it? What are you going to tell your boss? The scenario works
the same with pirated software, Al Queda training materials,
Mr. Ross already mentioned NiftyTelnet, which sounds like it
should be just fine, even for your patron. Here are some other
suggestions for your particular situation:
o Forget the 'Net. If she's got a Zip drive or some such, have
her copy the files to a disk and put a stamp on it.
o She's got a Mac. These photos will eventually be published.
Doesn't Apple have a service that lets you upload photos to
one of their Web sites? If not, other companies do. The fees
are generally modest and the sites are designed just for folks
o Use email. So what if it takes 30% longer? Just have her
send you ten megabytes before she leaves for the day. You'll
have the whole thing in a week.
o Create a simple file upload CGI that lets people upload
files but not download them. This opens you to a DOS attack,
but it's probably not a show-stopper of a vulnerability.
o If you must use FTP, don't permit anonymous uploads. As
I mentioned earlier, the browsers support password
authentication, though I don't remember the exact URL
syntax. Passwords can be sniffed, but it raises the bar
significantly. Also, run a cron job every minute to move files
out of the FTP area into some secure location; this permits
uploads but severely restricts the possibility of downloads. A
moderately sophisticated attacker could bounce files off of
you, but that's about it.
o What may be the ideal solution: contact somebody in the IT
department of the college nearest her. Hire that person, or
just promise a tour of American historical sites, tickets to
the Boston Symphony, etc., the next time the person is on the
Hmm...that brings up a thought: what country is she in? There may
be somebody on this list nearby who'd be willing to help. Or, if
you want to pay all my expenses, I'd probably be willing to waive
my normal fees....
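The "cron job that moves files out of the FTP area" suggestion above, written out as an added example (this is not code from the original post or from OpenBSD). It assumes uploads land in a writeable directory such as /var/ftp/incoming, that the vault directory lives outside the FTP tree, and that the script runs as root from cron once a minute; the SETTLE delay is an assumption so that a file still being uploaded is not moved mid-transfer.

```shell
#!/bin/sh
# Added example: sweep an anonymous-FTP drop box into a vault outside the FTP
# tree so uploads can never be served back out. Suggested crontab entry
# (assumed path):  * * * * * /usr/local/sbin/ftp-sweep.sh --run
INCOMING=${INCOMING:-/var/ftp/incoming}   # assumed anonymous upload dir
VAULT=${VAULT:-/var/ftp-vault}            # assumed location outside FTP tree
SETTLE=${SETTLE:-120}                     # seconds a file must sit untouched
LOG=${LOG:-/var/log/ftp-sweep.log}        # assumed log file

# sweep_uploads INCOMING VAULT SETTLE
# Moves every regular file (dotfiles included, symlinks skipped) whose mtime is
# at least SETTLE seconds old into VAULT/<timestamp>-<pid>-<n>-<name>, mode 0600.
# Prints the number of files moved.
sweep_uploads() {
    src=$1; dst=$2; settle=$3; moved=0
    now=$(date +%s)
    mkdir -p "$dst" && chmod 700 "$dst"
    for f in "$src"/* "$src"/.[!.]*; do
        # Only plain files; a symlink dropped by an uploader is left in place
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # GNU stat first, BSD stat as fallback
        mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        [ $((now - mtime)) -ge "$settle" ] || continue
        base=$(basename "$f")
        target="$dst/$(date +%Y%m%d%H%M%S)-$$-$moved-$base"
        mv -- "$f" "$target" && chmod 600 "$target" || continue
        moved=$((moved + 1))
        printf '%s moved %s -> %s\n' "$(date)" "$base" "$target" >>"$LOG" 2>/dev/null || :
    done
    echo "$moved"
}

# When invoked from cron with --run, sweep the configured directory.
case "${1:-}" in
    --run) sweep_uploads "$INCOMING" "$VAULT" "$SETTLE" >/dev/null ;;
esac
```

Pair it with the mail-on-change cron idea from the quoted message by having cron mail the log tail whenever the printed count is non-zero.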