
Re: need some ftp security help

Colin West wrote:
>I'm trying to improve ftp security at www.traders2traders.com
><http://www.traders2traders.com> , and I'd appreciate some
>suggestions. For example, if "the world" has directory-create and
>file-write permissions, what file types should be prevented from
>being uploaded?

Good heavens DON'T do that!  I run an FTP area also.  If you give
the world such permissions, you will run into no end of headaches
from "warez" types who will use your FTP site as a temporary dumping
ground for CDs full of pirated applications.

For example, I logged in one morning to find someone had uploaded
the entire Windows NT installation distribution in my FTP area.
Another time somebody dumped about 50 megabytes of their pirated
collection on me.  If your provider enforces disk quotas, the
pirates will rapidly exceed it with world-write access to your FTP
area.  Guaranteed!

Many software pirates network with each other, and they continually
look for open FTP sites as convenient areas for swapping their
warez.  Once someone finds out, the news spreads like wildfire.

On the plus side, you might get some interesting software, although
you won't know what's been done to it.

I recommend you do what I did:

I ended up denying all anonymous write permissions in everything
except one directory.  In that one incoming directory, it's
write-only.  You can upload to it, but you can't view the contents
or download from it.  Anytime someone uploads something to it, I
notice.  If there's no accompanying text file (or e-mail) explaining
what to do with the upload, it gets deleted.

This is how some Aminet and some large shareware-submission networks
work.  You upload your thing, and you upload a text file with
the same root name.  The text file has a predetermined format,
containing the submitter's name, description of the upload, category
to place it in, etc.  That way a properly-formatted submission can
be dealt with automatically by software, requiring little or no
human intervention.

My incoming area is at ftp://ftp.unicorn.us.com/pub/incoming/ -- but
my provider is doing away with all FTP access next week.  I have to
convert my site to HTTP downloads.

>I've considered using a web-based file uploader, but it's not as
>flexible as an ftp client, and I don't want to introduce a "have
>to learn something new" to make use of what is essentially an ftp
>resource.

If it's more secure, then do it.  You *cannot* control your incoming
ftp area by denying certain file types.  All a pirate/hacker has to
do is bundle up the warez in a zip file, and your site is vulnerable
again.

-- 
 ,|___    Alex Matulich -- alex@xxxxxxxxxxxxxx
// +__>   Director of Research and Development
//  \ 
//___)    Unicorn Research Corporation -- http://unicorn.us.com
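The write-only incoming area with a same-root-name companion text file, as an added worked example that is not code from the post or from Unicorn Research. It assumes a "Key: value" companion format (the post says only "predetermined format"), a fixed set of category directories, and that anything without a usable description is deleted, as the post describes.

```python
import shutil
import tempfile
from pathlib import Path
# Assumed companion-file format (the post says only "predetermined format"):
# "Key: value" lines, and these three keys must all be present.
REQUIRED_KEYS = {"submitter", "description", "category"}
# The category comes from an untrusted uploader: whitelist it, never use it as a raw path.
ALLOWED_CATEGORIES = {"util", "docs", "source"}  # constructed for the example

def parse_readme(text):
    """Return the companion file's fields, or None if it is malformed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if not REQUIRED_KEYS <= set(fields) or fields["category"] not in ALLOWED_CATEGORIES:
        return None
    return fields

def process_incoming(incoming, archive):
    """File each upload under its category, or delete it; returns (accepted, rejected)."""
    incoming, archive = Path(incoming), Path(archive)
    accepted, rejected = [], []
    for upload in sorted(p for p in incoming.iterdir() if p.is_file() and p.suffix != ".readme"):
        readme = upload.with_suffix(".readme")  # same root name, as in the post
        fields = parse_readme(readme.read_text()) if readme.is_file() else None
        if fields is None:
            upload.unlink()  # no usable description: delete, as the post does
            readme.unlink(missing_ok=True)
            rejected.append(upload.name)
            continue
        dest = archive / fields["category"]
        dest.mkdir(parents=True, exist_ok=True)
        shutil.move(str(upload), str(dest / upload.name))
        shutil.move(str(readme), str(dest / readme.name))
        accepted.append(upload.name)
    return accepted, rejected

def demo():
    """Run over a constructed incoming area; returns (accepted, rejected, filed)."""
    inc, pub = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (inc / "tool.zip").write_bytes(b"PK")
    (inc / "tool.readme").write_text("Submitter: A. User\nDescription: demo\nCategory: util\n")
    (inc / "dump.zip").write_bytes(b"PK")  # no companion file at all
    (inc / "evil.zip").write_bytes(b"PK")
    (inc / "evil.readme").write_text("Submitter: x\nDescription: y\nCategory: ../../etc\n")
    accepted, rejected = process_incoming(inc, pub)
    filed = sorted(str(p.relative_to(pub)) for p in pub.rglob("*") if p.is_file())
    return accepted, rejected, filed
```

The category whitelist is what keeps an uploader-supplied field from steering a file outside the archive; the same idea applies to any other field you turn into a path or a shell argument.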