[ale] FTP-only

attriel attriel at d20boards.net
Wed Jan 1 17:13:30 EST 2003


OK, so, I remember waaaay back when I started with slack in 95 there were
tricks where people would use someone's FTP to get into the server via
shell-overloads and the like, so it was always advised to not give them
real shells, but rather fake ones, like /bin/none or something ...

Then it turned out that that really wasn't a good idea, b/c there was an
all-new set of fakes they could do to turn /dev/null or such into a root
bash ... But I don't remember what the real solution was to that, since
most of my FTP's also had shell access (well, they had shells and so I
gave them FTP for uploading) ...

Now, I'm installing a new server for web serving, but at this point most
of the people using it DON'T get shells anymore (executive decisions are
so much fun :) SO!  I need to know those tricks again.  How do I make an
FTP setup secure?  I'm thinking about doing SFTP, but I'm not 100% sure
that all the people using the system could handle it (specifically, my
parents :o)

So, failing the SFTP option, what's the way of making like wu secure?  And
which is easier to secure/less "exploit-y"?  wu? pro? something else?

thanks for the help folks!

--attriel


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale





