| View previous topic :: View next topic |
| Author |
Message |
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
 Posted: Sat Dec 29, 2007 8:23 am Post subject: FTP Server - like pro use (with many accounts and security) |
 |
|
Hi i am using abyss x2, hi to all forum...
I need FTP Server - like pro use (with many accounts and security for uploading scripts)
I need something to check if that uploading will not going to upload when run (the script) something at root or other directory!
i need this tool to have low price... and free it's ok too....
I want to use it for my webhosting server and for my clients - because on that i am saying i m using email and first i am cheching them before upload them at my server... :-(
(sorry for the bad english)
Thanx in advance |
|
| Back to top |
  |
 |
AbyssUnderground
-
Joined: 31 Dec 2004
Posts: 3855
|
| Posted: Sat Dec 29, 2007 1:44 pm Post subject: |
|
|
I recommend FileZilla FTP Server. Its free. You can find it by Googling for FileZilla FTP Server.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
| Back to top |
 |
|
gsownsby
-
Joined: 03 Jun 2003
Posts: 71
Location: Chattanooga, TN USA
|
| Posted: Sun Dec 30, 2007 3:19 pm Post subject: |
|
|
Serv-U FTP Server is a commercial but affordable FTP Server. Have used for years with consistently good results. My clients and I use it just about every day.
http://www.serv-u.com/ |
|
| Back to top |
|
|
puertoblack2003
-
Joined: 08 Oct 2006
Posts: 87
|
| Posted: Sun Dec 30, 2007 7:58 pm Post subject: |
|
|
i'm not to happy with any of these programs..when i had fillezilla i noticed in the log that they were trying to gain access using brute force so i took it off.
just curious anyone using these programs where there server hacked into using brute force?? |
|
| Back to top |
|
|
Moxxnixx
-
Joined: 21 Jun 2003
Posts: 1226
Location: Florida
|
| Posted: Sun Dec 30, 2007 10:47 pm Post subject: |
|
|
| puertoblack2003 wrote: | | ..when i had fillezilla i noticed in the log that they were trying to gain access using brute force so i took it off. |
In FileZilla, you can ban IPs after a set number of failed login attempts.
This is the case with most FTP servers.
There are no security vulnerabilities in FileZilla that I'm aware of.
Your security is only as good as the password you choose. ;) |
|
| Back to top |
|
|
gsownsby
-
Joined: 03 Jun 2003
Posts: 71
Location: Chattanooga, TN USA
|
| Posted: Mon Dec 31, 2007 4:07 am Post subject: |
|
|
| I am not aware of any successful brute force attacks with Serv-U FTP Server. IP banning is an available function of this software too. |
|
| Back to top |
|
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Wed Jan 09, 2008 9:52 am Post subject: |
|
|
I need FTP Server - like pro use (with many accounts and security for uploading scripts)
I need something to check if that uploading script will not going to upload when run (the script) something at root or other directory!
....For example...
the user1 login with password normally
then uploads script1.asp
that when browsing it from any browser will delete or destroy some files at my webserver ! |
|
| Back to top |
|
|
AbyssUnderground
-
Joined: 31 Dec 2004
Posts: 3855
|
| Posted: Wed Jan 09, 2008 9:55 am Post subject: |
|
|
FTP servers won't do this. Its up to the server's scripting language to stop this sort of script from running. All FTP does is allow you to upload and manage files on the server.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
| Back to top |
|
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Wed Jan 09, 2008 10:32 am Post subject: |
|
|
| do anyone have to suggest something to stop the users using other directories with their script ? |
|
| Back to top |
|
|
AbyssUnderground
-
Joined: 31 Dec 2004
Posts: 3855
|
| Posted: Wed Jan 09, 2008 10:34 am Post subject: |
|
|
| cyberd wrote: | | do anyone have to suggest something to stop the users using other directories with their script ? |
The scripting language will have a configuration to stop this. For example php has base_dir which you can set in the php.ini. safe_mode also helps stop users running malicious functions but it doesn't stop everything.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
| Back to top |
|
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Wed Jan 09, 2008 11:01 am Post subject: |
|
|
Maybe you didn't understand me...
I have a server...
Users are a type of clients have their own webpages and they have knowledge of ftp/web servers.
I want to stop using other directories throught Map Server (fso commands) etc... at my server i give php / asp / html - and DSN - MYSQL (in different directories) - the client select the language that he want to work own site...
sorry for bad english :-( |
|
| Back to top |
|
|
AbyssUnderground
-
Joined: 31 Dec 2004
Posts: 3855
|
| Posted: Wed Jan 09, 2008 11:03 am Post subject: |
|
|
I'm afraid I don't understand you, no.
FTP servers allow the uploading of files to specific directories only. They don't stop filetypes being uploaded or bad scripts being uploaded.
Thats about all I can say to be honest unless you can explain better.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
| Back to top |
|
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Wed Jan 09, 2008 11:30 am Post subject: |
|
|
1st) Leave from the Ftp Server topic...
2nd) my problem as you said are the scripts that may be uploaded from users... how i can prevents my server run them when trying to use other directory (upper directory from user)...
how i have the directories:
data
mdbs
mysql
sqlfiles
inetpub
.....userwebpage1
.....userwebpage2
.....userwebpage3
.....wwwroot
when userwebpage1 script runs may have commands that trying to see native path of my system...
do you understand ?
Thanx in advance... |
|
| Back to top |
|
|
AbyssUnderground
-
Joined: 31 Dec 2004
Posts: 3855
|
| Posted: Wed Jan 09, 2008 11:32 am Post subject: |
|
|
| cyberd wrote: | 1st) Leave from the Ftp Server topic...
2nd) my problem as you said are the scripts that may be uploaded from users... how i can prevents my server run them when trying to use other directory (upper directory from user)...
how i have the directories:
data
mdbs
mysql
sqlfiles
inetpub
.....userwebpage1
.....userwebpage2
.....userwebpage3
.....wwwroot
when userwebpage1 script runs may have commands that trying to see native path of my system...
do you understand ?
Thanx in advance... |
Like I said in a previous post, it is down to the configuration of the scripting language to prevent this by (in php) using something like base_dir.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
| Back to top |
|
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Wed Jan 09, 2008 11:35 am Post subject: |
|
|
Do you know acctually what is that i am going to put in php ?
and what about asp ?
if u know ofcourse... |
|
| Back to top |
|
|
AbyssUnderground
-
Joined: 31 Dec 2004
Posts: 3855
|
| Posted: Wed Jan 09, 2008 11:37 am Post subject: |
|
|
| cyberd wrote: | Do you know acctually what is that i am going to put in php ?
and what about asp ?
if u know ofcourse... |
Having never used ASP I can't advise on that one but in PHP you can start by using base_dir in the php.ini. You will either need a seperate installation of php for each user or you can use the switch command in the abyss config (which I have no idea how to do but it will be something like 'php-cgi.exe -switch base_dir_name' or similar). Turning on safe_mode in the php.ini will prevent the users using commands like system() and shell_exec(), which can be dangerous to the system.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
| Back to top |
|
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Wed Jan 09, 2008 11:41 am Post subject: |
|
|
Thanx AbyssUnderground
do anyone else knows about ASP what to do... ? |
|
| Back to top |
|
|
aprelium
-
Joined: 22 Mar 2002
Posts: 6800
|
| Posted: Wed Jan 09, 2008 9:24 pm Post subject: |
|
|
| cyberd wrote: | Thanx AbyssUnderground
do anyone else knows about ASP what to do... ? |
The solution is to run Abyss Web Server in a user account which has no permission to see the directories in your system that you want to hide. This is doable using the Windows Explorer file permission dialogs.
_________________
Support Team
Aprelium - http://www.aprelium.com |
|
| Back to top |
 |
|
cyberd
-
Joined: 29 Dec 2007
Posts: 8
|
| Posted: Thu Jan 10, 2008 8:51 am Post subject: |
|
|
@aprelium:
i don't think that is a suitable solution...
because:
webmaster that have folder webpage1 could see the other webmaster's folder webpage2 too and will have the ability to use server commands with asp code to delete files at webpage2...
Giving InetPub to Internet Public gives to all users access to each other folders
I already have to other directories administrator/password authenication only and uncecked Internet Public....
Sorry i have Greek Windows xp pro so.. i don;t remember exactly the en windows xp pro.. |
|
| Back to top |
|
|
aprelium
-
Joined: 22 Mar 2002
Posts: 6800
|
| Posted: Mon Jan 14, 2008 5:23 pm Post subject: |
|
|
cyberd,
We now better understand your requirements. Having such a setup is not yet possible and will probably be provided as a new feature in the next major release.
Right now, all the web sites files have to be readable by the same user account which is used to run Abyss Web Server.
Still, we have developed a small tool to limit the execution of a CGI application/interpreter using Windows permissions. This may be a solution for you. Please contact us for more information.
_________________
Support Team
Aprelium - http://www.aprelium.com |
|
| Back to top |
|
|
|
