User level feature control

kevinb

With the increase of malware attacks on desktop systems I would like to see the following.

1) User should be able to disable/enable from the Control Panel FTP, POP3, IMAP, SMTP

My main concern is with FTP. Many websites just don't use it regularly and it is becoming an increased attack vector. Using fail2ban etc. doesn't help if the attacker has a valid password. This would tie in with my second request regarding two-factor authentication support. A User could enable/disable the service with an OTP as needed.

Thanks,

Kevin
 
I don't understand what this has to do with desktop computers at all. How do you suggest we even begin disabling these things on a per user basis? Do you understand how these services work in a hosted environment?
 
I don't understand what this has to do with desktop computers at all. How do you suggest we even begin disabling these things on a per user basis? Do you understand how these services work in a hosted environment?

Malware on desktop PCs is going after ftp and ssh login credentials. We have had numerous webhosting customers have their websites infected via ftp over the past 3 months. I have installed numerous system level safeguards, but ftp being disabled for the user, and enabled only when they need it, is the strongest option.

I see no reason that the User level account could not turn on/off FTP as this functionality is already in DA at the Admin/Reseller level. I'm not suggesting on a per virtual user basis but on a per User Level basis.

Kevin
 
I have installed numerous system level safeguards, but ftp being disabled for the user, and enabled only when they need it, is the strongest option.

Two simple solutions:

1. Switch FTP to sFTP.
2. Use .ftpaccess if you run ProFTPd to disable FTP (also a plugin can be written for managing it).
 
Two simple solutions:

1. Switch FTP to sFTP.
2. Use .ftpaccess if you run ProFTPd to disable FTP (also a plugin can be written for managing it).

1. That won't work as the malware has the password.
2. .ftpaccess is proftpd only and doesn't support pure-ftpd.

zEitEr, I appreciate your comments but the last thing I'm looking for is a plugin. The ability to disable ftp is already in the admin/reseller level. I would like the support to be built in within DirectAdmin.

It is crucial that DA work on mitigating the threats as they evolve. Last year it was brute force detection; the malware/threats have evolved since then. I'm looking at the attack vectors of compromised sites, and being able to shut down ftp when not in use would go a long way.
 
That won't work as the malware has the password

I'd really like to get some names of such malware which supports sFTP. If any exists, we might need to start worrying about it.

The ability to disable ftp is already in the admin/reseller level.

Where do you see that? I did not find anything of that kind in my copy of DirectAdmin.

"Disabling FTP" for a user would mean: either removing all FTP accounts from the password file, or making them "inactive" by suspending passwords.

I appreciate your comments but the last thing I'm looking for is a plugin.

OK, you've got a choice at least. As I don't work for JBMC Software and I'm not their choice-maker, I cannot help you with the feature. So I wish you good luck and be patient.
 
You were right in regards to disabling ftp, I had remembered it incorrectly.

It looks like all the information is in /etc/proftpd.passwd. The system passwords aren't used for ftp. Both pureftp and proftpd support /etc/ftpusers, which would disable ftp for that user. The on/off could be to add/remove the users from the /etc/ftpusers file.

The malware aren't sniffing passwords; they are grabbing them from the ftp config files, email or keyboard input. Here is a decent thread on it: http://forum.filezilla-project.org/viewtopic.php?f=1&t=11003
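
The on/off switch proposed in the post above, sketched as shell functions. This is an added example, not part of the original post and not DirectAdmin code; it assumes the FTP daemon refuses logins for names listed in /etc/ftpusers, as the post states, and the function names and the FTPUSERS_FILE override are hypothetical.

```shell
#!/bin/sh
# Added example: toggle FTP for one account through a deny list in ftpusers
# format (one login name per line; a listed name is refused FTP login).
# FTPUSERS_FILE defaults to /etc/ftpusers; point it at a scratch file to test.
FTPUSERS_FILE="${FTPUSERS_FILE:-/etc/ftpusers}"

# Accept only conservative login names, so a crafted name cannot smuggle
# a newline, a comment or a second entry into the deny list.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Exit status 0 when the account is listed, i.e. FTP is disabled for it.
# -x and -F force a whole-line, literal match ("bo" must not match "bob").
ftp_is_disabled() {
    [ -f "$FTPUSERS_FILE" ] && grep -qxF -- "$1" "$FTPUSERS_FILE"
}

# Add the account to the deny list; calling it twice leaves one entry.
ftp_disable() {
    valid_user "$1" || return 2
    ftp_is_disabled "$1" && return 0
    # Make sure the last existing entry ends with a newline before appending.
    if [ -s "$FTPUSERS_FILE" ] && [ -n "$(tail -c 1 "$FTPUSERS_FILE")" ]; then
        printf '\n' >> "$FTPUSERS_FILE"
    fi
    printf '%s\n' "$1" >> "$FTPUSERS_FILE"
}

# Remove the account from the deny list; every other line is kept as is.
ftp_enable() {
    valid_user "$1" || return 2
    [ -f "$FTPUSERS_FILE" ] || return 0
    tmp=$(mktemp "${FTPUSERS_FILE}.XXXXXX") || return 1
    # grep exits 1 when no line is left to print; that is not an error here.
    grep -vxF -- "$1" "$FTPUSERS_FILE" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"; return 1; }
    # Rename within one directory is atomic: the daemon never sees a half file.
    chmod 644 "$tmp" && mv -f "$tmp" "$FTPUSERS_FILE"
}
```

A panel-side toggle would call `ftp_enable` only after the user passes whatever second factor is in place and call `ftp_disable` again when the upload window closes.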
 
Well, if they (filezilla) store passwords as plain in a text file, well, xml file, go figure...


Peter,

The ftp programs you can encrypt with a master password are no better. The password logger grabs the password and then decrypts the file.

I would blame it on users not being careful but with the number of zero day exploits, even careful people are being hit.

At the end of the day webhosts are the ones helping clean up the mess.

Kevin
 
The ftp programs you can encrypt with a master password are no better. The password logger grabs the password and then decrypts the file.

If this is the case, then a disabled FTP account will never help you to protect sites from being hacked. The DirectAdmin password can also be grabbed, as well as POP/IMAP credentials.

Most attacks on sites known to me are made through (F)CKEditor and other similar wysiwyg editors, which are parts of Joomla, WP, Drupal CMS, and contain bugs, some of which allow guests to upload any files, even with PHP extensions. I really doubt that nowadays sites are hacked manually. These are bots which discover vulnerable versions of (F)CKEditor on the Internet, and as soon as a bot finds such a site, it alerts, if configured so, a human who owns the botnet.

Note, I'm not an expert on hacking attacks, that's only my recent experience of investigating and fixing the related issues.
 
At the end of the day webhosts are the ones helping clean up the mess.

Which isn't technically our job to do; the clients have a responsibility too - "Hey Mr/Ms Smith, we have disabled your account as your machine is affected, clean it and protect it" - no time for that.

We/TV/News/etc educate people with scam attacks, yet people still get scammed.
 