[thelist] FTP Security

Anthony Baratta Anthony at Baratta.com
Sat Oct 21 19:03:58 CDT 2000

Harlow Pinson wrote:
> This question came up regarding web server FTP security.
> When establishing an FTP connection, it appears that the
> username and password are sent as clear-text. Apparently, this
> clear-text can be snooped without too much difficulty.
> Am I misunderstanding this?  Are using such design tools like
> Dreamweaver a significant risk to site security?  Any ideas about
> dealing with this?

Yes and No. In order to sniff passwords, One: you need to be somewhere in the route
of the connection AND you need to be on the "same segment" of the network, if the ISP
uses switched hubs. What this means is that sniffing passwords is not as easy as it

Also, do your accounts have telnet AND ftp access? If not, then FTP only access is
not appealing to most hackers. Most want to root a box or abscond with an account
they can dump warez to. Of the boxes I've help close up after hacks, most of them
were FTP warez dumps or setup for DOS zombies. And these boxes were hacked from
security holes in the OS and web services, not from sniffing passwords.

If you are really concerned, make sure your FTP accounts are FTP only. Drop telnet
and use ssh. Use string passwords for root, database accounts and other user
accounts. Remove all services and accounts not in use. Lastly, make sure your
directory security is up to date, e.g. only those accounts that need it, have access
to web content and system files.

Security is not just protecting your passwords.

Anthony Baratta
KeyBoard Jockeys
                    South Park Speaks Version 3 is here!!!
                              Powered by Tsunami

More information about the thelist mailing list