Serv-U: Defending Against Overflow and Privilege-Escalation Attacks (Windows Server)

Objective:
Few will have forgotten the "Serv-U FTP MDTM command buffer overflow" and the "Serv-U FTP Server LIST command long -l parameter remote buffer overflow" that hit Serv-U 5.0.0.4 and every earlier version three years ago. Those vulnerabilities kept many server administrators awake at night and brought down many large sites, even telecom-grade servers. With newer Serv-U releases the overflows are gone, but attackers never stop: from Serv-U 5.0 through 6.0 the favourite technique became local privilege escalation through Serv-U. (The most common pattern is a webshell followed by Serv-U privilege escalation; a Baidu search for the keyword "serv-u" reports about 34,000 relevant pages, found in 0.001 seconds.) Fixing the security problems of Serv-U is therefore urgent.

Strictly speaking, Serv-U privilege escalation should not be counted as a vulnerability in Serv-U itself; it is a service that runs as SYSTEM combined with careless administrator configuration that produces the serious consequences. Below, leebolin explains how to configure Serv-U securely so that neither Serv-U nor the server it runs on is exposed. Follow along: "Go, go, go..." (I have been playing a lot of CS lately :P)

Serv-U anti-overflow and anti-privilege-escalation solution, main text:

First, understand why the account a service runs under matters. Linux and UNIX systems are often considered safer than Windows here because their services are not run as root but under separate low-privilege users (a web server typically runs as nobody, for example). Serv-U, by contrast, runs as the built-in SYSTEM account by default, and SYSTEM has full control of the machine. So if an attacker exploits a vulnerability in the Serv-U program and obtains a shell, or reaches Serv-U's local administration account with its default credentials, everything Serv-U does on the attacker's behalf runs as SYSTEM, and the attacker can read and write any directory on the system.

Second, now that we know why Serv-U privilege escalation and overflow attacks are so dangerous, how do we prevent them? The answer is to lower the privileges Serv-U runs with and to control, through NTFS and registry ACLs, exactly which directories and keys that account can reach. Let's take it one step at a time.

Third, Serv-U security configuration
1. Keep Serv-U at the latest version (currently 6.4). When installing, avoid the default installation directory; for example I install Serv-U into D:\pro_leebolin ^_^\serv-u#$2008$\ ^_^ (a complex directory name makes the path harder for an intruder to guess. This is obscurity only, not a control; the service account and ACL settings in steps 3 to 5 are what actually limit the damage).

2. Disable the MDTM command in Serv-U, change the FTP banner, and enable Serv-U's FTP log, writing it to a non-system drive and selecting the options that record the commands issued. Set a strong password for the Serv-U local administrator (the default administrator account is LocalAdministrator with the default password #l@$ak#.lk;0@p, which is exactly what makes this escalation so easy, hehe $_$). You can also choose to store the Serv-U FTP account information in the registry instead of the INI file in the Serv-U directory, which is more secure.

3. Open Computer Management and create a new user, Serv-Uadmin, with a strong password. Remove this user from the Users group and do not add it to any other group. On the user's Terminal Services Profile tab clear the option that allows logging on to the Terminal Server, and deny the user local logon: Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Deny log on locally. (This user will be our Serv-U service account, hehe.)

4. Run services.msc to open the Windows service manager, find the Serv-U FTP Server service and open the Log On tab of its properties. By default it logs on as Local System; change it to the Serv-Uadmin user created in step 3 and enter the password. (The Services console grants the account the "Log on as a service" right for you; if you change the account with sc.exe or a script instead, you must grant that right yourself or the service will fail to start.)

5. The remaining work is to set the ACLs on the directories Serv-U runs from and on the FTP directories:
① C:\Documents and Settings\Serv-Uadmin (the service account's profile directory): add Serv-Uadmin with read and write permission.

② D:\pro_leebolin ^_^\serv-u#$2008$\ (the Serv-U installation directory): add Serv-Uadmin with read and execute permission. (If you chose to keep the accounts in the INI file, you must also grant modify and delete here, because deleting an FTP account rewrites the INI file; without write and delete permission you will not be able to add or delete FTP accounts ^_^.)

③ If the Serv-U accounts are stored in the registry: run Regedt32.exe and locate the HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft branch. Right-click it, choose Permissions, then Advanced, clear "Allow inheritable permissions from the parent to propagate to this object and all child objects", and delete every account except Administrators. Then add the Serv-Uadmin account to this key and give it Full Control. (Skip this step if the accounts are stored in the INI file.)

④ Now set the ACLs on the web directories, for example the root directory of my virtual hosts, e:/leebolin$ (%. Add the Serv-Uadmin account to this web directory so that FTP users can upload to and download from it. Since Serv-U no longer runs as SYSTEM, it is enough to keep only Administrators and Serv-Uadmin here.

⑤ If the site is ASP/PHP/HTML script, the web directory needs only Administrators, Serv-Uadmin and IUSR_xx (where IUSR_xx is the site's anonymous user account). For ASP and ASP.NET site security, see my earlier articles "FSO security hidden trouble solution", "ASP Trojan/webshell security solution", "ASP.NET Trojan and webshell security solution" and "Ten elements of a server security check".
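The same procedure, steps 3 to 5, can be done from an elevated PowerShell prompt instead of clicking through the consoles. The script below is an added example, not part of the original article and not Serv-U's own tooling; it assumes the service is named 'Serv-U', keeps the FTP accounts in the registry under HKLM\SOFTWARE\Cat Soft, and uses an assumed web root and the IIS anonymous account IUSR_<computername>. It prompts for the service-account password rather than hard-coding it, and it merges the new user rights with the current holders because secedit treats each right listed in a template as the complete membership list.

```powershell
# Added example (not from the original article): steps 3-5 of the Serv-U
# hardening procedure. All names and paths below are assumptions; adjust them.
$svcUser    = 'Serv-Uadmin'
$svcName    = 'Serv-U'                            # check: Get-Service | ? DisplayName -like 'Serv-U*'
$installDir = 'D:\pro_leebolin ^_^\serv-u#$2008$' # single quotes keep the '$' literal
$webRoot    = 'E:\wwwroot'                        # assumed; use your virtual host root
$profileDir = "C:\Documents and Settings\$svcUser"
$regKey     = 'HKLM:\SOFTWARE\Cat Soft'
$iisAnon    = "IUSR_$env:COMPUTERNAME"            # IIS 6 anonymous account naming
$accountsInIni = $false                           # $true if accounts stay in ServUDaemon.ini

# Step 3: dedicated local account, no group membership, no interactive logon.
$cred = Get-Credential -UserName $svcUser -Message "Password for the $svcUser service account"
New-LocalUser -Name $svcUser -Password $cred.Password -PasswordNeverExpires -AccountNeverExpires | Out-Null
Remove-LocalGroupMember -Group 'Users' -Member $svcUser -ErrorAction SilentlyContinue  # if defaults added it

# User rights: deny local and RDP logon, allow "Log on as a service" (sc.exe/WMI do not
# grant it; the Services console does). Merge with current holders before applying.
$cur = Join-Path $env:TEMP 'rights-current.inf'
secedit /export /cfg $cur /areas USER_RIGHTS /quiet | Out-Null
$current = Get-Content $cur
$inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeServiceLogonRight') {
    $line = $current | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) { $holders = @(($line -replace "^$right\s*=\s*", '') -split ',' | ForEach-Object { $_.Trim() }) }
    if ($holders -notcontains $svcUser) { $holders += $svcUser }
    $inf += "$right = " + ($holders -join ',')
}
$infPath = Join-Path $env:TEMP 'rights-servu.inf'
$inf | Out-File -FilePath $infPath -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'rights-servu.sdb') /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null

# Step 4: run the service as the new account. WMI Change() keeps the password off
# the command line, unlike 'sc.exe config ... password='.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service '$svcName' not found" }
$rc = $svc.Change($null, $null, $null, $null, $null, $null, ".\$svcUser", $cred.GetNetworkCredential().Password)
if ($rc.ReturnValue -ne 0) { throw "Change() failed with code $($rc.ReturnValue)" }

# Step 5 ①②④: NTFS ACLs. /inheritance:r drops inherited ACEs so only the listed
# principals remain; (OI)(CI) applies the ACE to files and subfolders.
$installRights = if ($accountsInIni) { 'M' } else { 'RX' }   # INI store must be rewritable
icacls $installDir /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" "${svcUser}:(OI)(CI)$installRights" | Out-Null
icacls $webRoot    /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" "${svcUser}:(OI)(CI)M" "${iisAnon}:(OI)(CI)RX" | Out-Null
if (Test-Path $profileDir) { icacls $profileDir /grant "${svcUser}:(OI)(CI)M" | Out-Null }

# Step 5 ③: registry branch with the FTP accounts: inheritance off, only
# Administrators and the service account with Full Control.
if (-not $accountsInIni -and (Test-Path $regKey)) {
    $acl = Get-Acl -Path $regKey
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { $acl.RemoveAccessRule($ace) | Out-Null }
    foreach ($id in 'BUILTIN\Administrators', $svcUser) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $id, 'FullControl', 'ContainerInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $regKey -AclObject $acl
}

# Restart and confirm the service no longer runs as LocalSystem.
Restart-Service -Name $svcName
$after = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
"{0} now runs as {1} (state {2})" -f $after.DisplayName, $after.StartName, $after.State
```

If the service fails to start after the change, the usual cause is a missing "Log on as a service" right or a directory the service account cannot read; check the System event log and the ACLs before touching anything else. Keep SYSTEM out of the Serv-U directories only if nothing else on the host (backup agents, installers) needs it there, and add a SYSTEM:(OI)(CI)F entry to the icacls calls otherwise.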

Fourth, with this much done, our Serv-U is protected against overflow and privilege escalation. Why? A remote overflow only pays off when the shell it yields is used to go further, and our Serv-U no longer runs as SYSTEM: even if an overflow is executed successfully, the resulting shell runs as Serv-Uadmin, which has no system-level access beyond the ACLs we granted, so the attacker gets nothing. The same applies to the escalation route through the Serv-U local administrator account: whatever an attacker makes Serv-U do, it does as Serv-Uadmin, not as SYSTEM.

Fifth, that is all for today's Serv-U anti-overflow and anti-privilege-escalation solution. Having read this far, do you understand it?

PostScript: Server and system security is a single whole; a small oversight somewhere else can still bring down your site, or even the server. A security strategy must therefore be preventive, and no small detail can be treated carelessly. That concludes today's tips on configuring Serv-U securely; we will see each other in the next article on other aspects of server security configuration. :-) (Note: my knowledge is limited and mistakes in the article are inevitable; I ask readers to forgive me. If you have a better way, please do not forget to share it on the forum ^0^. Thanks in advance!)

About this article's copyright: the copyright is held jointly by [Server Security Discussion Area] and [the author]. You may reprint it freely, but you must keep the article intact together with the source information and the author information links; reprints that strip this copyright notice are not welcome.

About the author: Lee Bolin / leebolin, senior system engineer and professional network security consultant, has provided complete network security solutions to many large and medium-sized enterprises and ISPs. He specialises in overall network security programme design, large-scale network engineering planning, and complete server security solutions. [S.S.D.A Server Security Discussion Area] Www.31896.net, e-mail: bolin.lee#gmail.com, QQ: 24460394. Any suggestions or questions about this article can be sent by e-mail or discussed with the author over QQ or on the forum.
