SERV-U Security Configuration

By ShiDao

As a classic FTP server software, SERV-U has been used by most administrators, its simple installation and configuration and the powerful management functions of the humanization has been praised by administrators. However, as the number of users increases, the security issues of the software are gradually exposed.
The first is the SERV-U site chmod vulnerability and Serv-u mdtm vulnerability, that is, using an account can easily get SYSTEM permissions. The second is the local overflow vulnerability of Serv-u, that is, Serv-U has a default Management User (username: localadministrator, password: #|@$ ak #. | k; 0 @ p) Anyone who can access the local port 43958 can add or delete accounts and execute any internal or external commands at will.
At this time, people began to pay attention to the security of SERV-U, and take some related measures, such as modifying the SERV-U Management port, account and password. However, the modified content is retained in the servudaemon.exe file. Therefore, after downloading it, you can easily obtain the modified port, account, and password using a hexadecimal editing software such as UltraEdit.
From the SERV-U6.0.0.2, the software has a login password function, so that if you add a management password, and set more properly, the SERV-U will be more secure than the original. Now let's get started with the SERV-U setup tour, using version is SERV-U 6.0.0.2.
The old saying has cloud, thousands of feet of the station began with the ground, set the security of the SERV-U from the installation began. This article is mainly to write SERV-U security settings, so don't spend too much effort to introduce the installation, just to mention the key points.
By default, SERV-U is installed in the C:/Program Files/Serv-U directory. We 'd better change it. For example, change to D:/u89327850mx8utu432X $ UY32x211936890co7v23x1t3 (figure 1). If the installation drive letter WEB user cannot browse, it is difficult for him to guess the installation path. After installation, a shortcut will be generated on the desktop and the Start menu. We recommend that you delete the shortcut because it is generally not used. Maybe you have to ask, how should you enter the SERV-U settings interface? In fact, it is very simple, double-click the Tray Monitor icon in the right corner of the taskbar to start the SERV-U management interface.

 

Figure 1: Modify the installed directory
 
Only the first two items can be selected during installation, and the following two are descriptions and online help files. (See figure 2)

 

Figure 2: select the first two items during installation
 
Is the name of the folder in the generated Start Menu group, it is recommended to change to a name that is not like the SERV-U, or delete the folder. (See figure 3)

 

Figure 3: change the name of the folder in the Start Menu group after installation
 
After the installation is complete, a wizard will appear asking you to create a domain and an account. Click here to Cancel the wizard. The accounts generated by using the wizard may cause some problems. Therefore, you can create a domain and an account manually. (See figure 4)

 

Figure 4: click Cancel to Cancel the wizard
 
Then click the option before Start automatically (system service), then click the Start Server button below to add the SERV-U to the system service, so that you can Start with the system, do not need to Start each time. (See figure 5)

 

 

 

Figure 5: Add SERV-U to service
 
Next we will see the 6 interface. Click Set/Change Password to Set a Password.

 

Figure 6: click Set/Change Password to Set the Password
 
The page 7 is displayed. Because it was used for the first time, there is no password, that is, the original password is empty. You do not need to enter characters in the old password. Simply enter the same password in the New password and Repeat new password and click OK. We recommend that you set a complex password to prevent brute force password cracking. It doesn't matter if you remember it. Just remove and save the localsetuppasswordpattern line in servudaemon.ini, and then run servuadmin.exe again, you won't be prompted to enter the password to log on.

 

Figure 7: password setting and change page
 
The next is the time to set the security of the SERV-U. First, create a WINDOWS Account SSERVU, And the password must be complex enough. Remember the password. If you can't remember it, save it in a file temporarily and use it later. (See figure 8)

 

 

Figure 8: Create a WINDOWS Account
 
After creating an account, double-click the created user to edit user attributes and delete the USERS Group from "affiliated.

 

Figure 9: deleting a USERS group from the affiliated directory
 
Remove the "Allow logon to Terminal Server (W)" option from the "terminal service configuration file" option, and then click OK to continue our settings. (See figure 10)

 

Figure 10: Cancel "Allow logon to Terminal Server"
 
Here we have created an account to set the account in the service. Now we need to use the account we just created. The password has not been forgotten and will be used soon.
Find "service" in the management tool of the Start menu and click open. Right-click "Serv-u ftp Server Service" and select "continue.
Click "Log on" To Go To The Logon account selection page. Select the system account name you just created, and enter the password of the account twice below (the one you just remembered), click "application", and click "OK" again, complete service settings. (See figure 11)

 

Figure 12: Saving the FTP user password to the Registry
 
Open the Registry to test the corresponding permissions, otherwise the SERV-U cannot be started. Enter regedt32 in "start"> "run" to continue.
Find the [HKEY_LOCAL_MACHINE/SOFTWARE/Cat Soft] branch. Right-click the item above, select the permission, and click Advanced. Cancel the permission to allow the inherited permissions of the parent item to be propagated to the object and all sub-objects, including those explicitly defined here. Click "Apply" to continue, delete all accounts. Click "OK" again to continue. The dialog box "you have rejected all users to access Cat Soft" is displayed. No one can access Cat Soft and only the owner can change the permissions. Do you want to continue ?", Click "yes" to continue. Click the Add button to add the created SSERVU account to the permission list of the sub-key and grant full control permissions. The Registry has been set up. But you cannot restart the SERV-U because the installation directory is not set yet.
Now let's set it up. Only your management account and SSERVU account are retained, and all permissions except full control are granted. (See figure 13)

 

Figure 13: SERV-U installation directory permission settings
 
Now, restart the Serv-u ftp Server Service in the service. Of course, it is not completely set up yet. Your FTP user still cannot log on because you do not have the permission, so you need to set the directory permission. <