Wednesday, July 21, 2010

.ftpaccess files and ftp hacking

A number of my sites have been hacked recently. Lots of dodgy links have been hidden in the html behind the scenes, only visible when you look at 'view source'.

The main vulnerabilities in the approach I use to managing websites comes from FTP (or so I am finding out) though I also use php 'includes' sometimes, which is another no-no.

Anyhow, my provider, 34sp has come up with a suggestion for resellers to protect their FTP uploads. This seemed like a reasonable idea but has not worked out that well for me, so here's my take on how to adapt their approach.

Despite having an .ftpaccess file in place, a charity site I run has again found itself with lots of dodgy hidden links in its pages. I suspect the problem may be because I created the .ftpaccess file using Dreamweaver 4 with the wrong Line Feed characters - these files apparently MUST have a Unix line feed or they will not work.

I have another problem though. With these .ftpaccess files we are advised to use the enum range if we are not on a static IP address. This seemed reasonable but my ISP's enum ranges seem to change with great frequency so this whole approach is not going to be very reliable for me.

So, I've been wishing I could just turn OFF ftp access until I need it. And that is what I have decided to do, like this.

1. Create an .ftpaccess file as above but leaving only 'Deny all' in the file, no other valid IP addresses and put it in the appropriate directories (httpdocs, httpsdocs and cgi-bin)

2. Using Plesk file manager, change the permissions on the .ftpaccess file to what I think is called 644 or rw- r-- r-- (which seems to be generally recommended for .htaccess files as a secure permission setting)

3. If I want to FTP to the site I first go in to Plesk file manager and move the .ftpaccess file to a special purpose built directory called ftp-off

4. Do whatever FTPing I need to do

5. Go back into Plesk and move the .ftpaccess file into httpdocs (I move the file rather than rename it to retain the permissions settings)

This is a rather belt and braces approach but as far as I can tell it locks off FTP so that only the person with Plesk access can use it.

Now, none of my customers do any FTPing for themselves. But, if they did perhaps the solution would be to allow to allow them access through siteadmin.