Ftp Anonymous Enabled

  1. Home
  2. VULNERABILITIES

Title:

FTP access with ?anonymous" account.

Vulnerability:

What is FTP ?anonymous" account?
Utilizing the Internet's File Transfer Protocol (FTP), anonymous FTP is a strategy for giving clients access to files with the goal that they don't have to authenticate themselves to the server. Utilizing a FTP program or the FTP command interface, the client enters "unknown" as a client ID. All in all, you enter the word anonymous or ftp when the host prompts you for a username; you can enter anything for the password, for example, your email address or just "guest". By and large, when you get to an unknown FTP site, you won't be provoked for your name and password.

Attackers misuse the weak passwords or anonymous logon vulnerability to specifically sign on to the FTP benefit and transfer vindictive records to take system privileges, which causes information leakages.

Solution:

Ensure to use the latest version of the FTP service software.

FTP service in Windows Server 2008 and the vsftpd service in Linux as examples of how to harden the FTP service:
Harden FTP service in Windows

  1. Open Internet Information Services (IIS) Manager, check hardening features for the FTP service
  2. Disable anonymous logon.
  3. Create an FTP account.
  4. Disable the anonymous logon functionality.
  5. Enable a strong password security policy: Password must meet complexity requirements.
  6. Enable the policy for handling account logon failures
  7. Enable the FTP directory isolation feature.
  8. Specify accessing IP addresses
  9. Enable the authorization policy.
  10. Enable SSL encryption for data transmission
  11. Create a server certificate.
  12. Apply the created certificate.
  13. Enable the logging feature

Harden vsftpd service in Linux

  1. Add a new user ?test? and configure a strong password for the user
  2. Modify the vsftpd.conf configuration file.
  3. Set anonymous_enable=NO
  4. Disable displaying banner information.
  5. Modify the statement as ftpd_banner=Welcome
  6. Limit users that can log on to FTP services
  7. Limit accessible directories for FTP users.
  8. chroot_list_enable=YES
  9. chroot_list_file=/etc/vsftpd/chroot_list
  10. Modify the listening address and the default port
  11. listen_address=192.168.0.192
  12. listen_port=8888
  13. Enable the logging feature
  14. xferlog_enable=YES
  15. xferlog_std_format=YES
  16. Enable other security configurations in the file
  17. If you do not need the service, we recommend that you disable the FTP service.
Content Sniffing Header Vulnerability, Admin Interface Externally Open

Content Sniffing Not Disabled

OWASP Top 10 Security Testing, Content Sniffing Not Disabled

Session Cookie Found Without Secure Flag Set.

Session Cookie Found Without Secure Flag Set, Web App Security Testing Services Company

How To Enable Content Sniffing?

How To Enable Content Sniffing?, Content Sniffing Header Vulnerability

Clickjacking: X-Frame-Options Header Missing

OWASP Top 10 Security Testing , Clickjacking: X-Frame-Options Header Missing

Error Page Discloses Web Server Version

Web App Security Testing Services Company, Clickjacking: X-Frame-Options Header Missing

Error Page Discloses Web Server Version

Error Page Discloses Web Server Version, Content Sniffing Header Vulnerability

How To Disable Web Dav Extensions?

Error Page Discloses Web Server Version, OWASP Top 10 Security Testing

How To Configure Access-Control-Allow-Origin Header?

Web App Security Testing Services Company, How To Disable Web Dav Extensions?

How To Disable Custom Errors At Webroot?