The Cache: Technology Expert's Forum
 
Author Topic: Got my Mac Mini, Now What?  (Read 2865 times)
perkiset
Olde World Hacker
Administrator
Lifer

Posts: 5211


:sniffle: Humor was so much easier before.


« Reply #75 on: July 24, 2008, 12:09:17 PM »

I believe when I got attacked and pwnd nasty in about 2001 it was via an FTP vector. I'm a big believer in NOTHING forward facing except web anymore.

If I can't be Mr. Root then I don't want to play.
nutballs
Administrator
Lifer

Posts: 3431


« Reply #76 on: July 24, 2008, 12:10:39 PM »

but even via web there are vectors, most of which are introduced by the programmer. The problem is ftp is generally a minimal increase in risk especially compared to a web server running a complex application.
vsloathe
vim ftw!
Global Moderator
Lifer

Posts: 625



« Reply #77 on: July 24, 2008, 12:14:22 PM »

Yeah. I'm a firm believer in the idea that there does not exist a web application out there that does not have at least one vector of attack open. Now, it could be argued that what I classify as an "attack vector" is not what your average Joe whitehat hacker security expert would, but I digress. If the vector is not a direct SQL/code injection vector, there is almost always a javascript or clientside code vector that can be used to hijack the session of a trusted user to gain access to the more "low level" vectors. I just don't really see the usefulness in "pwning" a webserver really. I want them to stay up so that I can forward people from my site to their landing page, who later buy a product. Then I get paid  Grin

perkiset
« Reply #78 on: July 24, 2008, 12:17:39 PM »

LOL I am not suggesting that I feel safe behind only two ports boys... only that if I am limiting all channels of access to a box to two ports managed by a reasonably secure server I feel better. And with the web firewall thread we started this morning I think that provides even more security from your more sophisticated external hacker.

Now: is it possible that my own logic could provide bugs and vectors that a smart and in-the-know person could exploit? Oh yeah, but I also work hard to shut all of that down - for example, even though my sites LOOK like they are a standard dir/dir/file.html they are actually run through a translation module in PHP that will only respond to things that I recognize and approve of. Essentially, I look at all the ways that I'd attack a site/server and try to head me off at the pass  ROFLMAO

If I can't be Mr. Root then I don't want to play.
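
The allowlist-style URL translation described in Reply #78, sketched as an added example (not perkiset's code and not part of the original thread). The route table, handler file names and the function name `resolve_route` are hypothetical.

```php
<?php
// Added example: allowlist URL translation. All names and routes are hypothetical.

// Public URL path => internal handler file. Anything not listed does not exist.
const ROUTES = [
    '/'                      => 'home.php',
    '/products/widgets.html' => 'product_list.php',
    '/about/contact.html'    => 'contact.php',
];

/**
 * Map a raw request URI to an approved handler, or null if it is not recognized.
 * The client-supplied path is only ever used as a lookup key, never as a
 * filesystem path, so traversal sequences and odd encodings simply miss.
 */
function resolve_route(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;                          // malformed or path-less URI
    }
    $path = rawurldecode($path);
    // Reject NUL bytes and other control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $path)) {
        return null;
    }
    return ROUTES[$path] ?? null;             // exact match only, no prefix matching
}

// Constructed sample requests: one approved URL and several that must not resolve.
$samples = [
    '/products/widgets.html',
    '/products/../../etc/passwd',
    '/about/contact.html?id=1%27',
    '/admin/config.php',
    '/about/contact.html%00.jpg',
];
foreach ($samples as $uri) {
    $handler = resolve_route($uri);
    printf("%-32s => %s\n", $uri, $handler ?? '404 (not on allowlist)');
}
```

The query string in the third sample is ignored by the lookup, so the handler still has to validate its own parameters.
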
nutballs
« Reply #79 on: July 24, 2008, 06:52:48 PM »

ok, i r stuck again. not so much stuck, but don't know how to do something, and google is FAIL

i have installed PureFTPd and all is working.
I installed with the recommendation of using pam, which is the pluggable authentication module, meaning it will use the OSx user accounts for FTP access. This is what the pureFTP docs say to do.

So now, I can log in, however, it is dumping me into my USER directory. I obviously don't want this.

How can I change what directory I start in, when i log in via FTP, via PAM authentication.
any ideas? i poked everywhere in the gui for anything that might point to an ftp directory, but no joy.
perkiset
« Reply #80 on: July 24, 2008, 08:26:47 PM »

If it's not in your pureFTP docs then I don't know... in my case, my client is what remembers where I last was and dumps me, because my FTP daemons all drop me in the home directory  Undecided
nutballs
« Reply #81 on: July 24, 2008, 10:10:32 PM »

yea, the problem is, i can't get UP to /www
not really sure what voodoo this is using. I can set it to use puredb as the login system, which is built into pureftp, but I was hoping to actually do it the way THEY said to. lol
perkiset
« Reply #82 on: July 24, 2008, 11:41:52 PM »

probably meaningless, but I use proftpd because of ease of configurability. Tried pure and had troubles if I remember correctly.
nutballs
« Reply #83 on: July 25, 2008, 07:38:42 AM »

yea, I am gonna try pro then. do you have a separate FTP login that you had to set up, separate from your OSx login?
I can do that in pure, i just was trying to actually follow instructions... I should know better.

on another topic...
Is there a disk image package for osx or linux that you can recommend? I want to image my base install, so I can screw around a bit, and just 1 click do-over.
perkiset
« Reply #84 on: July 25, 2008, 09:01:43 AM »

Quote
yea, I am gonna try pro then. do you have a separate FTP login that you had to set up, separate from your OSx login?
I can do that in pure, i just was trying to actually follow instructions... I should know better.

I believe pro can either do OS logins or defined logins, but I do not recall. I think I've always used OS logins in any case.

Quote
Is there a disk image package for osx or linux that you can recommend? I want to image my base install, so I can screw around a bit, and just 1 click do-over.

Well the simplest is TimeMachine, but that takes forever. There are quite a number of imagers out there, some for free and some for a few bucks. I don't have one in mind, everything here is now handled via TimeMachine.
nutballs
« Reply #85 on: July 25, 2008, 09:26:34 AM »

yea, I was hoping for something like Ghost or Trueimage, so i could make a boot DVD that would just spit out a new hard drive for me. Time machine can't do that really.

I will post if I find something. if you plan on doing this as well, at even a small scale, it probably would be useful for you as well.
nutballs
« Reply #86 on: July 25, 2008, 12:09:06 PM »

So back to FTP.

I am trying out ProFTPd, and discovered something about my config for PureFTPd. I had the user chrooted, so as a result, i couldn't get out of my "home" directory, duh...

But too late, I am now onto ProFTPd. so...
I set it up with PAM, I can log in, yeay team.
I tried to get it to auto launch with LaunchD, however, no joy. Not a big deal, since I can just ssh in, start it, and then ftp all i want, but i hate that extra step.
perkiset
« Reply #87 on: July 28, 2008, 01:16:32 PM »

I have a bunch of launchd things I need to learn, so I 'spect that we'll become experts at exactly the same moment.

I'm in Rocky Point and won't be back till tonight, catch you more tomorrow perhaps.
nutballs
« Reply #88 on: July 28, 2008, 01:38:48 PM »

figured you were out of town.
jairez
Journeyman

Posts: 69


JTFC!


« Reply #89 on: July 29, 2008, 12:43:06 AM »

Quote
Is there a disk image package for osx or linux that you can recommend?
OS-X has the built-in imaging that's found in Applications->Utilities->Disk Utility.  I use it like crazy to create/burn DVD images and backups.

Just a heads up, the most important directory(s) you can back up are the {root}/Library - the closest thing to the Windoze registry as it contains all the settings and information for your OSX install - and the {root}/Users directory.  Between these two you should be able to recover everything with minimal headache.  I've done it a couple of times now with the latest being a couple of weeks ago when I installed a 320 GB hdd in my MacBook.  Put down a new OS, re-install software and copy over the Library folder then bang ... everything's just the way I left it.

That said, it obviously won't contain the customized installs of MAMP components, but it does a pretty decent job by letting you create a new image based on a directory, or mounting/creating .ISO or the Mac-native .dmg files.

Not sure if this helps or not, but I certainly hope so.  Also, I seem to think there may be another alternative if you already have the OS down and just want to reset some things, but let me chew on it nocturnally.

 

    - ja

Two wrongs don't make a right --- but three rights make a left.