Some people can't appreciate a good thing...


brdempsey69

Original UT Owns !!
Sheesh, can't people just live & let live? That would qualify somewhere along the lines of a denial of service attack & I hope you track them down.
 

Zur

surrealistic mad cow
You should add a script to move files out of the upload folder and trigger it with a cron every 10-15 minutes or so.
 

SkaarjMaster

enemy of time
I didn't even know you could upload files. Any advantage to establishing an account and logging in instead of just downloading like I've been doing all this time?
 

Diehard

New Member
People like that are just plain ****ed up :(

And when I read your post, I was gonna say, make a script that moves the files out of the way directly after upload, but Azura beat me to it.

And it's even worse than that, since it looks like he is from my country and accidentally also on the same ISP I have: Chello.

You could try sending the log to Chello and have them take action. Oh wait, that's my host, and they don't even have one mail address you can use, not even for clients. You can only phone them (dollar a sec), so prob the only ISP in the world that doesn't have a mail address :rolleyes:

So again what Azura said, or make deletion impossible, and that includes making it impossible to overwrite files.

And the realisation it's an Unrealer and prob a user on these forums is all the more sad...
 

Skillz

ut-files.com
> You should add a script to move files out of the upload folder and trigger it with a cron every 10-15 minutes or so.

The cronjob is set up to run every hour, I think I will try every 1/4 hour. I just don't want it to affect the performance of the box.

> I didn't even know you could upload files. Any advantage to establishing an account and logging in instead of just downloading like I've been doing all this time?

The files on this FTP are not the public files you see on the site. It's just a public FTP for users who add files to the site(s) and redirects. Each redirect setup moves the files automatically every hour, while the other files (mods/mutators, maps, etc.) get moved to a different account so that I can determine where they belong. They also get moved every hour, but can take a couple of days before the public sees them on the file server.

> I've got a few files that I downloaded from your site that I can contribute! :) Tell me how to up them, and they shall be on your server. ;D :)

No old files were deleted. The site is still there, the redirect is still there. The only thing missing is new files people uploaded. Granted most of them are probably duplicates, if there were any new files for the redirect, they'll need to be uploaded again. If any new file was uploaded for the games, they'll need to be uploaded again as well.

> People like that are just plain ****ed up :(
>
> And when I read your post, I was gonna say, make a script that moves the files out of the way directly after upload, but Azura beat me to it.

Like I mentioned before, it runs every hour. Going to change it to run every 1/4 hour.

> And it's even worse than that, since it looks like he is from my country and accidentally also on the same ISP I have: Chello.
>
> You could try sending the log to Chello and have them take action. Oh wait, that's my host, and they don't even have one mail address you can use, not even for clients. You can only phone them (dollar a sec), so prob the only ISP in the world that doesn't have a mail address :rolleyes:

The problem is it will just get ignored. I've been this route before, many a time. Unless I am a paying customer on their network, they could care less what happens. I would essentially have to get a lawyer to contact them and well, I simply do not have the money to go that route.

> So again what Azura said, or make deletion impossible, and that includes making it impossible to overwrite files.
>
> And the realisation it's an Unrealer and prob a user on these forums is all the more sad...

There is a way to prevent users from deleting files on pureftpd, however it will prevent ALL users on the FTP server from being able to do this. I have user accounts that need those privileges, including the account I have for you.
 

GreatEmerald

Khnumhotep
> There is a way to prevent users from deleting files on pureftpd, however it will prevent ALL users on the FTP server from being able to do this. I have user accounts that need those privileges, including the account I have for you.

Hmm, wouldn't simply CHMOD do that? Make the upload folder read-only?
 

Diehard

New Member
> Hmm, wouldn't simply CHMOD do that? Make the upload folder read-only?

Yeah, but if I am correct, that means that you cannot upload.

But if files are moved every 15 minutes, then the guy has to stay logged in continuously to be in time to delete them. So moving them real fast is already a good option.

And what you could do is ban that guy's IP from your site. Chello, well actually the company is called UPC and Chello is part of it. But my IP changes once in 6 months (if I am lucky). So a block on his IP would ensure that he's blocked for several months. And the reason is simple: UPC only has cable connections, no dial-up or anything else, just cable, and they refuse to give people new IPs. So in this case a ban is very helpful...
 

RoninMastaFX

Unreal/UT Vet from Day 1
> No old files were deleted. The site is still there, the redirect is still there. The only thing missing is new files people uploaded. Granted most of them are probably duplicates, if there were any new files for the redirect, they'll need to be uploaded again. If any new file was uploaded for the games, they'll need to be uploaded again as well.

Ah ok, I misunderstood, my apologies. ;$ :(
 

Skillz

ut-files.com
> Hmm, wouldn't simply CHMOD do that? Make the upload folder read-only?

What Diehard said, it would prevent users from being able to upload anything as well.

Diehard, his IP has been banned. I also set up a log watch on the server that emails me the pureftpd logs every night so I can check every night if people are deleting files they shouldn't be.
 

Zur

surrealistic mad cow
> The cronjob is set up to run every hour, I think I will try every 1/4 hour. I just don't want it to affect the performance of the box.

An alternative is to make the files non-visible (dot prefix on Unix/Linux) or modify permissions so they are non-writable.
 

Skillz

ut-files.com
> An alternative is to make the files non-visible (dot prefix on Unix/Linux) or modify permissions so they are non-writable.

You can still see/view files with the dot. .htaccess for example still shows up in the FTP client. The files are only on the server for 15 minutes at most before being transferred over. I also set up a script to email the pureftpd logs every day, so I will just keep an eye on people deleting files they shouldn't be.
 

Raynor.Z

Ad Nocendum Potentes Sumus
Well this guy definitely needs to be shot, glad to hear most of the stuff is intact though.
 

IronMonkey

Moi?
With apologies if I'm teaching granny to suck eggs! :)

Building Internet Firewalls (2nd ed.) recommends:


  • Read and follow: http://www.packetstormsecurity.org/advisories/cert/CA-93:10.anonymous.FTP.activity
  • Make your incoming directory write-only (either 773 or 733)
  • Make sure the directory is owned by a user other than ftp.
  • Make sure the group of the directory is something other than a default user group or the ftp group.
  • Make anonymous read and anonymous write exclusive.
  • Disable the creation of directories and files with "funny names" e.g. files beginning with "."
  • Move the files (but be careful with duplicate names) and ensure that the destination is on the same file system (a move is a fairly lightweight operation - I wouldn't be worried about the system load even if you ran your proposed cron job every two minutes, as long as the move was on the same filesystem). One point to watch is that you make sure that your move script can properly escape odd (from a Unix perspective) characters in file names like spaces.

Some advice here:

http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ
* How to restrict access to dot files ?

-> Is there an option to prevent people from accessing "." files/dirs (such as .bash_history, .profile, .ssh ...) EVEN if they are owned by the user ? (William Kern)

Yes. '-x' (--prohibitdotfileswrite) denies write/delete/chmod/rename of dot-files, even if they are owned by the user. They can be listed, though, because security through obscurity is dumb and software shouldn't lie to you. But users can't change the content of these files.

Alternatively, you can use '-X' (--prohibitdotfilesread) to also prevent users from READING these files and going into directories that begin with "." .
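
A sketch of the move step from the list above, as an added example that is not part of the original post or the site's actual script: it refuses to run across filesystems, quotes every path so spaces and other odd characters survive, and never overwrites a duplicate name. The directory arguments are hypothetical, and `stat -c %d` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: sweep an FTP incoming directory into a holding area.
# Paths are hypothetical; HOLDING must not be writable by the FTP user.

# sweep_incoming INCOMING HOLDING -> prints the number of files moved
sweep_incoming() {
    incoming=$1
    holding=$2
    moved=0

    # A move is a cheap, atomic rename only within one filesystem,
    # so refuse to run if the two directories are on different devices.
    if [ "$(stat -c %d "$incoming")" != "$(stat -c %d "$holding")" ]; then
        echo "error: $incoming and $holding are on different filesystems" >&2
        return 1
    fi

    # "*" does not match dot-files, so those stay behind for manual review.
    # Every expansion is quoted so spaces, quotes and newlines in names survive.
    for f in "$incoming"/*; do
        # Regular files only: skip directories, symlinks and an unmatched glob.
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            continue
        fi
        name=${f##*/}
        dest=$holding/$name
        n=1
        # Duplicate name: keep the earlier upload and add a numeric suffix.
        while [ -e "$dest" ] || [ -L "$dest" ]; do
            dest=$holding/$name.$n
            n=$((n + 1))
        done
        if mv -- "$f" "$dest"; then
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Run from cron, e.g. every 15 minutes, with both directories as arguments.
if [ "$#" -eq 2 ]; then
    sweep_incoming "$1" "$2"
fi
```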
 

Skillz

ut-files.com
Interesting read. Have you logged into the public FTP? http://news.ut-files.com/contact/ and let me know if you see something that I can do to make it more secure. :)

I still do not know how to make a directory "writable" but still prevent users from being able to delete the file. That's the only issue I am facing. I can CHMOD it to execute and read only, but then they wouldn't be able to upload (write) anything nor would they be allowed to delete anything. Would defeat the purpose if they can't write to it though, which is what is needed the most.

The user is also jailed to the home directory, which contains nothing of importance except what others upload to it. Trying to navigate out of the home directory will just give you a permission error.
 

IronMonkey

Moi?
> I still do not know how to make a directory "writable" but still prevent users from being able to delete the file. That's the only issue I am facing. I can CHMOD it to execute and read only, but then they wouldn't be able to upload (write) anything nor would they be allowed to delete anything. Would defeat the purpose if they can't write to it though, which is what is needed the most.

Have you considered playing around with the sticky bit? I've never tried it with a ftp server but it might do the trick.

http://en.wikipedia.org/wiki/Sticky_bit said:
The most common use of the sticky bit today is on directories. When the sticky bit is set, only the item's owner, the directory's owner, or the superuser can rename or delete files. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files.

I'm afraid that my expertise in running ftp servers consists of shooting anyone who asks to run one on a system that I manage. :)
 

Skillz

ut-files.com
> Have you considered playing around with the sticky bit? I've never tried it with a ftp server but it might do the trick.
>
> I'm afraid that my expertise in running ftp servers consists of shooting anyone who asks to run one on a system that I manage. :)

The problem is, users would still be able to delete other files. Regardless of who uploads/connects to the server, they all log in with the same username.

> "only the item's owner, the directory's owner, or the superuser can rename or delete files."

So if John logs in with the uploadu username and uploads test.unr.uz, then Jason logs in with the uploadu username, he'll be able to do whatever John can do, since it's the same username.