
I have realized that some of my FTP users are uploading *.exe files to an FTP user account which is only supposed to hold *.MXF and other kinds of media formats.

I am looking for a way to deny all file uploads except *.mxf, *.mp4, *.mov and so on, i.e. restrict the FTP account to accept only media files and not exe's.

Does anyone have an idea how I can manage this with a VSFTPD server?

Thank you so much in advance.

kunal
  • Try making a script that deletes all executables on your server every minute – Intelligent Pickle Jul 06 '17 at 22:23
  • I'm going to make a guess that your users may wise up to this, and rename their .exe files as .mov files, and send instructions to their friends to download the .mov and rename them... – Charles Green Jul 06 '17 at 23:42
  • @charles Except for the scripting option, what is the way to prevent users from uploading unwanted files? We don't have any AV installed on my Linux server. – kunal Jul 07 '17 at 07:40
  • I'm not a good script writer, but I would suggest a script using file to check for the file types that you want to allow and deleting the remainder as suggested above. And perhaps an automated email to your users indicating that their non-media file has been deleted? – Charles Green Jul 07 '17 at 12:45
  • @CharlesGreen you make a valid point regarding extensions vs. file types. Updating my answer accordingly. – Elder Geek Jul 09 '17 at 17:10
  • @elder geek thank you again. As was already mentioned, someone can also change the file extension and rename it back after uploading and downloading. The whole point of doing this is how we can make sure that infected exe files can't be uploaded. I can easily manage to delete the files with scripts and can even inform the users. – kunal Jul 09 '17 at 17:15
  • @kunal updated answer. I hope you find it helpful. The deny_file setting listed for vsftpd.conf will disallow any attempt to modify the file in any way after uploading. – Elder Geek Jul 09 '17 at 17:27
  • You are welcome. Since you've been a member for 3 years, I doubt I have to explain to you that the way we say thanks here is by accepting answers (green check box) and/or upvoting those answers that were most useful to you. Best regards. – Elder Geek Jul 11 '17 at 14:13
  • @ElderGeek thank you. I've been a member and I will say thanks in the correct way by accepting your answer once I have properly tested it. Your answer looked correct to me, but because of some other priorities at work I couldn't manage to check it. So don't worry, you will receive the proper thanks. – kunal Jul 11 '17 at 14:51
  • @kunal No worries. Testing is always a good idea. :-) – Elder Geek Jul 11 '17 at 17:22

1 Answer

You might want to review the section of man vsftpd.conf on string options, specifically the deny_file entry, which states:

deny_file

This option can be used to set a pattern for filenames (and directory names etc.) which should not be accessible in any way. The affected items are not hidden, but any attempt to do anything to them (download, change into directory, affect something within directory etc.) will be denied. This option is very simple, and should not be used for serious access control - the filesystem's permissions should be used in preference. However, this option may be useful in certain virtual user setups. In particular aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names. Access will be denied to items if their name contains the string given by hide_file, or if they match the regular expression specified by hide_file. Note that vsftpd's regular expression matching code is a simple implementation which is a subset of full regular expression functionality. Because of this, you will need to carefully and exhaustively test any application of this option. And you are recommended to use filesystem permissions for any important security policies due to their greater reliability. Supported regex syntax is any number of *, ? and unnested {,} operators. Regex matching is only supported on the last component of a path, e.g. a/b/? is supported but a/?/c is not.

    Example: deny_file={*.exe,*.sh,.private} 

I have not tested that this will explicitly deny uploading of .exe files; however, the assumption is that people are uploading them so others can download them. When that ceases to work, perhaps the activity of uploading them will cease as well. As suggested in this comment, you could also write a script to reclaim the space in the upload directory with rm /youruploaddir/*.exe, where /youruploaddir/ is the directory that your users are uploading to, and use cron to schedule it to run at a specific time or frequency.

Since a file extension in no way guarantees content, as mentioned by @CharlesGreen in this comment, you might consider a variation on this script which I designed to find virtually all video files on my system. You can easily modify it to include .mxf (Material Exchange Format) containers. Or, as an alternative, simply identify the actual .exe files by utilizing grep to match "executable" in the output from file.

Executable file determination Example:

file *.* | grep "executable" | cut -d':' -f1

This will print the filenames of the files in the current directory that are actually executable (such as Windows .exe files).

Note: Files are only executable on your system if you have the permissions set to allow that. See this for further detail.

Elder Geek
  • I will look into this conf file and will try to manage it and as well as look into the script option. Thanks – kunal Jul 07 '17 at 07:37
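The answer above combines three ideas: a deny_file pattern in vsftpd.conf, a cron job that removes stray executables, and using file-type detection rather than trusting the extension. The following script is an added example that is not part of the question or the answer; it sweeps an upload directory, keeps only files whose extension is on an allow-list and whose leading bytes are not a Windows PE ("MZ") or ELF header, and moves everything else to a quarantine directory instead of deleting it so an admin can review it and notify the uploader. The directory paths, the allow-list and the `upload-sweep` log tag are assumptions, and the magic-byte check is a hand-rolled subset of what the file utility does, used here so the example runs without relying on its output format.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Quarantine uploads that are not media files or that carry an executable
# header regardless of their name. Intended to be run from cron, e.g.:
#   */5 * * * * /usr/local/bin/upload-sweep.sh /srv/ftp/uploads /srv/ftp/quarantine
# (both paths above are placeholders, adjust to your layout)

ALLOWED_EXT="mxf mp4 mov"   # assumed allow-list, compared in lower case

# has_allowed_ext FILE -> returns 0 when the extension is on the allow-list
has_allowed_ext() {
    name=${1##*/}
    case "$name" in
        *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 1 ;;            # no extension at all: not allowed
    esac
    for a in $ALLOWED_EXT; do
        [ "$ext" = "$a" ] && return 0
    done
    return 1
}

# magic_is_executable FILE -> returns 0 when the first bytes identify a
# DOS/Windows PE ("MZ") or an ELF binary, whatever the file is called
magic_is_executable() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4d5a*)    return 0 ;;       # "MZ" stub: .exe/.dll renamed as .mov etc.
        7f454c46) return 0 ;;       # "\x7fELF": Linux/Unix executable
        *)        return 1 ;;
    esac
}

# classify FILE -> prints "allow" or "quarantine"
# The magic check runs first so a renamed executable never passes on extension.
classify() {
    if magic_is_executable "$1"; then
        echo quarantine
    elif has_allowed_ext "$1"; then
        echo allow
    else
        echo quarantine
    fi
}

# sweep UPLOAD_DIR QUARANTINE_DIR -> moves rejected files, prints how many
sweep() {
    upload=$1; quarantine=$2; moved=0
    mkdir -p "$quarantine"
    for f in "$upload"/*; do
        [ -f "$f" ] || continue     # skip subdirectories (and the quarantine dir)
        if [ "$(classify "$f")" = quarantine ]; then
            mv -- "$f" "$quarantine"/
            # leave an audit trail in syslog if logger is available
            logger -t upload-sweep "quarantined $f" 2>/dev/null || true
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Run the sweep only when both directories are given on the command line,
# so the functions can also be sourced and tested on their own.
if [ $# -eq 2 ]; then
    sweep "$1" "$2"
fi
```

Pair this with the deny_file example from the answer so that anything already uploaded under a blocked name cannot be downloaded in the meantime, and keep the quarantine directory outside the users' FTP root so quarantined files are not served back to them.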