The first is SERV-U's SITE CHMOD vulnerability and the Serv-U MDTM vulnerability, which mean that you can easily obtain SYSTEM permissions by using an account. The second is the local overflow vulnerability of Serv-U: Serv-U has a default administrative user (username: localadministrator, password: #|@$ak#.|k;0@p), and anyone who can connect to local port 43958 can use this account to add or delete accounts at will and execute any internal or external command.
At this time, people began to pay attention to the security of SERV-U and took some relevant measures, such as modifying the management port, account name and password of SERV-U. However, the modified values are still stored in the ServUDaemon.exe file, so after downloading that file, anyone can easily recover the modified port, account and password with a hexadecimal editor such as UltraEdit.
Starting from SERV-U 6.0.0.2, the software has a login password function. If a management password is added and the settings are configured properly, SERV-U will be much safer than before. Now we begin the SERV-U setup journey, using version SERV-U 6.0.0.2.
As the old saying goes, a tower of a thousand feet begins with the foundation, and the safety of SERV-U begins with installation. This article is mainly about the security settings of SERV-U, so it does not spend much time on the installation and covers only the key points.
SERV-U is installed in the C:\Program Files\Serv-U directory by default. It is better to change this. For example, if you install it on a drive that WEB users cannot browse, it will be difficult for them to guess the installation path. After installation, shortcuts are generated on the desktop and in the start menu. It is recommended to delete them because they are generally not used. You may ask: how do you then enter the setting interface of SERV-U? It is actually very simple. Double-click the small Tray Monitor icon at the right end of the taskbar to start the SERV-U management interface.
Figure 1: Modify the installation directory
When installing, just select the first two items. The next two are instructions and online help files. (See Figure 2)
Figure 2: Only the first two items need to be selected during installation
The next screen sets the name of the folder generated in the start menu group. It is recommended to change it to a name that is less like SERV-U, or to delete the folder. (See Figure 3)
Figure 3: Change the name of the folder in the start menu group generated after installation
After the installation is complete, a wizard will appear allowing you to create a domain and account. Click Cancel here to cancel the wizard. The account generated by the wizard will cause some problems, so the domain and account are created manually below. (See Figure 4)
Figure 4: Click Cancel to cancel the wizard
Then click the option in front of Start automatically (system service), and then click the Start Server button below to add SERV-U to the system service, so that it can be started with the system without having to start it manually every time. (See Figure 5)
Figure 5: Add SERV-U to the service
Next, the interface shown in Figure 6 will appear. Set a password by clicking Set/Change Password.
Figure 6: Click Set/Change Password to set the password
Then the interface shown in Figure 7 will appear. Because this is the first use, there is no password yet, which means the original password is empty. There is no need to enter anything in the old password field. Just enter the same password in New password and Repeat new password below and click OK. It is recommended to set a password that is complex enough to prevent others from brute-force cracking it. It doesn't matter if you can't remember it. Just clear the LocalSetupPassword= line in ServUDaemon.ini and save the file, and you will not be prompted to enter a password to log in when you run ServUAdmin.exe again.
Figure 8: Create a WINDOWS account
After creating the account, double-click the created user to edit the user properties and delete the USERS group from "Belongs to".
Figure 9: Delete USERS group from affiliation
Uncheck "Allow logon to Terminal Server (W)" from the "Terminal Services Profile" option and click OK to continue our settings. (See Figure 10)
Figure 10: Cancel "Allow logon to Terminal Server"
We have now created an account, and it is time to assign it to the service. This is where the account we just created is used. Hopefully you have not forgotten its password, because you will need it soon.
Find "Services" in the management tools of the start menu and click to open it. Right-click on "Serv-U FTP Server Service" and select Properties to continue.
Then click "Login" to enter the login account selection interface. Select the system account name you just created, and enter the password for the account twice (the one you were asked to remember just now), then click "Apply" and click OK again to complete the service settings. (See Figure 11)
Figure 11: Change the account and password used to start and log in to SERV-U
Next, you need to use the FTP management tool to create a domain, then create an account, and then choose to save it in the registry. (See Figure 12)
Figure 12: FTP user password is saved in the registry
Open the registry and set the corresponding permissions; otherwise SERV-U will not start. Enter regedt32 in Start->Run and click "OK" to continue.
Find the [HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft] branch. Right-click on it, select Permissions, then click Advanced, clear the option that allows the parent's inheritable permissions to propagate to this object and all child objects (including those explicitly defined here), click "Apply" to continue, and then delete all accounts. Click the "OK" button again to continue. A dialog box will pop up saying "You have denied all users access to Cat Soft. No one can access Cat Soft, and only the owner can change permissions. Do you want to continue?"; click "Yes" to continue. Then click the Add button to add the SSERVU account we created to the permission list of the subkey and give it Full Control permissions. The registry is now set up. But SERV-U cannot be restarted yet, because the permissions on the installation directory have not been set.
Set them now: keep only your administrative account and the SSERVU account on the installation directory, and give all permissions except Full Control. (See Figure 13)
Figure 13: SERV-U installation directory permission settings
Now restart the Serv-U FTP Server service in Services and it will start normally. The setup is not finished yet, however. Your FTP user still cannot log in because the service account has no permissions on the FTP directories, so you still need to set the directory permissions.
Suppose you have a WEB directory whose path is d:\web. In the "Security Settings" of this directory, delete all entries except the administrator and the IIS users, and then add the SSERVU account. Remember to delete the SYSTEM account as well. Why do we need to set it up like this? Because SERV-U is now started with the SSERVU account instead of SYSTEM permissions, the directory is accessed as SSERVU and no longer as SYSTEM. SYSTEM is therefore no longer needed here, so even if an overflow does occur, it cannot obtain SYSTEM permissions. In addition, the root directory of the disk where the WEB directory is located must also grant the SSERVU account browse and read permissions, and in the advanced settings you should confirm that the permission applies to this folder only. (See Figure 14)
Figure 14: Permission settings of the disk where the WEB directory is located
At this point, all settings are completed. The SERV-U settings described here are designed to work together with IIS. Because SERV-U and IIS run under different accounts, WEB users cannot access the SERV-U directory, and because the WEB directory grants no permissions to SYSTEM, the SYSTEM account cannot access the WEB directory. In other words, even if someone uses MSSQL to obtain backup permissions, they cannot back up a SHELL into your WEB directory. You can use SERV-U safely.
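
The following is an added example, not part of the original article: a read-only Windows PowerShell script that checks the end state of the procedure above (service logon account, group membership, registry and directory permissions). The account name SSERVU, d:\web and the Cat Soft key are taken from the article; the installation path and the administrator pattern are placeholders, and locating the service by a display name that begins with "Serv-U" is an assumption.

```powershell
# Added example: read-only audit. SSERVU, d:\web and the "Cat Soft" key come from
# the article; $InstallDir and $AdminPattern are placeholders for your host.
$Account      = 'SSERVU'
$InstallDir   = 'E:\apps\ftpd'            # placeholder: the path you installed to
$WebRoot      = 'd:\web'
$RegKey       = 'HKLM:\SOFTWARE\Cat Soft'
$AdminPattern = '*\Administrator*'        # placeholder: your administrative account
$findings     = @()

# 1. The service must log on as the dedicated account, not LocalSystem.
$services = @(Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'Serv-U%'")
if ($services.Count -eq 0) { $findings += 'No Serv-U service found' }
foreach ($svc in $services) {
    if ($svc.StartName -notlike "*\$Account") {
        $findings += "$($svc.Name) logs on as $($svc.StartName), not $Account"
    }
}

# 2. The account must no longer be a member of the local Users group.
if ((net localgroup Users) -match "^$Account\s*$") { $findings += "$Account is still in Users" }

# 3. Registry key: inheritance disabled, entries for the service account only.
$regAcl = Get-Acl -Path $RegKey
if (-not $regAcl.AreAccessRulesProtected) { $findings += "$RegKey still inherits permissions" }
foreach ($ace in $regAcl.Access) {
    if ($ace.IdentityReference.Value -notlike "*\$Account") {
        $findings += "$RegKey has an entry for $($ace.IdentityReference)"
    }
}

# 4. Install directory: admin and service account only, no Full Control for the latter.
foreach ($ace in (Get-Acl -Path $InstallDir).Access) {
    $id = $ace.IdentityReference.Value
    if ($id -like "*\$Account") {
        if ($ace.FileSystemRights -eq 'FullControl') {
            $findings += "$Account has Full Control on $InstallDir"
        }
    } elseif ($id -notlike $AdminPattern) {
        $findings += "$InstallDir has an entry for $id"
    }
}

# 5. Web root: no entry for SYSTEM (well-known SID S-1-5-18), explicit or inherited.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path $WebRoot).GetAccessRules($true, $true, $sidType)
if ($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' }) {
    $findings += "$WebRoot still has an entry for SYSTEM"
}
if ($findings) { $findings } else { 'All checks passed' }
```

The script targets Windows PowerShell, because Get-WmiObject is not available in PowerShell 7.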