Feature request: set 220 ready message

Moderator: Project members

kimboslice
504 Command not implemented
Posts: 7
Joined: 2022-04-14 16:23
First name: kimbo
Last name: slice

Feature request: set 220 ready message

#1 Post by kimboslice » 2022-04-14 17:38

It would be nice to be able to set the 220 message to something else, rather than disclosing what the server is along with the version.

Xlight, wingftp, CoreFTP, IIS, etc. allow this to be done... it seems to be standard amongst FTP servers; FZ is the only one with no option to do so.

Edit: I have figured out a way to do this manually, but it'd be nice to have a legitimate option to do so.

botg
Site Admin
Posts: 35562
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Feature request: set 220 ready message

#2 Post by botg » 2022-04-15 11:37

There are tons of ways to identify a remote server even without a welcome message.

oibaf
Contributor
Posts: 402
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Feature request: set 220 ready message

#3 Post by oibaf » 2022-04-15 12:56

Don't know if you noticed, but you can add a custom message below the standard one. We decided not to let the user remove the standard one, though.


Re: Feature request: set 220 ready message

#4 Post by kimboslice » 2022-04-18 19:16

I'm aware there are other ways to identify a server (fingerprinting), but that doesn't mean one shouldn't try to make it as difficult as possible.

However, I'm curious where and how to set a custom message below the standard one?

boco
Contributor
Posts: 26935
Joined: 2006-05-01 03:28
Location: Germany

Re: Feature request: set 220 ready message

#5 Post by boco » 2022-04-18 19:26

[Attachment: fzserverwelcome.jpg (30.6 KiB), screenshot]


Re: Feature request: set 220 ready message

#6 Post by kimboslice » 2022-04-18 19:47

Is this in beta or something? No such option is available in 1.3.0.

Edit: ah, yeah, I can see this option in the nightly build.
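As an added illustration of what a connecting client actually receives (example code written for this page, not code from the thread or from the FileZilla project): a small Python banner grabber that reads a 220 greeting according to RFC 959 section 4.2, including the multi-line form a server produces when an operator's text is appended below a fixed first line, and pulls a product/version hint out of that first line. The greeting text, the product name and the throwaway local listener are all constructed for the example so it runs offline; nothing here is a real server's banner.

```python
import re
import socket
import threading

# Constructed sample greeting (hypothetical text, not any real product's
# banner): a fixed product/version line followed by an operator-added line,
# sent as one multi-line 220 reply.
SAMPLE_GREETING = (
    b"220-Example FTP Server 1.2.3\r\n"
    b"220 Authorized users only.\r\n"
)

REPLY_START = re.compile(r"^(\d{3})([ -])(.*)$")
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_reply(lines):
    """Parse one FTP reply (RFC 959, 4.2) from already-decoded lines.

    Returns (code, text_lines). A multi-line reply opens with 'xyz-' and
    ends with a line beginning 'xyz '; lines in between may or may not
    carry the 'xyz-' prefix.
    """
    m = REPLY_START.match(lines[0])
    if not m:
        raise ValueError("malformed reply line: %r" % lines[0])
    code, sep, text = m.groups()
    out = [text]
    if sep == " ":
        return code, out
    for line in lines[1:]:
        if line.startswith(code + " "):
            out.append(line[4:])
            return code, out
        out.append(line[4:] if line.startswith(code + "-") else line)
    raise ValueError("unterminated multi-line reply")


def read_reply(sock):
    """Read exactly one complete reply from a connected control socket."""
    f = sock.makefile("rb")

    def next_line():
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        return raw.decode("latin-1").rstrip("\r\n")

    lines = [next_line()]
    m = REPLY_START.match(lines[0])
    if not m:
        raise ValueError("malformed reply line: %r" % lines[0])
    code, sep = m.group(1), m.group(2)
    # Multi-line reply: keep reading until the terminating 'xyz ' line.
    while sep == "-" and not lines[-1].startswith(code + " "):
        lines.append(next_line())
    return parse_reply(lines)


def fingerprint(text_lines):
    """Return (product_hint, version) taken from the first greeting line.

    Only the first line is examined: text an operator appends *below* it
    does not change what this line discloses.
    """
    first = text_lines[0]
    m = VERSION_RE.search(first)
    if not m:
        return None, None
    return first[: m.start()].strip() or None, m.group(1)


def serve_once(greeting):
    """Throwaway 127.0.0.1 listener that sends `greeting` once and closes.

    Returns the bound port. Stands in for a real FTP server so the grab
    runs offline; no FTP commands are handled.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, timeout=5.0):
    """Connect, read the greeting, return (code, lines, (product, version))."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, lines = read_reply(s)
    return code, lines, fingerprint(lines)


if __name__ == "__main__":
    port = serve_once(SAMPLE_GREETING)
    code, lines, (product, version) = grab_banner("127.0.0.1", port)
    print(code, lines)
    print("product hint:", product, "version:", version)
```

Run it as a script and the parsed greeting comes back as two text lines; the product/version hint is recovered from the first one regardless of what follows it, which is the behaviour the thread is debating. Against a real host, `grab_banner("ftp.example.org", 21)` performs the same read on the live control connection.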


Re: Feature request: set 220 ready message

#7 Post by kimboslice » 2022-04-18 23:09

botg wrote:
2022-04-15 11:37
There are tons of ways to identify a remote server even without a welcome message.
oibaf wrote:
2022-04-15 12:56
We decided not to let the user remove the standard one, though.
This is the equivalent of the Apache or Nginx devs saying 'We decided not to let the user remove the Server header because it's still possible to identify the host'.

As far as I'm aware, Apache (the host of this forum) discloses host+version, and you have removed the version from the response, so why not allow the same to be done with your own product?

There was a path traversal vulnerability found for versions prior to 1.1.0, no? Pretty huge security risk... should an equally significant security risk be found, it would be quite silly to disclose the version in the ready message.

Edit: oh, and RFC 2068 states:

    Revealing the specific software version of the server may allow the
    server machine to become more vulnerable to attacks against software
    that is known to contain security holes. Implementers SHOULD make the
    Server header field a configurable option.

Now, I know this pertains to webservers, but nonetheless, the general consensus is to obscure as much as possible, and you're using the ready message much like a Server header.


Re: Feature request: set 220 ready message

#8 Post by botg » 2022-04-19 10:20

Revealing the specific software version of the server may allow the
server machine to become more vulnerable to attacks against software
that is known to contain security holes. Implementers SHOULD make the
Server header field a configurable option.
I recommend replacing that entire paragraph with "You MUST NOT run known-vulnerable software versions." Everything else is just smoke and mirrors and ultimately futile. Even if there is zero information available to the attacker, what stops him from simply trying out all possible exploits for all possible software products and versions? It can be fully automated.


Re: Feature request: set 220 ready message

#9 Post by kimboslice » 2022-04-19 19:43

botg wrote:
2022-04-19 10:20
I recommend replacing that entire paragraph with "You MUST NOT run known-vulnerable software versions." Everything else is just smoke and mirrors and ultimately futile.
Well, I'm not the IETF.
botg wrote:
2022-04-19 10:20
Even if there is zero information available to the attacker, what stops him from simply trying out all possible exploits for all possible software products and versions? It can be fully automated.
Telling an attacker exactly what host+version it is narrows it down significantly and makes it quite a bit easier.

If everything else is just smoke and mirrors, why have you disabled version info from the server header of this forum?
