Feature request: set 220 ready message

Posted: 2022-04-14 17:38
by kimboslice
Would be nice to be able to set the 220 message to something else, rather than disclosing what the server is along with the version

Xlight, wingftp, CoreFTP, IIS, etc allow this to be done... seems to be standard amongst ftp servers, FZ is the only one with no option to do so

Edit; I have figured out a way to do this manually, but it'd be nice to have a legitimate option to do so

Re: Feature request: set 220 ready message

Posted: 2022-04-15 11:37
by botg
There are tons of ways to identify a remote server even without a welcome message.

Re: Feature request: set 220 ready message

Posted: 2022-04-15 12:56
by oibaf
Don't know if you noticed, but you can add a custom message below the standard one. We decided not to let the user remove the standard one, though.

Re: Feature request: set 220 ready message

Posted: 2022-04-18 19:16
by kimboslice
I'm aware there's other ways to identify a server (fingerprinting), but that doesn't mean one shouldn't try to make it as difficult as possible

However, curious where and how to set a custom message below the standard one?

Re: Feature request: set 220 ready message

Posted: 2022-04-18 19:26
by boco
[Attachment: fzserverwelcome.jpg (screenshot of the server welcome message setting)]

Re: Feature request: set 220 ready message

Posted: 2022-04-18 19:47
by kimboslice
Is this in beta or something? No such option is available in 1.3.0

Edit; ah ya I can see this option in the nightly build

Re: Feature request: set 220 ready message

Posted: 2022-04-18 23:09
by kimboslice
botg wrote (2022-04-15 11:37):
    There are tons of ways to identify a remote server even without a welcome message.

oibaf wrote (2022-04-15 12:56):
    We decided not to let the user remove the standard one, though.

This is the equivalent of the Apache or Nginx devs saying 'We decided not to let the user remove the Server header because it's still possible to identify the host'

As far as I'm aware, Apache (the host of this forum) discloses host+version, and you have removed the version from the response, so why not allow the same to be done with your own product?

There was a path traversal vulnerability found for versions prior to 1.1.0, no? Pretty huge security risk... should an equally significant security risk be found, it would be quite silly to disclose the version in the ready message

Edit; oh and, RFC 2068 states

    Revealing the specific software version of the server may allow the
    server machine to become more vulnerable to attacks against software
    that is known to contain security holes. Implementers SHOULD make the
    Server header field a configurable option.

Now, I know this pertains to webservers, but nonetheless, the general consensus is to obscure as much as possible, and you're using the ready message much like a Server header
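The thread above treats the FTP 220 greeting like an HTTP Server header: a line that may or may not name the product and its version. The following is an added example, not FileZilla Server code, for auditing your own server's greeting from the defender's side. It parses the RFC 959 reply format (single-line "220 ..." and multi-line "220-..." replies), reports whether a product name and version string appear, and shows why appending a custom line below the standard one (as oibaf describes) does not remove the disclosure. All sample greetings are constructed for the demo; the product/version regex is a heuristic, and the assumption that the custom message is appended as a second reply line comes from the reply above, not from FileZilla's documentation.

```python
"""Audit an FTP 220 greeting for product/version disclosure (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic: "<Product words> [v]<major.minor[.patch...]>".
VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][\w-]*(?:\s+[A-Za-z][\w-]*)*)\s+v?(?P<version>\d+\.\d+(?:\.\d+)*)"
)

# Constructed sample greetings (not captured from any real host).
SAMPLE_BANNERS = {
    # Standard greeting naming product and version (1.3.0 is the version named in the thread).
    "default": "220 FileZilla Server 1.3.0\r\n",
    # Assumed shape when a custom message is added below the standard line:
    # the standard line stays, so the version is still disclosed.
    "custom_appended": "220-FileZilla Server 1.3.0\r\n220 Authorized use only.\r\n",
    # A neutral greeting with nothing to fingerprint from the banner alone.
    "neutral": "220 FTP service ready.\r\n",
    # Hypothetical product name, single-line reply.
    "single_line_versioned": "220 ExampleFTPd 2.4.1 ready\r\n",
}


def parse_220_reply(raw: str) -> List[str]:
    """Split a 220 reply into its text lines, stripping the reply code.

    RFC 959 multi-line replies start with '220-' and end with a line that
    starts with '220 '; intermediate lines may omit the code prefix.
    Raises ValueError if the data is not a 220 greeting at all.
    """
    if not raw.startswith("220"):
        raise ValueError("not a 220 greeting: %r" % raw[:12])
    lines: List[str] = []
    for line in raw.splitlines():
        if line.startswith("220-") or line.startswith("220 "):
            text = line[4:]
        else:
            text = line  # continuation line without a code prefix
        lines.append(text.strip())
        if line.startswith("220 "):
            break  # final line of the reply
    return lines


@dataclass
class BannerReport:
    lines: List[str]
    product: Optional[str] = None
    version: Optional[str] = None

    @property
    def discloses_version(self) -> bool:
        return self.version is not None


def audit_greeting(raw: str) -> BannerReport:
    """Return the first product/version pair found in any line of the greeting."""
    lines = parse_220_reply(raw)
    for text in lines:
        m = VERSION_RE.search(text)
        if m:
            return BannerReport(lines, m.group("product"), m.group("version"))
    return BannerReport(lines)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        r = audit_greeting(banner)
        status = "DISCLOSES %s %s" % (r.product, r.version) if r.discloses_version else "neutral"
        print("%-22s %s" % (name, status))
```

Run it as-is to see the four constructed banners classified; to audit a real host, feed `audit_greeting` the bytes you read from the control connection (decoded as ASCII) immediately after connecting. The "custom_appended" case is the one the thread argues about: the extra line changes nothing about what the first line reveals.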

Re: Feature request: set 220 ready message

Posted: 2022-04-19 10:20
by botg
    Revealing the specific software version of the server may allow the
    server machine to become more vulnerable to attacks against software
    that is known to contain security holes. Implementers SHOULD make the
    Server header field a configurable option.
I recommend replacing that entire paragraph with "You MUST NOT run known-vulnerable software versions." Everything else is just smoke and mirrors and ultimately futile. Even if there is zero information available to the attacker, what stops him from simply trying out all possible exploits for all possible software products and versions? It can be fully automated.

Re: Feature request: set 220 ready message

Posted: 2022-04-19 19:43
by kimboslice
botg wrote (2022-04-19 10:20):
    I recommend replacing that entire paragraph with "You MUST NOT run known-vulnerable software versions." Everything else is just smoke and mirrors and ultimately futile.

Well, I'm not the IETF

botg wrote (2022-04-19 10:20):
    Even if there is zero information available to the attacker, what stops him from simply trying out all possible exploits for all possible software products and versions? It can be fully automated.

Telling an attacker exactly what host+version it is narrows it down significantly and makes it quite a bit easier

If everything else is just smoke and mirrors, why have you disabled version info from the server header of this forum?