
Anonymous FTP is Default?


JGrana

Very Senior Member
A little while ago, I had enabled FTP on my RT-AC66U running 374.33.

At work, I had one of our IT guys run a port scan on the router and it showed ftp as open.

So, he connected to the router and was able to do a passwordless anonymous ftp into the box.

In looking at vsftpd.conf, I see that anonymous_enable and a number of other "anon_" are set to YES.

Did I do something here or misunderstand that by enabling ftp I was opening the router up to the world?

(I have since disabled ftp!!!!).

In any case, should not the default be a lot of "NO"?
 
I understand FTP is very insecure even when using a password. If you are security conscious I would leave FTP disabled.
 

Thanks, I don't disagree and should have been more careful.

With that said, I am more curious about the defaults in vsftpd.conf.
I am not sure if it is something I did when installing some things using Entware or is the default anonymous=YES really the case.... seems pretty dangerous to even think about enabling FTP.
 
Before enabling ftp, I'd suggest creating a /jffs/configs/vsftpd.conf file and using it to disable anonymous logins.

anonymous_enable=NO

If your ftp server is only used to serve files to remote clients and won't ever receive files from clients, you can use:

write_enable=NO

You'll need to create a non root user in rt-n66u gui page and set a strong password as well. You can set read/write access for the user in the same menu. Set the permissions to read only for that user.

Hope this is of some help.
 
Simply enable "Share with account" on the FTP setting page at:

Code:
http://192.168.1.1/Advanced_AiDisk_ftp.asp

This will disable Anonymous mode.
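
Added example, not part of any post in this thread: a small shell check that reads a vsftpd.conf and reports whether anonymous logins (and anonymous writes) are effectively enabled, which is a way to confirm that either fix suggested above took effect. The function names and the sample file are constructed for illustration; the path of the config file to audit is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit vsftpd.conf anonymous-access settings.

# Effective value of a boolean option: last uncommented "name=value" line
# (assumption: a later line overrides an earlier one), else the given default.
vsftpd_get() {
    val=$(sed -n "s/^$2=\([A-Za-z0-9]*\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    case $(printf '%s' "${val:-$3}" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        *) echo NO ;;
    esac
}

# Prints one line per finding; exit status 0 = clean, 1 = findings, 2 = unreadable.
audit_vsftpd_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # vsftpd's built-in default for anonymous_enable is YES, so a file that
    # never mentions the option still allows passwordless logins.
    if [ "$(vsftpd_get "$conf" anonymous_enable YES)" = YES ]; then
        echo "RISK anonymous_enable=YES"
        findings=$((findings + 1))
        # Anonymous write options only take effect when write_enable=YES.
        if [ "$(vsftpd_get "$conf" write_enable NO)" = YES ]; then
            for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
                if [ "$(vsftpd_get "$conf" "$opt" NO)" = YES ]; then
                    echo "RISK $opt=YES with write_enable=YES"
                    findings=$((findings + 1))
                fi
            done
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample resembling the configuration described in the first post.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' 'anon_upload_enable=YES' 'write_enable=YES' > "$sample"
audit_vsftpd_conf "$sample" || echo "findings in $sample"
rm -f "$sample"
```

A file that omits anonymous_enable entirely is still reported, because the option defaults to YES in vsftpd; only an explicit anonymous_enable=NO clears the finding.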
 
