LinuxQuestions.org
Old 01-17-2005, 08:18 PM   #1
baronlynx
Member
 
Registered: Jan 2004
Location: Lille [Fr]
Distribution: SUSE9.3, WinXP on a leech (vmware)
Posts: 62

Rep: Reputation: 15
Question dangers of the ftp service


hi,

i would like to set up a directory in my box and share it with others by ftp service

could someone tell me something about ftp:
1. dangers in using ftp on your own computer with people who log in,
2. can i make use of ssh by allowing only connections by ssh to my ftp (will it be more secure then? - prob for clients but not for me, but i am not sure),
3. can i make restrictions so the users who log in would never see the other data that i don't want them to see?
4. how to set it up, what software to use etc ...
5. does providing access by ftp (not anonymous) imply changing and adding users in the system ? or only in the ftp service software provider?
6. if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)

it's gonna be a story of compromises i guess ...

thanx in advance for all help

baronlynx
 
Old 01-17-2005, 09:09 PM   #2
GUIPenguin
Member
 
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239

Rep: Reputation: 30
man vsftpd

Last edited by GUIPenguin; 01-17-2005 at 09:12 PM.
 
Old 01-17-2005, 09:12 PM   #3
hw-tph
Senior Member
 
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032

Rep: Reputation: 58
1. Generally speaking, running any type of daemon is a security hazard. Any type of software is subject to having bugs, and with this type of software they can be fairly critical. Anonymous, read-only FTP with a daemon that doesn't respond to SITE commands is usually the safest way. Anonymous write capability means you will be hosting illegal software within a week (people use scanners to scan entire subnets for anonymous non-readonly FTP servers to provide themselves and each other with storage space for the Windows software they're too cheap to buy).

2. Not really. If the users have *real* accounts - meaning they can log in and use your system - you can let them use scp. This is a secure FTP-like means of transferring files over SSH. You can also use encrypted FTP - highly recommended for security reasons but it does put a much bigger load on your server. Encrypted FTP, using SSL/TLS, is available in most modern FTP servers by now. Users will no doubt find it a bit annoying to deal with though, at least to start with.

3. Yes. You can have them "jailed" to their home directory, meaning they cannot view anything outside that directory. Their home directory will appear as the root of the server when they log in.

4. Setting it all up depends on what software you use of course. Stay away from wuftpd (hardly anyone uses it by now anyway) since it has traditionally been riddled with exploits. vsftpd seems to be a good choice nowadays - I use it on my server now, but previously I used ProFTPd which also worked well.

5. With some FTP servers you will need "real" system users. With vsftpd and other modern FTP daemons you can set up virtual users only for the FTP service. This I highly recommend.

6. As I mentioned, if the users are supposed to have full system access anyway, then having them use scp instead of ftp would be a good choice. However, if you don't want them to have real access to the system, an ftp server setup with virtual users is probably the best idea.


Håkan
 
Old 01-17-2005, 09:15 PM   #4
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370
1. dangers in using ftp on your own computer with people who log in
You have the same danger running ftp as you would allowing any other service on your computer. The problem is not known security problems, it's the unknown ones. From a general use perspective, there's the possibility someone could delete files they're not supposed to (probably a fault in the configuration). From an attacker perspective, there may be a way for the user to gain root privileges, allowing them to upload/delete/move whatever file(s) they want. It's a leap-frog game, and always will be. I know that's not the answer you wanted to hear, but it's just how things work. If you keep your software up-to-date and subscribe to the software's mailing list, then you should be reasonably safe in running the software. At the very least, you'll know what your system is vulnerable to, and what steps you can take (if any) to minimize the risk.

2. can i make use of ssh by allowing only connections by ssh to my ftp (will it be more secure then? - prob for clients but not for me, but i am not sure)
Having the users tunnel through ssh will protect the data they transfer. This includes user and password authentication. While it does not directly offer any server security, it does indirectly improve it, by making it harder for someone trying to sniff a user-password combination.

3. can i make restrictions so the users who log in would never see the other data that i don't want them to see?
Some ftp server software allows you to "jail" your users. What that means is, when the user logs in, that user cannot leave a specific directory tree. Say for instance, you jail the user into /usr/local/share/ftp_files. Typically, that means the ftp user can go into any subdirectory of /usr/local/share/ftp_files, but the user cannot go any higher. /usr/local/share is off-limits (and any other, "higher" directories).

4. how to set it up, what software to use etc ...
You'll need to research the software that's available and choose for yourself. There are lots of different kinds: vsftp (very secure ftp), wuftpd, and others. How to set it up will be detailed in the software's documentation. You'll have to read over it. FTP is common enough that configuration files are well commented (usually).

5. does providing access by ftp (not anonymous) imply changing and adding users in the system ? or only in the ftp service software provider?
This will depend on the software you choose. Typically, ftp users will match existing users on the system. Some FTP software will allow you to create ftp-specific users to avoid making an account on your normal system. An example would be anonymous access. Typically, that gets mapped to the "nobody" user on a system when determining what filesystem permissions are given to the user.

6. if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
You could accomplish similar tasks by running a web server, but that's a whole other can of worms.

EDIT:
Ugh... beaten to the punch... again...

Last edited by Dark_Helmet; 01-17-2005 at 09:17 PM.
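
The two replies above come down to a handful of vsftpd settings: anonymous write access, the chroot jail, virtual (guest) users and SSL/TLS for logins. The checker below is an added example, not part of any post in this thread; it flags those conditions in the text of a vsftpd.conf. Both sample configs are constructed, and `ftpvirtual` is a placeholder account name.

```python
# Added example. DEFAULTS are the values vsftpd assumes for absent options.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "guest_enable": "NO", "ssl_enable": "NO", "force_local_logins_ssl": "YES",
}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")
# Constructed sample configs; the guest account name is a placeholder.
WEAK_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
local_enable=YES
"""
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=ftpvirtual
ssl_enable=YES
"""

def parse_conf(text):  # option=value per line, '#' starts a comment line
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return the ids of risky conditions found in the config text."""
    conf = parse_conf(text)
    on = lambda k: conf.get(k, "NO").upper() in ("YES", "TRUE", "1")
    local = on("local_enable")
    tls = on("ssl_enable") and on("force_local_logins_ssl")
    checks = [
        ("anon-write", on("anonymous_enable") and on("write_enable")
                       and any(on(k) for k in ANON_WRITE)),
        ("no-chroot", local and not on("chroot_local_user")),
        ("system-accounts", local and not on("guest_enable")),
        ("cleartext-login", local and not tls),
    ]
    return [name for name, hit in checks if hit]
```

An empty config yields no findings because vsftpd's defaults amount to anonymous, read-only access with local logins disabled.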
 
Old 01-17-2005, 09:21 PM   #5
GUIPenguin
Member
 
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239

Rep: Reputation: 30
Quote:
if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
you could always look at setting up a samba file server too.
http://www.samba.netfirms.com/index.htm
 
Old 01-18-2005, 04:48 AM   #6
baronlynx
Member
 
Registered: Jan 2004
Location: Lille [Fr]
Distribution: SUSE9.3, WinXP on a leech (vmware)
Posts: 62

Original Poster
Rep: Reputation: 15
Question

thank you hw-tph & Dark_Helmet & GUIPenguin for your fast replies ...


clarification: i don't want any other user but me to have access to my sys (other than the ftp jailed dir) from the outside world



my question to you continues ...

are there windoze clients for
Quote:
Encrypted FTP, using SSL/TLS

or does the built in explorer client (in win xp) support it ?




is this a solution for internet access too or only for intranet ?
Quote:
you could always look at setting up a samba file server too.
http://www.samba.netfirms.com/index.htm


cheers,
baron //reading man vsftpd//

Last edited by baronlynx; 01-18-2005 at 04:50 AM.
 
Old 01-18-2005, 07:43 AM   #7
hw-tph
Senior Member
 
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032

Rep: Reputation: 58
Yes, there are Windows FTP clients with SSL/TLS support. I prefer FlashFXP which although not free is a) hands down the best FTP GUI client out there, and b) quite affordable.


Håkan
 
  


All times are GMT -5. The time now is 02:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration