LinuxQuestions.org

mikenash 05-07-2015 03:11 PM

I want to disable ftp and use sftp.
 
I am using Suse 12 Enterprise.
I would like to use sftp and disable ftp.
Presently I am able to do both.
I stopped vsftpd.service.
Tried commenting out ports 20 & 21 in /etc/services.
Stop FTP server using YAST.
Stopped xinetd tftp service using YAST.
Is it wise to turn this service off?
How do I display the status for sftp and ftp?
I am still able to ftp.
Where is the kill switch?

smallpond 05-07-2015 03:25 PM

Check /etc/xinetd.d/ for a vsftpd file. If there is one, edit to "disable = yes"

mikenash 05-08-2015 10:14 AM

FTP still works
 
I can still ftp! I think this is only local now. From a DOS prompt on a laptop I can not ftp in. From the server with the changes I am able to ftp to another server on the network. From the other network I can not ftp in. So it seems that outgoing ftp is not disabled. Strange but why and how can I disable ftp completely?
Disable = yes in /etc/xinet.d/vsftpd
In Yast I set FTP server to manual and stop the service.
In xinetd I see that ftp and tftp are off.
In Yast I disable tftp server.
Testing:
ftp 9.42.101.38
Wrapper for lftp to simulate compatibility with lukemftp
Name (root): root
Password:
lftp root@9.42.101.38:~> ls
---- Connecting to 9.42.101.38 (9.42.101.38) port 21
<--- 220 Welcome message
<--- 230 Login successful.
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Desktop
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Documents
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Downloads
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Music
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Pictures
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Public
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Templates
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Videos
-rw-r--r-- 1 0 0 28074 Feb 20 21:20 autoinst.xml
drwxr-xr-x 2 0 0 4096 Sep 21 2014 bin
drwxr-xr-x 6 0 0 4096 Feb 20 21:08 inst-sys
lftp root@9.42.101.38:~> quit
linux140:/ # systemctl status vsftpd
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: inactive (dead)

May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client "9.42.101.38", "227 Entering Passive Mode (9,42,101,40,117,123)."
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP command: Client "9.42.101.38", "LIST"
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client "9.42.101.38", "150 Here comes the directory listing."
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client "9.42.101.38", "226 Directory send OK."
May 08 10:43:34 linux140 systemd[1]: Stopping Vsftpd ftp daemon...
May 08 10:43:34 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
May 08 10:43:48 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
May 08 10:43:48 linux140 systemd[1]: Starting Vsftpd ftp daemon...
May 08 10:43:48 linux140 systemd[1]: Started Vsftpd ftp daemon.
May 08 10:43:57 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
Hint: Some lines were ellipsized, use -l to show in full.
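
The status question from the first post ("How do I display the status for sftp and ftp?") and smallpond's xinetd check can be folded into one audit script. The script below is an added example, not code from the thread or from SUSE; it assumes a SUSE 12 style host with systemd, xinetd, iproute2 (`ss`) and OpenSSH, uses the thread's path /etc/xinetd.d/vsftpd, and assumes the standard /etc/ssh/sshd_config location. The parsing functions read stdin so they can be tried on the constructed samples embedded below; `audit_live` runs the same checks against the real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the FTP *server* side
# is really off, and whether the SSH side can serve sftp. Hostnames and
# paths are assumptions; the SAMPLE_* inputs are constructed, not captured.

# Return 0 if an xinetd service file (stdin) contains an uncommented
# "disable = yes", the setting suggested earlier in the thread.
xinetd_disabled() {
    grep -v '^[[:space:]]*#' |
        grep -iqE '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Return 0 if `ss -ltn` output (stdin) shows a listener on TCP port $1.
# Local address is field 4; the port is the text after the last colon,
# which also handles "*:21" and "[::]:21" forms.
listening_on_port() {
    awk -v p="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Return 0 if sshd_config (stdin) has an uncommented sftp Subsystem line,
# i.e. sshd will accept sessions from clients such as `sftp user@host`.
sftp_subsystem_enabled() {
    grep -v '^[[:space:]]*#' |
        grep -iqE '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+'
}

# Live audit of this host (needs systemctl, ss and /etc/ssh/sshd_config).
audit_live() {
    echo "vsftpd unit enabled : $(systemctl is-enabled vsftpd 2>/dev/null || echo unknown)"
    echo "vsftpd unit active  : $(systemctl is-active vsftpd 2>/dev/null || echo unknown)"
    if [ -f /etc/xinetd.d/vsftpd ]; then
        if xinetd_disabled < /etc/xinetd.d/vsftpd; then
            echo "xinetd vsftpd       : disabled"
        else
            echo "xinetd vsftpd       : ENABLED (set 'disable = yes')"
        fi
    else
        echo "xinetd vsftpd       : no /etc/xinetd.d/vsftpd"
    fi
    if ss -ltn | listening_on_port 21; then
        echo "tcp/21 listener     : PRESENT (an ftp server is still up)"
    else
        echo "tcp/21 listener     : none"
    fi
    if sftp_subsystem_enabled < /etc/ssh/sshd_config; then
        echo "sshd sftp subsystem : enabled"
    else
        echo "sshd sftp subsystem : missing"
    fi
}

# Constructed sample inputs for an offline dry run.
SAMPLE_XINETD='service ftp
{
        socket_type = stream
        disable = yes
}'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     *:21               *:*
LISTEN 0      128    [::]:22            [::]:*'
SAMPLE_SSHD='#Subsystem sftp /usr/lib/ssh/sftp-server
Subsystem sftp internal-sftp'

# Dry run over the samples: expect "xinetd: disabled", "port 21: listening",
# "sftp: enabled".
demo() {
    printf '%s\n' "$SAMPLE_XINETD" | xinetd_disabled && echo "xinetd: disabled"
    printf '%s\n' "$SAMPLE_SS" | listening_on_port 21 && echo "port 21: listening"
    printf '%s\n' "$SAMPLE_SSHD" | sftp_subsystem_enabled && echo "sftp: enabled"
    return 0
}

# Usage: sh ftp_audit.sh        (dry run on the samples)
#        sh ftp_audit.sh audit  (check this host)
if [ "${1:-}" = audit ]; then
    audit_live
else
    demo
fi
```

The point of the tcp/21 listener check is that it is independent of which mechanism started the daemon: vsftpd can be launched by its systemd unit, by xinetd, or by hand, and only an absent listener proves the server side is off. Outgoing `ftp` from the same box, as the thread goes on to explain, is a client action and is not affected by any of these settings.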

suicidaleggroll 05-08-2015 10:32 AM

Of course outgoing ftp is not disabled, why would you want/need to disable that?

mikenash 05-08-2015 11:03 AM

I want to disable ftp and use sftp
 
I want to use sftp. I have read that this was more secure and that you should disable ftp.
I am learning and this seems like a good way to learn how to do something. So I would like to disable ftp completely.

suicidaleggroll 05-08-2015 12:22 PM

You already have. EVERYTHING you read online about ftp being insecure and disabling it is talking about incoming connections to an ftp server. Trying to disable outgoing ftp connections is futile and it's going to keep you from being able to access a HUGE part of the web. Your system updates would likely stop working, dynamic DNS updates could stop working, etc.

ftp and sftp, despite having similar names, are completely different protocols. You cannot force other servers to use sftp instead of ftp, you have to use what they provide. The only thing you can control is what services you provide on your machine. If you don't want to run an ftp server, then don't run an ftp server. You've already shut yours off, so you're done.

mikenash 05-10-2015 06:41 PM

I want to disable ftp and use sftp
 
I am here to learn. When reading the Red Hat 7 Administrator guide I came across this information.

9.2.3. Requiring SSH for Remote Connections
For SSH to be truly effective, using insecure connection protocols should be prohibited.
Otherwise, a user's password may be protected using SSH for one session, only to be captured later
while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd.

9.3.3. Using the sftp Utility
The sftp utility can be used to open a secure, interactive FTP session. In its design, it is similar
to ftp except that it uses a secure, encrypted connection.

Disabling ftp and using sftp seemed like a good exercise to learn. What I found was that I have not been
able to completely disable ftp. So, what could be wrong? Is there another action that I need to do?
Is ftp designed to work this way? Is it a defect? Another point that was raised is that using sftp would
be restrictive. Red Hat 7 states that a good substitute for ftp is sftp but no mention of any restrictions.
I need to hear and learn from the more experienced community.

btmiller 05-10-2015 08:03 PM

If you're going to use sftp as a client, then the server you're connecting to has to be able to use it as well. Usually for anonymous connections (e.g. to download publicly available and non-sensitive files), people still use regular FTP or HTTP without encryption.

suicidaleggroll 05-10-2015 10:50 PM

Quote:

Originally Posted by mikenash (Post 5360566)
Disabling ftp and using sftp seemed like a good exercise to learn. What I found was that I have not been
able to completely disable ftp. So, what could be wrong? Is there another action that I need to do?
Is ftp designed to work this way? Is it a defect? Another point that was raised is that using sftp would
be restrictive. Red Hat 7 states that a good substitute for ftp is sftp but no mention of any restrictions.
I need to hear and learn from the more experienced community.

You still seem to be very confused about the server and client sides of a connection.

For any service, be it http, ftp, sftp, telnet, ssh, etc., there are two sides to the connection. You have the server who is providing access, and the client who is requesting access. In every case, it is the server that is vulnerable to attack. If the connection protocol used between the client and the server is not secure, an anonymous 3rd party may be able to fraudulently acquire the client's credentials and use them to connect to the server. This would expose the server to access by a fraudulent 3rd party, who may be able to cause all kinds of damage. Note though, that the client is never at risk. It's the client/server exchange over an unprotected protocol that may leave the server vulnerable, not the client.

As it is with your case. You're trying to protect your server, and that's good, but you do that by closing off vulnerable services that are accessible to outside parties, such as ftp. Trying to block outgoing ftp connections is completely pointless. By doing that you're not doing anything to protect your server, you're just going to piss off your users by making it impossible to use the web.

Using sftp instead of ftp is a good move, but you can only enforce this for incoming connections to your server. You CANNOT force other ftp servers on the net to use sftp instead. While sftp might be more secure, it's their decision whether or not to use it, not yours.

mikenash 05-11-2015 09:33 AM

Thank you for the explanation. The documentation can be confusing to a newbie. For example, when reading about encrypting vsftpd with TLS, it explicitly states that it has to be installed on both sides. But when stating sftp is a good substitute it did not occur to me that OpenSSH had to be installed on both sides. Installing on the enterprise systems the SSH capability was immediately available. Information was there but I lack experience especially with other platforms.
