LinuxQuestions.org
Old 05-07-2015, 03:11 PM   #1
mikenash
Member
 
Registered: Dec 2014
Posts: 81

Rep: Reputation: Disabled
I want to disable ftp and use sftp.


I am using Suse 12 Enterprise.
I would like to use sftp and disable ftp.
Presently I am able to do both.
I stopped vsftpd.service.
Tried commenting out ports 20 & 21 in /etc/services.
Stop FTP server using YAST.
Stopped xinetd tftp service using YAST.
Is it wise to turn this service off?
How do I display the status for sftp and ftp?
I am still able to ftp.
Where is the kill switch?
 
Old 05-07-2015, 03:25 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 (pre-systemd)
Posts: 2,686

Rep: Reputation: 725
Check /etc/xinetd.d/ for a vsftpd file. If there is one, edit to "disable = yes"
 
Old 05-08-2015, 10:14 AM   #3
mikenash
Member
 
Registered: Dec 2014
Posts: 81

Original Poster
Rep: Reputation: Disabled
FTP still works

I can still ftp! I think this is only local now. From a DOS prompt on a laptop I can not ftp in. From the server with the changes I am able to ftp to another server on the network. From the other network I can not ftp in. So it seems that outgoing ftp is not disabled. Strange but why and how can I disable ftp completely?
Disable = yes in /etc/xinet.d/vsftpd
In Yast I set FTP server to manual and stop the service.
In xinetd I see that ftp and tftp are off.
In Yast I disable tftp server.
Testing:
ftp 9.42.101.38
Wrapper for lftp to simulate compatibility with lukemftp
Name (root): root
Password:
lftp root@9.42.101.38:~> ls
---- Connecting to 9.42.101.38 (9.42.101.38) port 21
<--- 220 Welcome message
<--- 230 Login successful.
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Desktop
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Documents
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Downloads
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Music
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Pictures
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Public
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Templates
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Videos
-rw-r--r-- 1 0 0 28074 Feb 20 21:20 autoinst.xml
drwxr-xr-x 2 0 0 4096 Sep 21 2014 bin
drwxr-xr-x 6 0 0 4096 Feb 20 21:08 inst-sys
lftp root@9.42.101.38:~> quit
linux140:/ # systemctl status vsftpd
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: inactive (dead)

May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client "9.42.101.38", "227 Entering Passive Mode (9,42,101,40,117,123)."
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP command: Client "9.42.101.38", "LIST"
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client "9.42.101.38", "150 Here comes the directory listing."
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client "9.42.101.38", "226 Directory send OK."
May 08 10:43:34 linux140 systemd[1]: Stopping Vsftpd ftp daemon...
May 08 10:43:34 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
May 08 10:43:48 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
May 08 10:43:48 linux140 systemd[1]: Starting Vsftpd ftp daemon...
May 08 10:43:48 linux140 systemd[1]: Started Vsftpd ftp daemon.
May 08 10:43:57 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
Hint: Some lines were ellipsized, use -l to show in full.
 
Old 05-08-2015, 10:32 AM   #4
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2016
Of course outgoing ftp is not disabled, why would you want/need to disable that?
 
Old 05-08-2015, 11:03 AM   #5
mikenash
Member
 
Registered: Dec 2014
Posts: 81

Original Poster
Rep: Reputation: Disabled
I want to disable ftp and use sftp

I want to use sftp. I have read that this was more secure and that you should disable ftp.
I am learning and this seems like a good way to learn how to do something. So I would like to disable ftp completely.
 
Old 05-08-2015, 12:22 PM   #6
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2016
You already have. EVERYTHING you read online about ftp being insecure and disabling it is talking about incoming connections to an ftp server. Trying to disable outgoing ftp connections is futile and it's going to keep you from being able to access a HUGE part of the web. Your system updates would likely stop working, dynamic DNS updates could stop working, etc.

ftp and sftp, despite having similar names, are completely different protocols. You cannot force other servers to use sftp instead of ftp, you have to use what they provide. The only thing you can control is what services you provide on your machine. If you don't want to run an ftp server, then don't run an ftp server. You've already shut yours off, so you're done.

Last edited by suicidaleggroll; 05-08-2015 at 12:24 PM.
 
Old 05-10-2015, 06:41 PM   #7
mikenash
Member
 
Registered: Dec 2014
Posts: 81

Original Poster
Rep: Reputation: Disabled
I want to disable ftp and use sftp

I am here to learn. When reading the Red Hat 7 Administrator guide I came across this information.

9.2.3. Requiring SSH for Remote Connections
For SSH to be truly effective, using insecure connection protocols should be prohibited.
Otherwise, a user's password may be protected using SSH for one session, only to be captured later
while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd.

9.3.3. Using the sftp Utility
The sftp utility can be used to open a secure, interactive FTP session. In its design, it is similar
to ftp except that it uses a secure, encrypted connection.

Disabling ftp and using sftp seemed like a good exercise to learn. What I found was that I have not been
able to completely disable ftp. So, what could be wrong? Is there another action that I need to do?
Is ftp designed to work this way? Is it a defect? Another point that was raised is that using sftp would
be restrictive. Red Hat 7 states that a good substitute for ftp is sftp but no mention of any restrictions.
I need to hear and learn from the more experienced community.
 
Old 05-10-2015, 08:03 PM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371
If you're going to use sftp as a client, then the server you're connecting to has to be able to use it as well. Usually for anonymous connections (e.g. to download publicly available and non-sensitive files), people still use regular FTP or HTTP without encryption.
 
Old 05-10-2015, 10:50 PM   #9
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2016
Quote:
Originally Posted by mikenash
Disabling ftp and using sftp seemed like a good exercise to learn. What I found was that I have not been
able to completely disable ftp. So, what could be wrong? Is there another action that I need to do?
Is ftp designed to work this way? Is it a defect? Another point that was raised is that using sftp would
be restrictive. Red Hat 7 states that a good substitute for ftp is sftp but no mention of any restrictions.
I need to hear and learn from the more experienced community.
You still seem to be very confused about the server and client sides of a connection.

For any service, be it http, ftp, sftp, telnet, ssh, etc., there are two sides to the connection. You have the server who is providing access, and the client who is requesting access. In every case, it is the server that is vulnerable to attack. If the connection protocol used between the client and the server is not secure, an anonymous 3rd party may be able to fraudulently acquire the client's credentials and use them to connect to the server. This would expose the server to access by a fraudulent 3rd party, who may be able to cause all kinds of damage. Note though, that the client is never at risk. It's the client/server exchange over an unprotected protocol that may leave the server vulnerable, not the client.

As it is with your case. You're trying to protect your server, and that's good, but you do that by closing off vulnerable services that are accessible to outside parties, such as ftp. Trying to block outgoing ftp connections is completely pointless. By doing that you're not doing anything to protect your server, you're just going to piss off your users by making it impossible to use the web.

Using sftp instead of ftp is a good move, but you can only enforce this for incoming connections to your server. You CANNOT force other ftp servers on the net to use sftp instead. While sftp might be more secure, it's their decision whether or not to use it, not yours.

Last edited by suicidaleggroll; 05-10-2015 at 10:55 PM.
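
The server-side check the replies above point to, as an added example that is not part of any poster's message: inbound FTP is off when nothing listens on port 21 and the xinetd entry cannot start vsftpd on demand, while sftp is carried by sshd on port 22. The function names and sample data are constructed for illustration; on a live host the inputs would come from `ss -tln` and `/etc/xinetd.d/vsftpd`.

```shell
# Added example: inbound FTP/SFTP exposure check, run here on constructed data.
# listening_on PORT: reads `ss -tln` style output on stdin and succeeds if a
# TCP listener is bound to PORT on any address (IPv4 or IPv6).
listening_on() {
    awk -v port="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# xinetd_disabled: reads an xinetd service file on stdin and succeeds only if
# it contains an uncommented "disable = yes" line.
xinetd_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# report SOCKETS XINETD_FILE: prints one verdict per check.
report() {
    printf '%s\n' "$1" | listening_on 21 && echo "ftp: LISTENING on 21" || echo "ftp: no listener on 21"
    printf '%s\n' "$1" | listening_on 22 && echo "sftp: sshd listening on 22" || echo "sftp: no listener on 22"
    printf '%s\n' "$2" | xinetd_disabled && echo "xinetd: ftp entry disabled" || echo "xinetd: ftp entry enabled"
}

# Constructed samples (not taken from the thread).
SOCKETS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     *:21               *:*
LISTEN 0      128    *:22               *:*'
SOCKETS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      128    :::22              :::*'
XINETD_ON='service ftp
{
    # disable = yes
    disable = no
}'
XINETD_OFF='service ftp
{
    disable = yes
}'

report "$SOCKETS_BEFORE" "$XINETD_ON"
report "$SOCKETS_AFTER" "$XINETD_OFF"
```

An outgoing `ftp` client session to another host changes none of these results, because the client binary opens no listening socket on the local machine.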
 
Old 05-11-2015, 09:33 AM   #10
mikenash
Member
 
Registered: Dec 2014
Posts: 81

Original Poster
Rep: Reputation: Disabled
Thank you for the explanation. The documentation can be confusing to a newbie. For example when reading about encrypting vsftpd with TLS it explicitly states that it has to be installed on both sides. But when stating sftp is a good substitute it did not occur to me that OpenSSH had to be installed on both sides. Installing on the enterprise systems the SSH capability was immediately available. Information was there but I lack experience especially with other platforms.
 
  


All times are GMT -5.