LinuxQuestions.org
Old 02-26-2015, 11:03 AM   #1
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Rep: Reputation: Disabled
Need better Upload Strategy


Trying to get my website set up, and not hang myself in the process!!

So, last night I was able to upload my website's DB from my laptop to my VPS using CyberDuck.

Being new to all of this, I uploaded the .sql file to...
Code:
/home/rob123/public_ftp/
Then I used MySQL to install the upload script.

That went well, but now I have this naked script floating around on my VPS!

How can I delete this .sql file and be 100% certain that it is NOT lingering somewhere else on the server, and that it CANNOT be recovered??

(For those of you who have followed my threads, I am *very* worried about files and login credentials and passwords getting stored in places that they shouldn't!!!)


Also, in retrospect I am thinking it wasn't so smart to upload my DB to a public folder like that.

In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??

Oh the stress of it all!!!

Sincerely,


Rob
 
Old 02-26-2015, 11:51 AM   #2
jstephens84
Senior Member
 
Registered: Sep 2004
Location: Nashville
Distribution: Manjaro, RHEL, CentOS
Posts: 2,098

Rep: Reputation: 102
Quote:
Originally Posted by RobInRockCity View Post
Trying to get my website set up, and not hang myself in the process!!

So, last night I was able to upload my website's DB from my laptop to my VPS using CyberDuck.

Being new to all of this, I uploaded the .sql file to...
Code:
/home/rob123/public_ftp/
Then I used MySQL to install the upload script.

That went well, but now I have this naked script floating around on my VPS!

How can I delete this .sql file and be 100% certain that it is NOT lingering somewhere else on the server, and that it CANNOT be recovered??

(For those of you who have followed my threads, I am *very* worried about files and login credentials and passwords getting stored in places that they shouldn't!!!)


Also, in retrospect I am thinking it wasn't so smart to upload my DB to a public folder like that.

In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??

Oh the stress of it all!!!

Sincerely,


Rob
Best way to find all the locations of a sql file would be either one of these commands
Code:
locate '*.sql'
or
Code:
find / -iname "*.sql"
As for uploading I would use scp as it will tunnel over ssh. Here are some examples
http://www.hypexr.org/linux_scp_help.php

Last edited by jstephens84; 02-26-2015 at 11:53 AM.
 
Old 02-26-2015, 11:52 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by RobInRockCity View Post
How can I delete this .sql file
What am I missing here? Your (S)FTP(S)-capable client (Cyberduck) has a point-and-click interface so just browse to your /home/rob123/public_ftp/ directory and delete the file?


Quote:
Originally Posted by RobInRockCity View Post
and be 100% certain that it is NOT lingering somewhere else on the server, and that it CANNOT be recovered??
If it's a shared server then you never can be 100 per cent sure as a root user can do and access everything. Do check your web server logs to see if the directory was crawled recently by a spider or if the file was served, same routine if you allow anonymous FTP or any other access to that directory.


Quote:
Originally Posted by RobInRockCity View Post
In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??
Obviously you'd have to decrypt it On The Fly when inserting (plus see the above root user comment again) but file encryption protects data at rest and using SFTP or FTPS (two different things) protects data in transit.
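
The web server log check suggested in the post above, as an added example that is not part of the thread. It assumes an Apache/nginx "combined" format access log; the URL prefix `/public_ftp/`, the file name `site_backup.sql` and the log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: list requests under a path that the web server actually
# answered with content (HTTP 2xx), from a combined-format access log.

# Constructed sample log (documentation-range IPs, hypothetical file name).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [25/Feb/2015:23:10:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Feb/2015:02:14:45 -0500] "GET /public_ftp/ HTTP/1.1" 200 812 "-" "ExampleBot/1.0"
198.51.100.23 - - [26/Feb/2015:02:14:47 -0500] "GET /public_ftp/site_backup.sql HTTP/1.1" 200 48211 "-" "ExampleBot/1.0"
192.0.2.50 - - [26/Feb/2015:09:30:11 -0500] "GET /public_ftp/site_backup.sql HTTP/1.1" 404 209 "-" "curl/7.40"
EOF
}

# served_hits PREFIX: read a log on stdin and print "ip time status bytes path"
# for every request whose path starts with PREFIX and returned 2xx.
served_hits() {
    awk -v prefix="$1" '
    {
        # Whitespace-split fields: $1=ip $4=[time $7=path $9=status $10=bytes
        if (index($7, prefix) == 1 && $9 ~ /^2[0-9][0-9]$/) {
            sub(/^\[/, "", $4)          # drop the leading "[" of the timestamp
            print $1, $4, $9, $10, $7
        }
    }'
}

# Demo: the directory listing and the dump were both served once; the 404 is ignored.
sample_log | served_hits /public_ftp/
```

For a real check, feed it the host's access log on stdin, for example `served_hits /public_ftp/ < access_log`; where that log lives depends on the hosting setup.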
 
Old 02-26-2015, 11:55 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
*Also note traditional UNIX doesn't give a rodent's behind about file extensions so a SQL dump doesn't need to be named as such. Something like ".kernel32.dll" should work just fine.
 
Old 02-26-2015, 01:09 PM   #5
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jstephens84 View Post
best way to find all the locations of a sql file would be either one of these commands
Code:
locate '*.sql'
or
Code:
find / -iname "*.sql"
So I would SSH into my VPS, and then type those commands?

Which directory do I have to be in when I type those?


Quote:
Originally Posted by jstephens84 View Post
as for uploading I would use scp as it will tunnel over ssh. Here are some examples
http://www.hypexr.org/linux_scp_help.php
Yeah, that is on my ToDo list.

But for now CyberDuck is working well.

Either way, my OP is asking about *after* I upload a file onto my VPS. (Even if I used SCP, I would have the same concerns...)

For example, if I delete the .sql upload using cPanel, maybe it just drops the file into a "Trash Bin"?

Or maybe when I uploaded my database, things were stored in some temporary cache?

Or maybe my web host has the server set up so when I delete a file from my VPS, it still lingers...

Follow my concerns?

Sincerely,


Rob

---------- Post added 02-26-15 at 01:10 PM ----------

Quote:
Originally Posted by unSpawn View Post
*Also note traditional UNIX doesn't give a rodent's behind about file extensions so a SQL dump doesn't need to be named as such. Something like ".kernel32.dll" should work just fine.
Ok, interesting!
 
Old 02-26-2015, 01:18 PM   #6
jstephens84
Senior Member
 
Registered: Sep 2004
Location: Nashville
Distribution: Manjaro, RHEL, CentOS
Posts: 2,098

Rep: Reputation: 102
Absolutely I follow your concerns. It was just a response to your question of "In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??" As regards the location of where to run those commands, you can be anywhere in the filesystem and run those commands. I forgot to mention you may need to run updatedb first before the locate command works.

As far as deleting the file from Cpanel it will delete it and there is no trash bin when deleting files from the terminal which is basically all the Cpanel is doing. Taking a web based action and turning it into a terminal command.

Probably a more secure practice would be to encrypt the file and use a secure upload means which will help provide security all around. This will provide Protection for In flight and at rest. Here is a link for encrypting a file http://www.cyberciti.biz/tips/linux-...-password.html
 
1 members found this post helpful.
Old 02-26-2015, 02:27 PM   #7
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jstephens84 View Post
As far as deleting the file from Cpanel it will delete it and there is no trash bin when deleting files from the terminal which is basically all the Cpanel is doing. Taking a web based action and turning it into a terminal command.
So whether I delete an uploaded file in cPanel or via command-line, I can rest assured that "delete means deleted", right?

And to be sure, would an uploaded file ever get stored somewhere else (e.g. Physical Server my VPS is on, Cache, etc.)??


Quote:
Originally Posted by jstephens84 View Post
probably a more secure practice would be to encrypt the file and use a secure upload means which will help provide security all around.

This will provide Protection for In flight and at rest.
Good idea!!


Quote:
Originally Posted by jstephens84 View Post
Here is a link for encrypting a file http://www.cyberciti.biz/tips/linux-...-password.html
Thank you very much!!

Who would have thought encrypting a file could be so easy?!

Is there a way for me to use GPG on my MacBook, or is it just for Linux?

Sincerely,


Rob
 
Old 02-26-2015, 03:07 PM   #8
jstephens84
Senior Member
 
Registered: Sep 2004
Location: Nashville
Distribution: Manjaro, RHEL, CentOS
Posts: 2,098

Rep: Reputation: 102
For GPG on Mac I would look into this https://gpgtools.org.
 
Old 02-26-2015, 03:24 PM   #9
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106
Quote:
So whether I delete an uploaded file in cPanel or via command-line, I can rest assured that "delete means deleted", right?
Well... that depends.

If you delete a file with rm or hitting delete in a gui - most likely it either moves it to a trash folder or just had the indicator towards it removed. The data is likely still in place until something overwrites it.

Since you also do not own the server two things can happen:

While the file was sitting around, the owner of the server could have copied it.

Until the file is overwritten (following a delete), the file can be recovered (partially, in full or not at all)

To securely delete, you should use shred or something similar. Having a gpg encrypted file works fine, until you decrypt it and use it at which point it can be copied by the server owner again.

Quote:
In the future, what is a better way to upload sensitive files to my VPS to maintain complete Privacy and Security??
Remember - you are assuming here that the VPS is 100% trustworthy. If you're worried about transit, scp works fine.
I seem to be following you around with that message aren't I?
 
Old 02-26-2015, 05:00 PM   #10
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Miati View Post
Well... that depends.

If you delete a file with rm or hitting delete in a gui - most likely it either moves it to a trash folder or just had the indicator towards it removed. The data is likely still in place until something overwrites it.
That is what I would have guessed.


Quote:
Originally Posted by Miati View Post
Since you also do not own the server two things can happen:

While the file was sitting around, the owner of the server could have copied it.
Yep.


Quote:
Originally Posted by Miati View Post
Until the file is overwritten (following a delete), the file can be recovered (partially, in full or not at all)
I agree.


Quote:
Originally Posted by Miati View Post
To securely delete, you should use shred or something similar. Having a gpg encrypted file works fine, until you decrypt it and use it at which point it can be copied by the server owner again.
You just can't win for losing, eh?

What is "shred"?



Quote:
Originally Posted by Miati View Post
Remember - you are assuming here that the VPS is 100% trustworthy.
I guess when you are on a budget like I am, there are greater risks associated than if you have your own servers and data centers...


At the same time, though, it would seem that if I export/backup my MySQL database to a directory outside of the Web Root, and then encrypt it, and then download it onto my MacBook in an encrypted form, that it would be reasonably secure, right?


Quote:
Originally Posted by Miati View Post
If you're worried about transit, scp works fine.

I seem to be following you around with that message aren't I?
*LOL*

Yes, Miati my shadow!!

Hey, I think you need to give me some credit here!

While maybe you could do this by the time you were 12, I finally learned how to use SSH to log into my VPS, and then use command-line on my VPS to copy and move some files, and to upload and download some files.

Small steps, I know, but I am getting there.

Also, to your point, no, I have not tried SCP yet. But I will. For now, my brain needs time to get comfortable with CyberDuck. Then as I get more comfortable with all that I'm doing, I will gladly try SCP and lots of other command-line things.

I am listening to my teachers on here - you guys just need to be patient. (It takes a while to unlearn a lifetime of using GUI!!)

Sincerely,


Rob
 
Old 02-26-2015, 07:27 PM   #11
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 939

Rep: Reputation: 104
I didn't read everything.
Just FYI:

If you're using a VPS you definitely have an intermediate layer (the hypervisor machine that controls your VPS) which (has to) intercept everything which is read/written from/to HDD, RAM, CPU and whatever.
Therefore, at least your hosting company, if they want to, they can read anything - doesn't matter if you write or not stuff or if you keep it encrypted until the last stage (CPU).
Summarized: if you're using VPS for secret data, you've definitely lost.

Even in the case of an owned root host, as long as you're not the one that is hosting it, you don't have ultimate control over the data that is handled (saved and/or processed) and you cannot be sure that what you see "from within your server" is really communicating directly to the HW, and without duplication or being just a plain imitation.
 
Old 02-26-2015, 07:49 PM   #12
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106
Quote:
What is "shred"?
Another cli program
(man shred)
Code:
 shred - overwrite a file to hide its contents, and optionally delete it
Quote:
While maybe you could do this by the time you were 12, I finally learned how to use SSH to log into my VPS, and then use command-line on my VPS to copy and move some files, and to upload and download some files.
...
(It takes a while to unlearn a lifetime of using GUI!!)
Only been using linux for about 2 years after only windows my whole life. I get the weirdness of typing in commands. I personally remember copying and pasting commands like sudo apt-get install program because the guide said it would install program.
I recall at one point deciding to learn everything I could about the terminal. My reasoning for doing so is because while gui's will likely change dramatically over short periods of time (gnome and windows are good examples) terminal commands stay the same. For a longgg time. I often read up on forum posts and guides from 2000-2005 that are still relevant. Commands have been the same for 30 years (not all, but a lot).
So if you work on learning the cli now, it'll still be relevant years from now. In the tech world, that kind of assurance is rare. (just IMO)
 
1 members found this post helpful.
Old 02-26-2015, 09:25 PM   #13
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Pearlseattle View Post
I didn't read everything.
Just FYI:

If you're using a VPS you definitely have an intermediate layer (the hypervisor machine that controls your VPS) which (has to) intercept everything which is read/written from/to HDD, RAM, CPU and whatever.
Therefore, at least your hosting company, if they want to, they can read anything - doesn't matter if you write or not stuff or if you keep it encrypted until the last stage (CPU).
Summarized: if you're using VPS for secret data, you've definitely lost.

Even in the case of an owned root host, as long as you're not the one that is hosting it, you don't have ultimate control over the data that is handled (saved and/or processed) and you cannot be sure that what you see "from within your server" is really communicating directly to the HW, and without duplication or being just a plain imitation.
All very good points. Thanks for compounding my *paranoia*!!!


Rob
 
Old 02-26-2015, 09:27 PM   #14
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Miati View Post
Another cli program
(man shred)
Code:
 shred - overwrite a file to hide its contents, and optionally delete it

Only been using linux for about 2 years after only windows my whole life. I get the weirdness of typing in commands. I personally remember copying and pasting commands like sudo apt-get install program because the guide said it would install program.
I recall at one point deciding to learn everything I could about the terminal. My reasoning for doing so is because while gui's will likely change dramatically over short periods of time (gnome and windows are good examples) terminal commands stay the same. For a longgg time. I often read up on forum posts and guides from 2000-2005 that are still relevant. Commands have been the same for 30 years (not all, but a lot).
So if you work on learning the cli now, it'll still be relevant years from now. In the tech world, that kind of assurance is rare. (just IMO)
I'll do my best to make you proud!!




Rob
 
Old 03-02-2015, 03:01 PM   #15
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 939

Rep: Reputation: 104
A final paranoia-boost:
read the "man shred" until the end. It is mentioned that overwriting files is not guaranteed to work with most of the filesystems.
The reason is that in order to save time or because of other functionality offered by the filesystem (e.g. historical snapshots of data), even when you overwrite a file the data is not going to land at the same place that the original file was using => the original data will still be lying somewhere on the HDD.
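
An added example, not part of any post in this thread, tying together three points raised above: a copy of the dump may exist under any name, `shred` overwrites in place, and that overwrite is not dependable on every filesystem. It assumes GNU coreutils (`sha256sum`, `stat`, `shred`); the function names, file names and sample data are constructed.

```sh
#!/bin/sh
# Added example: find copies of a file by content, then shred them with a
# warning where shred(1) says in-place overwrite cannot be relied on.

# find_copies FILE ROOT: print every regular file under ROOT whose content
# matches FILE by SHA-256, whatever its name or extension.
find_copies() {
    want=$(sha256sum < "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    # Only files of identical size can match, so only those get hashed.
    find "$2" -xdev -type f -size "${size}c" 2>/dev/null |
    while IFS= read -r f; do
        got=$(sha256sum < "$f" 2>/dev/null | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then printf '%s\n' "$f"; fi
    done
}

# overwrite_risk FSTYPE: classify a filesystem type (as printed by
# `stat -f -c %T`) against the caveats listed in shred(1).
overwrite_risk() {
    case "$1" in
        btrfs|zfs|nfs*) echo unreliable ;;  # copy-on-write, snapshots, remote storage
        *) echo best-effort ;;              # journal mode, RAID, host-side copies not visible here
    esac
}

# wipe FILE: warn when in-place overwrite is not dependable, then shred.
# Succeeds only if the name is gone afterwards.
wipe() {
    fstype=$(stat -f -c %T -- "$1") || return 1
    if [ "$(overwrite_risk "$fstype")" = unreliable ]; then
        echo "warning: $1 is on $fstype; old blocks may survive the overwrite" >&2
    fi
    shred -u -- "$1" && [ ! -e "$1" ]
}

# Demo on constructed data: a dump and a renamed copy of it.
demo() {
    d=$(mktemp -d) || return 1
    printf 'INSERT INTO users VALUES (1);\n' > "$d/site_backup.sql"
    cp "$d/site_backup.sql" "$d/.kernel32.dll"
    find_copies "$d/site_backup.sql" "$d" | while IFS= read -r f; do
        wipe "$f" && echo "wiped: $f"
    done
    rm -rf "$d"
}
demo
```

A "best-effort" result only means the guest filesystem type is not one of the known problem cases; it says nothing about snapshots or copies taken outside the VPS.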
 
  

