LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-18-2011, 01:22 PM   #1
bvz
LQ Newbie
 
Registered: Sep 2011
Posts: 15

Which is safer? Only ssh +scp for 2 users? Or ssh (1 user) + vsftpd (1 virtual user)


I am building a server that will need to be accessible from the outside world for two operations:

1) I need to maintain it remotely (via ssh)
2) Automatically copy files to and from it from a second, dedicated machine (either via scp or vsftpd). The automated nature of this requires that the second machine either have a password stored in a script OR use keys with no passphrase. The second computer will be identical to the server (same physical security, same software, same configuration, etc...)


Do you think it is more secure to:

A) Only have a single user allowed to ssh into the machine and then install vsftp with a virtual user to do the automated copying. This way, even if the remote machine is compromised and the password/keys are stolen, a remote shell cannot be opened with this information. Only the vsftpd has been compromised.

B) Allow two users to ssh (the admin and the remote, automated user who will use scp) and NOT install vsftpd. The remote user would be an unprivileged user. By not installing vsftpd I will have reduced the number of open ports and the number of attack vectors?

Thanks!
 
Old 09-18-2011, 04:49 PM   #2
kerrylinux
LQ Newbie
 
Registered: May 2009
Location: Co. Kerry, Ireland
Distribution: CentOS, Fedora, RedHat, Ubuntu Enterprise Cloud
Posts: 12

Quote:
Originally Posted by bvz
Do you think it is more secure to:

A) Only have a single user allowed to ssh into the machine and then install vsftp with a virtual user to do the automated copying. This way, even if the remote machine is compromised and the password/keys are stolen, a remote shell cannot be opened with this information. Only the vsftpd has been compromised.

B) Allow two users to ssh (the admin and the remote, automated user who will use scp) and NOT install vsftpd. The remote user would be an unprivileged user. By not installing vsftpd I will have reduced the number of open ports and the number of attack vectors?
The admin user will use a password protected ssh-key, so his security is not at stake, given the physical security of the primary server.

For the unprivileged user who is using an unprotected key on the secondary machine (either for ftp or ssh) the security risks are totally different. In the case of ftp there is no effective protection for the transmission of the ftp password; you can sniff it with a packet analyzer like Wireshark. If you use (unprotected) ssh-keys for scp you will get full encryption of your connection and data transfer between the two servers, BUT you will have to guard the clear text ssh-key on the second server very closely. Use the second method, because ssh always outperforms (any) ftp with respect to security.

Last edited by kerrylinux; 09-18-2011 at 04:51 PM.
 
Old 09-18-2011, 09:55 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

For the automated cxn, consider using ssh-agent to initiate the cxn and put the copying process into a daemon, inside the ssh-agent env.
This way you can use a passwd that doesn't have to reside on (client) disk (unlike the ssh-key).
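As an added illustration of the point made in post #2 (example code written for this edit, not anything posted in the thread): the passphrase-less key that the copying machine must hold can be limited on the server side in authorized_keys, so a stolen key yields one transfer command from one host rather than a shell. The peer address 192.0.2.10, the destination /srv/incoming and the key material in the test are constructed placeholders; key_mode_ok assumes GNU stat.

```shell
#!/bin/sh
# Builds and checks a restricted authorized_keys entry for the automated
# copy account. The key has no passphrase, so the server-side entry is what
# limits a stolen key: one source host, one forced command, no pty and no
# forwarding. Newer OpenSSH also offers the single "restrict" keyword.

# Usage: restricted_entry <peer_ip> <allowed_command> <pubkey_line>
# The pubkey line is the content of the .pub file (type, base64, comment).
# Prints the authorized_keys line on stdout; returns 1 on an unexpected key.
restricted_entry() {
    peer="$1"; cmd="$2"; pub="$3"
    # Only accept a bare key line; anything else could smuggle in options.
    case "$pub" in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-'*) ;;
        *) echo "unsupported key line" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$peer" "$cmd" "$pub"
}

# Returns 0 only if the line carries every restriction we rely on, so an
# audit over the real authorized_keys file can flag unrestricted entries.
entry_is_restricted() {
    line="$1"
    for opt in 'from="' 'command="' no-pty no-port-forwarding \
               no-agent-forwarding no-X11-forwarding; do
        case "$line" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The clear-text private key on the copying host must be owner-only.
# Assumes GNU stat (-c '%a' prints the octal mode).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}
```

With `command="scp -t /srv/incoming"` the forced command ignores whatever the client asked for, so the key can only push files into that directory; a pull direction needs its own key and entry.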