LinuxQuestions.org


baronlynx 01-17-2005 07:18 PM

dangers of the ftp service
 
hi,

i would like to set up a directory in my box and share it with others by ftp service

could someone tell me some about ftp:
1. dangers in using ftp on your own computer with people who log in,
2. can i make a use of ssh by allowing only connections by ssh to my ftp (will it be more secure then? - prob for clients but not for me, but i am not sure),
3. can i make restrictions so the users who log in would never see the other data that i don't want them to see?
4. how to set it up, what software to use etc ...
5. does providing access by ftp (not anonymous) implies changing and adding users in the system ? or only in the ftp service software provider?
6. if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)

it's gonna be a story of compromises i guess ...

thanx in advance for all help

baronlynx

GUIPenguin 01-17-2005 08:09 PM

man vsftpd

hw-tph 01-17-2005 08:12 PM

1. Generally speaking, running any type of daemon is a security hazard. Any type of software is subject to having bugs, and with this type of software they can be fairly critical. Anonymous, read-only FTP with a daemon that doesn't respond to SITE commands is usually the safest way. Anonymous write capability means you will be hosting illegal software within a week (people use scanners to scan entire subnets for anonymous non-readonly FTP servers to provide themselves and each other with storage space for the Windows software they're too cheap to buy).

2. Not really. If the users have *real* accounts - meaning they can log in and use your system - you can let them use scp. This is a secure FTP-like means of transferring files of SSH. You can also use encrypted FTP - highly recommended for security reasons but it does put a much bigger load on your server. Encrypted FTP, using SSL/TLS is available in most modern FTP servers by now. Users will no doubt find it a bit annoying to deal with though, at least to start with.

3. Yes. You can have them "jailed" to their home directory, meaning they cannot view anything outside that directory. Their home directory will appear as the root of the server when they log in.

4. Setting it all up depends on what software you use of course. Stay away from wuftpd (hardly anyone uses it by now anyway) since it has traditionally been riddled with exploits. vsftpd seems to be a good choice nowadays - I use it on my server now, but previously I used ProFTPd which also worked well.

5. With some FTP servers you will need "real" system users. With vsftpd and other modern FTP daemons you can set up virtual users only for the FTP service. This I highly recommend.

6. As I mentioned, if the users are supposed to have full system access anyway, then having them use scp instead of ftp would be a good choice. However, if you don't want them to have real access to the system, an ftp server setup with virtual users is probably the best idea.


Håkan
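
The points in the answer above (no anonymous write, jailed users, virtual users, encrypted logins) can be checked against a vsftpd.conf with a short script. This is an added example, not part of the original post; the finding names and the sample configurations are constructed for illustration, the guest_username value is a hypothetical account name, and chroot_list_enable exceptions are not modelled.

```python
# Added example: audit a vsftpd.conf for the risks raised in this thread.
# Unset options fall back to the defaults documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "guest_enable": "NO", "ssl_enable": "NO", "force_local_logins_ssl": "YES",
}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")

def parse_conf(text):
    """Parse 'option=value' lines; lines starting with '#' are comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return finding names for the given vsftpd.conf text."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    # Anonymous write only takes effect when write_enable is also YES.
    if on("anonymous_enable") and on("write_enable") and any(map(on, ANON_WRITE)):
        findings.append("anonymous-write")
    if on("local_enable"):  # password logins are allowed
        if not on("chroot_local_user"):
            findings.append("users-not-jailed")
        if not on("guest_enable"):
            findings.append("real-system-accounts")
        if not (on("ssl_enable") and on("force_local_logins_ssl")):
            findings.append("cleartext-passwords")
    return findings

# Constructed sample configurations (not from the thread).
RISKY = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nlocal_enable=YES\n"
# guest_username is a hypothetical unprivileged account name.
HARDENED = """anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=ftpvirtual
chroot_local_user=YES
ssl_enable=YES
"""
if __name__ == "__main__":
    print(audit(RISKY), audit(HARDENED))
```

An empty file yields no findings because the compiled-in defaults give anonymous, read-only access with local logins disabled.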

Dark_Helmet 01-17-2005 08:15 PM

1. dangers in using ftp on your own computer with people who log in
You have the same danger running ftp as you would allowing any other service on your computer. The problem is not known security problems, it's the unknown ones. From a general use perspective, there's the possibility someone could delete files they're not supposed to (probably a fault in the configuration). From an attacker perspective, there may be a way for the user to gain root privileges, allowing them to upload/delete/move whatever file(s) they want. It's a leap-frog game, and always will be. I know that's not the answer you wanted to hear, but it's just how things work. If you keep your software up-to-date and subscribe to the software's mailing list, then you should be reasonably safe in running the software. At the very least, you'll know what your system is vulnerable to, and what steps you can take (if any) to minimize the risk.

2. can i make a use of ssh by allowing only connections by ssh to my ftp (will it be more secure then? - prob for clients but not for me, but i am not sure)
Having the users tunnel through ssh will protect the data they transfer. This includes user and password authentication. While it does not directly offer any server security, it does indirectly improve it, by making it harder for someone trying to sniff a user-password combination.

3. can i make restrictions so the users who log in would never see the other data that i don't want them to see?
Some ftp server software allows you to "jail" your users. What that means is, when the user logs in, that user cannot leave a specific directory tree. Say for instance, you jail the user into /usr/local/share/ftp_files. Typically, that means the ftp user can go into any subdirectory of /usr/local/share/ftp_files, but the user cannot go any higher. /usr/local/share is off-limits (and any other, "higher" directories).

4. how to set it up, what software to use etc ...
You'll need to research the software that's available and choose for yourself. There are lots of different kinds: vsftp (very secure ftp), wuftpd, and others. How to set it up will be detailed in the software's documentation. You'll have to read over it. FTP is common enough that configuration files are well commented (usually).

5. does providing access by ftp (not anonymous) implies changing and adding users in the system ? or only in the ftp service software provider?
This will depend on the software you choose. Typically, ftp users will match existing users on the system. Some FTP software will allow you to create ftp-specific users to avoid making an account on your normal system. An example would be anonymous access. Typically, that gets mapped to the "nobody" user on a system when determining what filesystem permissions are given to the user.

6. if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
You could accomplish similar tasks by running a web server, but that's a whole other can of worms.

EDIT:
Ugh... beaten to the punch... again...

GUIPenguin 01-17-2005 08:21 PM

Quote:

if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
you could always look at setting up a samba file server too.
http://www.samba.netfirms.com/index.htm

baronlynx 01-18-2005 03:48 AM

thank you hw-tph & Dark_Helmet & GUIPenguin for your fast replies ...


clarification: i don't want any other user but me to have access to my sys (other than the ftp jailed dir) from the outside world

my question to you continues ...

are there windoze clients for
Quote:

Encrypted FTP, using SSL/TLS

or does the built in explorer client (in win xp) support it ?

is this a solution for internet access too or only for intranet ?
Quote:

you could always look at setting up a samba file server too.
http://www.samba.netfirms.com/index.htm

cheers,
baron //reading man vsftpd// :scratch: :study:

hw-tph 01-18-2005 06:43 AM

Yes, there are Windows FTP clients with SSL/TLS support. I prefer FlashFXP which although not free is a) hands down the best FTP GUI client out there, and b) quite affordable.


Håkan


All times are GMT -5.