01-17-2005, 07:18 PM
|
#1
|
Member
Registered: Jan 2004
Location: Lille [Fr]
Distribution: SUSE9.3, WinXP on a leech (vmware)
Posts: 62
Rep:
|
dangers of the ftp service
hi,
i would like to set up a directory in my box and share it with others by ftp service
could someone tell me something about ftp:
1. dangers in using ftp on your own computer with people who log in,
2. can i make a use of ssh by allowing only connections by ssh to my ftp (will it be more secure then? - prob for clients but not for me, but i am not sure),
3. can i make restrictions so the users who log in would never see the other data that i don't want them to see?
4. how to set it up, what software to use etc ...
5. does providing access by ftp (not anonymous) imply changing and adding users in the system ? or only in the ftp service software provider?
6. if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
it's gonna be a story of compromises i guess ...
thanx in advance for all help
baronlynx
|
|
|
01-17-2005, 08:09 PM
|
#2
|
Member
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239
Rep:
|
man vsftpd
Last edited by GUIPenguin; 01-17-2005 at 08:12 PM.
|
|
|
01-17-2005, 08:12 PM
|
#3
|
Senior Member
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032
Rep:
|
1. Generally speaking, running any type of daemon is a security hazard. Any type of software is subject to having bugs, and with this type of software they can be fairly critical. Anonymous, read-only FTP with a daemon that doesn't respond to SITE commands is usually the safest way. Anonymous write capability means you will be hosting illegal software within a week (people use scanners to scan entire subnets for anonymous non-readonly FTP servers to provide themselves and each other with storage space for the Windows software they're too cheap to buy).
2. Not really. If the users have *real* accounts - meaning they can log in and use your system - you can let them use scp. This is a secure FTP-like means of transferring files of SSH. You can also use encrypted FTP - highly recommended for security reasons but it does put a much bigger load on your server. Encrypted FTP, using SSL/TLS is available in most modern FTP servers by now. Users will no doubt find it a bit annoying to deal with though, at least to start with.
3. Yes. You can have them "jailed" to their home directory, meaning they cannot view anything outside that directory. Their home directory will appear as the root of the server when they log in.
4. Setting it all up depends on what software you use of course. Stay away from wuftpd (hardly anyone uses it by now anyway) since it has traditionally been riddled with exploits. vsftpd seems to be a good choice nowadays - I use it on my server now, but previously I used ProFTPd which also worked well.
5. With some FTP servers you will need "real" system users. With vsftpd and other modern FTP daemons you can set up virtual users only for the FTP service. This I highly recommend.
6. As I mentioned, if the users are supposed to have full system access anyway, then having them use scp instead of ftp would be a good choice. However, if you don't want them to have real access to the system, an ftp server setup with virtual users is probably the best idea.
Håkan
|
|
|
01-17-2005, 08:15 PM
|
#4
|
Senior Member
Registered: Jan 2003
Posts: 2,786
|
1. dangers in using ftp on your own computer with people who log in
You have the same danger running ftp as you would allowing any other service on your computer. The problem is not known security problems, it's the unknown ones. From a general use perspective, there's the possibility someone could delete files they're not supposed to (probably a fault in the configuration). From an attacker perspective, there may be a way for the user to gain root privileges, allowing them to upload/delete/move whatever file(s) they want. It's a leap-frog game, and always will be. I know that's not the answer you wanted to hear, but it's just how things work. If you keep your software up-to-date and subscribe to the software's mailing list, then you should be reasonably safe in running the software. At the very least, you'll know what your system is vulnerable to, and what steps you can take (if any) to minimize the risk.
2. can i make a use of ssh by allowing only connections by ssh to my ftp (will it be more secure then? - prob for clients but not for me, but i am not sure)
Having the users tunnel through ssh will protect the data they transfer. This includes user and password authentication. While it does not directly offer any server security, it does indirectly improve it, by making it harder for someone trying to sniff a user-password combination.
3. can i make restrictions so the users who log in would never see the other data that i don't want them to see?
Some ftp server software allows you to "jail" your users. What that means is, when the user logs in, that user cannot leave a specific directory tree. Say for instance, you jail the user into /usr/local/share/ftp_files. Typically, that means the ftp user can go into any subdirectory of /usr/local/share/ftp_files, but the user cannot go any higher. /usr/local/share is off-limits (and any other, "higher" directories).
4. how to set it up, what software to use etc ...
You'll need to research the software that's available and choose for yourself. There are lots of different kinds: vsftp (very secure ftp), wuftpd, and others. How to set it up will be detailed in the software's documentation. You'll have to read over it. FTP is common enough that configuration files are well commented (usually).
5. does providing access by ftp (not anonymous) imply changing and adding users in the system ? or only in the ftp service software provider?
This will depend on the software you choose. Typically, ftp users will match existing users on the system. Some FTP software will allow you to create ftp-specific users to avoid making an account on your normal system. An example would be anonymous access. Typically, that gets mapped to the "nobody" user on a system when determining what filesystem permissions are given to the user.
6. if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
You could accomplish similar tasks by running a web server, but that's a whole other can of worms.
EDIT:
Ugh... beaten to the punch... again...
Last edited by Dark_Helmet; 01-17-2005 at 08:17 PM.
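
The configuration risks raised in replies #3 and #4 (anonymous write access, no jail, real system accounts, unencrypted logins), as an added example that is not part of any post in this thread: a short Python check over the text of a vsftpd.conf. The two sample configurations and the `guest_username` value are constructed for illustration.

```python
# Added example, not from the thread. Option names and defaults follow vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO", "guest_enable": "NO", "ssl_enable": "NO",
}

# Constructed sample configurations (guest_username value is a placeholder).
WEAK = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nlocal_enable=YES\n"
HARDENED = """\
# virtual users only, jailed, TLS on
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=ftpvirtual
ssl_enable=YES
"""

def parse_conf(text):
    """Parse option=value lines; blank lines and '#' comment lines are skipped."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(text):
    """Return findings for the risks raised in the thread.
    Per-user chroot_list_enable exceptions are not evaluated."""
    conf = parse_conf(text)
    def on(key):
        return conf.get(key, "NO").upper() in ("YES", "TRUE", "1")
    findings = []
    if on("anonymous_enable") and on("write_enable") and (
            on("anon_upload_enable") or on("anon_mkdir_write_enable")):
        findings.append("anonymous users can upload: expect abuse as free storage")
    if on("local_enable") and not on("chroot_local_user"):
        findings.append("logged-in users are not jailed to their home directory")
    if on("local_enable") and not on("guest_enable"):
        findings.append("FTP logins are real system accounts, not virtual users")
    if on("local_enable") and not on("ssl_enable"):
        findings.append("passwords and data cross the network unencrypted")
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text))
```

An empty configuration produces no findings because the documented defaults give anonymous, read-only access with local logins disabled.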
|
|
|
01-17-2005, 08:21 PM
|
#5
|
Member
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239
Rep:
|
Quote:
if not ftp then what ? (i would like it easy enough for the clients, and accessible with windowz)
|
you could always look at setting up a samba file server too.
http://www.samba.netfirms.com/index.htm
|
|
|
01-18-2005, 03:48 AM
|
#6
|
Member
Registered: Jan 2004
Location: Lille [Fr]
Distribution: SUSE9.3, WinXP on a leech (vmware)
Posts: 62
Original Poster
Rep:
|
thank you hw-tph & Dark_Helmet & GUIPenguin for your fast replies ...
clarification: i don't want any other user but me to have an access to my sys (else than ftp jailed dir) from outside world
my question to you continues ...
are there windoze clients for
Quote:
Encrypted FTP, using SSL/TLS
|
or does the built in explorer client (in win xp) support it ?
is this a solution for internet access too or only for intranet ?
cheers,
baron //reading man vsftpd// 
Last edited by baronlynx; 01-18-2005 at 03:50 AM.
|
|
|
01-18-2005, 06:43 AM
|
#7
|
Senior Member
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032
Rep:
|
Yes, there are Windows FTP clients with SSL/TLS support. I prefer FlashFXP which although not free is a) hands down the best FTP GUI client out there, and b) quite affordable.
Håkan
|
|
|