Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am new to Linux and am wondering what the security implications are if a local user name and password get into the hands of the wrong people.
Why I ask this is because I'm doing an FTP upload, and for this I've created a Java applet that has a hard-coded username and password. It's fairly easy to decompile Java code and get access to this user information - who is the apache user.
Is this a big problem? If I restrict ssh to only allow one user, e.g. ssh_user, then what harm can a cracker do, armed with my apache user name and password? What other means are there of making use of this? Telnet is disabled... Can this be used to access my system in any other way?
Wouldn't a better question be "How do I configure FTP so uploads do not require a userid and password?" I believe that this is the way almost all ftp sites are configured, and the risk, however small, of exposing user names and passwords is avoided.
And haven't you somewhat increased your risk by advertising, in a public forum, your intent to make your system's user name and password part of your script?
As to the answer to my proposed question, there are several documents available (here and elsewhere) which provide such methods -- and I'm not actually knowledgeable enough to offer any better advice than the common one to RTM.
Thanks for your reply. I can configure vsftpd to use anonymous uploads (it should do so by default) but for some reason my vsftpd server doesn't like anon connections. But I'm sure I can fix that somehow. So I'm not asking for FTP setup help.
My question was actually just what harm people can do with a username and password combination... judging from your reply... lots of harm, it seems. But how? Through ssh? That can be made secure quite easily, I think. How else? How else can remote users log into your system with a username and password combination...
The problem is that there are lots of clever people out there, and it only takes one of them to find a way to exploit your system. Handing them the keys doesn't make it harder. My point: I'm not sure what specific problems you'd have, but strongly suspect that you don't want to find out.
I was just looking at another post, and found a reference to "http://pureftpd.sourceforge.net/" which is a "Secure" FTP server. I did understand that you weren't looking to replace your FTP server, but you might want to take a look at that one.
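The anonymous, upload-only setup raised in the thread, sketched as a vsftpd.conf fragment. This is an added example, not a configuration posted by any participant; the directory /var/ftp and the account name ftpupload are assumptions chosen for illustration.

```ini
# vsftpd.conf: anonymous, upload-only drop box (constructed example).
# vsftpd does not accept trailing comments or spaces around "=",
# so every comment sits on its own line.
listen=YES

# No local accounts over FTP: a leaked system password cannot be used here.
local_enable=NO

# Anonymous login, so the uploading client carries no embedded secret.
anonymous_enable=YES
no_anon_password=YES

# Assumed path. The anonymous root itself must not be writable by the
# ftp user; uploads go into a writable subdirectory (e.g. incoming/).
anon_root=/var/ftp

# Permit uploads only: no mkdir, rename or delete for anonymous users.
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

# Uploaded files cannot be listed or fetched back by other anonymous users.
download_enable=NO
dirlist_enable=NO
anon_umask=077

# Hand uploaded files to a dedicated unprivileged account.
# "ftpupload" is a hypothetical account that must already exist.
chown_uploads=YES
chown_username=ftpupload

# Keep a transfer log for later review.
xferlog_enable=YES
```

With local_enable=NO the FTP service no longer accepts any system account, so the applet has nothing worth decompiling and the apache user's password stays out of the client.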