Re: How safe are FTP servers?
- From: General Schvantzkoph <schvantzkoph@xxxxxxxxx>
- Date: 17 May 2007 19:12:50 GMT
On Thu, 17 May 2007 17:23:12 +0000, Stuart Miller wrote:
"General Schvantzkoph" <schvantzkoph@xxxxxxxxx> wrote in message
news:pan.2007.05.17.13.06.32@xxxxxxxxxxxx
I have a server that I use to distribute code to my customers. Each
customer has an account on the server which they access via ssh using
RSA authentication. I have a new customer at a large defense company
that can't use ssh, their firewall doesn't allow it. To accommodate
that customer I've put ProFTPD on the release server. I've set it up so
there is no root login and access is limited to users with a valid
shell. In addition all user accounts have 700 privileges so no one can
see anyone else's directories. This server machine doesn't have ssh
access to any other machine on my network, I require RSA authentication
on all of my boxes and there is no public key from this server on any
other box. I also don't have any legacy servers installed on any of my
systems so I'm assuming that even if someone gained access to my
release server they could access any other system.
I've tried to avoid FTP because it uses passwords instead of RSA keys
and I don't want to be subject to password guessing attacks. Now that
I'm stuck with an FTP server I'd like to know if I've just been overly
paranoid. How safe is an FTP server? What else should I do to secure my
network?
The simple answer is 'not very safe'.
But why are you using ftp?
FTP allows your server to receive files from clients, something like what
would be needed in a large web hosting operation, where every user
manages their own space for their own website.
If all you are doing is allowing clients to download files, then there
are many other applications which will perform that task. Depending on
your security needs, Apache will do that very well with negligible
security risk to your server. There are all kinds of neat
'authentication' modules.
Back to ftp, you can 'jail' users in the 'public' area, so the chance of
root level damage is remote.
You can set permissions to prohibit writing, so your ftp site can not be
used as a repository for pirated files.
You can use decent passwords.
If it is just to protect the files from unauthorized access, such as
'trade secret' type software, you can encrypt it before posting it.
If you need more ideas, I can find one of my 'linux security' manuals.
Stuart
My customers need to upload as well as download. I've been using ssh for
this function, which I'm comfortable with. I'm hoping that this customer
can work things out with his IT people so that he will be able to use ssh
in the future; in the meantime I've set up FTP so that he can get a
release. I'm only going to open the port when he needs to get a new
release.
I have some questions on chroot. To chroot ProFTPD, is the following
correct?
Put the following in /etc/init.d/proftpd:
DefaultRoot ~
Can I do the same thing with ssh access?
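The chroot question above, worked through as an added example that is not part of the original thread or of the ProFTPD or OpenSSH projects. In ProFTPD the `DefaultRoot ~` directive is a proftpd.conf directive (the init script only starts the daemon), and it confines each logged-in user to their own home directory; the OpenSSH equivalent is a `Match` block in sshd_config that sets `ChrootDirectory` and forces the `internal-sftp` subsystem, so the jailed user gets file transfer but no shell. The script below embeds constructed fragments of both files and audits them for the settings the thread discusses (no root login, valid shell required, users chrooted to home, password authentication off). The group name `sftponly` and the file contents are constructed for the example.

```python
"""Audit a ProFTPD and an OpenSSH config for the chroot-related settings.

Constructed sample fragments are embedded so the script runs offline;
read real files into PROFTPD_CONF / SSHD_CONFIG to audit a live box.
"""
from __future__ import annotations

# Constructed proftpd.conf fragment (not from the original post).
PROFTPD_CONF = """
ServerName        "Release server"
RootLogin         off
RequireValidShell on
# Lock every user into their own home directory
DefaultRoot       ~
"""

# Constructed sshd_config fragment; the group name is an assumption.
SSHD_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication   yes
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_directives(text: str) -> list[tuple[str, str]]:
    """Return (directive, value) pairs with the directive lower-cased.

    Both files use a 'Keyword value' line syntax with '#' comments, so one
    parser serves both. Order is preserved so Match blocks can be rebuilt.
    """
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0].lower(), value))
    return pairs


def audit_proftpd(conf: str) -> dict[str, bool]:
    """Check the ProFTPD settings the thread relies on.

    Defaults mirror ProFTPD's own: RootLogin is off and RequireValidShell
    is on unless the file says otherwise. 'DefaultRoot ~ !wheel' style
    values still count as chrooting to home.
    """
    d = dict(parse_directives(conf))  # last occurrence wins, as in proftpd
    return {
        "root_login_disabled": d.get("rootlogin", "off").lower() == "off",
        "valid_shell_required": d.get("requirevalidshell", "on").lower() == "on",
        "users_chrooted_to_home": d.get("defaultroot", "").split()[:1] == ["~"],
    }


def audit_sshd(conf: str) -> dict[str, bool]:
    """Check for a chrooted, SFTP-only Match block plus key-only logins.

    Directives after a 'Match' line belong to that block until the next
    'Match'; everything before the first Match is global.
    """
    global_d: dict[str, str] = {}
    blocks: list[dict[str, str]] = []
    current = global_d
    for key, value in parse_directives(conf):
        if key == "match":
            current = {}
            blocks.append(current)
        else:
            current[key] = value
    jailed = [
        b for b in blocks
        if "chrootdirectory" in b
        and b.get("forcecommand", "").lower() == "internal-sftp"
    ]
    subsystem = global_d.get("subsystem", "").lower().split()
    return {
        "password_auth_disabled": global_d.get("passwordauthentication", "yes").lower() == "no",
        "sftp_uses_internal_subsystem": subsystem == ["sftp", "internal-sftp"],
        "has_chrooted_sftp_only_block": bool(jailed),
    }


if __name__ == "__main__":
    for name, report in (("proftpd", audit_proftpd(PROFTPD_CONF)),
                         ("sshd", audit_sshd(SSHD_CONFIG))):
        for check, ok in report.items():
            print(f"{name:8} {check:32} {'OK' if ok else 'MISSING'}")
```

Two caveats a practitioner would want here. OpenSSH refuses a `ChrootDirectory` unless that directory and every path component above it are owned by root and not group- or world-writable, so with `%h` the home itself is root-owned and users upload into a writable subdirectory beneath it. And the FTP chroot limits what a logged-in user can reach; it does nothing about the password concern raised earlier in the thread, since plain FTP still sends credentials in clear text.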