Re: How safe are FTP servers?
- From: Tim Southerwood <ts@xxxxxxxxxx>
- Date: Fri, 18 May 2007 14:14:41 +0100
Ertugrul Soeylemez wrote:
<snip>
You can imagine yourself how safe FTP is, and a few other people have
already given an answer to this question. I understand your problem is
that you want to distribute files, and the traffic should be encrypted
as well as securely authenticated (i.e. no passwords). There are a few
alternatives. One of them should certainly pass almost any firewall.
Agree completely. Theer are two main security considerations here:
a) Can some little t*sser crack your server daemon outright? eg buffer
overrun, get into your system, root it etc. This is addressed by using
decent server software with a good track record, or by layering another
stronger system over the top (eg ssh tunnels).
b) If not a), can they sniff your client's authentication credentials
between your server and theirs and then log in normally and nick/wreck your
data? This is addressed by either securing the network or securing the
channel, eg by encryption.
As Unruh already mentioned, you can use rsync. This is probably the
best method to distribute files, especially source code, which changes
frequently, but also for data that doesn't change. The big advantage is
that rsync can run transparently over a few protocols, including SSH
(where it looks just like SCP)
<pedant>
Just to clarify, rsync uses it's own rsync protocol over SSH, stuffed
through an SSH tunnel. To illustrate, do an rsync over SSH and observe the
remote end - you will find and rsync process running on the end of a unix
stream back to an sshd service process. I assume you meant by "looks just
like SCP" you meant "looks like some random encrypted scunge". :-)
</pedant>
and rsync's own protocol.
For the problem, where SSH traffic is blocked, you can use authenticated
HTTP. That means that both you and your client have a valid
certificate. There are two options. The first is that you aquire a
server certificate from some big CA, which is known to most webbrowsers.
A few of them are free. Then you can give out client certificates
(i.e. let them generate one and sign them with your own). That's less
user-friendly than rsync with SSH, but gives equivalent security.
You could of course also generate your own cert and you only need one on the
server if you then use something like Basic HTTP authentication as well -
at least you get an encrypted channel. It's more vulnerable to attacks done
like that, but it's often "good enough TM".
Last, but certainly not least, you can try using FTP with TLS. Unlike
SSL, where the application protocol is embedded into, in TLS it's the
opposite way. TLS is embedded into FTP, so the firewall should not be
able to detect the difference (without specifically watching for it).
vsftpd supports this. Then disable password-based authentication and
work with certificates, just like with HTTP/S.
I never worked out why FTP over SSL or TLS never seemed to catch on. Seems
as obvious as IMAP over SSL.
Cheers
Tim
.
- Follow-Ups:
- Re: How safe are FTP servers?
- From: Matt Simpson
- Re: How safe are FTP servers?
- From: Ertugrul Soeylemez
- Re: How safe are FTP servers?
- References:
- How safe are FTP servers?
- From: General Schvantzkoph
- Re: How safe are FTP servers?
- From: Ertugrul Soeylemez
- How safe are FTP servers?
- Prev by Date: Re: IPTABLES and DNS
- Next by Date: Re: How safe are FTP servers?
- Previous by thread: Re: How safe are FTP servers?
- Next by thread: Re: How safe are FTP servers?
- Index(es):
Relevant Pages
|
|
