Re: Good secure file transfer, was Re: How safe are FTP servers?
- From: Ertugrul Soeylemez <do-not-spam-me@xxxxxxxx>
- Date: Tue, 29 May 2007 03:05:08 +0200
Nico <nkadel@xxxxxxxxx> (07-05-28 02:19:45):
I've had good success migrating companies off of it to HTTPS for
download and HTTPS/WebDAV for upload.
You migrate people *from* FTP to WebDAV, in the name of security?
I'll grant that you've already said you're using HTTPS which is
obviously the right way to go ...
Probably that's even too complicated. For most applications, there
are much easier alternatives, which are equivalently secure.
Oh? For download, HTTPS is fine and well supported, and has plenty of
clients available for the scriptable, command line, or graphical
interfaces. And unlike FTP, requires only a single firewall port
without complexities to handle the traffic. And most web servers
already have the "restrict user to single directory access", very
flexible controls over symlink handling and directory browsability,
multiple well-supported user authentication techniques, etc.
The user authentication is what I'm referring to. Cryptographical
authentication via HTTPS has some remarkable difficulties compared to
other protocols. This is because HTTPS is mainly used to authenticate
servers, not users.
FTP has some of those, but breaks down on the clear-text user login
and password handling. And the multiple ports cause real problems
with firewalls and proxies set up to be quite fascist.
I don't think that I sounded like a supporter of FTP, but if I did, then
I'm sorry. I hate FTP.
SSH/SFTP/SCP have very, very serious flaws in controlling user access
to the server's file system. They work well for certain operations:
having a command line browseable, more secure tool than FTP is good.
But the lack of a chroot cage to hide server content, such as
/etc/passwd or other configurations, and the difficulty of preventing shell
access for SSH users, all lead to some real risks in running it on a
server. There are some SSH servers that provide this (RunSCP comes to
mind), but they're nowhere near as commonly deployed as plain old
OpenSSH.
SSH means `Secure SHell'. That implies regular shell access. However,
if your system is configured properly, then there is no problem with
that, besides that it adds a further layer of potential security
problems. To avoid that, avoid SSH, or chroot it (which is well
possible [1,2]).
Regards,
Ertugrul Söylemez.
References:
[1] http://chrootssh.sourceforge.net/index.php
[2] http://www.brandonhutchinson.com/chroot_ssh.html
--
Security is the one concept, which makes things in your life stay as
they are. Otto is a man, who is afraid of changes in his life; so
naturally he does not employ security.
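
The two risks raised in the thread (no chroot cage, and shell access for SSH users) can be checked for in a server's configuration. The following is an added example, not part of the original post: it assumes OpenSSH's built-in `ChrootDirectory` and `ForceCommand internal-sftp` directives rather than the patch in [1], inspects `Match` blocks only (global settings are ignored), and uses a constructed sample config with made-up user and group names.

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match User upload
    ForceCommand internal-sftp -l INFO
    ChrootDirectory none
Match User backup
    chrootdirectory=/srv/backup
"""

def parse_match_blocks(text):
    """Map each Match criteria string to its {directive: value} settings."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Keyword value" and "Keyword=value" both occur.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # "Match all" returns to settings that apply to every connection.
            current = None if value.lower() == "all" else blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # the first value for a keyword wins
    return blocks

def audit(text):
    """Return {criteria: [problems]} for every Match block in the config."""
    report = {}
    for criteria, opts in parse_match_blocks(text).items():
        problems = []
        if opts.get("chrootdirectory", "none").lower() == "none":
            problems.append("no chroot: server files such as /etc/passwd are visible")
        if (opts.get("forcecommand", "").split() or [""])[0] != "internal-sftp":
            problems.append("no ForceCommand internal-sftp: shell access possible")
        if opts.get("allowtcpforwarding", "yes").lower() != "no":
            problems.append("TCP forwarding not disabled")
        report[criteria] = problems
    return report

if __name__ == "__main__":
    for criteria, problems in audit(SAMPLE_CONFIG).items():
        print(criteria, "->", problems or "ok")
```
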