FTP server / web server security question

Printable View

Show 40 post(s) from this thread on one page

April 7th, 2004, 02:55 AM
Psychomantum

FTP server / web server security question

Ok,

I have a friend who has an idea on how to keep his server more secure. I think he is creating way more work for himself and not solving many promblems. I want to run this by the people here to see what you think:

Instead of FTP'ing files to the directory you want them, you have to upload them to your home directory, then ssh in to the machine, switch to super user mode, and copy them into the web server directory.

I don't see how this is solving any problems, since you still can't get the files into the web server tree unless you log in under super user mode.

Any ideas on how I can convince him this is a bad idea? I use the server as well, and I don't really want to go through all this just to upload one stinkin' file once and a while.

Thanks in advance.
April 7th, 2004, 03:02 AM
.:front2back:.

But think about it, even though it will take longer just to upload the file.
Just think about how long it will take someone if they try to compromise the server..
I'd happily go along with your mate's idea it sounds good.

cheers
.:front2back:.
April 7th, 2004, 03:09 AM
skiddieleet

I don't know about the security that much, but I'm sure you have to login to use the ftp. So you could just change the DocumentRoot in the httpd.conf to something in the home directory like /home/user/www
and make sure that folder is created before you restart the webserver, and you do have to restart the webserver for all changes in the config. Of course I was assuming apache here, but I'm sure you can do similar things to other webservers. I guess your main issue is keeping up with patches on your webserver, sshd, and ftp server. Keep up with vulnerabilities and patches on those, and you should be good.

edit
s/you/your friend
April 7th, 2004, 03:22 AM
Psychomantum

Yes we are using Apache, and yes we are uploading to our home directories using FTP.

My main issue is that I've never seen a server do this. Even paid hosts that are supposed to be fairly secure allow you to upload to your web directory. He's trying to tell me that everyone does this, but I haven't seen anyone do it.

I can no longer use the built-in FTP in programs like dreamweaver, becaues I'd have to login to the machine anyway to move the file, so I might as well do it all at once.

Plus, we would be using twice as much disc space on the server, because there'd be a copy in my home directory and a copy on the web directory.

I guess what I really want to know is how do the big guys (the expensive web hosts) do it and stay secure?
April 7th, 2004, 07:20 AM
catch

Considering that the super user account is a serious weakness in Linux/UN*X systems...

What part of utilizing that account even more frequently seems like a good idea? ;)

catch
April 7th, 2004, 10:03 AM
SirDice

Re: FTP server / web server security question

Quote:

Originally posted here by Psychomantum
Instead of FTP'ing files to the directory you want them, you have to upload them to your home directory, then ssh in to the machine, switch to super user mode, and copy them into the web server directory.

If you use the same account and password for both the FTP and SSH then it's no use what so ever. FTP is a cleartext protocol so your username/password already got send over the network. And why on earth do you need root to update a couple of webpages?

I would give your account read/write permissions on the webserver directory and only allow ssh. Then you can use scp or sftp to directly copy the file to their location.
April 7th, 2004, 11:03 AM
the_JinX

yup I'm with SirDice on this one..

the problem with FTP is the fact that passwords are sent in "plain text"
that's proppably why your friend doesn't want FTP to a "web folder"

using sftp (there must be windows sftp clients, I think..) would solve that, and you could still in one go place your content . .

sftp is just normal ftp over an ssl layer..
April 7th, 2004, 11:07 AM
thehorse13

Quote:

there must be windows sftp clients, I think..)

Yep, WinSCP3 is the one I use. :)

It has support for SCP and SFTP sessions along with a failover should one method fail. Nifty little app. Yes, it's free.
April 7th, 2004, 02:33 PM
chsh

The solution is bad, for several reasons. It is far better to simply setup your FTP server to dump the files directly into the appropriate directory using a virtual username (that exists within the FTP server only), OR to use SCP/SFTP to handle the transfer. Between the two, SCP is obviously the more secure option of the two.

PuTTY/pscp + iXplorer is a good combo for people who want an SCP-capable gui, as well as commandline tools. :)
April 7th, 2004, 06:40 PM
Psychomantum

Do I need a special deamon to run secure FTP?

If so, where can I get one?

Show 40 post(s) from this thread on one page