Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: FTP server / web server security question

  1. #1
    Junior Member
    Join Date
    Dec 2003

    Question FTP server / web server security question


    I have a friend who has an idea on how to keep his server more secure. I think he is creating way more work for himself and not solving many promblems. I want to run this by the people here to see what you think:

    Instead of FTP'ing files to the directory you want them, you have to upload them to your home directory, then ssh in to the machine, switch to super user mode, and copy them into the web server directory.

    I don't see how this is solving any problems, since you still can't get the files into the web server tree unless you log in under super user mode.

    Any ideas on how I can convince him this is a bad idea? I use the server as well, and I don't really want to go through all this just to upload one stinkin' file once and a while.

    Thanks in advance.

  2. #2
    But think about it, even though it will take longer just to upload the file.
    Just think about how long it will take someone if they try to compromise the server..
    I'd happily go along with your mate's idea it sounds good.


  3. #3
    Elite Hacker
    Join Date
    Mar 2003
    I don't know about the security that much, but I'm sure you have to login to use the ftp. So you could just change the DocumentRoot in the httpd.conf to something in the home directory like /home/user/www
    and make sure that folder is created before you restart the webserver, and you do have to restart the webserver for all changes in the config. Of course I was assuming apache here, but I'm sure you can do similar things to other webservers. I guess your main issue is keeping up with patches on your webserver, sshd, and ftp server. Keep up with vulnerabilities and patches on those, and you should be good.

    s/you/your friend

  4. #4
    Junior Member
    Join Date
    Dec 2003
    Yes we are using Apache, and yes we are uploading to our home directories using FTP.

    My main issue is that I've never seen a server do this. Even paid hosts that are supposed to be fairly secure allow you to upload to your web directory. He's trying to tell me that everyone does this, but I haven't seen anyone do it.

    I can no longer use the built-in FTP in programs like dreamweaver, becaues I'd have to login to the machine anyway to move the file, so I might as well do it all at once.

    Plus, we would be using twice as much disc space on the server, because there'd be a copy in my home directory and a copy on the web directory.

    I guess what I really want to know is how do the big guys (the expensive web hosts) do it and stay secure?

  5. #5
    Join Date
    May 2003
    Considering that the super user account is a serious weakness in Linux/UN*X systems...

    What part of utilizing that account even more frequently seems like a good idea?


  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands

    Re: FTP server / web server security question

    Originally posted here by Psychomantum
    Instead of FTP'ing files to the directory you want them, you have to upload them to your home directory, then ssh in to the machine, switch to super user mode, and copy them into the web server directory.
    If you use the same account and password for both the FTP and SSH then it's no use what so ever. FTP is a cleartext protocol so your username/password already got send over the network. And why on earth do you need root to update a couple of webpages?

    I would give your account read/write permissions on the webserver directory and only allow ssh. Then you can use scp or sftp to directly copy the file to their location.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    yup I'm with SirDice on this one..

    the problem with FTP is the fact that passwords are sent in "plain text"
    that's proppably why your friend doesn't want FTP to a "web folder"

    using sftp (there must be windows sftp clients, I think..) would solve that, and you could still in one go place your content . .

    sftp is just normal ftp over an ssl layer..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    there must be windows sftp clients, I think..)
    Yep, WinSCP3 is the one I use.

    It has support for SCP and SFTP sessions along with a failover should one method fail. Nifty little app. Yes, it's free.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Nov 2001
    The solution is bad, for several reasons. It is far better to simply setup your FTP server to dump the files directly into the appropriate directory using a virtual username (that exists within the FTP server only), OR to use SCP/SFTP to handle the transfer. Between the two, SCP is obviously the more secure option of the two.

    PuTTY/pscp + iXplorer is a good combo for people who want an SCP-capable gui, as well as commandline tools.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  10. #10
    Junior Member
    Join Date
    Dec 2003
    Do I need a special deamon to run secure FTP?

    If so, where can I get one?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts