-
April 7th, 2004, 02:55 AM
#1
Junior Member
FTP server / web server security question
Ok,
I have a friend who has an idea on how to keep his server more secure. I think he is creating way more work for himself and not solving many problems. I want to run this by the people here to see what you think:
Instead of FTP'ing files to the directory you want them, you have to upload them to your home directory, then ssh in to the machine, switch to super user mode, and copy them into the web server directory.
I don't see how this is solving any problems, since you still can't get the files into the web server tree unless you log in under super user mode.
Any ideas on how I can convince him this is a bad idea? I use the server as well, and I don't really want to go through all this just to upload one stinkin' file once in a while.
Thanks in advance.
-
April 7th, 2004, 03:02 AM
#2
But think about it, even though it will take longer just to upload the file.
Just think about how long it will take someone if they try to compromise the server..
I'd happily go along with your mate's idea; it sounds good.
cheers
.:front2back:.
-
April 7th, 2004, 03:09 AM
#3
I don't know about the security that much, but I'm sure you have to login to use the ftp. So you could just change the DocumentRoot in the httpd.conf to something in the home directory like /home/user/www
and make sure that folder is created before you restart the webserver, and you do have to restart the webserver for all changes in the config. Of course I was assuming Apache here, but I'm sure you can do similar things to other webservers. I guess your main issue is keeping up with patches on your webserver, sshd, and ftp server. Keep up with vulnerabilities and patches on those, and you should be good.
edit
s/you/your friend
-
April 7th, 2004, 03:22 AM
#4
Junior Member
Yes we are using Apache, and yes we are uploading to our home directories using FTP.
My main issue is that I've never seen a server do this. Even paid hosts that are supposed to be fairly secure allow you to upload to your web directory. He's trying to tell me that everyone does this, but I haven't seen anyone do it.
I can no longer use the built-in FTP in programs like Dreamweaver, because I'd have to login to the machine anyway to move the file, so I might as well do it all at once.
Plus, we would be using twice as much disc space on the server, because there'd be a copy in my home directory and a copy on the web directory.
I guess what I really want to know is how do the big guys (the expensive web hosts) do it and stay secure?
-
April 7th, 2004, 07:20 AM
#5
Considering that the super user account is a serious weakness in Linux/UN*X systems...
What part of utilizing that account even more frequently seems like a good idea? 
catch
-
April 7th, 2004, 10:03 AM
#6
Re: FTP server / web server security question
Originally posted here by Psychomantum
Instead of FTP'ing files to the directory you want them, you have to upload them to your home directory, then ssh in to the machine, switch to super user mode, and copy them into the web server directory.
If you use the same account and password for both the FTP and SSH then it's no use whatsoever. FTP is a cleartext protocol so your username/password already got sent over the network. And why on earth do you need root to update a couple of webpages?
I would give your account read/write permissions on the webserver directory and only allow ssh. Then you can use scp or sftp to directly copy the file to their location.
Oliver's Law:
Experience is something you don't get until just after you need it.
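A sketch of the setup suggested in post #6 (group read/write on the web root so scp/sftp uploads need no root), added here as an example and not posted by anyone in the thread. The group name `webdev`, the user `alice` and the path `/var/www/html` are assumptions.

```shell
#!/bin/sh
# Added example: group-writable web root, so uploads over scp/sftp
# land directly in place and nobody needs root to publish a page.
# One-time admin steps (hypothetical names):
#   groupadd webdev; usermod -aG webdev alice
#   prepare_docroot /var/www/html webdev

# Give GROUP read/write on DOCROOT. The setgid bit on directories makes
# new uploads inherit the group instead of the uploader's primary group.
prepare_docroot() {
    docroot=$1 group=$2
    chgrp -R "$group" "$docroot" || return 1
    find "$docroot" -type d -exec chmod g+rwxs,o-w {} + || return 1
    find "$docroot" -type f -exec chmod g+rw,o-w {} +
}

# Print every path that breaks the scheme: world-writable entries,
# directories without setgid + group rwx, files the group cannot write.
# Returns 0 when the tree is clean, 1 otherwise.
audit_docroot() {
    docroot=$1
    bad=$(find "$docroot" ! -type l \( -perm -0002 \
            -o \( -type d ! -perm -2070 \) \
            -o \( -type f ! -perm -0060 \) \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Group members should upload with a umask of 002 so that new files stay group-writable; `audit_docroot` can run from cron to catch drift.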
-
April 7th, 2004, 11:03 AM
#7
yup I'm with SirDice on this one..
the problem with FTP is the fact that passwords are sent in "plain text"
that's probably why your friend doesn't want FTP to a "web folder"
using sftp (there must be windows sftp clients, I think..) would solve that, and you could still in one go place your content..
sftp is just normal ftp over an ssl layer..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
April 7th, 2004, 11:07 AM
#8
there must be windows sftp clients, I think..)
Yep, WinSCP3 is the one I use. 
It has support for SCP and SFTP sessions along with a failover should one method fail. Nifty little app. Yes, it's free.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
April 7th, 2004, 02:33 PM
#9
The solution is bad, for several reasons. It is far better to simply set up your FTP server to dump the files directly into the appropriate directory using a virtual username (that exists within the FTP server only), OR to use SCP/SFTP to handle the transfer. Between the two, SCP is obviously the more secure option of the two.
PuTTY/pscp + iXplorer is a good combo for people who want an SCP-capable gui, as well as commandline tools.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
April 7th, 2004, 06:40 PM
#10
Junior Member
Do I need a special daemon to run secure FTP?
If so, where can I get one?