
Thread: FTP server / web server security question

  1. #11
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    It runs over port 22, SSH. On *nix, simply run the SSH daemon. On Windows, there are 3rd party SSH daemons available out there. Google it.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #12
    Maestr0 (Senior Member)
    Join Date
    May 2003
    Posts
    604
    Just tunnel your normal FTP traffic over SSH. I would also do as Chsh suggested and use a limited user account setup solely for Web site maintenance on the FTP server.

    This link should provide you with all you will need to use Dreamweaver securely.
    http://www.macromedia.com/support/dr...uments/ssh.htm

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #13
    Senior Member
    Join Date
    Jun 2002
    Posts
    144
    I am not familiar with SFTP; however, I can recommend a prog that is easy to use, easy to configure and encrypts all traffic. Try out EFTP. I use it at home and my ftp server is up 24/7. I have logged several attempts to crack it, but no one has yet. It starts off by sending the userid and pass encrypted with the Blowfish algorithm. Once the user has authenticated, it sets up a PGP-encrypted tunnel (I use 2056 bit). It takes about 30 sec to a min to set the tunnel up, but with all the security features, it makes it secure. If anyone else has tried it, I would like to hear your opinions of it. I haven't found any weakness, except that in order to get the encryption, you have to use the EFTP client with the server. (Both are free.)
    M$ support is like shooting yourself in the left foot and then putting a band-aid on the right one.

  4. #14
    Junior Member
    Join Date
    Dec 2003
    Posts
    24
    Thanks for all your help people.

    I tried WinSCP and I like it a lot. I might suggest to him that he set it up for SFTP, but I can live with SSH's scp.

  5. #15
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    In the end, you can do all or none of the following:

    1: lose telnet and ftp. Shut off services in /etc/xinetd.d/(name here): set disable to yes, then kill -SIGHUP xinetd, which causes it to reread config files and terminate the services that aren't available anymore.

    The above removes two cleartext services and thus the ability to be exploited.

    2: get the latest rpm of ssh and run sshd. This provides ssh, scp, sftp services through port 22.

    3: use a chrooted ftp service available through your browser (ftp://whatever...). This allows drag-and-drop ability and you can secure these directories for owners and groups, thus allowing greater security.

    4: get webmin and create a few scripts that do all your moving for you. This can be run in ssl-mode if you want (even though nobody knows your certificate) and now you have point-and-click methods of updating your web pages.

    FTP using browser to drag-drop your files.
    Login with same browser through your webmin (http://yoursite:10000 usually) and with ACL-driven accounts, now you can do your work.

    Just an idea.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
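    The xinetd part of step 1 above, as an added example that is not from this thread or any of its posters: a small POSIX sh helper that sets `disable = yes` in a service's xinetd stanza, a check that reports which cleartext services are still enabled, and an optional HUP of the running daemon. The directory is a parameter so it can be rehearsed against a scratch copy before touching /etc/xinetd.d; the sample stanzas at the bottom are constructed for the demonstration, and the service list (`telnet ftp`) is an assumption taken from the post.

```shell
#!/bin/sh
# Added example: disable cleartext xinetd services and verify the result.
# Function names, the scratch-directory layout and the sample stanzas below
# are constructed for this illustration; they are not from xinetd's own docs.

# Rewrite $dir/$svc so its stanza carries "disable = yes".
# Returns 1 if no such service file exists.
disable_xinetd_service() {
    dir=$1; svc=$2; f="$dir/$svc"
    [ -f "$f" ] || return 1
    tmp="$f.tmp.$$"
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        # an existing directive (yes or no) is replaced in place
        awk '/^[[:space:]]*disable[[:space:]]*=/ { print "\tdisable\t= yes"; next } { print }' \
            "$f" > "$tmp"
    else
        # no directive at all: xinetd treats that as enabled, so insert one
        # directly after the opening brace of the stanza
        awk '{ print } /[{]/ && !done { print "\tdisable\t= yes"; done=1 }' "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
}

# Succeeds (exit 0) when the service is still enabled: the file exists and
# has no "disable = yes" line. A missing file counts as not enabled.
xinetd_service_enabled() {
    f="$1/$2"
    [ -f "$f" ] || return 1
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"
}

# Print, one per line, the cleartext services under $1 that remain enabled.
# Empty output means step 1 is complete.
list_enabled_cleartext() {
    for svc in telnet ftp; do
        xinetd_service_enabled "$1" "$svc" && echo "$svc"
    done
    return 0
}

# Ask a running xinetd to reread its configuration (the kill -SIGHUP from
# the post). Silently does nothing when xinetd is not running or we lack
# permission, so the function is safe to call from a rehearsal run.
reload_xinetd() {
    command -v pidof >/dev/null 2>&1 || return 0
    pid=$(pidof xinetd 2>/dev/null) || return 0
    kill -HUP $pid 2>/dev/null || return 0
}

# Build a scratch directory with constructed telnet and ftp stanzas, so the
# helpers can be exercised without root. Prints the directory path.
make_sample_xinetd_dir() {
    d=$(mktemp -d)
    printf 'service telnet\n{\n\tflags\t\t= REUSE\n\tsocket_type\t= stream\n\tdisable\t\t= no\n}\n' > "$d/telnet"
    printf 'service ftp\n{\n\tsocket_type\t= stream\n\twait\t\t= no\n}\n' > "$d/ftp"
    echo "$d"
}

# Demonstration against the scratch copy (replace with /etc/xinetd.d for real).
demo_dir=$(make_sample_xinetd_dir)
echo "before: $(list_enabled_cleartext "$demo_dir" | tr '\n' ' ')"
for svc in telnet ftp; do disable_xinetd_service "$demo_dir" "$svc"; done
echo "after:  $(list_enabled_cleartext "$demo_dir" | tr '\n' ' ')"
reload_xinetd
rm -rf "$demo_dir"
```

Run it once as-is to see the before/after on the scratch copy; then, as root, call `disable_xinetd_service /etc/xinetd.d telnet`, the same for `ftp`, and `reload_xinetd`. The `list_enabled_cleartext` check is worth keeping in a cron job, since a package upgrade can drop a fresh stanza without a `disable` line back into the directory.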

  6. #16
    Banned
    Join Date
    May 2003
    Posts
    1,004
    This isn't an opinion or advice or anything of that nature, but from my professional experience... I've only seen plain text protocols exploited a handful of times, and each of those was either by insiders or already exploited systems AND those compromises only led to compromise of the accounts in question.

    On the other hand I have seen many, many systems compromised via SSH; these attacks tend to be from outsiders and tend to break the service itself, leveraging superuser privileges.

    This is just anecdotal of course, but it does only further stress the point of multilevel security and/or domain-based access controls on public servers.

    catch

  7. #17
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Agreed, catch...I'm all for ACLs myself and have spent quite a bit of time trying to get it just right.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
