On Sun, 14 May 2017 02:48:46 +0100
lee <l...@yagibdah.de> wrote:

> Kai Krakow <hurikha...@gmail.com> writes:
> 
> > On Sat, 29 Apr 2017 20:30:03 +0100
> > lee <l...@yagibdah.de> wrote:
> >  
> >> Danny YUE <sheepd...@gmail.com> writes:
> >>   
>  [...]  
>  [...]  
>  [...]  
> >> 
> >> Doesn't that require ssh access?  And how do you explain that to
> >> ppl finding it too difficult to use Filezilla?  Is it available for
> >> Windoze?  
> >
> > Both, sshfs and scp, require a full shell (that may be restricted
> > but that involves configuration overhead on the server side).  
> 
> I wouldn't want them to have that.

And I can understand this...

> > You can use sftp (FTP wrapped into SSH), which is built into SSH. It
> > has native support in many Windows clients (most implementations use
> > PuTTY in the background). It also has the advantage that you can
> > easily restrict users on your system to SFTP-only with an easy
> > server-side configuration.  
> 
> From what I've been reading, sftp is deprecated and has been replaced
> by ftp with TLS.

From what I'm guessing, you're mixing up sftp and ftps. sftp is
ssh+ftp, and ftps is ftp with ssl. The latter is probably deprecated in
favor of ftp with tls. TLS supports name indication (to show the
correct server certificate) and it supports handshaking so the same
port can be used for secure and insecure connections.

Apparently, many sites on the internet also mix up ftps and sftp; for
them both are FTP with SSL. But that's not true. I think that comes from
the fact that "secure ftp" often is a synonym for "ssl encryption" as
it is with "secure http". But that doesn't mean the acronym is "sftp"
as it also is not "shttp".

>  [...]  
> >> 
> >> Does that work well, reliably and securely over internet
> >> connections?  
> >
> > It supports encryption as transport security, and it supports
> > kerberos for secure authentication; the latter is not easy to set up
> > in Linux, but it should work with Windows clients out-of-the-box.
> >
> > But samba is a pretty complex daemon and thus offers a big attack
> > surface for hackers and bots. I'm not sure you want to expose this
> > to the internet without some sort of firewall in place to restrict
> > access to specific clients - and that probably wouldn't work for
> > your scenario.  
> 
> At least it's a possibility.  I don't even know if they have static
> IPs, though.

Modern CIFS implementations can be forced to encrypt the transport
layer and only accept kerberos authenticated clients. It should be safe
to use then if properly firewalled. At least "CIFS" (which is samba)
afaik means "common internet file system" - that should at least have a
minimal meaning of "intended to be used over internet connections". Of
course this really doesn't say anything about transport security. Be
sure to apply one, and you should be good to go.

> > But you could offer access via OpenVPN and tunnel samba through
> > that.  
> 
> I haven't been able yet to figure out what implications creating a VPN
> has.  I understand it's supposed to connect networks through a secured
> tunnel, but what kind of access to the LAN does someone get who
> connects via VPN?  Besides, VPN is extremely complicated and
> difficult to set up.  I consider it an awful nightmare.

You need to first understand how tunnel devices work. Then it becomes
very easy to set up. The access to the LAN can be restricted by
firewall rules. As long as you don't set up routes from the transfer
network (where the tunnel is located) to your LAN, there won't be
access. And then there are firewall rules after you set up routing.

> Wireguard seems a lot easier.

I didn't know that, I will look into it.

> > By that time, you can as easily offer FTP, too, through the tunnel
> > only, as there should be no more security concerns now: It's
> > encrypted now.  
> 
> The ftp server already doesn't allow unencrypted connections.
> 
> Now try to explain to ppl for whom Filezilla is too complicated how to
> set up a VPN connection and how to secure their LAN once they create
> the connection (if we could ever get that to work).  I haven't been
> able to figure that out myself, and that is one of the main reasons
> why I do not have a VPN connection but use ssh instead.  The only
> disadvantage is that I can't do RDP sessions with that ---  I
> probably could and just don't know how to --- but things might be a
> lot easier if wireguard works.

You can always deploy VPN at the edge of the network, so your clients
won't need to bother with the details but just use the connection.

You can also try using WinSCP instead of Filezilla (despite the name,
it also supports FTP). Then put a connection file on their desktop and
configure it to run in explorer mode. Now it should mostly look like a
file explorer and they can copy files like they used to.

But then again: Ppl want to get paid for their work. That also means
they need to invest at least a bit more than just their time... ;-)

> > OpenVPN also offers transparent compression which can be a big
> > plus for your scenario.  
> 
> Not really, a lot of data is images, usually JPEG, some ZIP files,
> some PDF.  All that doesn't compress too well.

Okay, net data is incompressible, but protocol overhead (like directory
listings) should compress pretty well.

> > OpenVPN is not too difficult to setup, and the client is available
> > for all major OSes. And it's not too complicated to use: Open VPN
> > connection, then use your file transfer client as you're used to.
> > Just one simple extra step.  
> 
> I'm finding it a horrible nightmare, see above.  It is the most
> difficult thing you could come up with.  I haven't found any good
> documentation that explains it, the different types of it, how it
> works, what to use (apparently there are many different ways or
> something, some of which require a static IP on both ends,

OpenVPN works perfectly with dynamic IPs on both sides. IPsec doesn't
do well here.

> and they
> even give you different disadvantages in performance ...),

Every tunnel interface has performance overheads, that's the nature of
how they work.

> how to
> protect the participants and all the complicated stuff involved.

Put it on the edge router.

>  So
> far, I've managed to stay away from it, and I wouldn't know where to
> start.  Of course, there is some documentation, but it is all
> confusing and no good.
> 
> The routers even support it.  In theory, it shouldn't be difficult to
> set up, but that's only theory.  They do not have any documentation as
> to how to protect the connected networks from each other.  I could
> probably get it to work, but I wouldn't know what I'm doing, and I
> don't like that.

Do not use simple routers with kludgy VPN implementations. Such routers
have those mostly as free bonus features for selling/marketing
purposes. Use a real firewall router. There are even free ones that you
can install on supported hardware routers. But maybe better give it a
professional touch by buying a real hardware/software bundle with
support included, so you can get support setting everything up
correctly.

> I admit that I don't really want to know how VPN works because it's
> merely an annoyance and not what I need.  What's needed is a simple,
> encrypted connection between networks, and VPN is anything but that.

Well, VPN is actually that: It's an encrypting tunnel able to bridge
two networks. But I see that you're asking for a single secure
connection. You don't want to connect networks.

> Wireguard sounds really simple.  Since I need to set up a VPN or
> VPN-like connection sooner than later, I'm considering using it.

I'll look into that, as mentioned earlier.


-- 
Regards,
Kai

Replies to list-only preferred.
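The "easy server-side configuration" for SFTP-only users mentioned above is an sshd_config `Match` block that chroots the group and forces the internal SFTP server. The following checker is an added example, not code from this thread or from OpenSSH: it parses a sshd_config (including `Match` blocks) and reports what is missing for a given group. The directive names are real sshd_config keywords; the group name `sftponly`, the chroot path `/srv/sftp/%u` and both sample configs are constructed assumptions.

```python
"""Audit an sshd_config for an SFTP-only Match block (added example, not from the thread)."""

# Directives an SFTP-only Match block should carry, with the expected value
# (None = any value is fine, the directive only has to be present).
# Keyword and value comparison is case-insensitive, like sshd itself.
REQUIRED = {
    "forcecommand": "internal-sftp",   # no shell, no scp, no sftp-server binary needed
    "chrootdirectory": None,           # confine the user to a directory tree
    "allowtcpforwarding": "no",        # no port forwarding through the sftp login
    "x11forwarding": "no",
    "permittunnel": "no",              # no tun device via the sftp login
}


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives: list of (keyword, value) before the first Match line.
    match_blocks: list of (criteria, [(keyword, value), ...]); everything after a
    Match line belongs to that block until the next Match line, as in sshd.
    """
    global_directives = []
    match_blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Key value" and "Key=value"
        if "=" in line.split(None, 1)[0]:
            line = line.replace("=", " ", 1)
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = []
            match_blocks.append((value.lower(), current))
        elif current is None:
            global_directives.append((key, value))
        else:
            current.append((key, value))
    return global_directives, match_blocks


def audit_sftp_only(text, group="sftponly"):
    """Return a list of problems with the SFTP-only setup for `group`.

    An empty list means members of `group` are confined to SFTP.
    """
    problems = []
    global_directives, blocks = parse_sshd_config(text)

    # An sftp subsystem must be declared, otherwise ForceCommand internal-sftp
    # has nothing to run.
    subsystems = [v for k, v in global_directives if k == "subsystem"]
    if not any(v.split()[0] == "sftp" for v in subsystems if v):
        problems.append("no 'Subsystem sftp' directive")

    wanted = f"group {group}"
    block = next((d for crit, d in blocks if crit == wanted), None)
    if block is None:
        problems.append(f"no 'Match Group {group}' block: members get a full shell")
        return problems

    present = {k: v for k, v in block}
    for key, expected in REQUIRED.items():
        if key not in present:
            problems.append(f"Match block lacks {key}")
        elif expected is not None and present[key].lower() != expected:
            problems.append(f"{key} is '{present[key]}', expected '{expected}'")
    return problems


# Constructed sample: SFTP works, but the users still get a shell and scp.
WEAK_CONFIG = """
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
"""

# Constructed sample: members of group sftponly are confined to SFTP.
HARDENED_CONFIG = """
Subsystem sftp internal-sftp
PasswordAuthentication yes

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_only(cfg) or "ok")
```

One caveat that is easy to miss when deploying the hardened block: sshd refuses the login unless the `ChrootDirectory` itself (and every path component above it) is owned by root and not group- or world-writable, so the users' writable upload directory has to be a subdirectory below the chroot, not the chroot itself.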
