+1 Perhaps possible to have something that only enables the service when a default admin is replaced with a strong password? It's convenient for developers, but no real service should allow a weak password on a well-known account name.
On Tue, Jun 1, 2010 at 3:07 AM, Arne Kepp <[email protected]> wrote:
> I like the idea, and I think FTP is probably the way to go given
> Microsoft's propensity to break WebDAV.
>
> But by default GeoServer ships with a small security problem in the
> sense that the admin password is universally known. I prefer Tomcat's
> approach in which no account is enabled by default, but this has not been a
> big issue up to this point.
>
> But if we include an FTP server then GeoServer suddenly becomes a
> valuable target for people who want to distribute illegal materials.
>
> I therefore suggest that it should not be possible to log in with the
> standard credentials, and if possible tell the FTP client the reason for
> the rejection in the Access Denied response.
>
> Moving the service to a different port does not really help in this
> regard, it's easy to run SYN scans against large networks, and a custom
> port makes it easier to identify the software and possible credentials
> to try.
>
> -Arne
>
>
> On 05/31/2010 06:04 PM, Andrea Aime wrote:
>> Hi,
>> I need an easy to set up FTP server for GeoServer
>> so that remote admins can upload data.
>>
>> Alessio some time ago pointed me at Apache Mina FtpServer,
>> and this tutorial shows how to create an embedded FTP
>> server the easy way:
>> http://mina.apache.org/ftpserver/embedding-ftpserver-in-5-minutes.html
>>
>> GeoSolutions actually added that into GeoBatch already.
>> Alessio, Simone, is it working fine for you?
>>
>> I guess this would be a contribution of general interest.
>> Yes, setting up a stand-alone FTP server for the same purpose
>> is not hard, but requires deciding which one you want to use
>> platform per platform, configuring it, creating the necessary
>> users (a separate set from GeoServer's own users), and making
>> sure the files created by the server can be read
>> (and eventually written) by GeoServer.
>>
>> The idea of the embedded module is that you drop it in and
>> it just starts serving the data directory contents to all
>> the GS users that have administration powers (since you need
>> to be able to configure the data afterwards anyways).
>> Basically a no-options easy install that gets you going
>> in 5 minutes.
>>
>> Given it's a full-fledged FTP server we also get much better
>> service than just file upload in forms, for example, no
>> limit on file sizes, restartable transfers, easy multiple uploads,
>> and a ton of existing clients on various platforms that
>> can access it directly.
>>
>> So, opinions?
>>
>> Cheers
>> Andrea

------------------------------------------------------------------------------
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
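The gating both replies ask for (the embedded FTP service stays disabled while the admin account still carries its well-known default password, and a refused login tells the client why in the 530 reply), as an added Python sketch that is not GeoServer or Apache Mina FtpServer code; the account name, the DEFAULT_PASSWORD placeholder, the strength rule and the reply texts are assumptions.

```python
import hashlib
import hmac
import os

# Assumptions: the shipped default is stood in for by a placeholder, and the
# strength rule (length plus three character classes) is this example's own.
ADMIN_USER = "admin"
DEFAULT_PASSWORD = "default-password-placeholder"
MIN_LENGTH = 12
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, salt, digest):
    """Constant-time check of a candidate password against a stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def is_strong(password):
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3 and password != DEFAULT_PASSWORD

class AdminStore:
    """Holds only a salted hash of the admin password, never the plaintext."""
    def __init__(self):
        self.salt, self.digest = hash_password(DEFAULT_PASSWORD)  # as shipped

    def uses_default(self):
        # Verifying the default against the stored hash also catches an admin
        # who later resets the password back to the well-known value.
        return verify(DEFAULT_PASSWORD, self.salt, self.digest)

    def set_password(self, new_password):
        if not is_strong(new_password):
            return False
        self.salt, self.digest = hash_password(new_password)
        return True

def ftp_service_enabled(store):
    """The FTP listener is only started once the default password is gone."""
    return not store.uses_default()

def ftp_login(store, user, password):
    """Return the FTP reply line; 530 carries the reason for the rejection."""
    if not ftp_service_enabled(store):
        return ("530 FTP access disabled: the admin account still uses the "
                "default password; change it in the web admin first.")
    if user != ADMIN_USER or not verify(password, store.salt, store.digest):
        return "530 Login incorrect."
    return "230 User logged in, proceed."
```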
