On Feb 27, 2005, at 10:34 AM, Dan Crutcher wrote:

>
>> At the very least you should consider setting up TCP wrappers by  
>> configuring /etc/hosts.allow and /etc/hosts.deny and limiting access  
>> to certain accounts with /etc/ftpusers.
>
> This is a bit beyond my level of expertise, but it sounds like a good  
> idea. Can you point me to a source that would explain in more detail  
> how to do this?

A site with an introduction to TCP Wrappers is

<http://www.macos.utah.edu/Documentation/macosx/security/tcpwrappers.html>

In the terminal type "man ftpusers" to get the documentation for  
ftpusers.

Googling will get you more information than you really want on these  
topics.

>> FTP is very insecure due to the fact that when a person on the other end
>> connects to your MacOS X machine via FTP, their username and password are
>> passed across the Internet in clear text, which means that anyone watching
>> traffic now has your IP address, the username, and the password.
>
> Just so I understand better, how would someone "watch" traffic on the  
> Internet between, say, my computer at home and an FTP server at my  
> workplace? I've heard of this sort of thing before, but have never  
> really understood how it works. Can anyone connected to the Internet  
> "see" the data as it flows through from server to server? Wouldn't you  
> have to be strategically located -- such as, at an ISP or some main  
> transfer point -- to see anything meaningful?

Here's an example. There are programs called packet sniffers that can  
monitor all the network traffic passing by a machine. You can set them  
up to watch for phrases like "Password" or "User ID." If you set one up  
in a public lab at a university, you can catch unencrypted passwords.  
This has often happened at UofL.

It's a real problem for people who want to use the wireless  
connection in a public place. You don't really know that the protocol  
was set up securely. The guy sitting next to you could be listening in.  
If your connection is secure, nobody (except maybe the NSA and their  
brethren) can listen.

> Suppose someone did capture the IP and login information of an FTP  
> client -- what harm could they do other than getting into the  
> particular directory that that client has access to and messing around  
> with the files therein?

That's a start. It's usually the first step to gaining access to a  
machine. They'll poke around to find a hole such as permissions set  
wrong on a program that runs with root privileges.

>> My advice is to NOT turn on FTP and instead turn on Remote Login, which
>> turns on ssh and essentially something called SFTP. For your Mac people who are
>> going to connect, head to Version Tracker and have them download Fugu, which
>> is a free application that allows secure connections (SFTP, not FTP
>> S=secure). For your Windows people, try Version Tracker and click on the
>> Windows tab and search for Core FTP LE or WinSCP or EngInSite DataFreeway.
>
> This sounds like a good idea, and I may well do this. The only thing  
> that worries me about it is that many of our clients who might use  
> this service (mainly advertisers who want to upload large graphics  
> files to our server) may not want to bother with jumping through this  
> extra technological hoop.

There are better ways to handle uploads. You can set up anonymous ftp  
access with drop boxes that keep the files invisible to everyone out on  
the network. That's how I set up the labs in the Mathematics  
Department.

Another way is to set up a machine that's used for not much else and  
put the accounts on it. Stick your firewall between the ftp machine and  
your important machines. The ftp machine can be almost anything because  
it doesn't need much power. For example, an old Pentium2 box with Linux  
would be really cheap. I've seen suitable hardware at rummage sales for  
$30 and all the software is free.

> We use straight FTP all the time to upload large files to various  
> printers, and they don't seem to worry about someone capturing our  
> login information. Is that because they've probably got some extra  
> security measures set up on their end -- or are they just whistling  
> past the graveyard?

If it's anonymous ftp, you can set that up pretty securely. There's  
also the old "security through obscurity" myth.

>
>> Remember that FTP, ssh, and SFTP do NOT copy resource forks, which some
>> applications still use when saving files. I would suggest you test with all
>> types of files to ensure you do not have a problem later on down the road.
>
> Could this be overcome by having them use compression utilities like  
> zip or stuffit before they upload the files to us?

Yes. On the Mac StuffIt will work, but not zip or gzip. From Windows,  
zip is appropriate.



| The next meeting of the Louisville Computer Society will
| be February 22. The LCS Web page is <http://www.kymac.org>.
| List posting address: <mailto:macgroup at erdos.math.louisville.edu>
| List Web page: <http://erdos.math.louisville.edu/macgroup>
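
Added example, not part of the original message: a small Python model of how the /etc/hosts.allow, /etc/hosts.deny and /etc/ftpusers files mentioned above combine to decide an FTP login. The file contents, the daemon name "ftpd", the addresses and the user names are constructed assumptions; only ALL, address-prefix and net/mask client patterns are modelled.

```python
import ipaddress

# Constructed sample files for illustration (not taken from the post).
HOSTS_ALLOW = """
# daemon_list : client_list
ftpd : 192.168.1.0/255.255.255.0, 10.20.30.
sshd : ALL
"""
HOSTS_DENY = "ALL : ALL\n"
FTPUSERS = "# accounts barred from FTP login\nroot\nadmin\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # address prefix such as "10.20.30."
        return ip.startswith(pattern)
    if "/" in pattern:             # net/mask form n.n.n.n/m.m.m.m
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    return pattern == ip

def listed(rules, daemon, ip):
    return any((daemon in d or "ALL" in d)
               and any(client_matches(p, ip) for p in c) for d, c in rules)

def tcp_wrappers_allows(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow match grants; otherwise a deny match refuses; otherwise grant."""
    if listed(parse_rules(allow), daemon, ip):
        return True
    return not listed(parse_rules(deny), daemon, ip)

def ftp_login_permitted(user, ip):
    # Assumes the classic one-name-per-line /etc/ftpusers deny list.
    banned = {l.split("#", 1)[0].strip() for l in FTPUSERS.splitlines()} - {""}
    return tcp_wrappers_allows("ftpd", ip) and user not in banned

if __name__ == "__main__":
    for who in [("dan", "192.168.1.25"), ("root", "192.168.1.25"), ("dan", "203.0.113.9")]:
        print(who, ftp_login_permitted(*who))
```

Passing deny="" to tcp_wrappers_allows shows why the catch-all line in hosts.deny matters: with an empty deny file, a client that matches nothing in hosts.allow is still granted access.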

