Hi all,
I am trying to solve a problem I have to improve security and I am
hoping someone will have a good idea or point me to docs that may
suggest a good way to achieve this.
The setup: The various servers are only accessible from three specific
location and all is done via ssh only. Any other access from the world,
needs to be via VPN to other box and turn around to connect to these
servers and all VPN gateway also use PF with OS signature and deny ALL
Linux and the like OS connections to limit even more the access.
The issue: Some clients, even after refusal for a long time insists to
use FTP to upload files to servers. So after a long discussion, it was
agree to limit access to their office only and no login account on a
OpenBSD box where they dump their PDF to be called on the web server. I
wanted to use ssh, but look like the jail of ftpd with no shell works ok
so far.
The current compromise: FTP was allow to two directory ONLY that are
part of sub section of a web site. So, the site, other then very
specific portion of the site is not accessible via FTP.
The risk: Now, if a php script is uploaded in the specific directory,
then obviously a call to that page will run the php scripts and can open
security that way and allow to do what ever the php was design for in
the server jail space obviously, but still.
The goal: Only allow PDF upload to that directory with the ftp client
and also no possibility to rename the files to .php for example.
Why: Looks like I can't win the battle to not opening up a bit more the
ftp access and I refuse to do so until I can address the concern above.
I will open it more ONLY if I find a way to limit this to PDF ONLY.
Having a cronjob delete any .php files, or any none PDF files from that
directory is not really an option as you could still upload a file, call
it, before the cronjob run and kill it.
So, any way this can be done?
Allow, delete, replace, upload of *.pdf ONLY via ftpd for the reason above?
May be it's not possible, but I am hoping that someone will have a
clever idea and I would be able to do this.
Regards,
Daniel