o-----------ooO--(- Important Message -)--Ooo------------o
| |
| SAVE BANDWIDTH, SPACE, TIME & MONEY, REPLY WITH PRUDENCE.|
| |
o----=[ Penguin @ My - Linux ([EMAIL PROTECTED]) ]=----o
-------- Original Message --------
Subject: [UNIX] Securing FTP uploads using SSH (A practical guide to securing FTP under Linux)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com
Securing FTP uploads using SSH (A practical guide to securing FTP under Linux)
--------------------------------------------------------------------------------
SUMMARY
Many hosts on the Internet provide their users with access to
<http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=FTP> FTP services (FTP
allows retrieving and storing of files on a remote server).
FTP provides no standard security mechanism to keep an attacker from sniffing
usernames and passwords, which are sent in clear text (so is every file that is
transferred). This means that an attacker on the local network, at either end
or on any segment the traffic crosses, can use a simple sniffer to grab the
username and password. Remote attackers will typically break into a weaker host
on the local network and from there 'sniff' the username and password of the
target host.
Many administrators install SSH in order to avoid using telnet (which also
relies on a cleartext login), but neglect the fact that their username and
password are sent in clear text whenever they download or upload files to
their FTP server.
This guide will show you how to use SSH to tunnel the FTP control connection
between the FTP client and the FTP server. We assume SSH is installed on both
the server and the client.
DETAILS
SSH is a packet-based binary protocol that works on top of any transport that
will pass a stream of binary data. Normally, TCP/IP is used as the transport,
but the implementation of the SSH protocol also permits the use of an arbitrary
proxy program to forward confidential data through an encrypted connection.
The packet mechanism and the related mechanisms for authentication, key
exchange, encryption, and integrity protection implement a transport-layer
security mechanism. This mechanism is in turn used to implement secure
connections.
If you already run an SSH daemon as a replacement for telnet, you can easily
allow your users to upload and download files securely from your site (the
same technique protects any other TCP-based protocol that uses a single
connection, such as POP3 or SMTP).
1) Make sure you have a working SSH server and a working SSH client (we used
SSH Tunnel&Terminal 2.0.12 build 9, but other versions should work just as
well).
2) Choose the configuration of a Local Tunnel (go to Edit -> Properties ->
Local Tunneling).
3) Add a new tunnel (if one does not already exist).
4) 'Source Port' should be set to a local port that isn't currently in use
(under Windows you can use netstat with the parameter '-a' to see which port
numbers are taken); we chose port number 2121.
5) 'Destination Host' should be set to the host you want connections forwarded
to, usually the host you are connecting to. Note that this name is resolved by
the SSH server, not by your machine: 'localhost' here means the FTP daemon on
the SSH server itself. If you name a different host, the leg from the SSH
server to that host is ordinary, unencrypted TCP.
6) 'Destination Port' should be set to 21 (for FTP).
7) 'Application to Start' should be left empty.
Now simply connect to your SSH server. Once authentication has completed,
start your favorite FTP client and point it at 'localhost', port 2121. You
should now be able to connect to the desired server; the FTP login (USER/PASS)
travels inside the SSH connection.
Be aware of what this tunnel does and does not cover. Only the FTP control
connection (port 21) is forwarded. Every directory listing and file transfer
uses a separate data connection that FTP negotiates with PORT or PASV, and
that connection is made directly between client and server, outside the tunnel
and in clear text. In passive mode the server advertises an address and port in
its 227 reply: if it advertises the address the control connection arrived
from, that is 127.0.0.1 on the server, and the client will fail to connect to
it; if it advertises its real address, the transfer simply bypasses the tunnel.
In active mode the client's PORT command likewise names 127.0.0.1, which the
server cannot reach. So this setup protects the password, not the data. To
protect file contents as well, use a transfer that runs entirely over SSH (scp,
or sftp where the server supports SSH 2).
Note that if TCP Wrappers is enabled on the remote host, you might be unable to
connect: the forwarded connection reaches the FTP daemon from the SSH server
itself, i.e. from 127.0.0.1, and 'localhost' connections might be disabled
(check your log file). To enable them, add a line for the FTP daemon to
/etc/hosts.allow, for example 'in.ftpd: 127.0.0.1' (use the daemon name from
your inetd.conf). For the same reason the FTP server's logs will show every
tunneled session as coming from 127.0.0.1, so per-address logging and access
limits no longer identify the real client.
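The same tunnel built with the OpenSSH command-line client on a Unix client
machine, as an added example rather than anything from the advisory (which used
the Windows SSH Tunnel&Terminal GUI). The host name ftp.example.org, the login
alice and the control-socket path are assumptions. The script also carries a
Unix stand-in for the advisory's 'netstat -a' port check and a small parser for
the server's 227 reply, so you can see where a passive-mode data connection
would actually be dialed (never 127.0.0.1:2121, i.e. never through the tunnel).

```shell
#!/bin/sh
# Added example: local SSH tunnel for the FTP control connection, built with
# OpenSSH instead of the SSH Tunnel&Terminal GUI used in the advisory.
# Assumed values (change to taste): ftp.example.org is both the SSH and the
# FTP server, alice is the SSH login, 2121 is the local "Source Port".
REMOTE_HOST="${REMOTE_HOST:-ftp.example.org}"
SSH_USER="${SSH_USER:-alice}"
LOCAL_PORT="${LOCAL_PORT:-2121}"
CTL_SOCK="${TMPDIR:-/tmp}/ftp-tunnel-$$.sock"   # control socket for teardown

# Decimal port -> the 4-digit hex form used in /proc/net/tcp (2121 -> 0849).
port_hex() {
    printf '%04X' "$1"
}

# Unix stand-in for the advisory's "netstat -a" check: succeed if a socket
# already LISTENs (state 0A) on the port. Needs Linux's /proc/net/tcp.
port_in_use() {
    [ -r /proc/net/tcp ] || return 1
    files=/proc/net/tcp
    [ -r /proc/net/tcp6 ] && files="$files /proc/net/tcp6"
    # field 2 is local_address "ip:port" (hex), field 4 is the socket state
    awk -v p=":$(port_hex "$1")" \
        '$2 ~ (p "$") && $4 == "0A" { found = 1 } END { exit found ? 0 : 1 }' \
        $files
}

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and print host:port.
# That is where the FTP client dials the *data* connection; it is a direct,
# unencrypted TCP connection and not the tunnel. Returns 1 for other replies.
pasv_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*(\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\)).*/\1.\2.\3.\4 \5 \6/p')
    [ $# -eq 3 ] || return 1
    printf '%s:%d\n' "$1" $(($2 * 256 + $3))
}

# Bring the tunnel up, run the FTP client against its local end, tear it down.
main() {
    if port_in_use "$LOCAL_PORT"; then
        echo "local port $LOCAL_PORT is already taken; set LOCAL_PORT to a free one" >&2
        return 1
    fi
    # -N: no remote shell. -f: go to background after authentication, with the
    # local listener already bound. ExitOnForwardFailure turns a failed bind
    # into a non-zero exit. -M/-S: control master so the tunnel can be closed
    # cleanly afterwards. "localhost" in -L is resolved on the SSH server, so
    # port 21 there is the FTP daemon on the server, reached from 127.0.0.1.
    ssh -f -N -M -S "$CTL_SOCK" -o ExitOnForwardFailure=yes \
        -L "$LOCAL_PORT:localhost:21" "$SSH_USER@$REMOTE_HOST" || return 1
    # Only the control channel (USER/PASS, commands) is protected here;
    # PORT/PASV data connections are made outside the tunnel.
    ftp localhost "$LOCAL_PORT"
    ssh -S "$CTL_SOCK" -O exit "$SSH_USER@$REMOTE_HOST"
}

# Run with:  sh ftp-tunnel.sh run   (the functions above are reusable alone)
case "${1:-}" in run) main ;; esac
```

The 227 parser is the quick way to convince yourself of the caveat: feed it the
reply your server actually sends and note that the printed endpoint is either
the server's real address (transfer in the clear) or 127.0.0.1 on the server
(transfer fails); neither goes through port 2121.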
ADDITIONAL INFORMATION
See our other guide:
<http://www.securiteam.com/unixfocus/Who_guards_your_front_doors___A_practical_guide_to_securing_POP3_under_Linux_.html>
Who guards your front doors? (A practical guide to securing POP3 under Linux).
An evaluation version of the SSH Tunnel&Terminal client can be downloaded from:
<http://www.datafellows.com/>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: [EMAIL PROTECTED]
In order to subscribe to the mailing list, simply forward this email to:
[EMAIL PROTECTED]
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
-
Disclaimer : http://users.my-linux.org/disclaimer.html