o-----------ooO--(- Important Message -)--Ooo------------o
|                                                         |
| SAVE BANDWIDTH, SPACE, TIME & MONEY, REPLY WITH PRUDENCE.|
|                                                         |
o----=[ Penguin @ My - Linux ([EMAIL PROTECTED]) ]=----o

To all readers,

Please do not use SSH if you do not reside in the United States or Canada.
There is an encryption export law that prohibits exporting encryption higher
than 56 bits outside the US. MS's Win2k has 128-bit but apparently has
permission to be exported.

If you do want to use SSH, there's nothing to stop you, just that you know
about this law.

>From: "Harisfazillah Jamel" <[EMAIL PROTECTED]>
>Reply-To: "Penguin @ My-Linux" <[EMAIL PROTECTED]>
>To: Penguin My-Linux <[EMAIL PROTECTED]>
>Subject: [Penguin] [Fwd: [UNIX] Securing FTP uploads using SSH (A practical
>guide to securing FTP under Linux)]
>Date: Thu, 10 Feb 2000 13:37:05 +0800
>
>-------- Original Message --------
>Subject: [UNIX] Securing FTP uploads using SSH (A practical guide to
>securing FTP under Linux)
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>
>The following security advisory is sent to the securiteam mailing list,
>and can be found at the SecuriTeam web site: http://www.securiteam.com
>
>Securing FTP uploads using SSH (A practical guide to securing FTP under
>Linux)
>------------------------------------------------------------------------
>
>SUMMARY
>
>Many hosts on the Internet provide their users with access to FTP
>services <http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=FTP> (FTP
>allows retrieving and storing of files from a remote server).
>FTP does not provide any standard security mechanism to prevent malicious
>attackers from sniffing out usernames and passwords, which are sent in
>clear text. This means that an attacker on the local network can use a
>simple sniffer to grab the username and passwords. Remote attackers will
>break into a weaker host on the local network, and from there attempt to
>'sniff' the username and password of the target host.
>Many administrators install SSH in order to avoid using telnet (which
>also incorporates a cleartext login mechanism), but neglect the fact that
>their username and password are sent in clear text whenever they download
>or upload files to their FTP server.
>This guide will show you how to use SSH to implement a secure tunnel
>between the FTP server and the FTP client. We assume SSH is installed on
>both the server and the client.
>
>DETAILS
>
>SSH is a packet-based binary protocol that works on top of any transport
>that will pass a stream of binary data. Normally, TCP/IP is used as the
>transport, but the implementation of the SSH protocol also permits the
>use of an arbitrary proxy program to forward confidential data through an
>encrypted connection. The packet mechanism and the related mechanisms for
>authentication, key exchange, encryption, and integrity protection
>implement a transport-layer security mechanism. This mechanism is in turn
>used to implement secure connections.
>
>If you already have an SSH daemon which is used for secure telnet
>connections, you can easily allow your users to upload and download files
>securely from your site (this guide can be used to protect any other TCP
>based protocol as well as FTP).
>
>1) Make sure you have a working SSH server, and a working SSH Client (We
>used SSH Tunnel&Terminal 2.0.12 build 9, but other versions should work
>just as well).
>
>2) Choose configuration of a Local Tunnel (Go to Edit -> Properties ->
>Local Tunneling).
>
>3) Add a new Tunnel (if one does not already exist).
>
>4) 'Source Port' should be configured to one that isn't currently used
>(under Windows you can use netstat with the parameter '-a' to see which
>port numbers are taken); we chose port number 2121.
>
>5) 'Destination Host' should be set to the remote host you want
>connections to be forwarded to; this is usually the host you are
>connecting to.
>
>6) 'Destination Port' should be set to 21 (for FTP).
>
>7) 'Application to Start' should be left empty.
>
>Now simply connect to your SSH Server. Once the authentication has been
>completed, start your favorite FTP Client, and point it to 'localhost'
>using port number 2121. You should now be able to successfully connect to
>the desired server.
>Note that if TCP Wrappers has been enabled on the remote host, you might
>be unable to connect due to the fact that 'localhost' connections might
>be disabled (check your log file); to enable it, edit /etc/hosts.allow.
>
>ADDITIONAL INFORMATION
>
>See our other guide:
>Who guards your front doors? (A practical guide to securing POP3 under
>Linux)
><http://www.securiteam.com/unixfocus/Who_guards_your_front_doors___A_practical_guide_to_securing_POP3_under_Linux_.html>
>
>An evaluation version of SSH Tunnel&Terminal client can be downloaded
>from: http://www.datafellows.com/
>
>DISCLAIMER:
>The information in this bulletin is provided "AS IS" without warranty of
>any kind.
>In no event shall we be liable for any damages whatsoever including
>direct, indirect, incidental, consequential, loss of business profits or
>special damages.
>-
>Disclaimer : http://users.my-linux.org/disclaimer.html
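
The tunnel settings from the advisory above (source port 2121, destination port 21), expressed for the OpenSSH command-line client, with the advisory's netstat check for a free source port done first. This is an added example, not part of the original message or the SecuriTeam advisory; the host ftp.example.org, the login alice and the netstat sample are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -an` output (not from the advisory).
# On a live system, feed the real command's output to the functions instead.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address       Foreign Address     State
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:2121      0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:40112    192.0.2.20:22       ESTABLISHED
tcp6       0      0 :::2122             :::*                LISTEN'

# port_in_use PORT: reads netstat output on stdin and succeeds if a TCP
# socket is listening on PORT (any local address, IPv4 or IPv6).
port_in_use() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # port is the last ":"-separated piece
            if (a[n] == p) found = 1
        }
        END { exit !found }'
}

# first_free_port START NETSTAT_TEXT: prints the first port >= START that is
# not listening according to NETSTAT_TEXT (step 4 of the advisory).
first_free_port() {
    port=$1
    while [ "$port" -le 65535 ]; do
        if ! printf '%s\n' "$2" | port_in_use "$port"; then
            echo "$port"
            return 0
        fi
        port=$((port + 1))
    done
    return 1
}

# tunnel_cmd SOURCE_PORT DEST_HOST DEST_PORT LOGIN: prints the ssh command.
tunnel_cmd() {
    for p in "$1" "$3"; do
        case "$p" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;; esac
    done
    # -N: forwarding only, no remote command ('Application to Start' empty).
    # Binding to 127.0.0.1 keeps other LAN hosts from using the tunnel.
    # Only the FTP control connection (where USER/PASS travel) is forwarded;
    # FTP data connections use separate ports and are not covered by this.
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$1:$2:$3 $4"
}

# Stand-alone run: pick a source port starting at 2121, print the command.
port=$(first_free_port 2121 "$SAMPLE_NETSTAT") &&
    tunnel_cmd "$port" ftp.example.org 21 alice@ftp.example.org
```

With the tunnel running, the FTP client is pointed at localhost and the printed source port, as in the advisory's final step.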
