Charlie Coleman wrote:
> At 07:35 PM 11/28/2006 +0000, Paul Hill wrote:
> ...
>
>> You have to be careful about anonymous access. Once I opened up an FTP
>> server to allow a client to transfer some data and then forgot about
>> it. A few weeks later I looked in the folder to find a bunch of MP3s.
>> It seems people were using it to trade MP3s...
>>
>
> FTPS is the way to go.... Here is a good comparison of the current SFTP/FTPS usage:
http://www.enterprisedt.com/products/edtftpjssl/faq-answers.html
> ...
>
> That is why I said you never allow the read/write permissions to the same
> FTP folder. You have a place where they can write, and a place where they
> can read. And those places are not the same. You won't get problems like
> what you described above if you set it up that way. And, like anything
> else 'exposed' on your server, you need to monitor what's going on.
>
> One of the reasons FTP has gotten a bad name is that a lot of FTP sites got
> set up without any detailed consideration of what might happen. So you hear
> about systems getting compromised because the FTP configuration allowed
> users to go bopping around the drive looking for files. Oddly enough, in
> the early days of the Internet, the Unix world was worse about their FTP
> configs than the MS world (of course, the MS world was pretty far behind
> for a while and so wasn't a target, I guess).
>
> As for my experience, at one client site, there was a serious security
> breach. Their web pages, etc. got hacked, data got messed up, etc. Yes, they
> used HTTPS. It was probably just a bad web page/asp/.net/whatever design.
> However, the systems that were using my architecture (with FTP) were not
> affected at all. They've never been hacked or breached. Don't take that the
> wrong way - any set up has the potential to be hacked.
>
> -Charlie
>
> _______________________________________________
> Post Messages to: [email protected]
> Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
> OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
> ** All postings, unless explicitly stated otherwise, are the opinions of the
> author, and do not constitute legal or medical advice. This statement is
> added to the messages for those lawyers who are too stupid to see the obvious.
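An added audit script (not from the thread or any poster) that checks the two points Charlie makes: no directory under the FTP root should be both listable and writable by the FTP account, and a drop folder should be watched for files that are not the data the client was meant to send. The allowed file suffixes and the demo tree are constructed assumptions; permissions are read from the 'other' bits, which is how a chrooted anonymous or service account usually sees them.

```python
#!/usr/bin/env python3
"""Audit an FTP document tree for a read+write folder and for unexpected
drop-folder contents. The demo tree below is constructed for illustration."""
import os
import stat
import tempfile

EXPECTED_SUFFIXES = {".csv", ".txt", ".zip"}   # assumption: what clients send


def other_can(path):
    """(list, write) rights of 'other' on a directory; both need the x bit."""
    mode = os.stat(path).st_mode
    x = bool(mode & stat.S_IXOTH)
    return (x and bool(mode & stat.S_IROTH), x and bool(mode & stat.S_IWOTH))


def audit_ftp_root(root, expected=EXPECTED_SUFFIXES):
    """Return sorted (relative path, finding) pairs for everything under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        readable, writable = other_can(dirpath)
        if readable and writable:
            findings.append((rel, "read+write"))   # the MP3 trading-post setup
        for name in files:
            if os.path.splitext(name)[1].lower() not in expected:
                findings.append((os.path.join(rel, name), "unexpected-file"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: a correct write-only/read-only split plus one
    'shared' folder that the FTP account can both list and write."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    layout = {"incoming": 0o733, "outgoing": 0o755, "shared": 0o777}
    for name, mode in layout.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for rel in ("incoming/report.csv", "outgoing/prices.txt", "shared/song.mp3"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("demo\n")
    return root


if __name__ == "__main__":
    for path, finding in audit_ftp_root(build_demo_tree()):
        print(f"{finding:16} {path}")
```

Point it at the real FTP root on a schedule and alert on any non-empty result; the "incoming" folder in the demo is deliberately mode 733 so clients can drop files without listing what others dropped.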

