Re: FW: Try security update from the Microsoft
A Windows-worm in the debian-security list? Great :D

BM> - Original message follows -
BM> Microsoft Consumer
BM> this is the latest version of security update, the
BM> June 2003, Cumulative Patch update which eliminates all
BM> known security vulnerabilities affecting Internet Explorer,
BM> Outlook and Outlook Express as well as five newly discovered
BM> vulnerabilities. Install now to protect your computer from these
BM> vulnerabilities, the most serious of which could allow an attacker to
BM> run executable on your system. This update includes the functionality
BM> of all previously released patches.
BM> System requirements:
BM> Win 9x/Me/2000/NT/XP
BM> This update applies to:
BM> Microsoft Internet Explorer, version 4.01 and later
BM> Microsoft Outlook, version 8.00 and later
BM> Microsoft Outlook Express, version 4.01 and later
BM> Recommendation:
BM> Customers should install the patch at the earliest opportunity.
BM> How to install:
BM> Run attached file. Click Yes on displayed dialog box.
BM> How to use:
BM> You don't need to do anything after installing this item.
BM> Microsoft Technical Support is available at
BM> http://support.microsoft.com/
BM> For security-related information about Microsoft products,
BM> please visit the Microsoft Security Advisor web site at
BM> http://www.microsoft.com/security
BM> Contact us at
BM> http://www.microsoft.com/isapi/goregwiz.asp?target=/contactus/contactus.asp
BM> Please do not reply to this message. It was sent from an unmonitored
BM> e-mail address and we are unable to respond to any replies.
BM> Thank you for using Microsoft products.

--
Best regards,
Kay-Michael mailto:[EMAIL PROTECTED]

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
recommendations for FTP server
Hello all,

I am thinking about setting up an FTP server to be used by myself and a
couple of friends. The box it will be running on is basically stock
Woody, and is currently only running apache and NAT'ing for a LAN.

I'd like the FTP server to not allow anonymous logins (which I assume
most can do), chroot users to their home directories, and have some sort
of encrypted connections (over SSL would be nice). I have thought about
just using sftp, but currently ssh connections are rerouted to another
box on the LAN, and I'd like to leave that set up as is, if possible.

I see that proftpd is the example used in the 'securing Debian' manual,
but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
appear to do chroot'ing, at least not at a quick glance. Anybody know
of one that combines these features? I suppose there is always stunnel,
although I have never tried to use it for FTP.

Any recommendations, experiences, thoughts?

--
| Stephen Gran                  | The proof of the pudding is in the |
| [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
| http://www.lobefin.net/~steve |                                    |
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:

> I am thinking about setting up an FTP server to be used by myself and a
> couple of friends. The box it will be running on is basically stock
> Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume
> most can do), chroot users to their home directories, and have some sort
> of encrypted connections (over SSL would be nice). I have thought about
> just using sftp, but currently ssh connections are rerouted to another
> box on the LAN, and I'd like to leave that set up as is, if possible.

You could run sshd on another port. Really, if you want encryption and no
anonymous connections, sftp is the right tool for the job.

--
 - mdz
Re: recommendations for FTP server
Stephen Gran [EMAIL PROTECTED] writes:

> I see that proftpd is the example used in the 'securing Debian' manual,
> but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
> appear to do chroot'ing, at least not at a quick glance. Anybody know
> of one that combines these features? I suppose there is always stunnel,
> although I have never tried to use it for FTP.

Proftpd does support SSL/TLS. It's a module that comes with it, it's just
not enabled by default. Some nice docs here:

http://www.castaglia.org/proftpd/modules/mod_tls.html
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

--
Ted Cabeen
Systems/Network Administrator
Impulse Internet Services
Re: recommendations for FTP server
> Any recommendations, experiences, thoughts?

Running ftp over a vpn would work but it's not the easiest option. Sftp is
exactly what you need. Why not just run it on another port?

Hope this helps.
Re: recommendations for FTP server (fwd)
From: [EMAIL PROTECTED]
To: Stephen Gran [EMAIL PROTECTED]
Subject: Re: recommendations for FTP server
Date: Fri, 20 Jun 2003 18:37:43 +

If security is a concern, you might want to use SecureFTP instead. It is
part of the OpenSSH package. The sftp client is a part of most Linux and
BSD (including MacOS X) distros and there are also sftp clients for
Macintosh http://ca.huji.ac.il/services/internet/ssh/macsftp.shtml and
Windows http://www.chiark.greenend.org.uk/~sgtatham/putty/ .

> Hello all,
>
> I am thinking about setting up an FTP server to be used by myself and a
> couple of friends. The box it will be running on is basically stock
> Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume
> most can do), chroot users to their home directories, and have some sort
> of encrypted connections (over SSL would be nice). I have thought about
> just using sftp, but currently ssh connections are rerouted to another
> box on the LAN, and I'd like to leave that set up as is, if possible.
>
> I see that proftpd is the example used in the 'securing Debian' manual,
> but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
> appear to do chroot'ing, at least not at a quick glance. Anybody know
> of one that combines these features? I suppose there is always stunnel,
> although I have never tried to use it for FTP.
>
> Any recommendations, experiences, thoughts?
>
> --
> | Stephen Gran                  | The proof of the pudding is in the |
> | [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
> | http://www.lobefin.net/~steve |                                    |
Re: recommendations for FTP server
Stephen Gran sent the following message Today:

SG> Hello all,
SG>
SG> I'd like the FTP server to not allow anonymous logins (which I assume
SG> most can do), chroot users to their home directories, and have some sort
SG> of encrypted connections (over SSL would be nice). I have thought about
SG> just using sftp, but currently ssh connections are rerouted to another
SG> box on the LAN, and I'd like to leave that set up as is, if possible.
SG>
SG> I see that proftpd is the example used in the 'securing Debian' manual,
SG> but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
SG> appear to do chroot'ing, at least not at a quick glance. Anybody know
SG> of one that combines these features? I suppose there is always stunnel,
SG> although I have never tried to use it for FTP.

Install SSH and give your friends shell accounts. SFTP is a drop-in
replacement for FTP. Generally, I never use FTP except to make anonymous
downloads available. There have been too many problems with many FTP
servers in the past.

Adding SSL to a standard FTP session also presents the problem that many
standard FTP clients (at least on Windows) do not support this
configuration.

--
Chris Caldwell
Information Systems Coordinator, Enterprise Systems
Information Systems and Services, The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
http://asclepius.tops.gwu.edu | GPG key ID: 0xE52D0BE8
Formal education can rarely improve the character of a scoundrel.
 - Derek Bok, Harvard University
RE: recommendations for FTP server
Have you thought about running sftp on a nonstandard port?

John Wright
Manager of Departmental Computing
Radio/TV Services
Indiana University
1229 E. Seventh Street, room 284
Radio-TV Center
Bloomington, Indiana 47405
Phone: 812-855-8076
Fax: 812-855-0729
[EMAIL PROTECTED]

-----Original Message-----
From: Stephen Gran [mailto:[EMAIL PROTECTED]
Sent: Friday, June 20, 2003 11:56 AM
To: Debian Security
Subject: recommendations for FTP server

Hello all,

I am thinking about setting up an FTP server to be used by myself and a
couple of friends. The box it will be running on is basically stock
Woody, and is currently only running apache and NAT'ing for a LAN.

I'd like the FTP server to not allow anonymous logins (which I assume
most can do), chroot users to their home directories, and have some sort
of encrypted connections (over SSL would be nice). I have thought about
just using sftp, but currently ssh connections are rerouted to another
box on the LAN, and I'd like to leave that set up as is, if possible.

I see that proftpd is the example used in the 'securing Debian' manual,
but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
appear to do chroot'ing, at least not at a quick glance. Anybody know
of one that combines these features? I suppose there is always stunnel,
although I have never tried to use it for FTP.

Any recommendations, experiences, thoughts?

--
| Stephen Gran                  | The proof of the pudding is in the |
| [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
| http://www.lobefin.net/~steve |                                    |
Re: recommendations for FTP server
On Fri, 2003-06-20 at 18:56, Stephen Gran wrote:

> Hello all,
>
> I am thinking about setting up an FTP server to be used by myself and a
> couple of friends. The box it will be running on is basically stock
> Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume
> most can do), chroot users to their home directories, and have some sort
> of encrypted connections (over SSL would be nice). I have thought about
> just using sftp, but currently ssh connections are rerouted to another
> box on the LAN, and I'd like to leave that set up as is, if possible.

How about setting your ssh server to another port? If your friends know
about it, this shouldn't be a problem.

Tarjei
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 02:24:22PM -0400, Matt Zimmerman wrote:

> On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
>
> > I am thinking about setting up an FTP server to be used by myself and a
> > couple of friends. The box it will be running on is basically stock
> > Woody, and is currently only running apache and NAT'ing for a LAN.
> >
> > I'd like the FTP server to not allow anonymous logins (which I assume
> > most can do), chroot users to their home directories, and have some sort
> > of encrypted connections (over SSL would be nice). I have thought about
> > just using sftp, but currently ssh connections are rerouted to another
> > box on the LAN, and I'd like to leave that set up as is, if possible.
>
> You could run sshd on another port. Really, if you want encryption and no
> anonymous connections, sftp is the right tool for the job.

I went against running an FTP server for my users and went for using SFTP
(part of sshd). For users who just have a standard web package (so they
have no shell access) I give them a shell called 'scponly-c', from the
package scponly which can be found at http://www.sublimation.org/scponly/

So they can only use SFTP and/or scp to upload files, no shell access.
They are also chroot'ed to their home directory for a bit of added
security. I haven't had any reported problems.

You need to provide the programs they'll need though, like ls, pwd etc.
etc. in their home directory as they are running in a chroot (if you take
that option - It is possible without the chroot).

HTH,
David.

--
 .''`.     David Ramsden [EMAIL PROTECTED]
: :'  :    http://portal.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
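The setup the replies so far converge on (sshd on a second port, file transfer only, users chrooted, no shell), written for a current OpenSSH rather than the Woody-era packages in this thread. This is an added example, not configuration from any poster; the port number, the group name sftponly and the /srv/sftp paths are assumptions.

```conf
# /etc/ssh/sshd_config (fragment). Constructed example: port, group and paths are assumptions.

# Listen on a second port so that port 22 can stay forwarded to the other LAN host.
Port 2222

# In-process SFTP server (replaces any existing "Subsystem sftp" line):
# the chroot needs no ls, pwd, shell or libraries copied into it.
Subsystem sftp internal-sftp

# Applies only to accounts in the (hypothetical) group "sftponly".
Match Group sftponly
    # Every component of this path must be owned by root and not writable by
    # group or others; give each user a writable subdirectory such as upload/.
    ChrootDirectory /srv/sftp/%u
    # Ignore the requested command and the account's login shell: SFTP only.
    ForceCommand internal-sftp
    # Close the side channels an SSH account would otherwise have.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
```

Running `sshd -t` checks the file for errors before the daemon is restarted.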
Re: recommendations for FTP server
This one time, at band camp, Matt Zimmerman said:

> On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
>
> > I'd like the FTP server to not allow anonymous logins (which I assume
> > most can do), chroot users to their home directories, and have some sort
> > of encrypted connections (over SSL would be nice). I have thought about
> > just using sftp, but currently ssh connections are rerouted to another
> > box on the LAN, and I'd like to leave that set up as is, if possible.
>
> You could run sshd on another port. Really, if you want encryption and no
> anonymous connections, sftp is the right tool for the job.

Yeah, that's what I have been thinking. I was sort of hoping there was
something else out there that did all this besides sftp, because several
of my friends will be connecting from Windoze boxes. I guess I'll just
point them to PuTTy and friends.

Thanks all,

--
| Stephen Gran                  | Neglect of duty does not cease, by     |
| [EMAIL PROTECTED]             | repetition, to be neglect of duty. --  |
| http://www.lobefin.net/~steve | Napoleon                               |
Re: recommendations for FTP server
* Stephen Gran [EMAIL PROTECTED] wrote:

> I am thinking about setting up an FTP server to be used by myself and a
> couple of friends. The box it will be running on is basically stock
> Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume
> most can do), chroot users to their home directories, and have some sort
> of encrypted connections (over SSL would be nice). I have thought about
> just using sftp, but currently ssh connections are rerouted to another
> box on the LAN, and I'd like to leave that set up as is, if possible.
>
> I see that proftpd is the example used in the 'securing Debian' manual,
> but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
> appear to do chroot'ing, at least not at a quick glance. Anybody know
> of one that combines these features? I suppose there is always stunnel,
> although I have never tried to use it for FTP.
>
> Any recommendations, experiences, thoughts?

Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help
you to make a good decision.

Regards,
Marcus

--
Tuba cum sonuerit dies erit extrema et iudex advenerit vocabit sempiterna
electos in patria prescitos ad inferna.
Re: recommendations for FTP server
> Proftpd does support SSL/TLS. It's a module that comes with it, it's just
> not enabled by default. Some nice docs here:
>
> http://www.castaglia.org/proftpd/modules/mod_tls.html
> http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

Actually... it's enabled by default, that's why it says 'no certificate
found' when you start it the first time.

Neither sftp nor anything else is a 'drop-in' replacement for ftp.

The only problem with TLS/SSL in ftp is that there are not that many
clients that support that - there are NONE in woody. You need to backport
lftp from sid or compile it yourself ( I've got my backport available
from http://eyck.forumakad.pl/woody ./ )

There are few other options - tlswrap changes every passive-capable ftp
client into TLS-capable ftp client, there is this nice POSIX/Windoze
lundfxp client etc..

The way I see it, sftp is way less secure way of providing access to
files than tls/ftp, you see, you need to create valid ssh-able accounts
for all your users, then it'll take you some time to secure those
accounts just a bit ( scp-only account? - great, if you wanna play around
and compile special shell... there is no scp-shell in woody, there is one
in sid. Is it safe enough? Who knows ).

With ftp users need no shell, need no nothing. I create unlimited number
of users and worry not

--
Dariush Pietrzak, I ain't the sharpest tool in a shed.
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 07:39:28PM +0100, Ian Goodall wrote:

> > Any recommendations, experiences, thoughts?
>
> Running ftp over a vpn would work but its not the easiest option. Sftp is
> exactly what you need. Why not just run it on another port?

Last I checked, sftp requires a patch to chroot, though.

xn
Re: recommendations for FTP server
* Stephen Gran ([EMAIL PROTECTED]) [030621 01:05]:

> Yeah, that's what I have been thinking. I was sort of hoping there was
> something else out there that did all this besides sftp, because several
> of my friends will be connecting from Windoze boxes. I guess I'll just
> point them to PuTTy and friends.

What about webdav, http://www.webdav.org/? This is a filesystem over
http(s). Using it as client with Linux is quite easy, and also MS-Users
can connect quite easily from a Windows box using standard microsoft
tools (i.e. Explorer).

I'm using it instead of non-anonymous ftp, and I'm quite happy.

Cheers,
Andi

--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Re: recommendations for FTP server
> > You could run sshd on another port. Really, if you want encryption and no
> > anonymous connections, sftp is the right tool for the job.
>
> Yeah, that's what I have been thinking. I was sort of hoping there was
> something else out there that did all this besides sftp, because several
> of my friends will be connecting from Windoze boxes. I guess I'll just
> point them to PuTTy and friends.

I'd suggest pointing them at WinSCP: http://winscp.com for a
pointy-clicky scp/sftp client for Win32, and Fugu:
http://rsug.itd.umich.edu/software/fugu/ for an OS X client, both of
which are free and source available (fugu under a BSD-style licence,
WinSCP under a similar licence to puTTY).

Hope this helps,
David

--
C Nonsense in BASIC
Re: recommendations for FTP server (fwd)
From: [EMAIL PROTECTED]
To: Dariush Pietrzak [EMAIL PROTECTED]
Subject: Re: recommendations for FTP server
Date: Sat, 21 Jun 2003 01:09:45 +

I know about SSL/TLS support in Proftp, the only problem is that few
clients support it (thanks for the link to the Woody backport). I would
use it if I could find clients that are supported by multiple OSes. Are
there any SSL/TLS clients for Windows, OS X or Mac 9x?

> > Proftpd does support SSL/TLS. It's a module that comes with it, it's just
> > not enabled by default. Some nice docs here:
> >
> > http://www.castaglia.org/proftpd/modules/mod_tls.html
> > http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
>
> Actually... it's enabled by default, that's why it says 'no certificate
> found' when you start it the first time.
>
> Neither sftp nor anything else is a 'drop-in' replacement for ftp.
>
> The only problem with TLS/SSL in ftp is that there are not that many
> clients that support that - there are NONE in woody. You need to backport
> lftp from sid or compile it yourself ( I've got my backport available
> from http://eyck.forumakad.pl/woody ./ )
>
> There are few other options - tlswrap changes every passive-capable ftp
> client into TLS-capable ftp client, there is this nice POSIX/Windoze
> lundfxp client etc..
>
> The way I see it, sftp is way less secure way of providing access to
> files than tls/ftp, you see, you need to create valid ssh-able accounts
> for all your users, then it'll take you some time to secure those
> accounts just a bit ( scp-only account? - great, if you wanna play around
> and compile special shell... there is no scp-shell in woody, there is one
> in sid. Is it safe enough? Who knows ).
>
> With ftp users need no shell, need no nothing. I create unlimited number
> of users and worry not
>
> --
> Dariush Pietrzak, I ain't the sharpest tool in a shed.
> Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
On Fri, 20 Jun 2003 16:25:30 -0400, Stephen Gran wrote:

> This one time, at band camp, Matt Zimmerman said:
> [...]
> Yeah, that's what I have been thinking. I was sort of hoping there was
> something else out there that did all this besides sftp, because several
> of my friends will be connecting from Windoze boxes. I guess I'll just
> point them to PuTTy and friends.

Don't forget FileZilla
http://filezilla.sourceforge.net/
GUI Win32 client that does FTP, FTP over SSL, and SFTP.

Apparently has some integration with PuTTY, though I can't currently
figure out how to get FileZilla to use my PuTTY keystore.

Seems nice and stable to me.

Nick Boyce
Bristol, UK

--
Microsoft may provide updates that will be automatically downloaded onto
your computer. These updates may disable your ability to copy and/or play
content and use other software on your computer.
-- http://bsdvault.net/article.php?sid=527mode=order=0
Re: recommendations for FTP server
Quoting Marcus Frings ([EMAIL PROTECTED]):

> Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help
> you to make a good decision.

Hey, thanks, Marcus!

That file reflects (and disclaims) my prejudice that anonymous ftp remains
A Good Thing (see: http://linuxmafia.com/~rick/linux-info/ftp-justification),
and that either scp or ftp-ssl (or, I guess, sftp) is perfectly adequate
for non-anonymous file transfers. OS coverage for scp is basically
universal: http://linuxmafia.com/pub/linux/security/ssh-clients

Of course, no doubt some people will whine about scp not doing
file-browsing. Some front-ends can kludge that capability anyway
(SecPanel, KSSH, KDESSH, ssh-gui, and GPuTTY for X11/*ix, Fugu for
Mac OS X / Cocoa, FileZilla and Secure iXplorer for Win32) -- or you
can try ftp-ssl or sftp.

Don't forget, too, about the FISH protocol, as implemented in Midnight
Commander, KDE 3.1's kio_fish plugin, and lftp (ftp-like browsing over
generic SSH transport).
http://linuxmafia.com/~rick/linux-info/fish-protocol

--
Cheers,              First they came for the verbs, and I said nothing, for
Rick Moen            verbing weirds language.  Then, they arrival for the nouns
[EMAIL PROTECTED]    and I speech nothing, for I no verbs.  - Peter Ellis
Re: FW: Try security update from the Microsoft
A Windows-worm in the debian-security list? Great :D BM - Original message follows - BM Microsoft Consumer BM this is the latest version of security update, the BM June 2003, Cumulative Patch update which eliminates all BM known security vulnerabilities affecting Internet Explorer, BM Outlook and Outlook Express as well as five newly discovered BM vulnerabilities. Install now to protect your computer from these BM vulnerabilities, the most serious of which could allow an attacker to BM run executable on your system. This update includes the functionality BM of all previously released patches. BM System requirements: BM Win 9x/Me/2000/NT/XP BM This update applies to: BM Microsoft Internet Explorer, version 4.01 and later BM Microsoft Outlook, version 8.00 and later BM Microsoft Outlook Express, version 4.01 and later BM Recommendation: BM Customers should install the patch at the earliest opportunity. BM How to install: BM Run attached file. Click Yes on displayed dialog box. BM How to use: BM You don't need to do anything after installing this item. BM Microsoft Technical Support is available at BM http://support.microsoft.com/ BM For security-related information about Microsoft products, BM please visit the Microsoft Security Advisor web site at BM http://www.microsoft.com/security BM Contact us at BM http://www.microsoft.com/isapi/goregwiz.asp?target=/contactus/contactus.asp BM Please do not reply to this message. It was sent from an unmonitored BM e-mail address and we are unable to respond to any replies. BM Thank you for using Microsoft products. -- Best regards, Kay-Michaelmailto:[EMAIL PROTECTED]
recommendations for FTP server
Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? -- -- | Stephen Gran | The proof of the pudding is in the | | [EMAIL PROTECTED] | eating. -- Miguel de Cervantes| | http://www.lobefin.net/~steve | | -- pgpXnWLOAvb39.pgp Description: PGP signature
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote: I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job. -- - mdz
Re: recommendations for FTP server
Stephen Gran [EMAIL PROTECTED] writes: I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here: http://www.castaglia.org/proftpd/modules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html -- Ted Cabeen Systems/Network Administrator Impulse Internet Services
Re: recommendations for FTP server
Any recommendations, experiences, thoughts? Running ftp over a vpn would work but its not the easiest option. Sftp is exactly what you need. Why not just run it on another port? Hope this helps.
Re: recommendations for FTP server (fwd)
From:[EMAIL PROTECTED] To: Stephen Gran [EMAIL PROTECTED] Subject: Re: recommendations for FTP server Date:Fri, 20 Jun 2003 18:37:43 + If security is a concern, you might want to use SecureFTP instead. It is part of the OpenSSH package. The sftp client is a part of most Linux and BSD (including MacOS X) distros and there are also sftp clients for MacIntosh http://ca.huji.ac.il/services/internet/ssh/macsftp.shtml and Windows http://www.chiark.greenend.org.uk/~sgtatham/putty/ . Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? -- -- | Stephen Gran | The proof of the pudding is in the | | [EMAIL PROTECTED] | eating. -- Miguel de Cervantes| | http://www.lobefin.net/~steve | | --
RE: recommendations for FTP server
Have you thought about running sftp on a nonstandard port? John Wright Manager of Departmental Computing Radio/TV Services Indiana University 1229 E. Seventh Street, room 284 Radio-TV Center Bloomington, Indiana 47405 Phone: 812-855-8076 Fax: 812-855-0729 [EMAIL PROTECTED] -Original Message- From: Stephen Gran [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 11:56 AM To: Debian Security Subject: recommendations for FTP server Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? -- -- | Stephen Gran | The proof of the pudding is in the | | [EMAIL PROTECTED] | eating. -- Miguel de Cervantes | | http://www.lobefin.net/~steve | | --
Re: recommendations for FTP server
On Fri, 2003-06-20 at 18:56, Stephen Gran wrote: Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. How about setting your ssh server to another port? If your friends know about it, this shouldn't be a problem. Tarjei
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 02:24:22PM -0400, Matt Zimmerman wrote:
> On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
> > I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
> >
> > I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job.

I went against running an FTP server for my users and went for using SFTP (part of sshd).

For users who just have a standard web package (so they have no shell access) I give them a shell called 'scponly-c', from the package scponly which can be found at http://www.sublimation.org/scponly/

So they can only use SFTP and/or scp to upload files, no shell access. They are also chroot'ed to their home directory for a bit of added security. I haven't had any reported problems.

You need to provide the programs they'll need though, like ls, pwd etc. etc. in their home directory as they are running in a chroot (if you take that option - It is possible without the chroot).

HTH,
David.

--
 .''`.     David Ramsden [EMAIL PROTECTED]
: :'  :    http://portal.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
Re: recommendations for FTP server
This one time, at band camp, Matt Zimmerman said:
> On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
> > I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job.

Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends.

Thanks all,

--
| Stephen Gran                  | Neglect of duty does not cease, by    |
| [EMAIL PROTECTED]             | repetition, to be neglect of duty. -- |
| http://www.lobefin.net/~steve | Napoleon                              |
Re: recommendations for FTP server
* Stephen Gran [EMAIL PROTECTED] wrote:
> I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.
>
> Any recommendations, experiences, thoughts?

Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help you to make a good decision.

Regards,
Marcus

--
Tuba cum sonuerit dies erit extrema et iudex advenerit vocabit sempiterna electos in patria prescitos ad inferna.
Re: recommendations for FTP server
> Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here:
> http://www.castaglia.org/proftpd/modules/mod_tls.html
> http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time.

Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ )

There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc..

The way I see it, sftp is way less secure way of providing access to files than tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only account? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not

--
Dariush Pietrzak,
I ain't the sharpest tool in a shed.
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
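Added example, not part of the thread and not ProFTPD's own code: a small audit that checks a proftpd.conf against the three requirements from the original question (no anonymous logins, users chrooted to their home directory, TLS enforced via mod_tls). Both sample configurations are constructed and the certificate paths are placeholders; the parser deliberately ignores which section a directive sits in.

```python
import re

# Constructed sample configs (not from the thread). Paths are placeholders.
WEAK_CONF = """
<Anonymous ~ftp>
  User ftp
</Anonymous>
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
</IfModule>
"""
HARDENED_CONF = """
# chroot every user to their home directory
DefaultRoot ~
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/proftpd/ssl/example.crt
  TLSRSACertificateKeyFile /etc/proftpd/ssl/example.key
</IfModule>
"""

def parse(conf):
    """Return ({directive: [args, ...]}, {opened section names}); names lower-cased."""
    directives, sections = {}, set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            if not tag.group(1):                 # record opening tags only
                sections.add(tag.group(2).lower())
            continue
        name, *rest = line.split(None, 1)
        directives.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return directives, sections

def audit(conf):
    """Return the requirements from the original question that conf fails."""
    d, sections = parse(conf)
    last = lambda key: d.get(key, [""])[-1].lower()   # last occurrence of a directive
    checks = [
        ("anonymous login enabled", "anonymous" in sections),
        ("users not chrooted to home", last("defaultroot").split()[:1] != ["~"]),
        ("TLS not enforced", last("tlsengine") != "on" or last("tlsrequired") != "on"),
    ]
    return [msg for msg, failed in checks if failed]
```

With `TLSRequired off` the server still offers TLS but accepts cleartext sessions, which is why the audit treats `TLSEngine on` alone as insufficient.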
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 07:39:28PM +0100, Ian Goodall wrote:
> > Any recommendations, experiences, thoughts?
>
> Running ftp over a vpn would work but it's not the easiest option. Sftp is exactly what you need. Why not just run it on another port?

Last I checked, sftp requires a patch to chroot, though.

xn
Re: recommendations for FTP server
* Stephen Gran ([EMAIL PROTECTED]) [030621 01:05]:
> Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends.

What about webdav, http://www.webdav.org/? This is a filesystem over http(s). Using it as client with Linux is quite easy, and also MS-Users can connect quite easily from a Windows box using standard microsoft tools (i.e. Explorer).

I'm using it instead of non-anonymous ftp, and I'm quite happy.

Cheers,
Andi

--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Re: recommendations for FTP server
> > You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job.
>
> Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends.

I'd suggest pointing them at WinSCP: http://winscp.com for a pointy-clicky scp/sftp client for Win32, and Fugu: http://rsug.itd.umich.edu/software/fugu/ for an OS X client, both of which are free and source available (fugu under a BSD-style licence, WinSCP under a similar licence to puTTY).

Hope this helps,
David

--
C Nonsense in BASIC
Re: recommendations for FTP server (fwd)
From: [EMAIL PROTECTED]
To: Dariush Pietrzak [EMAIL PROTECTED]
Subject: Re: recommendations for FTP server
Date: Sat, 21 Jun 2003 01:09:45 +

I know about SSL/TLS support in Proftp, the only problem is that few clients support it (thanks for the link to the Woody backport). I would use it if I could find clients that are supported by multiple OSes. Are there any SSL/TLS clients for Windows, OS X or Mac 9x?

> > Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here:
> > http://www.castaglia.org/proftpd/modules/mod_tls.html
> > http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
>
> Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time.
>
> Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ )
>
> There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc..
>
> The way I see it, sftp is way less secure way of providing access to files than tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only account? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not
>
> --
> Dariush Pietrzak,
> I ain't the sharpest tool in a shed.
> Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
On Fri, 20 Jun 2003 16:25:30 -0400, Stephen Gran wrote:
> This one time, at band camp, Matt Zimmerman said:
> [...]
> Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends.

Don't forget FileZilla http://filezilla.sourceforge.net/

GUI Win32 client that does FTP, FTP over SSL, and SFTP. Apparently has some integration with PuTTY, though I can't currently figure out how to get FileZilla to use my PuTTY keystore. Seems nice and stable to me.

Nick Boyce
Bristol, UK

--
Microsoft may provide updates that will be automatically downloaded onto your computer. These updates may disable your ability to copy and/or play content and use other software on your computer.
-- http://bsdvault.net/article.php?sid=527mode=order=0