Re: sftp-server listening port how-to
Stuart Henderson:
> Do you have the correct directory?
>
> The user's home directory is appended to ChrootDirectory. e.g. in your example
> something like /home/of/the/hackers/home/myftpuser.

Super good, now I'm also chrooted..

Thanks a lot, Stuart!

--
Daniele Bonini
Re: sftp-server listening port how-to
On 2023-03-09, Daniele Bonini wrote:
> I configured sshd to chroot ftp requests in this way:
>
> Match User myftpuser
> ChrootDirectory /home/of/the/hackers
> ForceCommand internal-sftp
>
> giving the proper permissions to the destination dir, etc.
> as from Peter doc too.

Do you have the correct directory?

The user's home directory is appended to ChrootDirectory. e.g. in your example
something like /home/of/the/hackers/home/myftpuser.

--
Please keep replies on the mailing list.
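
[Added example, not part of any message in this thread.] For the Match/ChrootDirectory setup discussed above: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and sshd changes to the user's home directory after the chroot. The script below checks both on disk; the function names are made up for illustration, and the usage line reuses the paths from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a ChrootDirectory the way
# sshd does at session start. Function names here are illustrative.

# Judge one `ls -Ldn` line: the entry must be a directory owned by
# uid 0 and not writable by group or other. Prints the reason if not.
check_ls_line() {
    read -r mode _links uid _rest <<EOF
$1
EOF
    case $mode in
        d*) ;;
        *)  echo "missing or not a directory"; return 1 ;;
    esac
    [ "$uid" = 0 ] || { echo "owned by uid $uid, not root"; return 1; }
    case $mode in
        d????w*|d???????w*) echo "group/other writable ($mode)"; return 1 ;;
    esac
}

# Check every component from the chroot directory up to /.
# Optional second argument: the user's home directory, to which sshd
# changes after the chroot, so on disk it lives under the chroot.
audit_chroot() {
    case $1 in /*) ;; *) echo "need an absolute path"; return 2 ;; esac
    dir=$1 bad=0
    while :; do
        if ! why=$(check_ls_line "$(ls -Ldn "$dir" 2>/dev/null)"); then
            echo "FAIL $dir: $why"; bad=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    if [ -n "${2:-}" ] && [ ! -d "$1$2" ]; then
        echo "NOTE $1$2 (home directory inside the chroot) is missing"
    fi
    return "$bad"
}

# Usage: sh audit_chroot.sh /home/of/the/hackers /home/myftpuser
if [ $# -gt 0 ]; then audit_chroot "$@"; fi
```

A FAIL line names the path component that sshd would reject; when that check fails the session is dropped before sftp starts, and the reason is logged on the server side.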
Re: sftp-server listening port how-to
> let's remain on sftp topic..

I finally managed to receive the proper answers from my hosting that permitted me to change sshd port successfully.

On the other hand I came across some Linoox doc about how-to produce a chroot ssh environment to make the sshd_config settings meaningful and running and from my understanding I consider all that effort a little overwhelming against my necessities, at time.

However, I want to thank all for your answers.

--
Daniele Bonini
Re: sftp-server listening port how-to
On Thu, 9 Mar 2023 13:13:40 +0100 "Peter N. M. Hansteen" wrote:
> Further to the "why would you want to?" issue, I offer this from the
> Hail Mary Cloud cycle:
> https://bsdly.blogspot.com/2013/02/theres-no-protection-in-high-ports.html

About the only benefit of having a non-standard port number for SSH/SFTP is that the noise generated by the script kiddies banging on port 22 and not trying other port numbers is reduced.

It most definitely does not make anything more secure as a port scan will soon tell an attacker where to try next. It'll stop the most brain-dead of script kiddies, but have little effect with an attacker that has half a working braincell and a copy of `nmap` handy.

The latter group is smaller than the former, but is still very large, so the amount of noise reduced will vary.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
Re: sftp-server listening port how-to
Here I am with one more trouble..

(I'm still waiting for a proper reply from the hosting for the change of sshd port and the related consequences to the VPS console but let's remain on sftp topic..)

I configured sshd to chroot ftp requests in this way:

Match User myftpuser
ChrootDirectory /home/of/the/hackers
ForceCommand internal-sftp

giving the proper permissions to the destination dir, etc.
as from Peter doc too.

Both by Filezilla and console sftp I get ugly errors:

Filezilla:
FATAL ERROR: Remote side unexpectedly closed network
Could not connect to server

sftp:
client_loop: send disconnect: Broken pipe
Connection closed

NB: I do not want to exit from the match directive scope and find myself in more trouble :-/

--
Daniele Bonini
Re: sftp-server listening port how-to
Peter N. M. Hansteen:
>
> That little guide I posted a link to has a section about setting up
> a separate set of users for sftp

Thank you for your answers and the doc too, Peter.

While I'm reading you I'm trying to grasp from my hosting what they are enforcing under their gui layer to understand if it is good to proceed in this one more security distraction..

Again, appreciated.

--
Daniele Bonini
Re: sftp-server listening port how-to
On Thu, Mar 09, 2023 at 01:31:47PM +0100, Daniele Bonini wrote:
>
> > change it to any number you want.
>
> VPS here come in a nice package with a default web console over ssh.
>
> An other one: if I try to nobody the user default shell
> I'm out of any luck to be able to connect.

That little guide I posted a link to has a section about setting up a separate set of users for sftp. For other use, you would likely be better off with a normal shell.

Something like keep your normal user (guessing 'daniele'), and in addition define 'sftp-daniele' along with other users who only need sftp, not a regular shell, in a handful of easy steps as outlined in the guide.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: sftp-server listening port how-to
cor...@free.fr wrote:
>
> Since sftp uses ssh port, you can just change the port for sshd.
> in sshd_config:
>
> Port 22
>
> change it to any number you want.

VPS here come in a nice package with a default web console over ssh.

An other one: if I try to nobody the user default shell
I'm out of any luck to be able to connect.

Unfortunately it all appears a little too restrictive.

However, thank you for the quick reply.
Re: sftp-server listening port how-to
On Thu, Mar 09, 2023 at 12:47:14PM +0100, Daniele Bonini wrote:
>
> I'm wondering if there is any chance to change the default
> listening port for sftp-server.
>
> NB: I'm using it on my Linoox VPS but I see from the man
> a given OpenBSD 2.8 port origin.

It is indeed possible to change the listening port. It's all in the man page.

My immediate question would be, why would you want to?

For a truly unhelpful interlude, I offer

[Thu Mar 09 13:07:40] peter@skapet:~$ grep sftp /etc/services
sftp            115/tcp

or on a nearby mac,

[Thu Mar 09 13:08:14] peter@Peters-MacBook-Pro:~$ grep sftp /etc/services
sftp            115/udp     # Simple File Transfer Protocol
sftp            115/tcp     # Simple File Transfer Protocol
utsftp          2529/udp    # UTS FTP
utsftp          2529/tcp    # UTS FTP

which hints strongly at the historical "Simple File Transfer Protocol", described in RFC 913, dated September 1984 (and it is likely not what you want. At all).

For the actual steps involved in setting up your sshd with sftp-server, this guide looks at first blush fairly sane:
https://linuxhandbook.com/sftp-server-setup/

Further to the "why would you want to?" issue, I offer this from the Hail Mary Cloud cycle:
https://bsdly.blogspot.com/2013/02/theres-no-protection-in-high-ports.html

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: sftp-server listening port how-to
On 09/03/2023 19:47, Daniele Bonini wrote:
> Hello,
>
> I'm wondering if there is any chance to change the default
> listening port for sftp-server.
>
> NB: I'm using it on my Linoox VPS but I see from the man
> a given OpenBSD 2.8 port origin.
>
> Thanks, appreciated!
>
> --
> Daniele Bonini

Since sftp uses ssh port, you can just change the port for sshd.
in sshd_config:

Port 22

change it to any number you want.

Thanks.
sftp-server listening port how-to
Hello,

I'm wondering if there is any chance to change the default
listening port for sftp-server.

NB: I'm using it on my Linoox VPS but I see from the man
a given OpenBSD 2.8 port origin.

Thanks, appreciated!

--
Daniele Bonini