Re: ftp set up

2007-03-06 Thread Gerard Seibert
On Tue, 6 Mar 2007 4:48:25 -0800
Vizion [EMAIL PROTECTED] wrote:

 I wonder if someone could point me to a reliable detailed resource
 for configuring an ftp server on freebsd 6.1 for both incoming and
 outgoing files (including anonymous ftp).
 
 I do not want anonymous uploaders to view existing file names in
 ftp/incoming or be able to download from incoming. I want the server
 as secure as is reasonably practicable. The notes in the freebsd
 handbook are not really comprehensive enough for me.

You might want to read up on some of the FTP servers that are available
in the ports system. Find one that meets your needs and then if you are
still having problems or questions, either check on the FTP server's
mailing list, if one is available, or post your question here.

-- 
Gerard

Friends, n:
People who borrow your books and set wet glasses on them.

People who know you well, but like you anyway.




Re: ftp set up

2007-03-06 Thread Bill Moran

Please wrap your lines around 72 characters.

In response to Vizion [EMAIL PROTECTED]:
 
 I wonder if someone could point me to a reliable detailed resource for
 configuring an ftp server on freebsd 6.1 for both incoming and outgoing
 files (including anonymous ftp).
 
 I do not want anonymous uploaders to view existing file names in
 ftp/incoming or be able to download from incoming. I want the server as
 secure as is reasonably practicable. The notes in the freebsd handbook are
 not really comprehensive enough for me. 

Please don't do this.  Please don't even try.

Never try to use the word secure in the same sentence as ftp.  They don't
fit in the same sentence.

Set up ssh, then have Windows users use WinSCP.

Let me tell a little story.  A few years back I was asked to set up secure
ftp for a client.  I argued, but he insisted, and the customer is always
right, so I set it up for him.

The plan, to keep it secure, was to enable the FTP server when it was needed,
and disable it when the transfer was complete.

Well, one day he forgot to turn it off.  A few weeks later he went to enable
it for another transfer and noticed a bunch of files on the server he didn't
recognize.

Someone had guessed the password and was using his FTP server to transfer files
of a most unsavory nature.

After we destroyed the files, changed the passwords, etc -- he decided to keep
using the FTP (in spite of the incident).  The only problem, he argued, was
that we'd forgotten to turn it off.

But the crook now had our address.  The next time he enabled that server, it
wasn't more than a few hours before the crook was using it to move around
his files again.  The guy must have set up some monitoring to alert him when
the FTP site came up, then he either had a sniffer to get the password or
he was able to brute-force it really fast.

I tell that story when people tell me that the data they're transferring isn't
sensitive, and therefore using FTP isn't a security risk.  It still is.  The
only time it's OK to use FTP is when it's download only and the files are
publicly available.  Any other time, FTP is a liability.

-- 
Bill Moran
http://www.potentialtech.com
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ftp set up

2007-03-06 Thread Vizion
 

 -Original Message-
 From: Bill Moran [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 06, 2007 5:24 AM
 To: Vizion
 Cc: freebsd-questions@freebsd.org
 Subject: Re: ftp set up
 
 
 Please wrap your lines around 72 characters.
 
 In response to Vizion [EMAIL PROTECTED]:
  
  I wonder if someone could point me to a reliable detailed 
 resource for
  configuring an ftp server on freebsd 6.1 for both incoming 
 and outgoing
  files (including anonymous ftp).
  
  I do not want anonymous uploaders to view existing file names in
  ftp/incoming or be able to download from incoming. I want 
 the server as
  secure as is reasonably practicable. The notes in the 
 freebsd handbook are
  not really comprehensive enough for me. 
 
 Please don't do this.  Please don't even try.
 
 -- 
Got yr point -- my guess is you did not use a process to shift files out of the
upload directory as soon as they arrived. That way they can be monitored
and never downloaded. 
I think it is up to each administrator to solve the problems. If you happen to 
have an answer to my original question -- a reliable source of info about ftp 
configuration it would be useful. It is a long time since I ran an ftp server 
and I am rusty.
 
I ran a large number of ftp servers for a long time and suffered many hacking 
attempts but none succeeded on my watch. I agree it is not easy - but necessary.
david




Re: ftp set up

2007-03-06 Thread Bill Moran
In response to Vizion [EMAIL PROTECTED]:
 
  -Original Message-
  From: Bill Moran [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, March 06, 2007 5:24 AM
  To: Vizion
  Cc: freebsd-questions@freebsd.org
  Subject: Re: ftp set up
  
  
  Please wrap your lines around 72 characters.
  
  In response to Vizion [EMAIL PROTECTED]:
   
   I wonder if someone could point me to a reliable detailed 
  resource for
   configuring an ftp server on freebsd 6.1 for both incoming 
  and outgoing
   files (including anonymous ftp).
   
   I do not want anonymous uploaders to view existing file names in
   ftp/incoming or be able to download from incoming. I want 
  the server as
   secure as is reasonably practicable. The notes in the 
  freebsd handbook are
   not really comprehensive enough for me. 
  
  Please don't do this.  Please don't even try.
  
  -- 
 Got yr point -- my guess is you did not use a process to shift files out
 of the upload directory as soon as they arrived. That way they can be
 monitored and never downloaded.

You're still sending out _very_ long lines.

... and no, I didn't use a process to prevent files from being subsequently
downloaded, it would have defeated the purpose of file transfer.

 I think it is up to each administrator to solve the problems. If you
 happen to have an answer to my original question -- a reliable source of
 info about ftp configuration it would be useful. It is a long time since I
 ran an ftp server and I am rusty.

Sorry, I don't.  I haven't set up an FTP server in a long time.  scp has
replaced ftp -- which was my point.

I've done my due-diligence in warning of the dangers ...

-- 
Bill Moran
http://www.potentialtech.com


Re: ftp set up

2007-03-06 Thread Vizion
In response to Vizion [EMAIL PROTECTED]:
 
  -Original Message-
  From: Bill Moran [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, March 06, 2007 5:24 AM
  To: Vizion
  Cc: freebsd-questions@freebsd.org
  Subject: Re: ftp set up
  
  
  Please wrap your lines around 72 characters.
  
  In response to Vizion [EMAIL PROTECTED]:
   
   I wonder if someone could point me to a reliable detailed 
  resource for
   configuring an ftp server on freebsd 6.1 for both incoming 
  and outgoing
   files (including anonymous ftp).
   
   I do not want anonymous uploaders to view existing file names in
   ftp/incoming or be able to download from incoming. I want 
  the server as
   secure as is reasonably practicable. The notes in the 
  freebsd handbook are
   not really comprehensive enough for me. 
  
  Please don't do this.  Please don't even try.
  
  -- 
 Got yr point -- my guess is you did not use a process to shift files out
 of the upload directory as soon as they arrived. That way they can be
 monitored and never downloaded.

You're still sending out _very_ long lines.
BTW my standard line length is 80 chars..
I have reduced them for you.
Don't you have a wrap option on your mail reader to set the lines to your
desired width?


... and no, I didn't use a process to prevent files from being subsequently
downloaded, it would have defeated the purpose of file transfer.
Here we differ .. if you did not do that you asked for trouble!!


David

 I think it is up to each administrator to solve the problems. If you
 happen to have an answer to my original question -- a reliable source of
 info about ftp configuration it would be useful. It is a long time since I
 ran an ftp server and I am rusty.

Sorry, I don't.  I haven't set up an FTP server in a long time.  scp has
replaced ftp -- which was my point.

I've done my due-diligence in warning of the dangers ...

Uploading to an ftp server has to be treated as a
process by which the sender offers files to the administrator
who may or may not choose to transfer them to the
download directory. 
IF you let an end user determine what may be made available
and subsequently have trouble, well, do not blame
ftp, blame the administrator!!
IMHO, to do otherwise is not exercising due diligence!!

On web sites I follow the same principle -- users cannot add links 
-- only offer them.. same principle!

david
-- 
Bill Moran
http://www.potentialtech.com
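
The "offer" model described in the message above, as an added example that is not part of the thread or any poster's code: a drop box that uploaders can write to but not list, swept into a quarantine directory outside the FTP tree for the administrator to review. The function names, the MANIFEST file and the paths are assumptions.

```shell
#!/bin/sh
# Added example: "offer" model for anonymous uploads. All paths are hypothetical.

# Create a drop box: mode 0733 lets others create files in it but not list it.
make_dropbox() {
    mkdir -p -- "$1" && chmod 0733 "$1"
}

# Move every regular file out of the drop box into a quarantine directory
# that lies outside the FTP tree. Prints the number of files moved.
sweep_incoming() {
    incoming=$1 quarantine=$2 moved=0
    mkdir -p -- "$quarantine" && chmod 0700 "$quarantine" || return 1
    for f in "$incoming"/* "$incoming"/.[!.]* "$incoming"/..?*; do
        # Skip unmatched globs, symlinks, directories and device nodes.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # Never reuse the uploader's file name: pick a fresh random one.
        dest=$(mktemp "$quarantine/upload.XXXXXX") || return 1
        mv -f -- "$f" "$dest" || return 1
        chmod 0600 "$dest"    # readable by the reviewing admin only
        # Log the claimed name, with unsafe bytes replaced, for review.
        safe=$(printf '%s' "${f##*/}" | LC_ALL=C tr -c 'A-Za-z0-9._-' '_')
        printf '%s\t%s\n' "${dest##*/}" "$safe" >> "$quarantine/MANIFEST"
        moved=$((moved + 1))
    done
    printf '%s\n' "$moved"
}

# Usage (hypothetical paths): sh sweep.sh /var/ftp/incoming /var/spool/ftp-quarantine
if [ $# -eq 2 ]; then
    make_dropbox "$1" && sweep_incoming "$1" "$2"
fi
```

Between arrival and sweep a file can still be fetched by anyone who knows its name unless the server also refuses downloads from the drop box, so run the sweep at a short interval.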



Re: ftp set up

2007-03-06 Thread Paulette McGee

--- Bill Moran [EMAIL PROTECTED] wrote:

 
 Please wrap your lines around 72 characters.
 
 In response to Vizion [EMAIL PROTECTED]:
  
  I wonder if someone could point me to a reliable
 detailed resource for
  configuring an ftp server on freebsd 6.1 for both
 incoming and outgoing
  files (including anonymous ftp).
  
  I do not want anonymous uploaders to view existing
 file names in
  ftp/incoming or be able to download from incoming.
 I want the server as
  secure as is reasonably practicable. The notes in
 the freebsd handbook are
  not really comprehensive enough for me. 
 
 Please don't do this.  Please don't even try.
 
 Never try to use the word secure in the same
 sentence as ftp.  They don't
 fit in the same sentence.
 
 Set up ssh, then have Windows users use WinSCP.
 
 Let me tell a little story.  A few years back I was
 asked to set up secure
 ftp for a client.  I argued, but he insisted, and
 the customer is always
 right, so I set it up for him.
 
 The plan, to keep it secure, was to enable the FTP
 server when it was needed,
 and disable it when the transfer was complete.
 
 Well, one day he forgot to turn it off.  A few weeks
 later he went to enable
 it for another transfer and noticed a bunch of files
 on the server he didn't
 recognize.
 
 Someone had guessed the password and was using his
 FTP server to transfer files
 of a most unsavory nature.
 
 After we destroyed the files, changed the passwords,
 etc -- he decided to keep
 using the FTP (in spite of the incident).  The only
 problem, he argued, was
 that we'd forgotten to turn it off.
 
 But the crook now had our address.  The next time he
 enabled that server, it
 wasn't more than a few hours before the crook was
 using it to move around
 his files again.  The guy must have set up some
 monitoring to alert him when
 the FTP site came up, then he either had a sniffer
 to get the password or
 he was able to brute-force it really fast.
 
 I tell that story when people tell me that the data
 they're transferring isn't
 sensitive, and therefore using FTP isn't a security
 risk.  It still is.  The
 only time it's OK to use FTP is when it's download
 only and the files are
 publicly available.  Any other time, FTP is a
 liability.
 
 -- 
 Bill Moran
 http://www.potentialtech.com
 ___
 freebsd-questions@freebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]
 
Just an informational bit for the windows users that
will transfer files:

WinSCP
http://winscp.net/eng/index.php

Filezilla 
http://filezilla.sourceforge.net/

Portable FileZilla
http://portableapps.com/

PS: The portable version of FileZilla doesn't require
an install on Windows.

 


 
