Thread: ftp with regular linux user unsafe?

  1. #1
    Join Date
    Dec 2009
    Beans
    27

    ftp with regular linux user unsafe?

    So after I've finally set up my home server, I want to make sure it's secure enough.

    Firewall wise everything is good to go, but I'm worried about my FTP. FTP should be fine when the user logging in goes to a folder where no harm can be done to the system, however the standard Linux users can FTP into the server.

    For example, I can type in my IP address and FTP into the server with the root user. Not really safe if you ask me. This goes for all current Linux users. On one hand, it's pretty handy to have this feature when I need to make some changes or if I need access to certain folders (I never log in with root btw), but it's also frightening.

    What would the pros advise me on this? Is it something unavoidable? Should I "jail" all users to their home directory? I don't know what to do!

  2. #2
    Join Date
    Sep 2006
    Beans
    7,624
    Distro
    Lubuntu Development Release

    sftp

    FTP is unsafe for uploads. That is because the username, password and entire session are transmitted in the clear, unencrypted.

    So if you are logging in with FTP with a regular user's account, those credentials are being spread around the net and could end up causing trouble because other people can get your password that way.

    A better way would be to use SFTP. If you have the package OpenSSH-server installed, then you already have SFTP set up. No additional configuration is needed.

    In addition to the text-based SFTP client that comes with Ubuntu, there are also graphical clients built into the file managers Nautilus and Dolphin. To use either, press ctrl-L and then enter the URL for the server: sftp://user@xx.yy.zz.aa/some/path/

  3. #3
    Join Date
    Dec 2009
    Beans
    27

    Re: sftp

    OK, for some reason sftp works now! It didn't use to work for some reason but now it does. So from now on I'll use SFTP to do file transfers. Also, it isn't a problem that the users in question can still actually FTP into my server unsecured? This might be phrased confusingly so I'll just note that I am the only user of the server (and sometimes my dad). So there is no problem leaving the setup as is, as long as I use SFTP from now on?

  4. #4
    Join Date
    Sep 2006
    Beans
    7,624
    Distro
    Lubuntu Development Release

    Re: ftp with regular linux user unsafe?

    You can leave the setup as is if SFTP works, but it would be recommendable to remove FTP if you are not using it. It's generally considered a good idea to remove services that you don't use.

  5. #5
    Join Date
    Jun 2011
    Beans
    350

    Re: sftp

    Since there isn't any reason to leave FTP running and you have indicated the root account is enabled, it is a bad idea to leave FTP running. Attackers are likely to brute-force the password on your FTP server eventually and gain access to your system.

    I recommend turning off FTP and making sure root access is disabled for the SFTP server. The configuration file for SFTP is located at /etc/ssh/sshd_config.

  6. #6
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,254
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: ftp with regular linux user unsafe?

    Much depends on the specific FTP server you use. I run proftpd here, and it offers configuration options that can make it quite safe. One such option is to prohibit login or any access at all, for all users except those specified in the option. In my case I specified that only user "ftp" with an alias of "anonymous" can get in, and this prohibits access to any normal user including myself but allows the usual anonymous access. Other options control access to specific directories and can block access to the rest of your system. Accessible directories are either read-only or write-only but never read-write, so they cannot be used for anonymous storage areas. I can move files between them, but not through the FTP program itself.

    The result is that first-time customers for my data recovery services can upload their damaged files to my FTP server, using a special program that I make available to them that wends its way through my security measures, but script kiddies have not managed to break in since I tightened the access rules (although a dozen or more try to do so each day)...

    The proftpd package is available in the repositories. I highly recommend it.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads
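A proftpd.conf fragment that expresses the access model Jim describes in post #6 (logins restricted to the "ftp" account with "anonymous" as its alias, a read-only download tree, and a write-only upload directory). It is an added illustration, not Jim's actual configuration; the directory name "incoming" and the existence of a system account "ftp" are assumptions.

```conf
# Added illustration of the post #6 access model; not the poster's own config.
# Assumes a system account "ftp" whose home is the anonymous FTP root.

# Server-wide: refuse every login except the "ftp" account. Regular Linux
# users (root included) cannot authenticate even with a valid password.
<Limit LOGIN>
  AllowUser ftp
  DenyAll
</Limit>

<Anonymous ~ftp>
  User  ftp
  Group nogroup
  # "anonymous" logs in as the ftp account; any password is accepted.
  UserAlias anonymous ftp
  RequireValidShell off
  MaxClients 10

  # Default for the whole tree: read-only, no writes of any kind.
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

  # Write-only drop box: uploads allowed, but nothing can be listed or
  # downloaded, so it cannot be turned into an anonymous storage area.
  <Directory incoming>
    <Limit READ DIRS>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
```

Run `proftpd -t` to check the syntax before restarting the daemon.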

  7. #7
    Join Date
    Nov 2005
    Location
    Bordeaux, France
    Beans
    11,297
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: ftp with regular linux user unsafe?

    Anonymous FTP is fine of course (most open source software is distributed that way) as long as you disallow uploads completely (otherwise, you might get some very nasty things uploaded).

    If you are going to let real users log in, though, you should set up SSL encryption so that passwords and data do not travel in the clear. vsftpd can do this, I suppose proftpd and others can, as well. It is also a good idea to only allow some users to login, and probably to chroot users to their home directory as well, so that they can't go look around (unless they also have login access, of course).

    But just use SFTP if you can.
    "I'll be back by the evening of the day after tomorrow."

  8. #8
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: ftp with regular linux user unsafe?

    For the last few years, some backdoor has been discovered in the source code for the most popular FTP servers used.
    * ProFTP http://www.zdnet.com/blog/security/o...urce-code/7787
    * vsFTP http://www.h-online.com/open/news/it...e-1272310.html
    * and others.

    FTP servers are major targets for attack. Unless you have a real reason to run FTPd, don't.

    I always love seeing a blog article I wrote referenced here. Thanks Lars!

    Setting up ssh/sftp/scp in a secure manner isn't very hard. http://blog.jdpfu.com/2011/08/23/sec...cking-failures explains. Using key-based ssh authentication works more easily and much more securely than FTP.

    Googling for an answer first is appreciated here too.
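An sshd_config fragment, added here as an illustration rather than taken from any of the posters, that puts the thread's SFTP advice into practice: root login disabled (post #5), key-only authentication (post #8), and SFTP accounts confined to their home directory, the same restriction post #7 describes for FTP users. The group name sftponly is an assumption; it must be created and the SFTP-only accounts added to it beforehand.

```conf
# /etc/ssh/sshd_config fragment (added example; "sftponly" is an assumed group)

# Post #5: no root logins over SSH or SFTP, with a key or otherwise.
PermitRootLogin no

# Post #8: keys only. With password logins off, guessing attempts get nowhere.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no   # KbdInteractiveAuthentication in newer OpenSSH

# The in-process SFTP server needs no binaries inside the chroot.
Subsystem sftp internal-sftp

# Post #7's "chroot users to their home directory", applied to SFTP accounts.
# %h is the user's home. sshd requires the chroot target to be owned by root
# and not group/world-writable, so give each user a writable subdirectory
# (e.g. /home/alice/upload) instead of making the home itself writable.
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the result with `sudo sshd -t` before reloading, and keep an existing session open while you confirm the new login path works.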
