ftp set up
Paulette McGee
paulette_mcgee at yahoo.com
Tue Mar 6 23:13:06 UTC 2007
--- Bill Moran <wmoran at potentialtech.com> wrote:
>
> Please wrap your lines around 72 characters.
>
> In response to Vizion <vizion at vizion.occoxmail.com>:
> >
> > I wonder if someone could point me to a reliable detailed resource for
> > configuring an ftp server on freebsd 6.1 for both incoming and outgoing
> > files (including anonymous ftp).
> >
> > I do not want anonymous uploaders to view existing file names in
> > ftp/incoming or be able to download from incoming. I want the server as
> > secure as is reasonably practicable. The notes in the freebsd handbook are
> > not really comprehensive enough for me.
>
> Please don't do this. Please don't even try.
>
> Never try to use the word "secure" in the same sentence as "ftp". They don't
> fit in the same sentence.
>
> Set up ssh, then have Windows users use WinSCP.
>
> Let me tell a little story. A few years back I was asked to set up "secure
> ftp" for a client. I argued, but he insisted, and "the customer is always
> right", so I set it up for him.
>
> The plan, to keep it secure, was to enable the FTP server when it was needed,
> and disable it when the transfer was complete.
>
> Well, one day he forgot to turn it off. A few weeks later he went to enable
> it for another transfer and noticed a bunch of files on the server he didn't
> recognize.
>
> Someone had guessed the password and was using his FTP server to transfer files
> of a most unsavory nature.
>
> After we destroyed the files, changed the passwords, etc -- he decided to keep
> using the FTP (in spite of the incident). The only problem, he argued, was
> that we'd forgot to turn it off.
>
> But the crook now had our address. The next time he enabled that server, it
> wasn't more than a few hours before the crook was using it to move around
> his files again. The guy must have set up some monitoring to alert him when
> the FTP site came up, then he either had a sniffer to get the password or
> he was able to brute-force it really fast.
>
> I tell that story when people tell me that the data they're transferring isn't
> sensitive, and therefore using FTP isn't a security risk. It still is. The
> only time it's OK to use FTP is when it's download only and the files are
> publicly available. Any other time, FTP is a liability.
>
> --
> Bill Moran
> http://www.potentialtech.com
>
Just an informational bit for the Windows users that will transfer files:
WinSCP
http://winscp.net/eng/index.php
FileZilla
http://filezilla.sourceforge.net/
Portable FileZilla
http://portableapps.com/
PS: The portable version of FileZilla doesn't require an install on Windows.