[Dshield] My graphics guy sent me the following message this morning...

security@admin.fulgan.com security at admin.fulgan.com
Wed Feb 4 16:27:43 GMT 2004


> FTP isn't secure, and I've heard of lots of boxes being owned due to FTP
> being opened to the internet when it wasn't correctly configured.

You can say the same about ANY protocol. 

FTP can be very well secured indeed. You have numerous choices, including using TLS for connection security and, optionally, to authenticate the user, and you can use one-time passwords (actually, it's a fancy way to say "challenge-response authentication"). On the application level, you can force the users into their own directories and remove all execute access to any and every file that is on the server from FTP users.

If you're on the cheap side, using SSH tunnelling is a cheap way to protect your command channel and login password without too much configuration. Just remember that this only applies to the command channel: the data channel (where your files and directory listings are being transmitted) is still in clear text.

Also, you can use IPSec to establish VPN channels between your client(s) and the server, protecting all data transfer, including the FTP command and data channels.

> For my home site, I threw up Apache & PHP with GeekLog on it. 
> Geeklog's had a number of security issues, but there's plenty of
> Bulletin Board scripts which allow file uploads and downloads.  As long
> as you don't publish links to the frontend of the BB system security
> won't be as much of an issue.  (Meaning don't have it listed in any
> links from your main site, and don't have it as the default web page)

Repeat after me: "Security by obscurity is no security". Do that a thousand times and, meanwhile, give me the URL of your front page so I can have some fun ;)

Seriously: you're advising to replace a PROTOCOL which can be very well secured by a PROGRAM that has known security issues?

> FTP servers answer anyone (unless configured otherwise) whereas the
> bulletin board script can be 'hidden'.   Yes, apache will still answer
> all requests, but theoretically that shouldn't be a problem.

"Hiding" the script is far worse than configuring the FTP server only to answer to specific IP addresses. First off, it's way too easy to accidentally "give off" the secret (logged in from a public machine? It's in the URL cache. Passed through a proxy server? It's logged. Ever used a wireless card? It can be sniffed out of the air).

Really, what you are proposing here is not securing the system, it's making it far more attackable.

If you need a file transfer system, get a good FTP server and configure it properly. It's really easy to do, you know, and the less you want your user to be able to do, the easier it is to do it properly.

Good luck,
Stephane
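
An added example, not part of the original post: a small audit of an FTP server configuration for the controls the message lists (TLS on both the command and data channels, users confined to their own directories, no way to set the execute bit, access limited by IP address). It assumes vsftpd and its option names, since the message names no particular server, and the sample configuration is constructed.

```python
# Added example. Assumption: the server is vsftpd (the post names no product).
SAMPLE_CONF = """\
# Constructed sample configuration, not taken from a real host
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=NO
chroot_local_user=yes
tcp_wrappers=YES
"""

# Option -> (value this audit requires, risk if it is missing or different).
# The audit wants each option set explicitly rather than relying on defaults.
REQUIRED = {
    "ssl_enable": (True, "TLS is off: logins and files cross the network in clear text"),
    "force_local_logins_ssl": (True, "passwords may be sent on an unencrypted command channel"),
    "force_local_data_ssl": (True, "data channel (files, directory listings) is in clear text"),
    "chroot_local_user": (True, "users are not confined to their own directories"),
    "chmod_enable": (False, "users can SITE CHMOD uploads to set the execute bit"),
    "tcp_wrappers": (True, "no hosts.allow/hosts.deny filtering of client IP addresses"),
}

def to_bool(value):
    """Map vsftpd boolean spellings to True/False; None if absent or unrecognised."""
    if value is None:
        return None
    return {"YES": True, "TRUE": True, "1": True,
            "NO": False, "FALSE": False, "0": False}.get(value.upper())

def parse_conf(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def audit(text):
    """Return (option, configured value or None, risk) for every unmet requirement."""
    settings = parse_conf(text)
    return [(key, settings.get(key), why)
            for key, (want, why) in REQUIRED.items()
            if to_bool(settings.get(key)) is not want]

if __name__ == "__main__":
    for key, got, why in audit(SAMPLE_CONF):
        print(f"{key}={got or '(not set)'}: {why}")
```

On the constructed sample it reports the clear-text data channel, the same gap the message points out for an SSH tunnel that covers only the command channel, and the missing `chmod_enable=NO`.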



