
Thread: Getting FTP as secure as possible?

  1. #1
    Code Monkey NightrainSrt4's Avatar
    Join Date
    Jun 2007
    Location
    Your cookie jar
    Posts
    2,679

    Default Getting FTP as secure as possible?

    I have set up FTP on my file server so that way family can get at pictures and such, and I can access my files from home or school/whathaveyou.

    I've:

    Removed Anonymous access (you have to have a user account and pass)
    Set it to Read Only. Can't modify or delete anything.
    Set up logging IP addresses
    Account Lockout after 3 attempts, with 30 minute renewal.

    Anything that I've missed?

    I want to keep it as simple as possible for the girlfriend/family to get on, so I've used my no-ip that I've used previously so they don't need to constantly get/remember a new set of ip numbers. Ideally I would like to have FTP over SSL, or something similar, but I'm not sure firefox/IE has that integrated and I don't think it was added to windows server until the 2008 version. Being able to access it like a web page makes it far easier for them to deal with too, instead of a 3rd program or cli.
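An added example (not part of the original post, and not any FTP server's own tooling): the IP logging and the 3-attempt / 30-minute lockout listed above, applied to a constructed log and counted both per account and per source address. The six-column line format, the addresses and the usernames are assumptions, and the lockout check is an approximation that counts failures inside a window and ignores reset-on-success.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed field order (not a real server's format):
# date time client-ip username command reply-code
SAMPLE_LOG = """\
2008-12-10 21:14:03 203.0.113.7 mom PASS 530
2008-12-10 21:14:09 203.0.113.7 aunt PASS 530
2008-12-10 21:14:15 203.0.113.7 brother PASS 530
2008-12-10 21:14:21 203.0.113.7 admin PASS 530
2008-12-10 21:20:40 198.51.100.23 mom PASS 530
2008-12-10 21:21:02 198.51.100.23 mom PASS 230
2008-12-10 22:05:11 192.0.2.50 brother PASS 530
2008-12-10 22:05:30 192.0.2.50 brother PASS 530
2008-12-10 22:06:02 192.0.2.50 brother PASS 530
"""

WINDOW = timedelta(minutes=30)  # the 30-minute renewal from the post
LIMIT = 3                       # the 3-attempt lockout from the post


def failed_logins(log_text):
    """Yield (timestamp, ip, user) for each rejected password (FTP reply 530)."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] != "PASS" or parts[5] != "530":
            continue  # skip other commands, malformed lines, successful logins
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield stamp, parts[2], parts[3]


def over_limit(log_text, key):
    """Return the keys ("ip" or "user") with LIMIT+ failures inside one WINDOW."""
    times = defaultdict(list)
    for stamp, ip, user in failed_logins(log_text):
        times[ip if key == "ip" else user].append(stamp)
    flagged = set()
    for name, stamps in times.items():
        stamps.sort()
        # Sliding window: pair each failure with the one LIMIT-1 places later.
        if any(last - first <= WINDOW
               for first, last in zip(stamps, stamps[LIMIT - 1:])):
            flagged.add(name)
    return flagged


if __name__ == "__main__":
    print("accounts at the lockout limit:", sorted(over_limit(SAMPLE_LOG, "user")))
    print("sources at the limit:         ", sorted(over_limit(SAMPLE_LOG, "ip")))
```

In the constructed data only one account reaches the lockout limit, while counting by source address also surfaces 203.0.113.7, whose failures are spread over four usernames.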

  2. #2
    t3h f3cKiN 33Ji7 calumc's Avatar
    Join Date
    May 2007
    Location
    Co. Sligo, Ireland
    Posts
    1,010

    Default Re: Getting FTP as secure as possible?

    If you're going for simple I'd say ditch the ftp idea. You could either just put them on www with http auth or use some sort of php file manager.
    If you do wanna stay with ftp first thing to do is get it off the default port, close every other port and make sure that fxp is disabled to prevent ftp bounce attacks (I'm presuming you'd have no need for it).
    I have absolutely no clue about Windows ftp software but if possible run it in a chrooted environment. About ssl/tls again I have no idea about Windows but if this server is just for family members I'd say it's overcomplicating things.
    Quote Originally Posted by Crazy Buddhist View Post
    I'm starting to worry that I may become genuinely funny at some point. Then there will be no hope.

  3. #3
    Code Monkey NightrainSrt4's Avatar
    Join Date
    Jun 2007
    Location
    Your cookie jar
    Posts
    2,679

    Default Re: Getting FTP as secure as possible?

    I am avoiding the http thing as I don't know if my internet provider blocks or throttles incoming port 80 traffic, and to get everything set up only to find that out sucks.

    I went with ftp as all they have to do is:

    1: Boot up firefox or IE
    2: Type or bookmark "ftp://myserver.com", edited for obvious reasons.
    3: Login

    And Boom, they are in and can get what they need in a more visual environment than most programs or cli's.

    I just wasn't sure if there was anything else I can do to secure basic ftp. I know it's not encrypted and if anyone is sniffing their packets their password and username are exposed. But I want to make sure that worst case, they are just going to have read access to my pictures, music, and such.

  4. #4
    Administrator OvRiDe's Avatar
    Join Date
    Dec 2005
    Location
    Tulsa, OK
    Posts
    4,586

    Default Re: Getting FTP as secure as possible?

    Not much more you can do and keep it simple.

    You could use something like SFTP, BUT it would mean installing an SSH server on your side, which is pretty easy. The big problem comes in on the other side where your target audience would need to install an SFTP client, such as WinSCP. It's pretty easy to install, but I totally understand that can be a lot easier said than done.

    On the http side, check out Relay (http://www.ecosmear.com/relay/) it's pretty cool, not necessarily the easiest to set up server side, but really cool once it's up and running.

    VPN would be another thing, but again we are back to client side setup.

    This is all stuff you already know, it looks like you have taken about the best possible methods you can to secure your FTP. If your site isn't very high traffic you should be just fine.

    EDIT: One thing you might consider is using an ftp server that is not integrated into Windows. Main reason is it uses virtual user accounts so they are not actual users on the OS. Also in most cases it will automatically lock those users into a single directory. Filezilla is a pretty decent ftp server, and it's free, and will do all that I have mentioned. I am not sure but I think it supports SSL as well.

    Good luck and good job!
    Last edited by OvRiDe; 12-10-2008 at 11:38 PM.

  5. #5
    Code Monkey NightrainSrt4's Avatar
    Join Date
    Jun 2007
    Location
    Your cookie jar
    Posts
    2,679

    Default Re: Getting FTP as secure as possible?

    Ya, I thought about sftp and vpn but in trying to keep it as simple as possible for my mom/aunt and brothers makes going those routes more difficult.

    I get enough headaches with 'how do I use this' or spending hours trying to walk my brother through installing a graphics card with him telling me he's not a retard over and over again, when I've not said a word but give instructions, yet when I give specific instructions to the t, he chooses not to follow them because he thinks he knows best. Two hours later after going back and finally listening it works, lol.

    Relay does seem pretty cool. But functionally wise, doesn't seem to add a whole lot to what ftp through a browser does. I DO like how images get thumbnails though. Not sure how taxing php/mysql/apache/perl would be on a 800Mhz p3. I had a decent size/pretty large database on a 3.0Ghz Celeron with 1gb ram at one point that slowed down quite a bit at points.

    As for traffic, I doubt if there will ever be more than one person accessing it at a time.

    If anyone can think of anything else I can do while keeping it simple for them, please let me know.

  6. #6
    Administrator OvRiDe's Avatar
    Join Date
    Dec 2005
    Location
    Tulsa, OK
    Posts
    4,586

    Default Re: Getting FTP as secure as possible?

    yah.. that's pretty much what I figured with your end users..

    As for Relay.. one benefit is you could use HTTPS, and then your user names and passwords wouldn't be transmitted in clear text.

  7. #7
    Code Monkey NightrainSrt4's Avatar
    Join Date
    Jun 2007
    Location
    Your cookie jar
    Posts
    2,679

    Default Re: Getting FTP as secure as possible?

    Ohh really. That might be my tipping point. You think all that would run fine on a p3 800MHz with 768MB ram?

    If so, the benefits being secure and showing thumbnails on pictures would be worth the effort if it's all the same of going to the address and logging in.

  8. #8
    Code Monkey NightrainSrt4's Avatar
    Join Date
    Jun 2007
    Location
    Your cookie jar
    Posts
    2,679

    Default Re: Getting FTP as secure as possible?

    Is there anything I am missing? Are there any open vulnerabilities I am missing? I understand that by using ftp people could get my users' usernames and passwords and login, but what else could happen? Would worst case mean that they could download everything on my server?

    Over winter break I might look into trying Relay, but for now does having ftp open expose my network or server to anything else other than downloads? At most I will have 10 different users have access, and none are admin accounts.

    The only other service I have going is to allow remote desktop from within the network, as the server runs headless, this gives me access from my main desktop to restart, create user accounts and such, but only accessible from my one admin account. I've not forwarded any ports to have access from outside the network, unless you don't need that to get in?

    I just want to make sure I am doing everything I can within basic reason to cover everything. I understand going with a secure connection would solve most of my worries, but for now am I covered with what I've done? If all that I have to worry about is the possibility of someone downloading my data without my permission, then that I can deal with for now.

  9. #9
    Code Monkey NightrainSrt4's Avatar
    Join Date
    Jun 2007
    Location
    Your cookie jar
    Posts
    2,679

    Default Re: Getting FTP as secure as possible?

    And I just spent more time going through Relay's wiki. It seems like it hasn't been updated in over 2 years, and is still in 0.1beta. Not sure about using something that doesn't really seem to have much support, and of which I can't know much about its stability.

    Also I read on the page that the server freaks if a user tries to upload a file larger than the amount of memory in the server. That would definitely be an issue, as the server only has 768MB, I could get it up to 896MB, but that's the most RAM I have, and the server only supports a max of 1GB. This wasn't a problem the other day, but yesterday my brother asked me to create at least one folder with write access so he could store stuff. Every folder is read only but the one upload folder, but if he uploads something large for some reason, the server could potentially freak.

    Hmmm... guess I will still have to search for more options.

  10. #10

    Default Re: Getting FTP as secure as possible?

    Quote Originally Posted by OvRiDe View Post
    yah.. thats pretty much what I figured with your end users..

    As for Relay.. one benefit is you could use HTTPS, and then your user names and passwords wouldn't be transmitted in clear text.
    This was my first concern .. not everyone realises ftp passwords and usernames are sent as unencrypted ASCII data.

    The other thing you could look into is using webDAV for sharing files, offers more security than ftp.

    http://www.webdav.org/

    Introduction

    WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol that lets users collaboratively edit and manage files on a remote web server.

    You can lock the editing abilities and just let users look. Using WebDAV you install a little file on the users' PCs and they have a drag and drop folder that looks local but is actually on your server. I've not used it but am currently investigating it. I think it would be the simplest solution to your needs.

    WebDAV is recommended over other solutions for puters running Vista which struggle badly with ftp over https.

    CrazyB

    ps just found this: edit2: (think this is fixed in SP1)

    "Connecting to your site's Resources using WebDAV on a computer running Windows Vista does not work reliably. Developers are currently investigating this issue. However, Microsoft has a software update available that may help correct connection problems for some users. For information about the update and how to download it, see article 907306 in Microsoft's knowledge base."

    I think some of this stuff may be related to IPv6 in Vista?
