Hi,

usually I hate announcements that are made before time. But as we expect to release the stuff this week (and the development has been finished), I would like to attract your attention to an FTP-Proxy that some developers here at SuSE have implemented.

This Proxy has been specifically designed for securing any FTP server on your net against malicious clients or other FTP based attacks. Of course the SCP approach is to be preferred, but sometimes you can't go without FTP -- and if it only were because your mainframe has no SSH :-)

And SSH tunneling to port 21 secures your CONTROL connection, but not your DATA connection. Unless you have invented "Inline-FTP". Hmmm.

The highlights of the OpenSource (GPL) project are:

+ FTP-Proxy relays FTP connections, and provides a host of security and
+ auditing features. It can switch active/passive connections, provides
+ auditing (via syslog or rotating log files; both for user actions and
+ for technical issues) and command restrictions. Command restrictions,
+ together with a full range of other configuration options like port
+ ranges or argument checks (with regular expressions) can be dynamically
+ adjusted for every user by utilizing the LDAP protocol. FTP-Proxy is
+ believed to be immune against buffer overflow or "sprintf"-like attacks.
+ And it is fully RFC 959, 1123, 1579 and 2428 compliant.

The "SuSE Proxy-Suite" project will be announced publicly during the next few days. Maybe it will help you. Using FTP-Proxy you can hide any server you like (and are able to administer most easily) from the clients.

Volker

On Fri, 17 Sep 1999, Matthias Pigulla wrote:
"Johann G. Hautzinger" wrote:
not that i am a security specialist, but i'd recommend the ssh-suite for _every_ connection to your server (well ... nearly every ;-) ... using ssh you could do scp, even from one host you are not connected to to another host you are not connected to either (yup, really works) to copy files, everything neat and secure, or even tunnel insecure connections like ftp or pop ...
Well, I already use SSH for all connections over "insecure" networks. The problem is that I have to provide FTP on a production machine, for there are external scripts pushing data onto the machine.
I have no way of changing this - these scripts are run by different companies and part of their systems. I cannot force them to use ssh, so I can only try to secure our FTP services.
Matthias
--
Volker Wiegand              Phone:  +49 (0) 6196 / 50951-24
SuSE Rhein/Main AG          Fax:    +49 (0) 6196 / 40 96 07
Mergenthalerallee 45-47     Mobile: +49 (0) 179 / 292 66 76
D-65760 Eschborn            E-Mail: Volker.Wiegand@suse.de
++ Only users lose drugs. Or was it the other way round? ++