FTP security...

older
RE: [suse-security] FTP security...

Michael Garabedian

13 Mar 2002 13 Mar '02

17:23

...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas... Thanks. Mike

Show replies by date

Sven Michels

13 Mar 13 Mar

17:32

New subject: [suse-security] FTP security...

Michael Garabedian wrote:

...

...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

FTP is mostly insecure ... ftp sucks at all ;) but if you need it: choose and ftpd who has only features you need. check out the suse version of wu-ftpd, it was reviewed by the suse staff. if wu-ftpd doesn't fit for you, take alook to other servers. Check lists like this one for bad news about the ftpd you want to use. keep your system up-to-date, close all services you don't need, install sec-check scripts from marc heuse (http://www.suse.de /~marc or on the cd's), try harden_suse also. Your system will never be 'secure' but you can try to best to keep it secure as possible. -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

Brian Topping

17:35

New subject: [suse-security] FTP security...

----- Original Message ----- From: "Sven Michels" To: Sent: Wednesday, March 13, 2002 12:32 PM Subject: Re: [suse-security] FTP security...

...

Michael Garabedian wrote:

...
...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

FTP is mostly insecure ... ftp sucks at all ;)

Use SCP. I just learned it. It rocks! HTH, Brian

Sven Michels

17:39

New subject: [suse-security] FTP security...

Brian Topping wrote:

...

----- Original Message ----- From: "Sven Michels" To: Sent: Wednesday, March 13, 2002 12:32 PM Subject: Re: [suse-security] FTP security...

...
Michael Garabedian wrote:

...
...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

FTP is mostly insecure ... ftp sucks at all ;)

Use SCP. I just learned it. It rocks!

i don't want any user as real systemuser on my boxes, so scp doesn't work cause it needs real accounts (or you try to hack a pam module for auth against a db like mysql etc.). And you've still the problem with windows users, or do you know any free implementation of ssh2 for scp under windows? -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

Ralf Koch

17:49

New subject: Re[2]: [suse-security] FTP security...

Give PSCP from the PuTTY project a try....

...

Brian Topping wrote:

...
----- Original Message ----- From: "Sven Michels" To: Sent: Wednesday, March 13, 2002 12:32 PM Subject: Re: [suse-security] FTP security...

...
Michael Garabedian wrote:

...
...I am setting up a linux machine to do ftp and was wondering if

there

...
...
...
was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

FTP is mostly insecure ... ftp sucks at all ;)

Use SCP. I just learned it. It rocks!

i don't want any user as real systemuser on my boxes, so scp doesn't work cause it needs real accounts (or you try to hack a pam module for auth against a db like mysql etc.). And you've still the problem with windows users, or do you know any free implementation of ssh2 for scp under windows?

-- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

* * Ralf 'coko' Koch * mailto:info@formel4.de * --- 75% der Internet-Nutzer sehen sich regelmäßig Sex-Seiten an - die restlichen 25% haben ihr Passwort vergessen.....

Tilman Mueller-Gerbes

18:00

New subject: [suse-security] FTP security...

Try http://winscp.vse.cz/eng/ from the web-page, it supports SSH1 and SSH2 protocols, though RSA authentication seems only to be available for SSH1. It is a very good replacement for simple FTP, though ;) cu, Tilman Am Mit, 2002-03-13 um 18.39 schrieb Sven Michels:

...

Brian Topping wrote:

...
----- Original Message ----- From: "Sven Michels" To: Sent: Wednesday, March 13, 2002 12:32 PM Subject: Re: [suse-security] FTP security...

...
Michael Garabedian wrote:

...
...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

FTP is mostly insecure ... ftp sucks at all ;)

Use SCP. I just learned it. It rocks!

i don't want any user as real systemuser on my boxes, so scp doesn't work cause it needs real accounts (or you try to hack a pam module for auth against a db like mysql etc.). And you've still the problem with windows users, or do you know any free implementation of ssh2 for scp under windows?

-- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here -- Tilman Müller-Gerbes Everything's .. under .. control (Hardware)

Henri Yandell

18:11

New subject: [suse-security] FTP security...

There is also PSCP (you'll have to google for it). Both sit on top of putty which is an SSH 1 + 2 client which MS should make default on all Windows machines. I dumped telnet and ftp, told my users that they had to use scp/ssh and things seem to be going well. They barely noticed when I turned off SSH1. Hen On 13 Mar 2002, Tilman Mueller-Gerbes wrote:

...

Try

http://winscp.vse.cz/eng/

from the web-page, it supports SSH1 and SSH2 protocols, though RSA authentication seems only to be available for SSH1.

It is a very good replacement for simple FTP, though ;)

cu, Tilman

Am Mit, 2002-03-13 um 18.39 schrieb Sven Michels:

...
Brian Topping wrote:

...
----- Original Message ----- From: "Sven Michels" To: Sent: Wednesday, March 13, 2002 12:32 PM Subject: Re: [suse-security] FTP security...

...
Michael Garabedian wrote:

...
...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

FTP is mostly insecure ... ftp sucks at all ;)

Use SCP. I just learned it. It rocks!

i don't want any user as real systemuser on my boxes, so scp doesn't work cause it needs real accounts (or you try to hack a pam module for auth against a db like mysql etc.). And you've still the problem with windows users, or do you know any free implementation of ssh2 for scp under windows?

-- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here -- Tilman M�ller-Gerbes Everything's .. under .. control (Hardware)

Sven Michels

18:23

New subject: [suse-security] FTP security...

Henri Yandell wrote:

...

There is also PSCP (you'll have to google for it). Both sit on top of putty which is an SSH 1 + 2 client which MS should make default on all Windows machines.

I dumped telnet and ftp, told my users that they had to use scp/ssh and things seem to be going well. They barely noticed when I turned off SSH1.

the only problem i had was that pscp doesn't work with ssh2 dsa keys.. execpt from that, putty is really nice -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

foez

19:24

New subject: [suse-security] FTP security...

You dont want ssh1 dsa its readable by tools as ettercap Sven Michels wrote:

...

Henri Yandell wrote:

...
There is also PSCP (you'll have to google for it). Both sit on top of putty which is an SSH 1 + 2 client which MS should make default on all Windows machines.

I dumped telnet and ftp, told my users that they had to use scp/ssh and things seem to be going well. They barely noticed when I turned off SSH1.

the only problem i had was that pscp doesn't work with ssh2 dsa keys.. execpt from that, putty is really nice

Lentila de Vultur

14 Mar 14 Mar

07:52

New subject: [suse-security] FTP security...

...

...
Use SCP. I just learned it. It rocks!

i don't want any user as real systemuser on my boxes, so scp doesn't work cause it needs real accounts (or you try to hack a pam module for auth against a db like mysql etc.). And you've still the problem with windows users, or do you know any free implementation of ssh2 for scp under windows?

Timo Dotzauer

09:54

New subject: AW: [suse-security] FTP security...

Hello, i have the same problems with ssh2 and dsa keys. I use it primary for cvs but i also want to use it for scp or sftp. I spend a lot of time for searching, but i found no tool that works. I have tested the follow tools: - pscp - psftp - WinSCP2 - SSHWinClient 3 - putty - PenguiNET - SecureFX - Shaolin SecureFTP - Secexc and many more. I only accept pubkey authentication but putty, WinSCP, etc. want always a password for authentication. Has anyone a solution? Mit freundlichen Gru?en, Timo Dotzauer Systemadministration inovex GmbH Karlsruher Stra?e 71 D-75179 Pforzheim Tel: +49-(0)72 31 - 31 91 79 Fax: +49-(0)72 31 - 31 91 91 mailto:t.dotzauer@inovex.de http://www.inovex.de -----Ursprungliche Nachricht----- Von: Lentila de Vultur [mailto:ledeve@gmx.net] Gesendet: Donnerstag, 14. Marz 2002 08:53 An: Sven Michels Cc: suse-security@suse.com Betreff: Re: [suse-security] FTP security...

...

...
Use SCP. I just learned it. It rocks!

i don't want any user as real systemuser on my boxes, so scp doesn't work cause it needs real accounts (or you try to hack a pam module for auth against a db like mysql etc.). And you've still the problem with windows users, or do you know any free implementation of ssh2 for scp under windows?

use winscp2 - graphical scp client google for it -- Lentila de Vultur CDTT & CGA "Daca mai multe persoane imi spun ca sunt beat ma duc sa-mi curatz ochelarii." GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net -- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Tilman Mueller-Gerbes

10:23

New subject: AW: [suse-security] FTP security...

You could try http://cygwin.com/ which includes the "real" openssh code. I have not tested it myself, though, but expect it to work. No GUI, though, but plain old shell commands [sorry, I am not a regular windows user ;)] cu, Tilman Am Don, 2002-03-14 um 10.54 schrieb Timo Dotzauer:

...

Hello,

i have the same problems with ssh2 and dsa keys. I use it primary for cvs but i also want to use it for scp or sftp. I spend a lot of time for searching, but i found no tool that works.

-- Tilman Müller-Gerbes Everything's .. under .. control (Hardware)

Timo Dotzauer

10:51

New subject: AW: AW: [suse-security] FTP security...

i using the openssh3 client and it works realy good. But i need a GUI for some non technical users, like marketing- or salesmanager. A shell is a bit to tricky for this kind of users. I only need a tool with GUI that supported dsa keys with pubkey authentication. It is so extraordinari what i do and what i want? Mit freundlichen Grüßen, Timo Dotzauer Systemadministration inovex GmbH Karlsruher Straße 71 D-75179 Pforzheim Tel: +49-(0)72 31 - 31 91 79 Fax: +49-(0)72 31 - 31 91 91 mailto:t.dotzauer@inovex.de http://www.inovex.de -----Ursprüngliche Nachricht----- Von: Tilman Mueller-Gerbes [mailto:tmg@saar.de] Gesendet: Donnerstag, 14. März 2002 11:23 An: Timo Dotzauer Cc: suse-security@suse.com Betreff: Re: AW: [suse-security] FTP security... You could try http://cygwin.com/ which includes the "real" openssh code. I have not tested it myself, though, but expect it to work. No GUI, though, but plain old shell commands [sorry, I am not a regular windows user ;)] cu, Tilman Am Don, 2002-03-14 um 10.54 schrieb Timo Dotzauer:

...

Hello,

i have the same problems with ssh2 and dsa keys. I use it primary for cvs but i also want to use it for scp or sftp. I spend a lot of time for searching, but i found no tool that works.

-- Tilman Müller-Gerbes Everything's .. under .. control (Hardware)

Leppo von Arenfels

13:26

New subject: AW: AW: [suse-security] FTP security...

Am Donnerstag, 14. März 2002 11:51 schrieben Sie:

...

I only need a tool with GUI that supported dsa keys with pubkey authentication. It is so extraordinari what i do and what i want?

Mit freundlichen Grüßen,

Timo Dotzauer

Hi, I know the problem. There's WinSCP out there, a free Czech Tool on http://winscp.vse.cz/eng/, but the stable version 1.x needs ssh1 compatibility mode, and that's exactly what we don't want anymore. WinSCP 2.0 is beta. Anyhow, it still doesn't support all we would like to see. Take a look at http://winscp.vse.cz/eng/requirements.php But so far, it seems compatible to graphic desingners and the management;) For the Unix world I don't know any. Greetings, Leppo. -- "Bloß weil du nicht paranoid bist, heißt das noch lange nicht, daß sie nicht hinter dir her sind." (Populäres Sprichwort in den 90ern)

Timo Dotzauer

13:51

New subject: AW: AW: AW: [suse-security] FTP security...

I using WinSCP 2.0 but i think it can only handle ssh1 keys. If i try to use my key, i must enter a password. But my server not permit login with password. Mit freundlichen Grüßen, Timo Dotzauer Systemadministration inovex GmbH Karlsruher Straße 71 D-75179 Pforzheim Tel: +49-(0)72 31 - 31 91 79 Fax: +49-(0)72 31 - 31 91 91 mailto:t.dotzauer@inovex.de http://www.inovex.de -----Ursprüngliche Nachricht----- Von: Leppo von Arenfels [mailto:leppo@arenfels.de] Gesendet: Donnerstag, 14. März 2002 14:27 An: Timo Dotzauer Cc: suse-security@suse.com Betreff: Re: AW: AW: [suse-security] FTP security... Am Donnerstag, 14. März 2002 11:51 schrieben Sie:

...

I only need a tool with GUI that supported dsa keys with pubkey authentication. It is so extraordinari what i do and what i want?

Mit freundlichen Grüßen,

Timo Dotzauer

Andreas Baetz

12:13

New subject: AW: [suse-security] FTP security...

On Thursday 14 March 2002 11:23, Tilman Mueller-Gerbes wrote:

...

You could try

http://cygwin.com/

which includes the "real" openssh code.

I have not tested it myself, though, but expect it to work. No GUI, though, but plain old shell commands [sorry, I am not a regular windows user ;)] I can confirm it does work with dsa keys, both ssh and scp.

Andreas ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been scanned for the presence of computer viruses. **********************************************************************

Robert Szentmihalyi

13 Mar 13 Mar

23:13

New subject: [suse-security] FTP security...

On Wednesday, 13. March 2002 18:23, Michael Garabedian wrote:

...

...I am setting up a linux machine to do ftp and was wondering if there was a secure way to set this up so it is not hacked. I used a Windows machine and it took someone two days to hack it. Any ideas...

How about WebDAV over https? This is much more secure than FTP.

...

Thanks.

Mike

hth, Robert -- Where do you want to be tomorrow? Entracom. Building Linux systems. http://www.entracom.de

8085

Age (days ago)

8086

Last active (days ago)

List overview

Download

16 comments

12 participants

participants (12)

Andreas Baetz
Brian Topping
foez
Henri Yandell
Lentila de Vultur
Leppo von Arenfels
Michael Garabedian
Ralf Koch
Robert Szentmihalyi
Sven Michels
Tilman Mueller-Gerbes
Timo Dotzauer

FTP security...

Michael Garabedian

Sven Michels

Brian Topping

Sven Michels

Ralf Koch

Tilman Mueller-Gerbes

Henri Yandell

Sven Michels

foez

Lentila de Vultur

Timo Dotzauer

Tilman Mueller-Gerbes

Timo Dotzauer

Leppo von Arenfels

Timo Dotzauer

Andreas Baetz

Robert Szentmihalyi

tags

participants (12)