Hello susers (SuSE users :) ),

Our provider's network is kind of a "hackers' heaven" - lots of hacked servers. And we are making connections only through ssh and ftp (doh). SSH is OK. ftp is a problem. We can accept the fact that somebody sniffs the ftp username/pass, because we closed all services from all other nets than ours, except in.ftpd. We can't use tcpd or ipchains there, because some users are connecting to the server from some dial-ups.

The question would be: how to restrict in.ftpd access depending on username/remote_host pairs?

Example scheme:

    user1:*                 # all (we conditionally don't care about the user's data, we have backups)
    user2:some.domain.com   # only one IP - the rest is denied (we have backups but we would like to make one more small security step)
    user3:none              # deny all (he does not need ftp access at all)

OK, I can include user3 in ftpusers, but how about user1 and user2?

Any ideas? Which of the ftpds has such a feature? Alternate solution?

Thanks!

--
Best regards,
Gediminas Grigas
> Hello susers (SuSE users :) ),
>
> Our provider's network is kind of a "hackers' heaven" - lots of hacked servers. And we are making connections only through ssh and ftp (doh). SSH is OK. ftp is a problem. We can accept the fact that somebody sniffs the ftp username/pass, because we closed all services from all other nets than ours, except in.ftpd. We can't use tcpd or ipchains there, because some users are connecting to the server from some dial-ups. The question would be: how to restrict in.ftpd access depending on username/remote_host pairs?
ftpusers, PAM, etc. www.sysadminmag.com - check the September feature. Also the LSKB covers this, and the ftp documentation for wuftpd/proftpd/etc. covers this too.
> Gediminas Grigas
Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
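Added example, not part of the thread: one way to express the user/host scheme from the question through the PAM route named in the reply, using the pam_access module. It assumes a PAM-enabled ftpd that passes the client host to PAM; the service file name /etc/pam.d/ftp and the rules file path are assumptions, and user1/user2/user3 are the placeholder names from the question.

```conf
# --- /etc/pam.d/ftp (assumed service name; use the file your ftpd's PAM service reads)
# Runs in the account stack, i.e. after the password has been accepted.
account  required  pam_access.so  accessfile=/etc/security/ftp-access.conf

# --- /etc/security/ftp-access.conf (hypothetical path, read only by the line above)
# Format:  permission : users : origins
# Lines are checked top to bottom and the first match decides.

# user1 may connect from anywhere (dial-up users)
+ : user1 : ALL

# user2 only from one host
+ : user2 : some.domain.com

# user3 never (same effect as listing the account in ftpusers)
- : user3 : ALL

# Default deny: user2 from any other host, and every account not listed above.
# Without this line, unmatched logins are allowed.
- : ALL : ALL
```

Origins given by name depend on DNS for the match; an address or network in the origins field is the stricter choice.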
Hi,

> Our provider's network is kind of a "hackers' heaven" - lots of hacked servers. And we are making connections only through ssh and ftp (doh). SSH is OK. ftp is a problem.
> Alternate solution?

Why can't you use SSH for file transfer as well?
- Using scp -- a bit different than ftp, but works well (like cp, even with wildcards)
- Using sftp -- requires SSH 2 (not OpenSSH on both sides)
- Using hsftp (my favourite). Uses SSH (1 or 2) but looks like FTP. I think you need a complete account and SSH on the other side, but otherwise it works fine (but has no graphical interface) http://freshmeat.net/projects/hsftp/?highlight=hsftp
- Tunneling FTP yourself via SSH
- Using AFS or other not so common solutions.

Tobias

PS: I would like to see hsftp being included in SuSE Linux.