INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: OT FTP  (Read 2227 times)

benn600

  • Citizen of the Universe
  • *****
  • Posts: 3849
  • Living: Santa Monica CA Hometown: Cedar Rapids IA
OT FTP
« on: March 15, 2007, 11:54:24 am »

I just now discovered that FTP may be the best solution for my situation.  It seems like it offers the simple file upload/download capabilities I want without all the confusion and lack of work-a-bility (lol) of sites like box.net which seem to be giving me trouble.

My question is...theoretically, I could honestly give full FTP read access to my WHOLE 4.5 TB server drive and then I could access any files any time with a simple username and password.  The biggest problem is that someone could probably easily break into the system.  Any ideas on the best option?  As of now, I'm thinking I'll just make a special FTP folder, perhaps where I store my document files.  It appears Word can work directly over an FTP server and in that case, I could open files right from my FTP server, work on them, and save them back home.

The biggest reason for all this effort is because I recently misplaced my 4 GB flash drive and I REFUSE to use a 1 GB or 2 GB flash drive I have laying around.  I demand that I find my flash drive.

But this seems like a great solution anyway!  It also seems like an easy way to offer storage to anyone else!  Anyone here want a lil' space to store stuff?  I can't guarantee any security or safety but it would be good for neutral storage of files...and the FTP program I'm using doesn't appear to limit each user so you'd have 1.6 TB of free FTP space (lol).
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OT FTP
« Reply #1 on: March 15, 2007, 12:07:49 pm »

I use Filezilla Server to access my media RAID volume from elsewhere.  Works great.  Can be a slight bit troublesome to get it set up to work through the firewall, but not too bad.

I'd be wary of enabling write access via FTP though....  If someone does get in, they'd be able to delete everything!  I'd also look into using sFTP instead of vanilla FTP, which sends everything over the net in the clear (including passwords).  Filezilla Server can handle both varieties.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

hit_ny

  • Citizen of the Universe
  • *****
  • Posts: 3310
  • nothing more to say...
Re: OT FTP
« Reply #2 on: March 15, 2007, 12:43:37 pm »

Use a ftpd that enforces IP address check. Not on the whitelist, don't get in.

How secure is your firewall etc ?

After that the question becomes how robust is the ftpd, there you need to check on vulnerabilities on bugtraq & the like etc., keep it regularly patched etc. How to run it on a locked down windows box.

If you are not afraid of the cmd line, you might find the most secure solution would be something along the lines of BSD for the OS along with a corresponding ftpd, there are many to choose from, have fun.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OT FTP
« Reply #3 on: March 15, 2007, 01:28:31 pm »

IP address based securing is not only inconvenient (because, for me at least, the entire point is to be able to access my media when at random mom's house or wireless access point from my laptop), but really only provides a false sense of security.

Any idea how simple it is to spoof your address to get around those types of security systems?  If you don't use sFTP, since everything transmits in cleartext, all you have to do is sniff the network traffic, find an "allowed" address range, spoof the address (and you probably already grabbed the password), and you're in...

sFTP is definitely the way to go.  I also agree... Locking down the box is a good idea.  Of course, on mine, the system only has read access to the files, and the files are just my media stuff.  If someone gets in.... Oh well.  They can pirate my stuff if they want!
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

John Gateley

  • Citizen of the Universe
  • *****
  • Posts: 4957
  • Nice haircut
Re: OT FTP
« Reply #4 on: March 15, 2007, 01:35:34 pm »

Any idea how simple it is to spoof your address to get around those types of security systems?  If you don't use sFTP, since everything transmits in cleartext, all you have to do is sniff the network traffic, find an "allowed" address range, spoof the address (and you probably already grabbed the password), and you're in...

Agree: cleartext + passwords = bad.

Disagree: spoofing is simple. Spoofing is a "blind" attack. You send packets, but you never receive a response. The response is sent to the fake address, so you never see it. Spoofing *is* done, and is actually fairly common, but I would not qualify it as simple. And in this case you'd be limited to deleting files, or trying to exploit a buffer overrun to install some sort of backdoor that you *could* access without spoofing.

j

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OT FTP
« Reply #5 on: March 15, 2007, 01:56:35 pm »

Disagree: spoofing is simple. Spoofing is a "blind" attack. You send packets, but you never receive a response. The response is sent to the fake address, so you never see it. Spoofing *is* done, and is actually fairly common, but I would not qualify it as simple. And in this case you'd be limited to deleting files, or trying to exploit a buffer overrun to install some sort of backdoor that you *could* access without spoofing.

Very true.  However, those two things "deleting files" and "exploiting security vulnerability in the server software" are the two things I'd be most concerned with.  If they just want to get in to download some files?  I don't really care.  Have at it!
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

hit_ny

  • Citizen of the Universe
  • *****
  • Posts: 3310
  • nothing more to say...
Re: OT FTP
« Reply #6 on: March 15, 2007, 02:30:20 pm »

Allrighty, complete change of tactics. Setup a ssh server.

On the client side use a ftp bridge like bitvise tunnelier, then use your ftp client to connect to tunnelier and download everything (encrypted)  over ssh via your ftp client

No ftpd required :)

PS.
you can use AUTH TLS or similar for secure ftpd, ctrl channel is default crypted i think, but you need a ftpd that supports this as well as an ftp client that can do AUTH TLS
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OT FTP
« Reply #7 on: March 15, 2007, 03:13:17 pm »

SSH File Transfer Protocol == sFTP   ;D

http://en.wikipedia.org/wiki/SSH_file_transfer_protocol
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

KingSparta

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 20063
Re: OT FTP
« Reply #8 on: March 15, 2007, 06:32:24 pm »

I Use The Gene6 Pro FTP Server, I Am Also A Beta Tester For Them.

It Works Well, And Allows For Many Ways To Encode Your Log-On Information, And Also Supports SSL.

What Ever You Do I Would Stay Away From Bullet Proof FTP, There Has Been No Real Development Since It Was Sold Off About 4 Years Ago.
Logged
Retired Military, Airborne, Air Assault, And Flight Wings.
Model Trains, Internet, Ham Radio, Music
https://MyAAGrapevines.com
https://centercitybbs.com
Fayetteville, NC, USA

johnnyboy

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 626
Re: OT FTP
« Reply #9 on: March 15, 2007, 06:40:55 pm »

I Use The Gene6 Pro FTP Server, I Am Also A Beta Tester For Them.

It Works Well, And Allows For Many Ways To Encode Your Log-On Information, And Also Supports SSL.

What Ever You Do I Would Stay Away From Bullet Proof FTP, There Has Been No Real Development Since It Was Sold Off About 4 Years Ago.

I use Bullet Proof FTP Server and although there's been no real development, thats fine. It does exactly what I want it to do.
If your the paranoid type then just set it up with read only access, then worst case scenario, some hacker decides to try crack your system out of the millions out there, he spends ages, gets your password and logs in and can see your files and read them - big deal? Do you really care that much IF someone decides to hack you, IF they get your password, they can then view your files? oh wow - end of the world :P lol.

I have my whole computer shared via my ftp server.
BP ftp server is great because its a stand alone server I just load up whenever I want and so has absolutely ZERO system impact when its not being used or loaded.

I even have write access set to most of my files and I only use normal ftp.
Is it dangerous - sure, but then again so is stepping out to cross the road - everything in life has risks, the real secret is learning how big these are and balancing them with getting on with your life.
In your case you have everything backed up anyway - someone decides to pick on you, they then manage to actually get in, they delete some files - you then restore them - not a big issue.

Also, most ftp servers have options to ban IP addresses after X invalid attempts or at any sign of an attack. They then just ignore everything that comes from that IP so your pretty safe.
Logged
Pages: [1]   Go Up