Date: Tue, 6 Mar 2007 15:13:04 -0800 (PST)
From: Paulette McGee <paulette_mcgee@yahoo.com>
To: Bill Moran <wmoran@potentialtech.com>, Vizion <vizion@vizion.occoxmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ftp set up
Message-ID: <904298.74508.qm@web62315.mail.re1.yahoo.com>
In-Reply-To: <20070306082414.dc4ccb09.wmoran@potentialtech.com>
--- Bill Moran <wmoran@potentialtech.com> wrote:

> Please wrap your lines around 72 characters.
>
> In response to Vizion <vizion@vizion.occoxmail.com>:
>
> > I wonder if someone could point me to a reliable detailed
> > resource for configuring an ftp server on freebsd 6.1 for both
> > incoming and outgoing files (including anonymous ftp).
> >
> > I do not want anonymous uploaders to view existing file names in
> > ftp/incoming or be able to download from incoming. I want the
> > server as secure as is reasonably practicable. The notes in the
> > freebsd handbook are not really comprehensive enough for me.
>
> Please don't do this. Please don't even try.
>
> Never try to use the word "secure" in the same sentence as "ftp".
> They don't fit in the same sentence.
>
> Set up ssh, then have Windows users use WinSCP.
>
> Let me tell a little story. A few years back I was asked to set up
> "secure ftp" for a client. I argued, but he insisted, and "the
> customer is always right", so I set it up for him.
>
> The plan, to keep it secure, was to enable the FTP server when it
> was needed, and disable it when the transfer was complete.
>
> Well, one day he forgot to turn it off. A few weeks later he went
> to enable it for another transfer and noticed a bunch of files on
> the server he didn't recognize.
>
> Someone had guessed the password and was using his FTP server to
> transfer files of a most unsavory nature.
>
> After we destroyed the files, changed the passwords, etc -- he
> decided to keep using the FTP (in spite of the incident). The only
> problem, he argued, was that we'd forgotten to turn it off.
>
> But the crook now had our address. The next time he enabled that
> server, it wasn't more than a few hours before the crook was using
> it to move around his files again. The guy must have set up some
> monitoring to alert him when the FTP site came up, then he either
> had a sniffer to get the password or he was able to brute-force it
> really fast.
>
> I tell that story when people tell me that the data they're
> transferring isn't sensitive, and therefore using FTP isn't a
> security risk. It still is. The only time it's OK to use FTP is
> when it's download only and the files are publicly available. Any
> other time, FTP is a liability.
>
> --
> Bill Moran
> http://www.potentialtech.com

Just an informational bit for the Windows users that will transfer
files:

WinSCP
http://winscp.net/eng/index.php

FileZilla
http://filezilla.sourceforge.net/

Portable FileZilla
http://portableapps.com/

PS: The portable version of FileZilla doesn't require an install on
Windows.