Geek Culture / secure ftp

Karlos
21
Years of Service
User Offline
Joined: 18th Nov 2002
Location: United Kingdom
Posted: 25th Apr 2004 12:21 Edited at: 25th Apr 2004 12:54
Ok,
I have an auto patching system running which connects via ftp to download.
The problem is that the username/password for the folder can be intercepted allowing anyone to modify/delete the files on the server.

Server is apache/linux.

Any thoughts on how to make this safer?


chmod half works - but anyone can change the chmod settings to 777 should they wish to be evil.
Cheers

Karlos

If it ain't broke - try harder.
XP Pro - Radeon 9000 Mobility- P4 3.0ish
Football management - Football Manager
Richard Davey
Retired Moderator
22
Years of Service
User Offline
Joined: 30th Apr 2002
Location: On the Jupiter Probe
Posted: 25th Apr 2004 15:26
Why not just make your program do any anonymous login? I see no reason at all why it would ever need to have a full FTP login if all it does is download updates.

Cheers,

Rich

With our species on the edge of extermination,
with no prospect but a horrible death,
we actually played games.
Karlos
21
Years of Service
User Offline
Joined: 18th Nov 2002
Location: United Kingdom
Posted: 25th Apr 2004 17:07
Cheers Rich - I'll see if my host allows it - not too sure at the moment

Karlos

If it ain't broke - try harder.
XP Pro - Radeon 9000 Mobility- P4 3.0ish
Football management - Football Manager
spooky
22
Years of Service
User Offline
Joined: 30th Aug 2002
Location: United Kingdom
Posted: 25th Apr 2004 19:41
Remember that FTP user logins can have all sorts of different rights. Just have one that is read-only, so that the FTP user your program uses can only download files. You can even make it so it cannot list the files on the server but has to know what they are called. So if anyone does get your FTP username and password using a network packet sniffer of some sort, it will be next to useless for them.

You can always have an admin FTP user that you use yourself to upload files.

Boo!
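
A way to check that a download-only account really is as limited as the post above describes, and that the chmod change mentioned in the opening post is refused. This is an added example, not code from any poster in this thread; `audit_patch_account`, `StubFTP` and the probe file names are hypothetical, and the stub stands in for a real server so the check runs offline.

```python
import ftplib
import io
import uuid


def audit_patch_account(ftp, known_file):
    """Return what a logged-in download-only account can do but should not."""
    probe = "probe-" + uuid.uuid4().hex  # unique name, never an existing file
    findings = set()

    def allowed(action):
        try:
            action()
            return True
        except ftplib.error_perm:  # 5xx reply: the server refused
            return False

    if allowed(ftp.nlst):
        findings.add("list")
    if allowed(lambda: ftp.mkd(probe + ".d")):
        findings.add("mkdir")
        allowed(lambda: ftp.rmd(probe + ".d"))  # clean up the probe directory
    if allowed(lambda: ftp.storbinary("STOR " + probe, io.BytesIO(b"x"))):
        findings.add("upload")
        # SITE CHMOD is a common server extension, not part of core FTP.
        if allowed(lambda: ftp.sendcmd("SITE CHMOD 777 " + probe)):
            findings.add("chmod")
        if allowed(lambda: ftp.delete(probe)):  # also removes the probe file
            findings.add("delete")
    # The one thing the patcher needs: fetching a file it knows by name.
    if not allowed(lambda: ftp.retrbinary("RETR " + known_file, lambda b: None)):
        findings.add("cannot-download")
    return findings


class StubFTP:
    """Constructed stand-in for ftplib.FTP so the example runs offline."""
    def __init__(self, permits):
        self.permits = set(permits)
    def _do(self, op):
        if op not in self.permits:
            raise ftplib.error_perm("550 Permission denied.")
        return "200 OK"
    def nlst(self): return self._do("list")
    def mkd(self, d): return self._do("mkdir")
    def rmd(self, d): return self._do("mkdir")
    def storbinary(self, cmd, fp): return self._do("upload")
    def sendcmd(self, cmd): return self._do("chmod")
    def delete(self, f): return self._do("delete")
    def retrbinary(self, cmd, cb): return self._do("download")
```

Against your own server, pass a logged-in `ftplib.FTP` object instead of the stub; an empty result means the account can fetch a named file and nothing else.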
Martyn Pittuck
22
Years of Service
User Offline
Joined: 27th Aug 2002
Location: United Kingdom
Posted: 26th Apr 2004 14:25
Maybe you should use an HTTP download instead?

FTP is very, very unsecure. I proved it to a 'client' the other day, just used a packet sniffer and the password was mine.

The problem these days is not protecting your fancy server, but protecting the people who use it from trojans. It only takes a couple of account passwords to make a DOS attack which will cripple the server.

The thing is I still get phone calls from people in cyber cafes asking me to check out the changes they made to their site (in error I pointed them to an online FTP tool to allow them to use their server as an emergency file backup tool).

Some people never learn...

Whats so good about living anywho?
Karlos
21
Years of Service
User Offline
Joined: 18th Nov 2002
Location: United Kingdom
Posted: 26th Apr 2004 15:39
Cheers all,
Does look like HTTP is the way - I'm sure that there's an HTTP download function in one of the Windows DLLs somewhere. Need to control it myself as I am showing a progress bar amongst other things when patching.

Karlos

If it ain't broke - try harder.
XP Pro - Radeon 9000 Mobility- P4 3.0ish
Football management - Football Manager
Richard Davey
Retired Moderator
22
Years of Service
User Offline
Joined: 30th Apr 2002
Location: On the Jupiter Probe
Posted: 26th Apr 2004 16:51
Quote: "FTP is very, very unsecure."


FTP *can* be very very unsecure - if the ISP doesn't know jack about server security or configuration. With the right sys admin, it's no more/less secure than anything else. It's also far more efficient than HTTP which was never designed for large file transfer and consequently can clog up entire web servers just by opening too many connections.

Host with someone decent (Pair Pair Pair) and you needn't worry yourself about this.

With our species on the edge of extermination,
with no prospect but a horrible death,
we actually played games.
