FreeWebHostingTalk Forums  
10-16-2006, 07:49 PM   #1
ZendURL
Community Liaison
 
Join Date: Dec 2005
Posts: 551

Secure FTP
Is using standard FTP a security risk, and if so should I switch to Secure FTP? I've had a user bring this question to me (about switching) and I am unsure if it would make any difference.
__________________
L4RGE.com Free NO ADS Hosting With Fully Featured cPanel, PHP, MySQL, and More!
TomorrowHosting.com One cent hosting, with great affiliate program for free hosting users.

10-18-2006, 12:59 AM   #2
jcink
Senior Member
 
Join Date: Sep 2005
Posts: 142

Hmm my box is CentOS... I don't know what you mean by standard FTP?

I use Pure-FTPd which is very secure. The one that came with the box though was VSFTPd which stands for "Very Secure FTPd" and that is secure too. I didn't use vsftpd because I couldn't find a place to set quotas.

ProFTPD is the one FTP server that has had serious problems.

It's been a while since then, though.

Proftpd exploits found: (6)
http://secunia.com/product/1250/?task=advisories

Pureftpd exploits found: (1)
http://secunia.com/product/3655/

vsftpd exploits found: (a whopping... 0 )
http://secunia.com/product/6396/

Or do you mean, like... FTPS?

http://en.wikipedia.org/wiki/FTPS

10-18-2006, 05:21 PM   #3
ZendURL
Community Liaison
 
Join Date: Dec 2005
Posts: 551

I use Pure-FTPd as well, and it is very secure. However, my user quoted this forum post:

Quote:
FTP is insecure. Passwords are sent in plaintext for anyone to snoop.
SFTP is secure, but to use SFTP you generally have to give a user SSH access. Which is not always desirable.

So, to give a user SFTP access without SSH access, set their shell to /usr/libexec/openssh/sftp-server instead of /bin/sh or /bin/bash.

If your sftp-server is not there, use locate sftp-server to find it.

Basically through SSH. I personally do not want to install it since it gives a user SSH access. Really I was wondering if there were any REAL advantages to it (I understand the SSH disadvantage).

10-18-2006, 05:52 PM   #4
xeepo
Junior Member
 
Join Date: Jul 2006
Posts: 20

Your user is totally correct: standard FTP sends passwords in plain text, so they could be 'sniffed' out.

I use SFTP for my personal sites but you definitely have to allow SSH access for the user. This is very unlikely with free hosting.

10-18-2006, 08:32 PM   #5
jcink
Senior Member
 
Join Date: Sep 2005
Posts: 142

He is right...

but, I honestly don't think it's that big of a deal.

10-18-2006, 08:58 PM   #6
ZendURL
Community Liaison
 
Join Date: Dec 2005
Posts: 551

Okay, that was mainly my question: Is it worth looking into? And it seems the answer is no.
Thanks

10-19-2006, 01:54 AM   #7
jcink
Senior Member
 
Join Date: Sep 2005
Posts: 142

Threads like this make me really curious about this stuff, so this is what I've done.

I went and downloaded a packet sniffer, WinDump. I played around with it and I see how this thing works. I THINK this is the MAX that it can do (if not, someone please correct me):

You can basically use it to monitor people's stuff if you're on their same network. I did:

windump -a -w file.txt -i 2 -nN -xX -s 1500 host 192.168.1.(my number) and not port 5631

And it started monitoring my computer. I tried signing into FTP and viewing webpages and stuff, and checked file.txt and well... all that stuff was logged.... I could see my passes, etc. I did the same thing to my brother who's on my local network and got the same results.

I tried doing it to a friend's IP address and they went to pages, but I couldn't see anything. Appears that this thing is a local network thing only.

So I can see this being a prob:

-If people DON'T take care of their wireless (cuz I could hook up to my neighbor's thing right now which I know is insecure and probably steal info :S)
-If you have bad people on your local network (<_<)
-If someone installs a packet sniffer on your computer without you knowing it and has the info sent to them.
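
Added example (not part of any post in this thread): a small audit an operator can run over a transcript of their own server's FTP control channel to see which logins crossed the wire readable and which were protected by FTPS. The function names and the sample transcript are constructed for illustration; the case worth noticing is session s3, where the server refuses AUTH TLS and the client falls back to a cleartext login.

```python
# Constructed sample: (session id, direction C/S, line) as visible on port 21.
SAMPLE = [
    ("s1", "S", "220 FTP server ready"),
    ("s1", "C", "USER alice"),
    ("s1", "S", "331 Password required"),
    ("s1", "C", "PASS hunter2"),
    ("s1", "S", "230 Login successful"),
    ("s2", "S", "220 FTP server ready"),
    ("s2", "C", "AUTH TLS"),
    ("s2", "S", "234 Proceed with negotiation"),  # TLS records follow, unreadable
    ("s3", "S", "220 FTP server ready"),
    ("s3", "C", "AUTH TLS"),
    ("s3", "S", "500 Unknown command"),           # no FTPS support on the server
    ("s3", "C", "USER bob"),
    ("s3", "S", "331 Password required"),
    ("s3", "C", "PASS s3cret"),
    ("s3", "S", "530 Login incorrect"),
]

def audit_ftp_control(events):
    """Summarise each session; password values are never stored."""
    report, awaiting_auth = {}, set()
    for sid, direction, line in events:
        s = report.setdefault(sid, {"tls": False, "user": None,
                                    "password_exposed": False, "login_ok": False})
        if s["tls"]:
            continue                      # anything after 234 is ciphertext
        if direction == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                awaiting_auth.add(sid)    # outcome decided by the next reply
            elif verb == "USER":
                s["user"] = arg.strip()
            elif verb == "PASS":
                s["password_exposed"] = True
        else:
            code = line[:3]
            if sid in awaiting_auth:
                awaiting_auth.discard(sid)
                s["tls"] = code == "234"  # only 234 means TLS was accepted
            elif code == "230":
                s["login_ok"] = True
    return report

def exposed_accounts(events):
    """Accounts whose password crossed the wire readable, even if login failed."""
    return sorted(s["user"] for s in audit_ftp_control(events).values()
                  if s["password_exposed"] and s["user"])
```
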

10-19-2006, 06:19 PM   #8
ZendURL
Community Liaison
 
Join Date: Dec 2005
Posts: 551

Thanks for all of this info. I think I now understand it fully with what you just posted. Thanks

12-11-2006, 03:52 AM   #9
Utrust-Hosting
Junior Member
 
Join Date: Dec 2006
Posts: 13

For SSL secure FTP you would need a dedicated IP address and SSL installed on your site. They're priced at about $49 per year and you can't get them free.
__________________
Utrust-Hosting.com - Free and great paid services