[Cialug] SSH w/ chroot

Josh More morej at alliancetechnologies.net
Thu Feb 21 14:28:01 CST 2008


It's a tad out of date, but this is a wonderful reference anyway.  
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

"as securely as possible" will vary dramatically based on
implementation needs, so you'll not find a standard document.

However, my suggestions in a nutshell:

1) If you are supporting non-technical people, do a PHP upload form and
secure apache to force https and prevent reading of the target
directory.
2) If you are supporting technical people in multiple environments, use
ftps and only support a handful of FTP clients.  Lock your ftps server
to only accept the strong encryption protocols.  Proftpd is good for
this.
3) If you are supporting technical people that are in house, use
openssh and scp or sftp.  Lock it down with the standard openssh rules
(version 2 only, limit access with both /etc/hosts.deny and iptables,
etc etc etc).



-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701



>>> "Stuart Thiessen" <sthiessen at passitonservices.org> 02/21/08 2:18 PM
>>> 
I am curious. I do try to avoid ftp where possible. Is there a place
that describes the various alternatives and the pros and cons of each
along with recommendations how to set it up as securely as possible?

Stuart
--------------------
Stuart Thiessen
Voice: 800-919-8853
SVP-Work: 515-278-6382
Sent from my BlackBerry* wireless device

-----Original Message-----
From: "Matthew Nuzum" <newz at bearfruit.org>

Date: Thu, 21 Feb 2008 13:51:24 
To:"Central Iowa Linux Users Group" <cialug at cialug.org>
Subject: Re: [Cialug] SSH w/ chroot


On Thu, Feb 21, 2008 at 9:46 AM, David Champion
<dchampion at visionary.com> wrote:

 So, uh, this happened...
 
 http://undeadly.org/cgi?action=article&sid=20080220110039
 
 -dc
 
That looks exciting! FTP is so dead (to me) and the only secure,
firewall friendly alternative is dav over https which has a host of
other complications associated with it.

-- 
Matthew Nuzum
newz2000 on freenode
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug