FTP and Security (alt.www.webmaster, May 2005)
| Byron 2005-05-20 |
| Hi,
Normally I host sites off of my own server, but I have a new client who
has a W2k dedicated server at a big hosting company. The IT guy at this
company is really reluctant to give us FTP access to the site for
security reasons.
At first he only wanted to give us Remote Desktop access. When I asked
for FTP, he gave us an FTP to an empty folder -- not the site root
folder. So he wants us to Remote Desktop in to the server, copy the site
files to this test folder, and then FTP back and forth from our local
dev machines to this temp folder (which doesn't have a web site for us
to check our work on the live environment), and then go back in with RDC
to copy the changed files in the temp folder over the live folder. Oh,
and he wants us to turn off the FTP site when we aren't using it.
This sounded convoluted to me; I mean whatever security issues he fears
with FTP are quadrupled in RDC, right?
And why anyone this paranoid about security is using a Windows machine
surprises me. Most of those guys refuse outright to work with Microsoft
products.
Anyway, since I'm a web developer but not a security expert by any
means, I was wondering if his work plan sounded bizarre to anyone else,
and what FTP security problems he might be trying to avoid, and
alternate, more work-friendly schemes I might be able to propose (other
than, "Chill out and let us FTP to the fricking site root already!").
Thanks.
| |
| Matt Probert 2005-05-20, 8:14 am |
| Once upon a time, far far away Byron <spamagnet@dorrk.com> spluttered
>Hi,
>
>Normally I host sites off of my own server, but I have a new client who
>has a W2k dedicated server at a big hosting company. The IT guy at this
>company is really reluctant to give us FTP access to the site for
>security reasons.
He should give your client FTP access, and he can then give it to you.
Matt
--
The Probert Encyclopaedia - Beyond Britannica
http://www.probertencyclopaedia.com
| |
| Toby Inkster 2005-05-20, 7:38 pm |
| Byron wrote:
> This sounded convoluted to me; I mean whatever security issues he fears
> with FTP are quadrupled in RDC, right?
RDC is encrypted. FTP is not encrypted -- passwords are passed across the
Internet in clear text.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
| |
| George Sexton 2005-05-20, 7:39 pm |
| On Fri, 20 May 2005 01:04:57 -0700, Byron wrote:
> Hi,
>
> Normally I host sites off of my own server, but I have a new client who
> has a W2k dedicated server at a big hosting company. The IT guy at this
> company is really reluctant to give us FTP access to the site for security
> reasons.
FTP is inherently broken. Everything is transmitted in the clear. We don't
even offer FTP at all for our hosted customers, only SFTP. Since there are
free clients like WinSCP, and FileZilla that support SFTP, and the
commercial programs like Dreamweaver, WSFTP, CuteFTP, support it there is
no valid reason for us to offer FTP.
For people running Server Operating Systems that are not as full featured
as others, the Cygwin suite is available to give an SFTP server.
Suggest to the Windows Sysadmin that he install Cygwin.
--
George Sexton
MH Software, Inc. - Home of Connect Daily Web Calendar
http://www.mhsoftware.com/conectdaily.htm
| |
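What Toby and George mean by "everything is transmitted in the clear", made concrete as an added example (this is not code from the thread or from any of the posters). The capture below is constructed by hand in the style of a reassembled TCP stream, with client lines tagged "C:" and server lines "S:"; the user name, password, addresses and file names in it are invented. A real sniffer would produce the same text from packets on the wire, and everything the parser recovers is exactly what anyone on the path between the developer and the server can recover, including the passive-mode data port the file contents then flow over.

```python
"""Reconstruct logins from a cleartext FTP control channel.

Added example, not code from the thread. CAPTURE is a constructed
transcript; a sniffer on the path would produce the same thing.
"""
import re
from dataclasses import dataclass

# Constructed control-channel transcript: one failed login (a typo),
# one successful login, then a passive-mode upload of index.html.
CAPTURE = """\
S: 220 FTP Service ready.
C: USER webdev
S: 331 Password required for webdev.
C: PASS s3cret-pa5
S: 530 User webdev cannot log in.
C: USER webdev
S: 331 Password required for webdev.
C: PASS s3cret-pa55
S: 230 User webdev logged in.
C: CWD /inetpub/wwwroot
S: 250 CWD command successful.
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80).
C: STOR index.html
S: 150 Opening ASCII mode data connection for index.html.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""


@dataclass(frozen=True)
class Login:
    user: str
    password: str
    succeeded: bool


USER_RE = re.compile(r"^C: USER (\S+)")
PASS_RE = re.compile(r"^C: PASS (\S+)")
REPLY_RE = re.compile(r"^S: (\d{3})")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_endpoint(reply: str):
    """Decode a 227 reply into (ip, port); the data port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_ftp_session(capture: str):
    """Return every (user, password, outcome) triple visible in the stream."""
    logins = []
    user = None
    pending = None  # (user, password) waiting for the server's verdict
    for line in capture.splitlines():
        if m := USER_RE.match(line):
            user = m.group(1)
        elif (m := PASS_RE.match(line)) and user is not None:
            pending = (user, m.group(1))
        elif (m := REPLY_RE.match(line)) and pending is not None:
            code = m.group(1)
            if code == "230":                       # login accepted
                logins.append(Login(*pending, True))
                pending = None
            elif code.startswith("5") or code == "421":  # rejected / dropped
                logins.append(Login(*pending, False))
                pending = None
    return logins


def data_channels(capture: str):
    """Every passive-mode data endpoint the server announced in the clear."""
    endpoints = []
    for line in capture.splitlines():
        if line.startswith("S: 227"):
            ep = pasv_endpoint(line)
            if ep:
                endpoints.append(ep)
    return endpoints


if __name__ == "__main__":
    for login in parse_ftp_session(CAPTURE):
        print(login)
    print(data_channels(CAPTURE))
```

Note that the failed attempt leaks a near-miss of the real password, and the 227 reply tells the same observer where to pick up the uploaded file. Against SFTP the only cleartext an observer sees is the SSH version banner exchanged before key agreement; nothing in the stream after that can be parsed this way.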
|
| On Fri, 20 May 2005 01:04:57 -0700, Byron wrote:
> Hi,
>
> Normally I host sites off of my own server, but I have a new client who
> has a W2k dedicated server at a big hosting company. The IT guy at this
> company is really reluctant to give us FTP access to the site for
> security reasons.
>
> At first he only wanted to give us Remote Desktop access. When I asked
> for FTP, he gave us an FTP to an empty folder -- not the site root
> folder. So he wants us to Remote Desktop in to the server, copy the site
> files to this test folder, and then FTP back and forth from our local
> dev machines to this temp folder (which doesn't have a web site for us
> to check our work on the live environment), and then go back in with RDC
> to copy the changed files in the temp folder over the live folder. Oh,
> and he wants us to turnoff the FTP site when we aren't using it.
>
> This sounded convoluted to me; I mean whatever security issues he fears
> with FTP are quadrupled in RDC, right?
Not really. FTP passes information in clear text which can be sniffed out.
A sniffer can pick up the username and password you used to login.
Remote control programs use encryption, SSL, etc. You can either use Secure
FTP (both ftp client and server need to have the same implementation). You
can also VPN to the server.
> And why anyone this paranoid about security is using a Windows machine
> surprises me. Most of those guys refuse outright to work with Microsoft
> products.
Windows is very safe if you know how to harden it. Otherwise all Windows
servers will be hacked and be down all the time, which is certainly not the
case. If any hacker thinks he's really good, go hack hackiis6.com.
> Anyway, since I'm a web developer but not a security expert by any
> means, I was wondering if his work plan sounded bizarre to anyone else,
> and what FTP security problems he might be trying to avoid, and
> alternate, more work-friendly schemes I might be able to propose (other
> than, "Chill out and let us FTP to the fricking site root already!"
He's paranoid. At least what he can do is tell you that if you want to use
ftp, he's not responsible for any ftp security issues.
Karim
--
http://www.cheapesthosting.com - Innovative Web Hosting since 1998
Spam and Virus protected email - Online calendars with email notification
Camera phone photos automatic transfers to your photo album (RSS Enabled
| |
| Gandalf Parker 2005-05-20, 7:39 pm |
| Byron <spamagnet@dorrk.com> wrote in
news:MPG.1cf739e1afb1e19e9897d7@newshost.allthenewsgroups.com:
> At first he only wanted to give us Remote Desktop access. When I asked
> for FTP, he gave us an FTP to an empty folder -- not the site root
> folder. So he wants us to Remote Desktop in to the server, copy the
> site files to this test folder, and then FTP back and forth from our
> local dev machines to this temp folder (which doesn't have a web site
> for us to check our work on the live environment), and then go back in
> with RDC to copy the changed files in the temp folder over the live
> folder. Oh, and he wants us to turnoff the FTP site when we aren't
> using it.
None of my honeypots have had hits from ftp or telnet for years, yet
killing them hangs on as a "good suggestion". Although I've added "if you
don't really need them".
You will find that windows admins have a distrust of text modes. They
feel that admining in the gui allows you to see errors before you make
them. So if he set you up with an ftp to a directory, then wants you to
move things around with the remote, then that would "feel" safer and
more controlled to him.
HOPEFULLY he set you up with a way to ftp using an account and login
completely separate from the ones you would use when you come in with the
remote access connect. Otherwise his paranoia about ftp served no
purpose whatsoever.
Operating that way isnt too bad. Graphics and large files can be moved to
where they need to go in a single action if you are familiar with the
windows gui environment. And for texty things like web-page code I find
it easier to ctrl-A (highlight all) and Ctrl-C (copy all) on my machine,
then in remote access open a file where I want it then Ctrl-V (paste) it
into that. Easier than uploading the web page and moving it.
Gandalf Parker
| |
| William Tasso 2005-05-20, 7:39 pm |
| Forging a path through the Usenet jungle, armed only with a rusty
Xnews/5.04.25, Gandalf Parker stumbled into alt.www.webmaster and said:
> ...
> None of my honeypots have had hits from ftp or telnet for years,
Really? I just beat off a dictionary attack on FTP. Unfortunately, the
only way to protect FTP is to keep moving - even then a port scan will
find you soon enough.
> ...
> HOPEFULLY he set you up with a way to ftp using an account and login
> competely seperate from the ones you would use when you come in with the
> remote access connect.
You'd like to think so.
--
Whatever you do - do something.
| |
| Gandalf Parker 2005-05-20, 7:39 pm |
| "William Tasso" <SpamBlocked@tbdata.com> wrote in
news:op.sq284mq3m9g4qz-wnt@tbdata.com:
> Forging a path through the Usenet jungle, armed only with a rusty
> Xnews/5.04.25, Gandalf Parker stumbled into alt.www.webmaster and
> said:
>
>
> Really? I just beat off a dictionary attack on FTP. Unfortunately,
> the only way to protect FTP is to keep moving - even then a port scan
> will find you soon enough.
Yeah, those are fun. But then a dictionary attack isn't really particular
to FTP. It's just as effective against ssh or remote access or any other
login protocol.
Are you on linux? There are some good scripts around for spotting an
attack and adding the IP address to blocking programs automatically.
>
> You'd like to think so.
I find where many KNOW the reasons for not having ftp and telnet. But
they don't seem to really understand them. They consider it an absolute
(as in, never use them), and they fail to look at the same reasons in
reference to email, web sites, forums, chats, anything that has a
login/password combination. Too often, what they do makes their giving up
the use of ftp and telnet seem fanatical and worthless.
Gandalf Parker
| |
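The "scripts for spotting an attack and adding the IP address to blocking programs" that Gandalf mentions, written out as an added example (not code from the thread or from either poster). The log lines are constructed in a W3C-extended layout (date, time, client IP, method with a bracketed connection number, argument, status) like the one the IIS FTP service writes; treat that exact layout as an assumption and adjust the field positions to whatever your server logs. The detection counts PASS commands the server rejected with 530, per source address, inside a sliding time window, and flags the address once a threshold is crossed. The iptables rule it emits is likewise an illustration for a Linux firewall unit such as William describes; on a Windows box you would feed the flagged address to whatever your firewall accepts instead.

```python
"""Flag FTP dictionary attacks from server log lines.

Added example, not from the thread. LOG is constructed sample data in
an IIS-FTP-style W3C layout (an assumption; adjust LINE_RE to your logs).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: one address hammering two account names, and a
# legitimate developer who mistypes once and then logs in.
LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-05-20 01:04:57 198.51.100.23 [1]USER administrator 331
2005-05-20 01:04:57 198.51.100.23 [1]PASS - 530
2005-05-20 01:04:58 198.51.100.23 [2]USER administrator 331
2005-05-20 01:04:58 198.51.100.23 [2]PASS - 530
2005-05-20 01:04:59 198.51.100.23 [3]USER administrator 331
2005-05-20 01:04:59 198.51.100.23 [3]PASS - 530
2005-05-20 01:05:00 198.51.100.23 [4]USER admin 331
2005-05-20 01:05:00 198.51.100.23 [4]PASS - 530
2005-05-20 01:05:01 198.51.100.23 [5]USER admin 331
2005-05-20 01:05:01 198.51.100.23 [5]PASS - 530
2005-05-20 01:05:10 203.0.113.77 [6]USER webdev 331
2005-05-20 01:05:10 203.0.113.77 [6]PASS - 530
2005-05-20 01:05:25 203.0.113.77 [7]USER webdev 331
2005-05-20 01:05:25 203.0.113.77 [7]PASS - 230
2005-05-20 01:05:25 203.0.113.77 [7]CWD /wwwroot 250
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (\S+) \[\d+\](\w+) (\S+) (\d{3})$"
)


def failed_logins(log: str):
    """Yield (timestamp, ip) for each PASS the server rejected with 530."""
    for line in log.splitlines():
        if line.startswith("#"):
            continue                       # W3C header / directive lines
        m = LINE_RE.match(line)
        if not m:
            continue                       # malformed line: skip, never crash
        date, time, ip, method, _arg, status = m.groups()
        if method == "PASS" and status == "530":
            yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip


def detect_bruteforce(log, threshold=5, window_seconds=60, allowlist=()):
    """Return {ip: time_first_flagged} for every source over the threshold.

    Failures are counted per source address regardless of the account
    name, so an attacker cycling through user names is still caught.
    Addresses in `allowlist` are never flagged, so a developer on a known
    address cannot lock themselves out of their own site with a few typos.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)            # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip in failed_logins(log):
        if ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def block_commands(flagged):
    """Firewall rules for the flagged addresses (iptables syntax, as an example)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_bruteforce(LOG)
    for ip, ts in hits.items():
        print(f"{ip} exceeded threshold at {ts}")
    for cmd in block_commands(hits):
        print(cmd)
```

The sliding window matters: the same five failures spread over an hour are a forgetful user, not an attack, and shrinking `window_seconds` demonstrates that the attacker above stops being flagged. Run it against a log tail on a schedule, keep the allowlist short, and remember that, as Gandalf says, the identical logic applies to RDC, SSH and anything else with a login.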
| nospam@geniegate.com 2005-05-20, 7:39 pm |
| In: <MPG.1cf739e1afb1e19e9897d7@newshost.allthenewsgroups.com>, Byron <spamagnet@dorrk.com> wrote:
>Hi,
>
>Normally I host sites off of my own server, but I have a new client who
>has a W2k dedicated server at a big hosting company. The IT guy at this
>company is really reluctant to give us FTP access to the site for
>security reasons.
Ditch the company right now, then ditch FTP.
Yes FTP is insecure, HOWEVER if it's your $!@? machine, then one would
assume you should be allowed to do whatever you wanted to it. (including
compromise it.) In fact, maybe they should let you compromise it because they
could make a bundle of ca$h un-hacking it. :-)
I can see some policies regarding hacked machines, once someone is "in" they
could send spam or do other nasties behind the respective ISP's network. So,
if/when your machine is hacked, I can see them shutting it down. That's a
different ball of wax.
Far as FTP being insecure, the reason is your password is sent plain-text,
so, while you're at it, ditch POP and any other protocol that sends
plain-text passwords. (Most have SSL variants)
>At first he only wanted to give us Remote Desktop access. When I asked
>for FTP, he gave us an FTP to an empty folder -- not the site root
>folder. So he wants us to Remote Desktop in to the server, copy the site
>files to this test folder, and then FTP back and forth from our local
>dev machines to this temp folder (which doesn't have a web site for us
>to check our work on the live environment), and then go back in with RDC
>to copy the changed files in the temp folder over the live folder. Oh,
>and he wants us to turnoff the FTP site when we aren't using it.
Blah blah blah.. Once you've used FTP, you've compromised your password,
it's that simple. (I suppose he could have you FTP'ing into some networked
machine with the drive exported or something, but then you should use a
different userid/password for FTP)
I'd say ditch the ISP. If it's your machine, you should be able to do whatever
you want with it, including smash it into the ground. I wouldn't tolerate that
from an ISP in UNIX land.
Jamie
--
http://www.geniegate.com Custom web programming
guhzo_42@lnubb.pbz (rot13) User Management Solutions
| |
| William Tasso 2005-05-20, 7:39 pm |
| Forging a path through the Usenet jungle, armed only with a rusty
Xnews/5.04.25, Gandalf Parker stumbled into alt.www.webmaster and said:
> "William Tasso" <SpamBlocked@tbdata.com> wrote in
> news:op.sq284mq3m9g4qz-wnt@tbdata.com:
>
>
> Yeah those are fun. But then a dictionary attack isnt really particular
> to FTP. Its just as effective against ssh or remote access or any other
> login protocol.
Well in this case the aim of the defence was to keep the attack outside
the firewall - there's enough legitimate traffic whizzing around inside
that network already.
> Are you on linux? There are some good scripts around for spotting an
> attack and adding the IP address to blocking programs automatically.
The firewall is an embedded linux unit
(http://www.cyberguard.com/products/...mily/SG710.html), but
the servers on this particular network are all windows boxes.
Currently building a network with both WS3 and Debian units.
Unfortunately FTP will be required again so I guess a search for SFTP Win
servers will detain me shortly.
>
> I find where many KNOW the reasons for not having ftp and telnet. But
> they dont seem to really understand them. They consider it an absolute
> (as in, never use them),
It's a good place to start :)
> and they fail to look at the same reasons in
> reference to email, web sites, forums, chats, anything that has a
> login/password combination.
It's a balance between convenience and security - actually the security of
the server and the convenience of the user. As soon as a user has a login
the server is compromised, the task then becomes containment.
> Too often, what they do makes their giving up
> the user of ftp and telnet seem fanatical and worthless
Well in the case above there are two networks (two nics in each box), the
public side is easy enough to protect. It's the private/management
network that is tricky, client (developers mostly) haven't really got the
hang of this internet thingie and can't understand why I've disabled file
sharing etc. I offered to host a VPN end point on the firewall (PPtP or
IPSec) for them but I don't think they understand. I know PPtP has its
critics but has to be better than the alternative of exposing a variety of
ports to the big scary world outside.
--
Whatever you do - do something.
| |
|
| In article <Lucy1116617235141640xc8d6c4@air.tunestar.net>,
nospam@geniegate.com says...
> In: <MPG.1cf739e1afb1e19e9897d7@newshost.allthenewsgroups.com>, Byron <spamagnet@dorrk.com> wrote:
>
> Ditch the company right now, then ditch FTP.
>
> Yes FTP is insecure, HOWEVER if it's your $!@? machine, then one would
> assume you should be allowed to do whatever you wanted to it. (including
> compromise it) Fact, maybe they should let you compromise it because they
> could make a bundle of ca$h un-hacking it. :-)
>
Thanks for all the input. Sorry if I was a little unclear. We have our
own server, but this issue is with a server leased by the client and
hosted elsewhere. The paranoid IT guy works for the client not the
hosting company. We're hired to do web site maintenance on that server.
He did give us the same password for FTP and RDC, which makes all of his
other fears seem a little arbitrary. I'll ask him to look into SFTP.
That sounds simplest. Thanks.
| |
| Gandalf Parker 2005-05-20, 7:39 pm |
| "William Tasso" <SpamBlocked@tbdata.com> wrote in
news:op.sq3gdhxdm9g4qz-wnt@tbdata.com:
> Forging a path through the Usenet jungle, armed only with a rusty
> Xnews/5.04.25, Gandalf Parker stumbled into alt.www.webmaster and
> said:
>
> Currently building a network with both WS3 and Debian units.
> Unfortunately FTP will be required again so I guess a search for SFTP
> Win servers will detain me shortly.
Debian is sweet. I've had to stop using it for honeypots though. Could never
get anyone to break in :)
If an FTP login uses a login and password which can't be used for anything
else then any possible damage is easier to manage. Of course that's true
for any other service which uses login/passwd
> It's a balance between convenience and security - actually the
> security of the server and the convenience of the user. As soon as a
> user has a login the server is compromised, the task then becomes
> containment.
Totally true. "That which security shall do, the desire for easy admin
shall undo"
>
> Well in the case above there are two networks (two nics in each box),
> the public side is easy enough to protect. It's the
> private/management network that is tricky, client (developers mostly)
> haven't really got the hang of this internet thingie and can't
> understand why I've disabled file sharing etc.
I've seen good results with a separate machine and NFS'd directories. Not
that its massively more secure but it is more confusing to those who
might abuse it.
> I offered to host a
> VPN end point on the firewall (PPtP or IPSec) for them but I don't
> think they understand. I know PPtP has its critics but has to be
> better than the alternative of exposing a variety of ports to the big
> scary world outside.
Pros and cons. At the moment VPN is getting a lot more attention which can
be good or bad. (the attention is on both sides of the fence)
Gandalf Parker
| |
| William Tasso 2005-05-20, 7:39 pm |
| Forging a path through the Usenet jungle, armed only with a rusty
Xnews/5.04.25, Gandalf Parker stumbled into alt.www.webmaster and said:
> ...
> Debian is sweet. Ive had to stop using it for honeypots tho. Could never
> get anyone to break in :)
LOL - but seriously, that's good to hear.
> ...
> Ive seen good results with a seperate machine and NFS'd directorys. Not
> that its massively more secure but it is more confusing to those who
> might abuse it.
I was recently introduced to Subversion. Running the client on a control
server once every minute to pick up changes and then replicating to the
farm. Hacking the web server is a complete waste of time/effort.
> ...
> At the moment VPN is getting alot more attention which can
> be good or bad. (the attention is on both sides of the fence)
Ahh - anyplace you can recommend to lurk-a-while as the discussion rages.
My take on this is that site to site vpn will shake out as the preferred
method of connecting to remote networks. Maybe not in the current form,
but a tunnel makes more sense than individual connections.
Politically convenient too - management still likes to see bums on seats
and site-to-site could mean they control where folk work.
--
Whatever you do - do something.
| |
| Gandalf Parker 2005-05-20, 11:38 pm |
| "William Tasso" <SpamBlocked@tbdata.com> wrote in
news:op.sq3ifmpjm9g4qz-wnt@tbdata.com:
>
> Ahh - anyplace you can recommend to lurk-a-while as the discussion
> rages.
Not really. The black-hats and white-hats don't get together often. But some
of the back and forth people mention the "attention on" subjects so we can
keep up with what the other guys are looking at.
> My take on this is that site to site vpn will shake out as the
> preferred method of connecting to remote networks. Maybe not in the
> current form, but a tunnel makes more sense than individual
> connections.
Its good for such purposes. And some users think its great that it appears
as though their traffic is not coming from (not "giving away") their home
IP address but thats causing some logging headaches
Gandalf Parker
Copyright 2003 - 2008 forum4designers.com