[BlueOnyx:05728] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Chuck Tetlow chuck at tetlow.net
Mon Nov 8 19:27:53 -05 2010


I can see two major problems with the idea.

1) We have TCP Port 22 access into our internal networks locked down at the main router.  Only the company administrators can SSH into our networks.  But if you want to replace FTP with SSH/SFTP - we'd have to remove that.  Then we'd either have to put in an ALLOW for each individual file transfer user or leave our servers open to hacking attempts from all around the world again (that's why we implemented the controls in the first place).

2) I've tested SSH/SFTP with the CoreFTP client into our BX servers in the past.  Unlike FTP - there are no controls once authenticated into the server.  With FTP - the user can only navigate their own directory, or their own site if they are an administrator.  But with SSH/SFTP - the user was able to browse the entire file system, including system files and files on other virtual websites.  NOT very secure, and not something that could be allowed.  And that's the second reason for the TCP Port 22 access controls to our servers.

Unless that second problem could be resolved - there is NO way to allow SSH/SFTP access to our BX servers. 

And even if you fix that second problem - it leaves me having to put in ALLOW IP access rules for each site's users who want to move files up/down. 

NO THANK YOU!  We'll stick with FTP.

Chuck

---------- Original Message -----------
From: Jeff Jones <jeffrhysjones at mac.com> 
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it> 
Sent: Mon, 08 Nov 2010 22:53:42 +0000 
Subject: [BlueOnyx:05727] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

> This is a teeny bit off topic, but how about BX using proftp with mod_sftp? 
> 
> Using this would mean you get full secure file transfer, plus, unlike using OpenSSL for ssh / sftp, you don't have to worry about giving shell access, jails etc. 
> 
> Some clear instructions here: 
> 
> http://www.directadmin.com/forum/showthread.php?t=30607 
> 
> Anyone see any reason why this method would not work with BX? How tricky would this be to build in? 
> 
> Jeff 
> 
> Sent from my iPhone 
> 
> On 8 Nov 2010, at 22:27, Michael Stauber <mstauber at blueonyx.it> wrote: 
> 
> > Hi Jerry, 
> > 
> >> http://bugs.proftpd.org/show_bug.cgi?id=3521 
> >> 
> >> 1.3.3c released 
> >> [29/Oct/2010] 
> >> The ProFTPD Project team has released 1.3.3c to the community. This is an 
> >> important security release, containing fixes for a Telnet IAC handling 
> >> vulnerability and a directory traversal vulnerability in the mod_site_misc 
> >> module. The RELEASE_NOTES and NEWS files contain the full details. 
> > 
> > We weren't affected by the mod_site_misc vulnerability, as our ProFTPd didn't 
> > contain that module. But yeah, the Telnet IAC handling issue was an item. 
> > 
> > An updated ProFTPd is just hitting the mirrors. 
> > 
> > -- 
> > With best regards 
> > 
> > Michael Stauber 
> > _______________________________________________ 
> > Blueonyx mailing list 
> > Blueonyx at blueonyx.it 
> > http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
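
The mod_sftp setup raised in the quoted message, sketched as an added example that is not from this thread, from BlueOnyx, or from the linked instructions. It shows ProFTPD serving SFTP on its own port with the same per-user jail it applies to FTP; the port number, log path and host key path are assumptions.

```apache
# Added example with constructed values, not BlueOnyx's shipped configuration.
<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    # SFTP is served by ProFTPD itself, separate from the OpenSSH daemon;
    # mod_sftp handles file transfer only and does not start a login shell.
    SFTPEngine       on

    # Assumed port: anything other than 22, so a router rule that limits
    # OpenSSH logins on port 22 to administrators can stay in place.
    Port             2222

    # Assumed paths; mod_sftp can read the existing OpenSSH host key.
    SFTPLog          /var/log/proftpd/sftp.log
    SFTPHostKey      /etc/ssh/ssh_host_rsa_key

    # Password logins only, so no per-user public keys need managing.
    SFTPAuthMethods  password

    # Confine each session to the user's home directory, the same
    # restriction ProFTPD's DefaultRoot gives FTP sessions.
    DefaultRoot      ~
  </VirtualHost>
</IfModule>
```

After a change like this, log in as an ordinary site user and confirm that listing `/` shows only that user's own directory tree.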
 