[BlueOnyx:07622] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Darrell D. Mobley dmobley at uhostme.com
Tue Jul 5 21:41:08 -05 2011

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of Chuck Tetlow
Sent: Monday, November 08, 2010 7:28 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:05728] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

 

I can see two major problems with the idea. 

1) We have TCP Port 22 access into our internal networks locked down at the
main router.  Only the company administrators can SSH into our networks.
But if you want to replace FTP with SSH/SFTP - we'd have to remove that.
Then we'd either have to put in an ALLOW for each individual file transfer
user or leave our servers open to hacking attempts from all around the world
again (that's why we implemented the controls in the first place). 

2) I've tested SSH/SFTP with the CoreFTP client into our BX servers in the
past.  Unlike FTP - there are no controls once authenticated into the
server.  With FTP - the user can only navigate their own directory, or their
own site if they are an administrator.  But with SSH/SFTP - the user was able
to browse the entire file system, including system files and files on other
virtual websites.  NOT very secure, and not something that could be allowed.
And that's the second reason for the TCP Port 22 access controls to our
servers. 

Unless that second problem could be resolved - there is NO way to allow
SSH/SFTP access to our BX servers.  

And even if you fix that second problem - it leaves me having to put in
ALLOW IP access rules for each site's users who want to move files up/down.


NO THANK YOU!  We'll stick with FTP. 



Chuck 




---------- Original Message ----------- 
From: Jeff Jones <jeffrhysjones at mac.com> 
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it> 
Sent: Mon, 08 Nov 2010 22:53:42 +0000 
Subject: [BlueOnyx:05727] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521 

> This is a teeny bit off topic, but how about BX using proftp with mod_sftp?
> 
> Using this would mean you get full secure file transfer, plus, unlike
> using OpenSSL for ssh / sftp, you don't have to worry about giving shell
> access, jails etc.
> 
> Some clear instructions here: 
> 
> http://www.directadmin.com/forum/showthread.php?t=30607 
> 
> Anyone see any reason why this method would not work with BX? How tricky
> would this be to build in?
> 
> Jeff 
> 
> Sent from my iPhone 
> 
> On 8 Nov 2010, at 22:27, Michael Stauber <mstauber at blueonyx.it> wrote: 
> 
> > Hi Jerry, 
> > 
> >> http://bugs.proftpd.org/show_bug.cgi?id=3521 
> >> 
> >> 1.3.3c released 
> >> [29/Oct/2010] 
> >> The ProFTPD Project team has released 1.3.3c to the community. This is an
> >> important security release, containing fixes for a Telnet IAC handling
> >> vulnerability and a directory traversal vulnerability in the mod_site_misc
> >> module. The RELEASE_NOTES and NEWS files contain the full details.
> > 
> > We weren't affected by the mod_site_misc vulnerability, as our ProFTPd didn't
> > contain that module. But yeah, the Telnet IAC handling issue was an item.
> > 
> > An updated ProFTPd is just hitting the mirrors. 
> > 
> > -- 
> > With best regards 
> > 
> > Michael Stauber 
> > _______________________________________________ 
> > Blueonyx mailing list 
> > Blueonyx at blueonyx.it 
> > http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message ------- 
