[BlueOnyx:10664] Re: FTPS on Blueonyx?

Matt James matt at rainstormconsulting.com
Fri May 25 08:49:47 -05 2012


I've been wondering about this for a while and wondering what the best way would be to prevent such security issues while still maintaining SFTP.

In my research, I found this link: http://blog.hackedexistence.com/locking-down-sftp-user-without-ssh-on-centos-5

Has anyone tried this kind of technique before?  Are there any loopholes you can think of that the author didn't reference?

Having said all of this, I hadn't heard of FTPS before, so I'll look into that as another option as well.

Thanks for the info, guys!

--
Matt James
Web Programmer
RainStorm Consulting
(207) 866-3908



On May 24, 2012, at 1:00 PM, Chuck Tetlow wrote:

> Yes there is a difference.  And SFTP can be a BAD thing!  Because while the FTP server limits where a site user or admin can go - SFTP doesn't. 
> 
> If you FTP in as a site admin, you can only go up to the site's root / directory - which translates to /home/sites/www.domain1.tld/.  In the FTP session - a user or admin can't even see there is anything higher, let alone get into it. 
> 
> But if you SFTP in as that same site admin, you can go all the way up to the system's root directory.  They can browse the entire server's directory tree, and read anything that has readable permissions.  Whether they can write files elsewhere in the system or modify them depends on the directory permissions.  But that's plausible, especially in the /tmp directory.  (Can you imagine what could be done by someone placing executable code in the /tmp directory and then executing it by calling it from a PHP script in their website??) 
> 
> Also with SFTP, a site admin can also go down from /home/sites/ into other sites' /home/sites/www.domain2.tld directories and read anything in there that has world read permissions.  Potentially things that the owners of domain2 didn't want others to see. 
> 
> So it's a security issue.  That's why I won't allow SFTP by users or site admins on my server.  I trust those guys, but only so far.  Just have them use FTP or FTPS. 
> 
> 
> 
> Chuck 
> 
> 
> ---------- Original Message ----------- 
> From: Wayne Michael <wrmichael at hotmail.com> 
> To: <blueonyx at mail.blueonyx.it> 
> Sent: Thu, 24 May 2012 12:32:52 -0400 
> Subject: [BlueOnyx:10660] Re: FTPS on Blueonyx? 
> 
> > There is a difference between FTPS and SFTP, isn't there? 
> > 
> > One uses SSH and the other does not. 
> > 
> > I use SFTP and that requires SSH to be turned on (Shell access). 
> ------- End of Original Message ------- 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
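The confinement Chuck describes SFTP as lacking (a site admin walking up to /, reading other sites' world-readable files, dropping code into /tmp) is what OpenSSH's ChrootDirectory plus ForceCommand internal-sftp provides, and that pairing is the heart of the "SFTP without a shell" technique Matt links to. The script below is an added example, not code from this thread, from the linked post, or from BlueOnyx. It checks a candidate chroot directory against the rule sshd enforces before it will chroot (every path component from / down must be root-owned and not group- or other-writable; otherwise sshd logs "bad ownership or modes for chroot directory" and closes the session) and prints the Match block to append to sshd_config. The group name sftponly, the use of /home/sites/www.domain1.tld as the chroot, GNU stat on Linux, and an OpenSSH new enough to have Match, ChrootDirectory and internal-sftp (4.8 or later) are assumptions, not facts from the thread.

```bash
#!/bin/sh
# Added example (not from the thread or from BlueOnyx): confine a group of
# SFTP-only accounts to one directory and check that directory against the
# ownership rule sshd enforces before relying on it.
#
# Assumptions: GNU stat (Linux), OpenSSH 4.8+ (Match, ChrootDirectory,
# internal-sftp), a group named "sftponly", and the BlueOnyx-style site
# path /home/sites/www.domain1.tld. None of these names come from the thread.

# sshd refuses to chroot unless every path component from / down to the
# chroot directory is owned by root and not writable by group or others;
# otherwise it logs "bad ownership or modes for chroot directory" and drops
# the session. Returns 0 when the path passes, 1 when it fails, 2 on error.
check_chroot_path() {
    p=$1
    case "$p" in
        /*) ;;
        *) echo "ERROR: $p is not an absolute path" >&2; return 2 ;;
    esac
    while :; do
        uid=$(stat -c '%u' "$p" 2>/dev/null) || { echo "ERROR: cannot stat $p" >&2; return 2; }
        sym=$(stat -c '%A' "$p")          # symbolic mode, e.g. drwxr-xr-x
        if [ "$uid" -ne 0 ]; then
            echo "REJECT: $p is owned by uid $uid, not root"
            return 1
        fi
        # characters 6 and 9 of the symbolic mode are the group and other
        # write bits; either one set means sshd will refuse the chroot
        case "$(printf '%s' "$sym" | cut -c6,9)" in
            *w*) echo "REJECT: $p is group/other writable ($sym)"; return 1 ;;
        esac
        [ "$p" = / ] && break
        p=$(dirname "$p")      # walk one level up towards /
    done
    echo "OK: $1 and all parent directories are root-owned and not group/other writable"
    return 0
}

# Print the sshd_config fragment that pins a group inside CHROOT with no
# shell. ForceCommand internal-sftp hands the login to the in-process SFTP
# server and nothing else: no shell, no port forwarding, and no view of the
# host's /tmp or of /home/sites/www.domain2.tld.
emit_sftp_match() {
    group=$1
    chroot=$2
    cat <<EOF
Match Group $group
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# usage: sh sftp_chroot_check.sh GROUP CHROOT_DIR
# e.g.:  sh sftp_chroot_check.sh sftponly /home/sites/www.domain1.tld
if [ $# -eq 2 ]; then
    if check_chroot_path "$2"; then
        echo "# append to /etc/ssh/sshd_config, then run 'sshd -t' before restarting sshd"
        emit_sftp_match "$1" "$2"
    else
        echo "fix ownership/modes before enabling ChrootDirectory" >&2
        exit 1
    fi
fi
```

The ownership rule is the caveat that trips people up: the chroot root itself must be root-owned and not writable by the site admin, so uploads have to land in a subdirectory beneath it that the site user owns (a web/ or similar), and whether an existing BlueOnyx site directory already has that shape is not established by the thread and should be checked with the script before the Match block is added. The Match block must come after the global options in sshd_config, and sshd -t reports a syntax error before a restart locks anyone out.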
