From owner-freebsd-questions@FreeBSD.ORG Tue Mar 6 13:24:18 2007
Date: Tue, 6 Mar 2007 08:24:14 -0500
From: Bill Moran <wmoran@potentialtech.com>
To: Vizion
Cc: freebsd-questions@freebsd.org
Subject: Re: ftp set up
Message-Id: <20070306082414.dc4ccb09.wmoran@potentialtech.com>
In-Reply-To: <20070306124823.FBPY2045.dukecmmtao03.coxmail.com@dukecmmtao03>
References: <20070306124823.FBPY2045.dukecmmtao03.coxmail.com@dukecmmtao03>
X-Mailer: Sylpheed 2.3.1 (GTK+ 2.10.9; i386-portbld-freebsd6.1)
List-Id: User questions

Please wrap your lines around 72 characters.

In response to Vizion:

> I wonder if someone could point me to a reliable detailed resource for
> configuring an ftp server on freebsd 6.1 for both incoming and outgoing
> files (including anonymous ftp).
>
> I do not want anonymous uploaders to view existing file names in
> ftp/incoming or be able to download from incoming. I want the server as
> secure as is reasonably practicable. The notes in the freebsd handbook are
> not really comprehensive enough for me.

Please don't do this. Please don't even try. Never try to use the word
"secure" in the same sentence as "ftp". They don't fit in the same
sentence.

Set up ssh, then have Windows users use WinSCP.

Let me tell a little story. A few years back I was asked to set up
"secure ftp" for a client. I argued, but he insisted, and "the customer
is always right", so I set it up for him. The plan, to keep it secure,
was to enable the FTP server when it was needed, and disable it when the
transfer was complete.

Well, one day he forgot to turn it off. A few weeks later he went to
enable it for another transfer and noticed a bunch of files on the
server he didn't recognize. Someone had guessed the password and was
using his FTP server to transfer files of a most unsavory nature.

After we destroyed the files, changed the passwords, etc. -- he decided
to keep using the FTP (in spite of the incident). The only problem, he
argued, was that we'd forgotten to turn it off.

But the crook now had our address. The next time he enabled that
server, it wasn't more than a few hours before the crook was using it to
move around his files again. The guy must have set up some monitoring
to alert him when the FTP site came up, then he either had a sniffer to
get the password or he was able to brute-force it really fast.

I tell that story when people tell me that the data they're
transferring isn't sensitive, and therefore using FTP isn't a security
risk. It still is. The only time it's OK to use FTP is when it's
download only and the files are publicly available. Any other time, FTP
is a liability.

-- 
Bill Moran
http://www.potentialtech.com
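Added example, not part of Bill Moran's message or of the FreeBSD handbook: the "set up ssh, use WinSCP" replacement he recommends, written as an OpenSSH sshd_config fragment for a chrooted, SFTP-only, key-only upload account, plus a check of the chroot directory ownership and modes that sshd insists on before it will chroot. It assumes an OpenSSH new enough for Match, ChrootDirectory and internal-sftp -u (4.9 for the chroot, 5.4 for the umask option; the OpenSSH in FreeBSD 6.1's base system is older and has neither), and the group name sftponly and the path /var/sftp are invented for the example.

```sh
#!/bin/sh
# Added example (not from the original message): an SFTP-only "incoming"
# drop box on OpenSSH in place of anonymous FTP upload.  Assumptions: OpenSSH
# >= 5.4 (Match, ChrootDirectory, internal-sftp -u); the group "sftponly" and
# the directory /var/sftp are made-up names for the example.

# Print the sshd_config fragment to append to /etc/ssh/sshd_config.
# Keys only: the account in the story was lost to password guessing, so no
# password authentication for this group; no forwarding either, so the
# account is good for file transfer and nothing else.
sftp_dropbox_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /var/sftp
    ForceCommand internal-sftp -u 0077
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# sshd refuses to chroot into a directory that is not owned by root or that
# is group- or world-writable ("bad ownership or modes for chroot directory").
# Check the mode bits the way sshd will; ls -ld keeps it portable across
# BSD and GNU userlands.  Returns 0 when the mode is acceptable.
chroot_mode_ok() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w*|????????w*) return 1 ;;   # char 6 = group w, char 9 = other w
    esac
    return 0
}

# Returns 0 when the directory is owned by root (the other half of the
# check sshd makes on the chroot path and every component above it).
chroot_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ]
}

# Combined pre-flight check for a chroot path, e.g. chroot_ok /var/sftp
chroot_ok() {
    chroot_owner_ok "$1" && chroot_mode_ok "$1"
}
```

Layout to go with it, as root: /var/sftp owned root:wheel, mode 0755 (so chroot_ok passes); /var/sftp/incoming owned root:sftponly, mode 0730, so group members can create files there but cannot list the directory, which is the "no viewing existing file names" part of the question. The -u 0077 umask makes each uploaded file readable only by the uid that wrote it, so it only stops downloads from incoming when each uploader has its own account; a single shared account can still fetch a file whose name it already knows, so there is no anonymous-FTP-style write-only drop box here. WinSCP speaks SFTP and handles key authentication, so the Windows side needs no FTP client.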