[AuckLUG] Which Distro for small website/FTP
Guy K. Kloss
G.Kloss at massey.ac.nz
Fri Aug 3 17:05:05 NZST 2007
On Friday 03 August 2007 4:40:41 pm Martin Bähr wrote:
> On Fri, Aug 03, 2007 at 04:25:52PM +1200, Guy K. Kloss wrote:
> > And: Do you REALLY need an ftp server? FTP is usually one of the single
> > most vulnerable services on the net.
>
> really?
> doesn't that depend on the ftp software you use?
Well, of course it does as well.
> i don't believe that ftp is inherently more insecure than eg http with
> basic authentication.
No clear text auth is trustworthy!
> the only insecurity of ftp comes from sending passwords unencrypted.
> http does the same.
Not myself, but one of the security gurus we used to have in our department at
my former employer did tell stories that pretty much all FTP servers
available were extremely vulnerable.
> > And setting up a proper FTP server (if one
> > must) with security in mind is not simple (chroot environment is highly
> > suggested), and goes well beyond installing and configuring a server
> > package.
>
> that again depends on the server software you use.
> if you trust webservers, then you should also trust any ftp server that
> comes as part of a webserver. (there are a few)
Usually HTTP servers don't depend on authentication, whereas an FTP server
does. And authentication on HTTP servers such as Apache is located in some
modules that have been quite well audited. Not so sure about the FTP
counterparts.
As far as I can tell, a major problem is also that FTP often uses system users by
default, whereas web servers use their own little authentication, but then do
not write anything with a user's privileges.
As I said, I'm speaking from (A) what I've heard a lot in the community, and (B)
what someone I really trust in these aspects of security has communicated
in my direction.
If someone wants to upload things I usually set up a WebDAV server (HTTP
server with WebDAV extensions) talking SSL (https), so it is usually not an
issue. WebDAV is called M$ Web Folders in Micro$oft lingo, and is extremely
easy to use on Linux and Macs as well. I usually just use Konqueror
with a "webdavs://server.domain/path" URI and can do everything as is commonly
done in Konqueror.
For WebDAV, the simplest good setup uses the default Apache mod_dav; a more
sophisticated setup using a variety of optional WebDAV features on Apache is
Catacomb (which also uses MySQL as a storage backend). Jakarta Slide can also be
used for more features, but it creates quite some overhead on the server.
It's all handled in Java, with multiple HTTP interfaces internally as well.
Guy
--
Guy K. Kloss
Institute of Information and Mathematical Sciences
Room 2.63, Quad Block A Building
Massey University, Auckland, Albany
Private Bag 102 904, North Shore Mail Centre
voice: +64 9 414-0800 ext. 9585 fax: +64 9 441-8181
eMail: G.Kloss at massey.ac.nz http://iims.massey.ac.nz
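The mod_dav-over-HTTPS setup the post recommends, as an added example that is not from the original post or the list: an Apache 2.4 virtual host that serves a WebDAV share only over TLS, authenticates against an htpasswd file rather than system accounts, and only lets authenticated users write. The hostname, certificate paths, share directory and user file are placeholders.

```apache
# Assumes mod_dav, mod_dav_fs, mod_ssl and mod_auth_basic are loaded
# (e.g. "a2enmod dav dav_fs ssl auth_basic" on Debian/Ubuntu) and that
# the user file was created with "htpasswd -c /etc/apache2/dav-users alice".
# Lock database required by mod_dav_fs; the directory must be writable by Apache.
DavLockDB /var/lib/apache2/davlock/DavLock

<VirtualHost *:443>
    ServerName dav.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dav.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/dav.example.org.key

    DocumentRoot /srv/webdav
    <Directory /srv/webdav>
        Dav On
        # No directory listings, CGI or symlink following on the share
        Options None
        AllowOverride None

        # Credentials come from a separate htpasswd file, not /etc/passwd,
        # and only ever travel inside the TLS session of this vhost.
        AuthType Basic
        AuthName "WebDAV"
        AuthUserFile /etc/apache2/dav-users

        # Read-only methods are open; every modifying WebDAV method
        # (PUT, DELETE, MKCOL, COPY, MOVE, PROPPATCH, LOCK, ...) needs a login.
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Require valid-user
        </LimitExcept>
    </Directory>
</VirtualHost>

# Plain-HTTP requests for the same name are redirected, never served, so a
# client that forgets the "s" cannot send its password in clear text.
<VirtualHost *:80>
    ServerName dav.example.org
    Redirect permanent / https://dav.example.org/
</VirtualHost>
```

Files written through the share are owned by the Apache user, so /srv/webdav is the only path that needs to be writable by it.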