Setting up a web server with FTP
Hi, I want to set up a web server with FTP on a Debian box. Idea is that users log in and get access to /var/www/host, but that is it. I have done this before but it wasn't the best option, and I need this to be as secure as possible (realising that the password for FTP connections go over plaintext). Any recipes/ideas that have worked in the past? Thanks. Andrew.
Well I’m just throwing this out there but what about ssh or sftp? That helps with the security. Else I would run your FTP process within a jail so you don’t have someone get too far out of bounds in your server. Another option is to set up proftpd which is a fairly secure ftp server that uses apache style files to control access etc. Thanks Scott
I concur with Scott; SFTP or SSH/SCP is a much more secure solution.
Hi, We used SFTP a lot for this and it worked fine, but I need to use FTP because the users are using an authoring package that supports FTP only, so I moved to using it. I will look at ProFTPD as I am currently trying to implement it with VSFTPD and I can't get my users logged in. Andrew.
The proftpd server is the way you want to go especially if you’re trying to set up a virtual host type environment. It uses the apache file format so you should find it familiar. Let me know if you need any setup pointers.
Hi, In the end I went back to ProFTPD, and used the chroot option to chroot everyone to their home folders. I have users set up with the home folder of /var/www/sitename, and set up the owner of that folder to the user who is FTPing. I never had an issue with this setup before, but I just wanted to try and limit it a bit. Story behind this is that I have users who use a web authoring package and it supports FTP only, and I was fed up of forever changing the files all the time. Andrew.
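A check for the setup described in the message above (ProFTPD chrooting each user to a home directory under /var/www), as an added example that is not part of the thread: it confirms the config has an active `DefaultRoot ~` (ProFTPD's chroot directive) and that no FTP user's home is the web root itself, escapes it, or is shared with another account. The function names, the temporary file layout and the user3/user4 entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Succeed only if the config has an active "DefaultRoot ~" line with no group
# expression, so that every user is chrooted to their home directory.
# A commented-out line fails because its first field is "#" or "#DefaultRoot".
check_default_root() {
    awk '$1 == "DefaultRoot" && $2 == "~" && NF == 2 { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Print one finding per line for the named FTP users, reading a passwd(5)
# format file. Chrooting to "~" only separates the sites if every home is its
# own directory below the web root. Prints nothing when all homes are fine.
check_homes() {
    passwd_file=$1; webroot=$2; shift 2
    for user in "$@"; do
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd_file")
        if [ -z "$home" ]; then
            echo "$user: no passwd entry"
            continue
        fi
        case $home in
            */..|*/../*)   echo "$user: home $home contains '..'" ;;
            "$webroot"/?*) ;;  # e.g. /var/www/mysite
            *)             echo "$user: home $home is not a directory below $webroot" ;;
        esac
        # Two accounts with the same home share one jail and one site.
        others=$(awk -F: -v h="$home" -v u="$user" \
            '$6 == h && $1 != u { printf "%s%s", sep, $1; sep = "," }' "$passwd_file")
        if [ -n "$others" ]; then
            echo "$user: home $home is also the home of $others"
        fi
    done
    return 0
}

# Constructed sample: user1 and user2 follow the layout from the thread,
# user3 and user4 are deliberately misconfigured (hypothetical accounts).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# DefaultRoot ~' > "$tmp/weak.conf"
    printf '%s\n' 'DefaultRoot ~'   > "$tmp/jailed.conf"
    cat > "$tmp/passwd" <<'EOF'
user1:x:1001:1001::/var/www/mysite:/usr/sbin/nologin
user2:x:1002:1002::/var/www/bestsite:/usr/sbin/nologin
user3:x:1003:1003::/var/www:/usr/sbin/nologin
user4:x:1004:1004::/var/www/mysite:/usr/sbin/nologin
EOF
    for conf in weak.conf jailed.conf; do
        if check_default_root "$tmp/$conf"; then
            echo "$conf: all users chrooted to ~"
        else
            echo "$conf: no active 'DefaultRoot ~'"
        fi
    done
    check_homes "$tmp/passwd" /var/www user1 user2 user3 user4
    rm -rf "$tmp"
}
demo
```

On a real host the arguments would be the live ProFTPD config and `/etc/passwd`; directory ownership, which the message also relies on, is not checked here.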
I think it depends on what you mean when you say that you've done this before but it wasn't the best option. Plain old ftp is subject to man in the middle attacks but the vast majority of stolen passwords are gotten through social engineering, key loggers, and brute force password guessing programs, not by man in the middle attacks. Of course, these days there is little reason not to use sftp instead of plain old ftp because most clients support sftp, but that isn't going to prevent most of the break-ins. It's not usually the technology that fails, it's usually the end users. They respond to a phishing message, they install a virus, or they use the same password for everything. Usually the problem is more one of end user management than setting up the server. Are we talking about a handful of end users and you have to make sure the bad guys don't get access to files that contain private information or are we talking about a large number of end users and you're worried that someone will start using your site as a porn server? Your approach will depend more on the number and sophistication of your end users than it does on the technology.
Hi, No it is only around 3-5 users accessing a specific virtual host directory. For example, I want user1 tied to /var/www/mysite, user2 tied to /var/www/bestsite etc. Thanks. Andrew.
participants (4)
- Andrew Hodgson
- John G. Heim
- Matthew White
- Scott Granados