#10
01-18-2008, 05:22 PM
Menno Duursma
Re: vsftpd and iptables

On Fri, 10 Mar 2006 07:21:41 -0500, Nico Kadel-Garcia wrote:
> Menno Duursma wrote:
>> On Thu, 09 Mar 2006 18:35:06 +0000, Bill Davidsen wrote:
>>> Nico Kadel-Garcia wrote:
>>>> I'd actually move away from FTP to HTTPS for authenticated
>>>> downloads,

This you can do either way.

>>>> and WebDAV over HTTPS for uploads. It's a lot easier to configure for
>>>> firewalls for various reasons, and there's little chance of having
>>>> your traffic sniffed as there is with FTP,
>>
>> Why then, not just enable FTPS instead?
>
> Because there is none.

http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

(Note: if you want Vsftpd supporting port 990 control / 989 data as well,
just configure 'stunnel' for it. However, very few clients can use that
anyway, so you probably don't have to support it.)

> Seriously: there are easily half-a-dozen different protocols, each
> called "sftp"

Which is an FTP-like, command-accepting proxy to scp, which in turn is
just rcp over ssh... Neither Vsftpd, Proftpd, nor Pureftpd does this.

> or "ftps",

And this is what I'd suggest the OP enable (the firewall need only allow
incoming on port 21 and outgoing on port 20 plus the passive port range.)

> and many of which have their own adventures in security (such as the
> OpenSSH sftp failing to keep the users in a chroot cage and allowing
> access to system files outside the target directory),

"It should not be confused with SSH file transfer protocol":
http://en.wikipedia.org/wiki/FTPS

> clients that don't support it the particular way you mention, etc., etc.

Well, I've had some users complain how WebDAV, WinSCP and pretty much
anything but the FTP client they're used to using sucks. Now both Vsftpd
and Proftpd at least support, with SSL/TLS enabled: wsftp, filezilla,
kasablanca, gftp, lftp and curl clients.

[snip]

>> Pureftpd can (currently) only encrypt the control connection, not the
>> data, and as such doesn't work with some clients that implicitly expect
>> otherwise...
>
> You see what I mean.

Then don't use Pureftpd? The OP is about Vsftpd so that shouldn't be much
of a problem. And anyway, plenty of clients _do_ work with AUTH TLS (which
is the method Pureftpd currently _does_ support.)

If the lack of a GUI for Vsftpd is a problem, maybe look at the Webmin module:
http://groups.google.nl/group/alt.os...51d53002559cbe

Otherwise, maybe switch to Proftpd, for which there are plenty of GUI tools:
http://www.debianhelp.co.uk/proftpweb.htm

Gproftpd (not mentioned above) even allows for SSL/TLS cert creation:
http://mange.dynalias.org/linux.html

Cheers.

--
-Menno.

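The firewall advice in the post above (allow port 21 in, port 20 out, plus a fixed passive range) is worth checking against the actual vsftpd.conf, because once the control channel is TLS-encrypted the kernel's FTP conntrack helper can no longer read PASV replies and the passive range has to be opened explicitly. This added example (not the poster's code or part of the thread) parses a constructed vsftpd.conf and derives the iptables rules it needs; the port-990 fallback for implicit_ssl is an assumption.

```python
# Constructed sample vsftpd.conf (not from the thread): explicit FTPS (AUTH TLS)
# on port 21 with a fixed passive range, the setup recommended in the post above.
SAMPLE_CONF = """\
listen=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
port_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return vsftpd key=value options as a dict, skipping blanks and comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts


def firewall_rules(opts):
    """Return (iptables rules, warnings). Defaults follow vsftpd: pasv_enable and
    port_enable YES, passive range 0 (any port). Assumption: implicit_ssl=YES
    without an explicit listen_port is taken to mean port 990."""
    rules, warnings = [], []
    ctl = opts.get("listen_port") or ("990" if opts.get("implicit_ssl") == "YES" else "21")
    rules.append(f"iptables -A INPUT -p tcp --dport {ctl} -j ACCEPT")
    if opts.get("port_enable", "YES") == "YES":
        # Active mode: the server opens the data connection from port 20.
        rules.append("iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT")
    if opts.get("pasv_enable", "YES") == "YES":
        lo, hi = int(opts.get("pasv_min_port", "0")), int(opts.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0 or lo > hi:
            # With TLS on the control channel the ftp conntrack helper cannot see
            # PASV replies, so an unbounded range cannot be opened dynamically.
            warnings.append("set pasv_min_port/pasv_max_port: passive data ports "
                            "must be fixed so the firewall can open them")
        else:
            rules.append(f"iptables -A INPUT -p tcp --dport {lo}:{hi} -j ACCEPT")
    if opts.get("ssl_enable") == "YES":
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if opts.get(key, "YES") != "YES":
                warnings.append(f"{key}=NO leaves a plaintext fallback enabled")
    return rules, warnings
```

Run it against your own vsftpd.conf and apply the printed rules only after reviewing the warnings; an empty warning list means logins and data are forced over TLS and the passive range is bounded.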