
Re: [cobalt-users] SafeTP RAQ installation



Landon Jenkins wrote:

> >If you would like to completely disable FTP from being able
> >to be accessed IN-securely (you should have already chosen
> >that above), you will need a couple or three minor alterations
> >to some file (it's easy):
>
> What if you don't want to disable FTP altogether? I've installed SafeTP per
> your instructions and selected 'y' for "Accept unencrypted". However, if I
> try to establish a non-encrypted session, I am refused and I see (in
> /var/log/messages):
>
> proftpd[600]: ns.domain.com (host.domain.com[xx.xxx.xx.x]) - SECURITY
> VIOLATION: Passive connection from xx.xxx.xxx.xxx rejected.
>
> Also, what is a good way to uninstall SafeTP from the RAQ and restore
> standard FTP?
>
> Thanks!
> Landon

Hi Landon,

FTP is still around, but its port has been moved, it's now at 351 (default), and the secure version is on 21 (ftp was on 21).
It's obviously important that secure ftp uses a port, and by default it is intended to allow secure connections to encrypt the passwords and other data-channel stuff.  In doing this, it needs to move ftp to another port (351).  I believe you can move the ports around as you wish, but I haven't tried this myself, and have no intentions of trying !!!

I have installed mine to STOP insecure access via FTP altogether, so my proftpd is no longer directly available, and port 351 & 21 tells the visitor to go away (politely) if they try an insecure connection.  Secure connections are still accepted on 21, and the ftp is re-routed by sftp through to port 351 where proftpd picks it up and processes it as normal, none the wiser to sftp being around.  This also makes 351 only directly available from my raq (sort of internal transferring), and not really accessible from the outside world.  Only port 21 is directly available to the world, and this HAS to have a secure data-channel enabled or they will immediately get rejected.  Whilst it won't stop hacking, it will stop people snooping for NORMALLY plain text passwords that ftp always transmits.  Now they will have some serious fun trying to crack the encryption, whilst my users can continue to use their favorite FTP client (free or otherwise), and I can feel a little safe each night knowing that ftp is unlikely to be the culprit for revealing plain text passwords to any would-be snoopers.

I seem to remember reading there were some uninstall details on the site, it may be worth having a look there.  Personally I wasn't taking too much notice of the uninstall, because that's the last thing I want to do.  I did however notice them during the initial 2-3 hour investigation into this software.  Which is brilliant IMHO.  Normal proftpd is still there on your raq, except it is intercepted by sftp, which passes unencrypted details onto it locally (within the raq).

Anyway, to switch it off (not uninstall it), a guess would be to undo the edits in these 4 files and change their settings back to the defaults:
    /etc/services
    /etc/inetd.conf
    /etc/host.deny
    /etc/host.allow
Just a guess tho,

You can probably look at swapping the ports over, a good place to start would be the manuals/instructions etc at: http://www.cs.berkeley.edu/~smcpeak/safetp/
and then, maybe altering the above files to swap the ports over, and don't forget the kill HUP.... thingy to get it all restarting again.

After all that I think this is probably the best bit of free software I've seen in a long while, and I take my hat off to the 2 guys that wrote it at Berkeley !