10th May 2011, 05:23 PM #1
FTP - secure, or a better way?
This is a personal matter, not related to work at all.
I am currently running an FTP server so that my Dad in Cyprus can log in and 'collect' photos and what have you that we put in the FTP folder on my machine.
We found this to be better than email as some of the pictures are quite large in size, particularly recent wedding shots we posted for him and I don't have to resize files to get them under quotas.
However, this morning I noticed someone had tried to log into the FTP server - I checked the logs, and they made 'hundreds' of attempts with different usernames and passwords, none of which worked as there is only one account, and that is my Dad's, and his password is of a secure combination anyway.
Firstly, I'm wondering how they found the FTP server in the first place, but secondly, and more importantly, is this the best and most secure way for me to get large files to my Dad?
I would prefer to not have to upload them to the 'cloud' for him to retrieve them, as that then puts some onus on me to upload them - our present system he can just log in and get them at his leisure. Is there a more secure yet just as direct way to share a folder with him so he can get to my 'stuff', and not too complicated for me to set up or him to understand? Someone mentioned a VPN to me, but I have no idea as to how I could set that up.
Or do I need not worry about this drive-by attack? The fact that they couldn't get in hasn't left me entirely happy though.
Would appreciate some thoughts.
10th May 2011, 05:28 PM #2
Could you not use the likes of Flickr and Photobucket?
10th May 2011, 05:31 PM #3
You could use Dropbox for it. That way you just need to copy the files into the folder that is shared with your Dad and then they sync with server and download to his machine.
10th May 2011, 05:31 PM #4
These sorts of random brute-force attacks are fairly common on the internet: usually a program iterates over a set of IP addresses and common service ports, identifies any that are open as a potential method of gaining entry, and will then try many password combinations until they give up, fail, or are blocked.
The simplest way to reduce these attacks is to move the FTP server on to a non-standard port (e.g. 2100, 2121 or something).
10th May 2011, 05:40 PM #5
I currently have a photo library in excess of 85 GB; online services aren't practical for me.
Originally Posted by cpjitservices
FlickR has upload limits, unless I pay. Not sure about the other one, presume there are also some limitations.
No, I would prefer to share a folder on my machine, that way I have all the files locally and don't have to worry about uploading them.
10th May 2011, 05:44 PM #6
Cost is a factor too, I should have mentioned it. I want free, non-cloud where possible, secure.
Originally Posted by stevehill06
No one can take me down the VPN route?
10th May 2011, 05:45 PM #7
Originally Posted by theeldergeek
Is it not possible to do this over a VPN (Hamachi?) https://secure.logmein.com/products/.../download.aspx
If not, then is it not possible to do FTP or SFTP over SSH?
I think with the free version you have to use the unmanaged one; otherwise I think you have to pay for the managed version?
10th May 2011, 05:47 PM #8
Three more (non-cloud) options...
- FreeFTPd - A free FTP server which supports SFTP and FTPS.
- Windows Live Mesh - Like Dropbox, but lets you sync more than 2 GB worth of data between computers for free.
- HTTP File Server
10th May 2011, 05:48 PM #9
FTP is inherently insecure, but this has to be taken with a few caveats... the reason it is insecure is that user credentials are generally transmitted in the clear. This is exploited by sniffing packets along the network route between user (your dad) and ftp server. Obviously this hasn't happened - if they had sniffed a password they would not be brute forcing. As such, there's no "problem" with insecure FTP as long as you are vigilant (it seems you are) and your dad keeps his machine looked after (some viruses install keyloggers that look for ftp creds).
- Back up the photos - if someone does break in, they are more likely to add than remove, but this won't hurt
- Make sure no accounts are enabled with "standard" names like root, anonymous, guest
- Make sure your dad's password is better than trivially complex
Slightly harder suggestions, depending on your FTP server:
- SecureFTP (doesn't mitigate this issue, may help others, less likely to )
- Block all IPs not in the netblock of your Dad's ISP (assume he's on a dynamic IP)
- Use a nonstandard port (yick, makes your dad have to work something... if he's anything like my dad, that's a non-starter)
- Check his password with John The Ripper
- Use something like denyhosts (is denyhosts SSH only...? meh..)
- Use SSH/SCP - would require him to use WinSCP
- Run the ftp daemon in a chroot jail to protect the rest of your server
- Don't show the welcome banner until after user auth
2 Thanks to tom_newton:
mac_shinobi (10th May 2011), theeldergeek (11th May 2011)
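As an added example (not code from the thread or from any of the posters), here is a small Python script that does the detection side of what the denyhosts-style and "block everything outside your Dad's ISP netblock" suggestions above rely on: it reads FTP login log lines, counts failed logins per source address inside a sliding time window, lists which usernames a source probed (so you can see whether it is hunting for root/anonymous/guest style accounts), and reports any source that is not in an allowlist of networks. The log format, the addresses and the allowlist are all constructed assumptions; real servers (vsftpd, FileZilla Server, IIS FTP) each have their own format, so only `parse_line()` needs adapting.

```python
"""Brute-force detection over FTP login logs (added example, assumed log format)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic. Format assumed here:
# "<date> <time> <source ip> USER <username> <OK|FAIL>"
SAMPLE_LOG = """\
2011-05-10 03:14:01 198.51.100.23 USER root FAIL
2011-05-10 03:14:02 198.51.100.23 USER admin FAIL
2011-05-10 03:14:02 198.51.100.23 USER anonymous FAIL
2011-05-10 03:14:03 198.51.100.23 USER test FAIL
2011-05-10 03:14:03 198.51.100.23 USER ftp FAIL
2011-05-10 03:14:04 198.51.100.23 USER dad FAIL
2011-05-10 08:02:11 203.0.113.77 USER dad OK
2011-05-10 08:30:40 203.0.113.77 USER dad FAIL
2011-05-10 08:30:55 203.0.113.77 USER dad OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) USER (\S+) (OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, ip, username, result) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that produced >= threshold failures inside any
    `window`-long span to its total failure count. A lone mistyped password
    (one or two failures) is never flagged."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "FAIL":
            continue
        failures[rec[1]].append(rec[0])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def usernames_tried(log_text, ip):
    """Sorted list of distinct usernames a given source attempted."""
    names = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[1] == ip:
            names.add(rec[2])
    return sorted(names)


def outside_allowlist(log_text, allowed_networks):
    """Sorted list of source IPs not contained in any allowed network (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    strangers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        addr = ipaddress.ip_address(rec[1])
        if not any(addr in net for net in nets):
            strangers.add(rec[1])
    return sorted(strangers)


if __name__ == "__main__":
    # 203.0.113.0/24 stands in for "Dad's ISP netblock" (assumed value).
    allowed = ["203.0.113.0/24"]
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, usernames tried: {usernames_tried(SAMPLE_LOG, ip)}")
    print("sources outside allowlist:", outside_allowlist(SAMPLE_LOG, allowed))
```

Run against the constructed sample, the scanner at 198.51.100.23 is flagged with six failures and a list of generic usernames, while the legitimate user's single mistyped password at 203.0.113.77 is not. Feeding the flagged addresses to whatever firewall the machine has (a temporary block, as denyhosts does for SSH) is the response step; the allowlist check is the stricter variant where anything outside the expected ISP range is refused outright.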
10th May 2011, 05:49 PM #10
Originally Posted by theeldergeek
Firstly, I'm wondering how they found the FTP server in the first place
They scanned your IP address and FTP's port number.
Originally Posted by theeldergeek
Is there a more secure yet just as direct way to share a folder with him
SFTP? Just install an SSH server on your machine (it does work on Windows too) and find an SFTP client for your Dad to use.
Thanks to dhicks from:
tom_newton (10th May 2011)
10th May 2011, 05:50 PM #11
Originally Posted by theeldergeek
10th May 2011, 05:51 PM #12
^^^ what tom_newton said lol
10th May 2011, 05:52 PM #13
TeamViewer lets you remotely access a PC; it's free and simple to set up, and it even has file transfer, which is pretty neat!
10th May 2011, 10:54 PM #14
Mr Hicks is right (sorry, meant to answer that too... one of those "at work" posts where I get interrupted 6-8 times during writing)... this will have been a random portscan looking for something to attack. What malware types want is an FTP site to which they can upload stuff that will be served on the web. This isn't because they can't afford their own bandwidth, but to leverage "URL trust" somewhere else - say they manage to put a malware payload on a company's website, they can reliably hope that won't be blocked by "dumb" URL filters and it might get plenty of passing visitors to infect.
They'll pick a block of IPs and scan for services, sometimes selling IP:service lists to others who then do the attack, sometimes they do the attack themselves. You are more likely to be attacked if you have a DNS entry, or you're on a static IP, as these are decently indicative of value.
Just to reiterate earlier advice... FTP probably _is_ the tool for the job (especially if a break-in would be quickly noticed and little harm could be done as you are backed up) - online services will prove costly for your data volumes, and VPN is overkill (especially if your dad is not uber-savvy). The only options I'd table if you're concerned are SCP and SFTP, but neither of these directly mitigate brute-force attacks like the one seen - though pubkey SSH auth does, it is again subject to marginal setup overhead.
Oh.. and you could make your ftp directory readonly. That sounds like "a plan".
Best of luck
11th May 2011, 09:48 AM #15
Originally Posted by tom_newton
Although, I did think it might be a copyright-scanning tool from a record company or similar?