Internet Related/Filtering/Firewall Thread (Technical): FTP - secure, or a better way?
#1 theeldergeek

    FTP - secure, or a better way?

    This is a personal matter, not related to work at all.

    I am currently running an FTP server so that my Dad in Cyprus can log in and 'collect' photos and what have you that we put in the FTP folder on my machine.

    We found this to be better than email as some of the pictures are quite large in size, particularly recent wedding shots we posted for him and I don't have to resize files to get them under quotas.

    However, this morning I noticed someone had tried to log into the FTP server - I checked the logs, and they made 'hundreds' of attempts with different usernames and passwords, none of which worked as there is only one account, and that is my Dad's, and his password is of a secure combination anyway.

    Firstly, I'm wondering how they found the FTP server in the first place, but secondly, and more importantly, is this the best and most secure way for me to get large files to my Dad?

    I would prefer to not have to upload them to the 'cloud' for him to retrieve them, as that then puts some onus on me to upload them - our present system he can just log in and get them at his leisure. Is there a more secure yet just as direct way to share a folder with him so he can get to my 'stuff', and not too complicated for me to set up or him to understand? Someone mentioned a VPN to me, but I have no idea as to how I could set that up.

    Or do I need not worry about this drive-by attack? The fact that they couldn't get in hasn't left me entirely happy though.

    Would appreciate some thoughts.

#2 cpjitservices
Could you not use the likes of Flickr and Photobucket?

#3 Devontechie
You could use Dropbox for it. That way you just need to copy the files into the folder that is shared with your Dad, and then they sync with the server and download to his machine.

    Steve

#4 webman
    These sorts of random brute-force attacks are fairly common on the internet: usually a program iterates over a set of IP addresses and common service ports, identifies any that are open as a potential method of gaining entry, and will then try many password combinations until they give up, fail, or are blocked.

The simplest way to reduce these attacks is to move the FTP server onto a non-standard port (e.g. 2100, 2121 or something).

#5 theeldergeek
Quote Originally Posted by cpjitservices View Post
Could you not use the likes of Flickr and Photobucket?
I currently have a photo library in excess of 85Gb; online services aren't practical for me.
Flickr has upload limits unless I pay. Not sure about the other one; presume there are also some limitations.

    No, I would prefer to share a folder on my machine, that way I have all the files locally and don't have to worry about uploading them.

#6 theeldergeek
Quote Originally Posted by stevehill06 View Post
You could use Dropbox for it. That way you just need to copy the files into the folder that is shared with your Dad, and then they sync with the server and download to his machine.

    Steve
    Cost is a factor too, I should have mentioned it. I want free, non-cloud where possible, secure.
    No one can take me down the VPN route?

#7 mac_shinobi
Quote Originally Posted by theeldergeek View Post
I currently have a photo library in excess of 85Gb; online services aren't practical for me.
Flickr has upload limits unless I pay. Not sure about the other one; presume there are also some limitations.

No, I would prefer to share a folder on my machine, that way I have all the files locally and don't have to worry about uploading them.
SFTP?

Is it not possible to do this over a VPN (Hamachi??) https://secure.logmein.com/products/.../download.aspx

If not, then is it not possible to do FTP or SFTP over SSH?

Think with the free version you have to use un-managed; otherwise I think you have to pay for the managed version??

#8
    Three more (non-cloud) options...

1. FreeFTPd - a free FTP server which supports SFTP and FTPS.
2. Windows Live Mesh - like Dropbox, but lets you sync more than 2GB worth of data between computers for free.
3. HTTP File Server

#9 tom_newton
    FTP is inherently insecure, but this has to be taken with a few caveats... the reason it is insecure is that user credentials are generally transmitted in the clear. This is exploited by sniffing packets along the network route between user (your dad) and ftp server. Obviously this hasn't happened - if they had sniffed a password they would not be brute forcing. As such, there's no "problem" with insecure FTP as long as you are vigilant (it seems you are) and your dad keeps his machine looked after (some viruses install keyloggers that look for ftp creds).

Easy suggestions:
Back up the photos - if someone does break in, they are more likely to add than remove, but this won't hurt
Make sure no accounts are enabled with "standard" names like root, anonymous, guest
Make sure your dad's password is better than trivially complex

Slightly harder suggestions, depending on your FTP server:
SecureFTP (doesn't mitigate this issue, may help others, less likely to )
Block all IPs not in the netblock of your Dad's ISP (assume he's on a dynamic IP)
Use a non-standard port (yick, makes your dad have to work something... if he's anything like my dad, that's a non-starter)
Check his password with John The Ripper
Use something like denyhosts (is denyhosts SSH only...? meh..)
Use SSH/SCP - would require him to use WinSCP
Run the FTP daemon in a chroot jail to protect the rest of your server
Don't show the welcome banner until after user auth

2 Thanks to tom_newton: mac_shinobi (10th May 2011), theeldergeek (11th May 2011)
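As an added example (not code from the thread or any of its posters), here is the denyhosts/fail2ban-style check that webman's description of brute-force scanning and tom_newton's list point at, run over constructed vsftpd-style log lines: it flags any source that racks up many failed logins inside a short window, lists the "standard" usernames that source tried, and checks every client against the allow-listed netblock of the one legitimate user's ISP. The log layout, IP addresses, usernames, CIDR block and thresholds are all assumptions made for the example.

```python
"""Flag FTP brute-force sources from vsftpd-style log lines and check clients
against an allow-list of the one legitimate user's ISP netblock.
Added example; the log lines below are constructed, not real traffic."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the vsftpd.log layout (assumed format).
SAMPLE_LOG = """\
Tue May 10 07:12:01 2011 [pid 2215] [admin] FAIL LOGIN: Client "203.0.113.45"
Tue May 10 07:12:02 2011 [pid 2217] [root] FAIL LOGIN: Client "203.0.113.45"
Tue May 10 07:12:02 2011 [pid 2219] [test] FAIL LOGIN: Client "203.0.113.45"
Tue May 10 07:12:03 2011 [pid 2221] [ftp] FAIL LOGIN: Client "203.0.113.45"
Tue May 10 07:12:04 2011 [pid 2223] [guest] FAIL LOGIN: Client "203.0.113.45"
Tue May 10 07:12:05 2011 [pid 2225] [anonymous] FAIL LOGIN: Client "203.0.113.45"
Tue May 10 07:40:10 2011 [pid 2300] [dad] FAIL LOGIN: Client "198.51.100.23"
Tue May 10 07:40:31 2011 [pid 2302] [dad] OK LOGIN: Client "198.51.100.23"
Tue May 10 09:00:00 2011 [pid 2400] [admin] FAIL LOGIN: Client "192.0.2.9"
Tue May 10 09:30:00 2011 [pid 2402] [admin] FAIL LOGIN: Client "192.0.2.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"],
        "ok": m["result"] == "OK",
        "ip": m["ip"],
    }


def find_brute_forcers(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for every source that exceeds max_failures
    failed logins within any span of length `window` (sliding-window count)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and not ev["ok"]:
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged[ip] = len(times)
                break
    return flagged


def usernames_tried(log_text, ip):
    """Sorted distinct usernames a given source attempted (spot 'root', 'guest', ...)."""
    events = (parse_line(line) for line in log_text.splitlines())
    return sorted({ev["user"] for ev in events if ev and ev["ip"] == ip})


def outside_allowed(log_text, allowed_cidrs):
    """Client IPs that fall outside the allow-listed netblocks, i.e. the ones a
    'block everything but Dad's ISP' firewall rule would have dropped."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    outside = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not any(ipaddress.ip_address(ev["ip"]) in n for n in nets):
            outside.add(ev["ip"])
    return outside


if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, usernames tried: {usernames_tried(SAMPLE_LOG, ip)}")
    # Assumed: Dad's ISP hands out addresses from 198.51.100.0/24.
    print("clients outside allow-list:", sorted(outside_allowed(SAMPLE_LOG, ["198.51.100.0/24"])))
```

On the constructed sample only 203.0.113.45 trips the threshold (six failures in four seconds, cycling through exactly the "standard" names tom_newton says to keep disabled), while the one genuine typo from the allow-listed address and two widely spaced failures from 192.0.2.9 do not. The allow-list check is what makes the netblock rule practical: it tells you whether a block on everything outside the ISP's range would have cut the noise before you commit to it at the firewall.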

#10 dhicks
Quote Originally Posted by theeldergeek View Post
Firstly, I'm wondering how they found the FTP server in the first place

They scanned your IP address and FTP's port number.

Quote Originally Posted by theeldergeek View Post
Is there a more secure yet just as direct way to share a folder with him

SFTP? Just install an SSH server on your machine (it does work on Windows too) and find an SFTP client for your Dad to use.

Thanks to dhicks from: tom_newton (10th May 2011)

#11 dhicks
    Quote Originally Posted by theeldergeek View Post
    No one can take me down the VPN route?
    OpenVPN?

#12 mac_shinobi
    ^^^ what tom_newton said lol

#13 cpjitservices
TeamViewer lets you remote access a PC; it's free and simple to set up, and it even has file transfer, which is pretty neat!

#14 tom_newton
Mr Hicks is right (sorry, meant to answer that too... one of those "at work" posts where I get interrupted 6-8 times during writing)... this will have been a random port scan looking for something to attack. What malware types want is an FTP site to which they can upload stuff that will be served on the web. This isn't because they can't afford their own bandwidth, but to leverage "URL trust" somewhere else - say they manage to put a malware payload on a company's website, they can reliably hope that won't be blocked by "dumb" URL filters and it might get plenty of passing visitors to infect.

They'll pick a block of IPs and scan for services, sometimes selling IP:service lists to others who then do the attack, sometimes doing the attack themselves. You are more likely to be attacked if you have a DNS entry, or you're on a static IP, as these are decently indicative of value.

Just to reiterate earlier advice... FTP probably _is_ the tool for the job (especially if a break-in would be quickly noticed and little harm could be done as you are backed up) - online services will prove costly for your data volumes, and VPN is overkill (especially if your dad is not uber-savvy). The only options I'd table if you're concerned are SCP and SFTP, but neither of these directly mitigates brute-force attacks like the one seen - though pubkey SSH auth does, it is again subject to marginal setup overhead.

Oh.. and you could make your FTP directory read-only. That sounds like "a plan".

    Best of luck

#15 dhicks
    Quote Originally Posted by tom_newton View Post
    this will have been a random portscan looking for something to attack
    Although, I did think it might be a copyright-scanning tool from a record company or similar?
