[lug] Replacing FTP with a Web App?

Nick Golder purenrg at hiveportal.net
Fri Feb 28 12:32:16 MST 2003


On 03-02-28 10:52 -0500, the infamous Paul Nowosielski uttered:
> Siegfried,
> 
>  I would say FTP is only a security issue if you allow it to be.
> For example I got my last job as system admin because the admin before
> me didn't keep up with minimal updates and the server was hacked via
> Wu-FTPD.
>  I see a lot of FTP exploits through anonymous servers but I get most of
> my software through the same. So you must decide.
>  I run Pro-FTP and have never had a problem.
> 
>  It would be incredibly easy to implement the file
> upload/listing/authentication with PHP.
>  If you have a lot of users you may even want to implement some type of
> database integration (MySQL).
>  If this is for a small number of users you could just use apache
> .htaccess files for authentication. shell$ man htpasswd 
> 
>  I have some code snippets for this sort of thing let me know if you
> would like them.
> 
> Paul Nowosielski
> 
> On Thu, 2003-02-27 at 23:54, Richard Heintze wrote:
> > My client is presently running a public FTP server on
> > a windows box.
> > 
> > Is it true that FTP is a security risk? 
> > 
> > He wants to abandon FTP in favor of a more user
> > friendly web application. I suggested WebDAV but he
> > thought that was too complicated for his users. 
> > 
> > Since he wants to eventually abandon Windows in favor
> > of Linux, how would you suggest I write a secure web
> > app that emulates only the login/password/security,
> > "put" and "ls" features of FTP?
> > 
> > J2EE (and therefore TOMCAT/JBoss) implements
> > authentication and authorization and they run well on
> > windows and linux.
> > 
> > I think Apache HTTPD implements authentication and
> > authorization too -- probably with perl.
> > 
> > Are there any other approaches you might recommend?
> > 
> >  Thanks,
> >          Siegfried
> > 
> > 

FTP without some level of security in the way of encryption is asking
for trouble (unless it is purely for anonymous access).  Once you get
into authenticating users it is time you start exploring FTP
over SSL/TLS, Kerberos V (IV is slowly going away), or even tunneling
via ssh (or better yet, moving away from FTP altogether).
I think one of the most basic rules of network security is to not be
throwing around cleartext passwords on ANY network much less an
untrusted/insecure one.
I think that you are on to something with the WebDAV -AS- long as you
don't exchange cleartext service for another cleartext service.  You can
tunnel http via ssh or just plain use https.
Paul also has some great ideas but again, without having encrypted
sessions, it is all pretty much a shot in the bucket (whatever that
means).

-- 
-Nick Golder
http://www.hiveportal.net
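To tie the two replies together, here is an added example (not Paul's snippets and not anything from this thread) of the "login / put / ls" subset of FTP done as one PHP page behind Apache: it refuses to run over cleartext HTTP, checks the Basic-auth credentials against an htpasswd file, and confines uploads and listings to one directory. The paths DROP_DIR and HTPASSWD, the file name put_ls.php and the realm name are assumptions; the htpasswd file is assumed to hold bcrypt entries (htpasswd -B), which is what PHP's password_verify() can check.

```php
<?php
declare(strict_types=1);
// put_ls.php: added example of a minimal authenticated "put" and "ls" web app.
// Assumed deployment (not from the thread): DROP_DIR lives OUTSIDE the
// document root so uploads are never served or executed by the web server.
const DROP_DIR = '/var/www/dropbox';                 // assumption
const HTPASSWD = '/etc/httpd/dropbox.htpasswd';      // assumption, made with: htpasswd -B -c <file> <user>

// Cleartext passwords never leave the browser: insist on TLS before doing anything else.
function require_https(): void {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

// Look the user up in an htpasswd file. Only bcrypt ($2y$) entries from
// `htpasswd -B` verify here; crypt/MD5/SHA1 lines simply fail closed.
function check_credentials(string $htpasswdFile, string $user, string $pass): bool {
    $lines = @file($htpasswdFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;
    }
    foreach ($lines as $line) {
        [$u, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($u === $user) {
            return password_verify($pass, $hash);
        }
    }
    return false;
}

// HTTP Basic auth: the browser prompts, the server verifies, nothing is stored in the app.
function authenticate(): string {
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !check_credentials(HTPASSWD, $user, $pass)) {
        header('WWW-Authenticate: Basic realm="dropbox"');   // realm name is an assumption
        http_response_code(401);
        exit("Authentication required\n");
    }
    return $user;
}

// Reduce a client-supplied name to a single safe path component.
// basename() drops any directory part, the leading-dot test rejects "..",
// and the whitelist keeps out everything else the shell or filesystem might interpret.
function safe_name(string $name): ?string {
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base[0] === '.' || !preg_match('/^[A-Za-z0-9._-]{1,128}$/', $base)) {
        return null;
    }
    return $base;
}

// "put": store one multipart upload in DROP_DIR, never overwriting and never executable.
function handle_put(string $dir): void {
    $f = $_FILES['file'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit("Upload failed\n");
    }
    $name = safe_name($f['name']);
    if ($name === null) {
        http_response_code(400);
        exit("Bad file name\n");
    }
    $dest = $dir . '/' . $name;
    if (file_exists($dest)) {
        http_response_code(409);
        exit("File exists\n");
    }
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        http_response_code(500);
        exit("Could not store file\n");
    }
    chmod($dest, 0640);
    echo "stored $name\n";
}

// "ls": a plain-text listing of regular files in DROP_DIR and nothing else.
function handle_ls(string $dir): void {
    header('Content-Type: text/plain');
    foreach (scandir($dir) as $entry) {
        if ($entry[0] === '.') {
            continue;                              // skips ., .. and dotfiles
        }
        $path = $dir . '/' . $entry;
        if (is_file($path)) {
            printf("%10d  %s  %s\n", filesize($path), date('Y-m-d H:i', filemtime($path)), $entry);
        }
    }
}

require_https();
$user = authenticate();
switch ($_SERVER['REQUEST_METHOD']) {
    case 'POST': handle_put(DROP_DIR); break;      // put
    case 'GET':  handle_ls(DROP_DIR);  break;      // ls
    default:     http_response_code(405); exit("Method not allowed\n");
}
```

Create a user with `htpasswd -B -c /etc/httpd/dropbox.htpasswd alice`, then `curl -u alice https://host/put_ls.php -F file=@report.txt` is the "put" and `curl -u alice https://host/put_ls.php` is the "ls". Two caveats a practitioner would want: PHP_AUTH_USER and PHP_AUTH_PW are populated directly under mod_php, whereas CGI/FastCGI setups only see them if the Authorization header is forwarded; and the same credential check could just as well be left to Apache itself with an .htaccess block using AuthType Basic, AuthUserFile and SSLRequireSSL, in which case the script only needs safe_name(), handle_put() and handle_ls().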
