Showing posts with label FTP. Show all posts

Securing FTP-How

Securing FTP
You can make your FTP uploads and downloads more secure in one of two
ways: through the SSH File Transfer Protocol (SFTP) or through FTP over
Transport Layer Security (TLS), usually called FTPS.

SFTP
SFTP is a more secure way of uploading and downloading files than FTP.
When you use plain FTP, your username, password and data are all sent
unencrypted, so anyone who can intercept the traffic can read them. SFTP
runs inside an SSH session, which encrypts the commands and the data and
lets you verify the server's identity through its host key, so it provides
a much more secure form of transport.

To use SFTP (also loosely called secure FTP; despite the name it is not FTP
tunnelled over SSH but a separate protocol, the SSH File Transfer Protocol,
carried inside an SSH session), your host has to have configured the server
to accept an SSH connection from you. Many shared hosts do not allow this,
because giving clients SSH access opens doors for them to get into areas of
the server that the host does not want them messing with.

The FTP and SFTP protocols work quite differently, and your host needs to
have opened the SSH port (22 by default) and granted you SSH login
permission before you can connect with SFTP. If you do have SFTP access,
the following steps show how to make a connection using FileZilla. Other
clients may differ slightly in layout but require the same information.

1. In your FTP client, select File➪Site Manager and create a new site.
2. Select the Protocol drop-down box and click SFTP.
The Site Manager dialog box opens, as shown in Figure 4-4.
3. Enter the Host name, Username, and Password, which are normally
the same as you would use with FTP.
4. Enter the correct setting in the Port field (22 unless your host told
you otherwise).
5. Click Connect and your client attempts to negotiate a secure connection.
The first time you connect, FileZilla shows the server's host key fingerprint
and asks whether to trust it; confirm the fingerprint with your host before
accepting it, because blindly accepting an unknown key is what lets a
man-in-the-middle impersonate the server.
If the client cannot connect, check with your host to confirm whether it
allows SFTP connections.
TLS
TLS offers a similar level of security to SFTP but is favored more highly by
hosts because it does not require that the client have SSH access to the
server. FTP over TLS keeps the normal FTP protocol and wraps the command
channel (where your password travels) and the data channel (where the files
travel) in TLS. The data channel is only protected if the client asks for it
with the PROT P command, which FileZilla does; a client that leaves it at
PROT C encrypts the login but still sends file contents in the clear.

The following steps describe how to connect using TLS and FileZilla:
1. Choose File➪Site Manager and create a new site or select an
existing one.
2. Enter your FTP details as normal.
3. Click in the Encryption drop-down box (see Figure 4-5) and select
either Explicit TLS or Implicit TLS. Explicit TLS starts on the normal FTP
port (21) and upgrades the connection with the AUTH TLS command before your
credentials are sent; implicit TLS expects TLS from the first byte on a
dedicated port (990).
See the “Explicit TLS versus Implicit TLS” sidebar for more information.
4. Connect as normal.
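The TLS connection steps above, done from a script rather than the FileZilla dialog, as an added example that is not part of the original chapter: it uses Python's standard ftplib to make an explicit FTP over TLS connection with a strict TLS context, shown beside the weak context that skips certificate verification. ftplib supports neither SFTP nor implicit TLS, so those stay with the GUI client or another library. The host name and credentials in the `__main__` block are placeholders.

```python
import ssl
from ftplib import FTP_TLS


def make_tls_context() -> ssl.SSLContext:
    """Strict context: verify the server certificate against the system CA store,
    check that it matches the host name, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The weak setting, shown only for contrast: any certificate is accepted, so an
    attacker on the path can present their own and read the login and the files."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies certificate and host name and requires TLS >= 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def open_ftps(host: str, user: str, password: str, port: int = 21, timeout: float = 30) -> FTP_TLS:
    """Explicit FTP over TLS: connect in the clear on port 21, upgrade with AUTH TLS,
    log in, then switch the data channel to PROT P."""
    ftps = FTP_TLS(context=make_tls_context(), timeout=timeout)
    ftps.connect(host, port)
    ftps.login(user, password)   # ftplib sends AUTH TLS before USER/PASS on an unsecured socket
    ftps.prot_p()                # without this the data channel stays PROT C: listings and files in clear
    return ftps


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own before running.
    with open_ftps("ftp.example.com", "user", "password") as ftps:
        print(ftps.nlst())
```

The only piece worth changing per host is the port (21 for explicit TLS); everything else, including the certificate check, should stay as it is.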

Setting and managing file permissions

File permissions are a powerful security tool that gives the server
administrator the capability to define exactly who can read, write, and
execute any given file. Each file has its own permissions, which are
expressed either in textual form, such as drwxrwxrwx (a leading type
character, d for a directory or - for a plain file, followed by three
read/write/execute triplets), or in numerical form, such as 755 (one octal
digit per triplet, where read is 4, write is 2 and execute is 1).
Figure: permissions shown in three-digit format in FileZilla.
The three triplets are set for:

The owner: Usually the owner is the creator of the file, but that can be
changed, if necessary.

The group: Groups are set up in UNIX/Linux to manage permissions.
Each user can be added to multiple groups, but each file belongs to exactly
one group. This enables you to grant a set of users access to the file
without opening it to everyone.

The public (also called other or world): Anybody who has access to the
system and is neither the owner nor a member of the file's group. These
permissions apply to every other account on the server, so on a shared host
a world-writable file may be modified by another customer's scripts.
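An added example (not from the original chapter) that converts between the two notations above and flags the settings a host would not want to see on web content. The listing it audits is constructed here to look like what FileZilla shows; the file names and the list of names treated as secret files are assumptions for illustration.

```python
PERM_BITS = "rwxrwxrwx"
SPECIAL = {2: 0o4000, 5: 0o2000, 8: 0o1000}   # setuid, setgid, sticky live on the x positions


def symbolic_to_mode(perm: str) -> int:
    """'rwxr-xr-x' or 'drwxr-xr-x' (leading type char from ls/FileZilla) -> integer mode."""
    bits = perm[-9:]
    if len(bits) != 9:
        raise ValueError(f"bad permission string: {perm!r}")
    mode = 0
    for i, ch in enumerate(bits):
        bit = 1 << (8 - i)
        if ch == PERM_BITS[i]:
            mode |= bit
        elif ch == "-":
            continue
        elif i in SPECIAL and ch in "sStT":
            mode |= SPECIAL[i]
            if ch.islower():          # lower case means the x bit is set as well
                mode |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i} in {perm!r}")
    return mode


def mode_to_octal(mode: int) -> str:
    """Integer mode -> the numeric form FileZilla shows, e.g. 0o755 -> '755'."""
    return f"{mode & 0o7777:o}"


def mode_to_symbolic(mode: int) -> str:
    """Integer mode -> 'rwxr-xr-x' style, including s/S/t/T for the special bits."""
    out = [PERM_BITS[i] if mode & (1 << (8 - i)) else "-" for i in range(9)]
    if mode & 0o4000:
        out[2] = "s" if mode & 0o100 else "S"
    if mode & 0o2000:
        out[5] = "s" if mode & 0o010 else "S"
    if mode & 0o1000:
        out[8] = "t" if mode & 0o001 else "T"
    return "".join(out)


# Assumed names of files that hold credentials and should never be readable by group/others.
SECRET_FILES = ("wp-config.php", ".env", ".htpasswd")


def audit_entry(perm: str, name: str) -> list[str]:
    """Settings a shared host should rarely see on uploaded web content."""
    mode = symbolic_to_mode(perm)
    findings = []
    if mode & 0o002:
        findings.append("world-writable")
    if mode & 0o4000:
        findings.append("setuid")
    if mode & 0o2000 and not perm.startswith("d"):
        findings.append("setgid")
    if name.endswith(SECRET_FILES) and mode & 0o044:
        findings.append("secrets readable by group/others")
    return findings


# Constructed listing in the ls -l layout FileZilla displays.
SAMPLE_LISTING = """\
drwxr-xr-x  5 web web 4096 Jan 10 10:00 wp-content
-rw-rw-rw-  1 web web 2048 Jan 10 10:00 wp-config.php
-rwsr-xr-x  1 web web 8192 Jan 10 10:00 helper.cgi
-rw-r--r--  1 web web  512 Jan 10 10:00 index.php
"""


def audit_listing(listing: str) -> dict[str, list[str]]:
    """Map each flagged file name to its findings; clean entries are left out."""
    report = {}
    for line in listing.splitlines():
        fields = line.split(None, 8)      # perm links owner group size mon day time name
        if len(fields) < 9:
            continue
        findings = audit_entry(fields[0], fields[8])
        if findings:
            report[fields[8]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_listing(SAMPLE_LISTING).items():
        print(f"{name}: {', '.join(findings)}")
```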

Session Hijacking-Protection

Session hijacking isn't new to computer security. The term is most commonly used to describe a TCP connection being taken over by a sequence prediction attack: the attacker guesses the sequence numbers of an already established TCP connection, injects packets that the peer accepts as genuine, and so gains control of the connection. When applied to Web application security, session hijacking refers to the takeover of a Web application session, that is, of the token the application uses to recognize a logged-in user.

HTTP is a stateless protocol with its origins in information dissemination. Clients request a particular resource, which eventually is delivered by the server hosting that particular resource. The goal of the World Wide Web in its early days was to provide a uniform medium of information dissemination via HTTP and rendering of the information via HTML. The information could also be cross-referenced by using hyperlinks. As time went by, servers were developed with the ability to handle dynamically generated content and execute programs that generated HTML. Soon enough, the need for interactivity increased. Because of its ability to handle text and graphics, the browser took the place of a universal client. Small-scale applications began to be hosted on Web servers with the use of CGI scripting, which extended the ability of universal participation to all Internet users who had a browser. No longer was an underlying operating system an issue. So long as you had a browser, you could use the application. Application development went from a central mainframe–terminal based concept to the client-server model, and back to the central Web server–browser based concept again.

These days, Web application servers host complex applications, such as an entire office productivity suite. Microsoft Outlook for the Web is an example of delivering a fully featured e-mail client over a Web browser. Lotus Domino servers provide a Web interface that lets users perform more or less the same tasks as can be performed via a Lotus Notes client.

All multiuser applications embody the concept of a user session. Each user interacts with the application via a separate user session. The application keeps track of all who are currently using the application via sessions. This capability is essential for segregating user activity.

Despite rapid changes in Web server technology, the HTTP protocol remained the same, and HTTP 1.1 is still the most widely used version. The greatest hurdle in designing and hosting Web-based applications is getting around the statelessness of HTTP. There is no standard governing how a Web-based application should provide its own state-maintaining mechanism over HTTP, so developers tackle state preservation in different ways, usually by handing the client a session identifier (in a cookie, a URL parameter or a hidden form field) that the server maps to per-user state. There are poor and good ways of approaching this problem, and both result in a workable application; the difference only shows when someone attacks it. Poor implementations of session state, such as identifiers that are predictable, exposed in URLs or never rotated, lead to attacks such as session hijacking.
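As an added example, not from the original text: the poor and the good way of minting the session identifier that stands in for state over HTTP, plus the cookie attributes and the server-side handling that limit what a hijacker can do with an identifier that leaks. The function names, the cookie name and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time


def weak_session_id(user_id: int, timestamp: int) -> str:
    """The poor way: built from values an attacker can know or guess (user id,
    server clock), so a hijacker can recompute a victim's id or enumerate ids."""
    return hashlib.md5(f"{user_id}:{timestamp}".encode()).hexdigest()


def strong_session_id(nbytes: int = 32) -> str:
    """The good way: 256 random bits from the OS CSPRNG, unrelated to the user."""
    return secrets.token_urlsafe(nbytes)


def session_cookie(value: str, name: str = "SESSIONID", max_age: int = 3600) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts from reading it, Secure keeps it
    off plain HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    """Hypothetical in-memory store. Sessions are keyed by a hash of the id, so a
    copy of the store (a leaked database dump) does not hand out usable ids."""

    def __init__(self) -> None:
        self._sessions = {}

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user_id: int) -> str:
        sid = strong_session_id()
        self._sessions[self._key(sid)] = {"user_id": user_id, "created": time.time()}
        return sid

    def rotate(self, old_sid: str) -> str:
        """Issue a fresh id whenever privilege changes (e.g. at login); an id an
        attacker planted or captured before login is worthless afterwards."""
        data = self._sessions.pop(self._key(old_sid))
        new_sid = strong_session_id()
        self._sessions[self._key(new_sid)] = data
        return new_sid

    def lookup(self, sid: str):
        """Session data for a presented id, or None when it is unknown or rotated away."""
        return self._sessions.get(self._key(sid))


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(user_id=7)
    print(session_cookie(store.rotate(sid)))
```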

FTP 550 Access is denied Error

Probably the firewall on Client A is preventing this. FTP also requires a data channel to send its information, so allowing the command connection on port 21 alone is not enough. Note that 550 is the server's "requested action not taken, file unavailable" reply, so it can also mean the account simply lacks permission on the target path; a blocked data channel more often shows up as a 425 or 426 reply, or as a hang right after a listing or transfer command.

How to list directory content of remote FTP, recursively?

lftp can do almost everything a local shell can do, albeit remotely.


$ lftp mirror.3fl.net.au
lftp mirror.3fl.net.au:~> ls
drwxr-xr-x  14 root     root         4096 Nov 27  2007 games
drwx------   2 root     root        16384 Apr 13  2006 lost+found
drwxr-xr-x  15 mirror   mirror       4096 Jul 15 05:20 pub
lftp mirror.3fl.net.au:/> cd games/misc
lftp mirror.3fl.net.au:/games/misc> find
./
./dreamchess/
./dreamchess/full_game/
./dreamchess/full_game/dreamchess-0.2.0-win32.exe
./frets_on_fire/
./frets_on_fire/full_game/
./frets_on_fire/full_game/FretsOnFire-1.2.451-macosx.zip
./frets_on_fire/full_game/FretsOnFire-1.2.512-win32.zip
./frets_on_fire/full_game/FretsOnFire_ghc_mod.zip
./gametap_setup.exe
......
lftp mirror.3fl.net.au:/games/misc> du gametap_setup.exe
32442   gametap_setup.exe
lftp mirror.3fl.net.au:/games/misc> du -sh gametap_setup.exe
32M     gametap_setup.exe
lftp mirror.3fl.net.au:/games/misc>
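The same recursive listing done with Python's ftplib instead of lftp, as an added example that is not part of the original post: ftp_find walks the tree with MLSD like lftp's find, with a depth limit so a symlink loop on the server cannot send it round forever, and ftp_du totals sizes like du. A fake FTP object with a constructed tree (directory names borrowed from the listing above, sizes made up) lets it run offline; pass a real ftplib.FTP connection in its place.

```python
import math
import posixpath


def ftp_find(ftp, path=".", max_depth=32):
    """Recursively yield (path, facts) under `path`, like lftp's `find`.
    Works with any object offering ftplib's mlsd(path) -> iterable of (name, facts)."""
    if max_depth < 0:       # a symlink loop on the server would otherwise recurse forever
        return
    for name, facts in sorted(ftp.mlsd(path), key=lambda entry: entry[0]):
        if name in (".", ".."):
            continue
        full = posixpath.join(path, name)
        if facts.get("type") == "dir":
            yield full + "/", facts
            yield from ftp_find(ftp, full, max_depth - 1)
        else:
            yield full, facts


def ftp_du(ftp, path="."):
    """Total size in bytes of every file under path (MLSD 'size' fact), like lftp's du."""
    return sum(int(f["size"]) for _, f in ftp_find(ftp, path) if f.get("type") == "file")


def human(n):
    """Format like du -h, rounding up: 33220608 -> '32M'."""
    for unit in ("", "K", "M", "G", "T"):
        if n < 1024 or unit == "T":
            break
        n /= 1024
    if unit == "":
        return str(n)
    return f"{math.ceil(n * 10) / 10:.1f}{unit}" if n < 10 else f"{math.ceil(n)}{unit}"


class FakeFTP:
    """Stand-in for ftplib.FTP over a constructed tree: dict = directory, int = file size."""

    def __init__(self, tree):
        self.tree = tree

    def _node(self, path):
        node = self.tree
        for part in path.split("/"):
            if part not in ("", "."):
                node = node[part]
        return node

    def mlsd(self, path="", facts=()):
        for name, child in self._node(path).items():
            if isinstance(child, dict):
                yield name, {"type": "dir"}
            else:
                yield name, {"type": "file", "size": str(child)}


# Constructed tree; names follow the listing above, the sizes are made up.
TREE = {
    "dreamchess": {"full_game": {"dreamchess-0.2.0-win32.exe": 5_000_000}},
    "frets_on_fire": {"full_game": {"FretsOnFire-1.2.512-win32.zip": 20_000_000}},
    "gametap_setup.exe": 33_220_608,
}


if __name__ == "__main__":
    ftp = FakeFTP(TREE)
    for p, _ in ftp_find(ftp):
        print(p)
    print(human(ftp_du(ftp)))
```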

Difference between active and passive FTP?


Active and passive are the two modes that FTP can run in. FTP uses two channels between client and server, the command channel and the data channel, which are separate TCP connections. The command channel carries commands and responses; the data channel carries the actual file transfers and directory listings. It's a nifty way of sending commands to the server without having to wait for the current data transfer to finish.
In active mode, the client establishes the command channel (from an arbitrary client port X to the well-known server port 21) but the server establishes the data channel (from server port 20 to client port Y, where Y has been supplied by the client in a PORT command).
In passive mode, the client establishes both channels. In that case, the server tells the client, in its reply to the PASV command, which server port should be used for the data channel.
Passive mode is generally used in situations where the FTP server is not able to establish the data channel back to the client. The major reason for this is network firewalls and NAT: while you may have a firewall rule that allows you to open FTP connections to ftp.microsoft.com, Microsoft's servers may not be able to open the data channel back through your firewall to the port your client announced. Passive mode moves that burden to the server side, which is why clients default to it, and why an FTP server behind a firewall needs a fixed passive port range that the firewall allows inbound.


Active mode:
  • Client opens up the command channel from client port 2000 (arbitrary) to server port 21 (well known).
  • Client sends PORT a1,a2,a3,a4,7,209 (its own address, then port 2001 encoded as 7*256+209) to the server, and the server acknowledges on the command channel.
  • Server opens up the data channel from server port 20 to client port 2001.
  • Client acknowledges on the data channel.
Passive mode:
  • Client opens up the command channel from client port 2000 to server port 21.
  • Client sends PASV to the server on the command channel.
  • Server starts listening on an arbitrary port (say 1234) and sends back, on the command channel, a 227 reply such as 227 Entering Passive Mode (s1,s2,s3,s4,4,210), where 4*256+210 = 1234.
  • Client opens up the data channel from client port 2001 to server port 1234.
  • Server acknowledges on the data channel.
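The two exchanges above as code, an added example that is not part of the original answer: parsing the 227 reply to PASV (and the RFC 2428 EPSV variant), building the PORT command for active mode, and one check a client should make that the text does not mention. A server can put any address in its 227 reply, so a client that blindly connects there can be steered at a third host; connect to the command connection's peer instead unless you have a reason to trust the reply, which is what curl's --ftp-skip-pasv-ip does. The sample replies and addresses are constructed.

```python
import re

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' -> (host, p1*256 + p2)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server offered port 0")
    return host, port


def parse_epsv(reply):
    """RFC 2428 '229 Entering Extended Passive Mode (|||1234|)' -> port.
    EPSV carries no address at all: the data channel goes to the command peer."""
    m = _EPSV_RE.search(reply) if reply.startswith("229") else None
    if not m:
        raise ValueError(f"malformed EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {reply!r}")
    return port


def build_port_command(host, port):
    """Active mode: tell the server where to connect.
    ('192.168.1.5', 2001) -> 'PORT 192,168,1,5,7,209' since 2001 = 7*256 + 209."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def passive_data_endpoint(command_peer, reply, trust_reply_host=False):
    """Where the client should open the data channel after PASV.
    A misconfigured or hostile server can name a third party's address in the 227
    reply, turning the client into a connection proxy; use the command connection's
    peer address instead unless the caller explicitly trusts the reply."""
    host, port = parse_pasv(reply)
    if not trust_reply_host and host != command_peer:
        return command_peer, port
    return host, port


if __name__ == "__main__":
    # Constructed replies for the two modes described above.
    print(parse_pasv("227 Entering Passive Mode (192,168,1,10,4,210)."))
    print(build_port_command("192.168.1.5", 2001))
    print(passive_data_endpoint("203.0.113.5", "227 Entering Passive Mode (10,0,0,7,4,210)"))
```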