These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for Security issue with FTP/SFTP on the new forum.
Web Hosting and Cloud Computing Control Panels
hi just quick note to you ftp IS NOT SFTP ergo sftp is ssh which have nothing to do with ftp which is stand alone insecure server. You can google it out.
I think you mean or referring to ftp secured by ssl and it calls ftpS which is ftp secured but not the same thing..
side note: im no virtualmin staff, thanks.
Configuring/troubleshooting Debian servers is always great fun
Thank you @unborn for the information about SFTP.
So specifically in FTP connection, is it normal that user1 login to FTP and he can see the folders user1, user2, user3 within the /home directory?
(Personally I see no problem, it is just how the user permission works in linux, since user1 cannot click one more step to view the content of /home/user2 or /home/user3)
normally that depends on your proftpd server setup.. its a bit different from ssh.. ssh beauty is security taken way up.. regards the proftpd or any ftpd server you need to setup so called jail.. its there in virtualmin settings, basically you bound user to its /public_html folder where it will stays locked in. or you can bound him to be locked in his /home folder.. please understand locked in means he would not be able to go up in folder that it is locked up for that user in no way...I admit that should be right in a place but since we all setup virtualmin/webmin differently there is no way to set this up as an pre-set.. its usually left on know-how of sysops out there....anyway its nothing hard to accomplish - if you need some screenshot guid or video guid I would do it for you.. tell me - thanks.
Configuring/troubleshooting Debian servers is always great fun
Thanks, so does it mean that the default setup of virtualmin - proftpd is not secured, and it have to be jailed in production server?
it means on any linux and any ftpd or proftpd - you need to know what are you doing, basically before any domain or first before any domain is deployed you should click on proftpd or any ftpd server of your choice installed settings and configured correctly. This means you set up your own rules there etc.. regards the sftp aka ssh that is different story and ssh aka sftp should give you confidence very much that any user logged in cannot access others personal files means if you use sftp or ssh you can leave it unchanged and if you use proftpd or any other ftpd server you should look always onto settings before you deployed. It means proftpd or any ftpd is secured by it all means regardless of virtualmin setup - keep in mind that ftpd is transfer over the text so no secure at all by any means - not an virtualmin fail or anything its just an old protocol - very old. Its your duty as an sysops to know this and also set this up correctly.. another helpful info for you would be ftp it self is old very old and its dangerous.. I would not use this unless fail2ban is deployed and also 'jail' config in a place - which is know-how and not virtualmin nor webmin fail - remember its just awful old stuff older then my grampa.
to my advice is - if you are an business - tell clients to use filezilla - sftp and ssh is well supported even in native windows or mac or linux user
...dont use ftp :) it saves you your ram and other headaches and THE TIME - trust me.
Configuring/troubleshooting Debian servers is always great fun
Actually my question is not that broad, it is just that the default configuration of FTP has any significant difference (in term of security) compared to the jailed config. Other things, like unsecure protocol I am fully aware of.
So extracting the information from your answer, I don't see the significant difference between jailed and non-jailed (default) proFTPd configuration, since you say "It means proftpd or any ftpd is secured by it all means regardless of virtualmin setup". The jailed config is just to cover the eye of the user, but PHP script still can see the immediate subdir of /home.
This is just my expected answer, so that I can show this thread to my user.
If my understanding is wrong, please kindly let me know.
Thanks for your great help.
okay.. give me one moment to show you how you can 'secure' your users over ftpd without securing the login.. basically what you asked for in first place.. (i have to take some screenshots.. be with me)
Configuring/troubleshooting Debian servers is always great fun
hey thanks for the waiting here :)
here are your settings how to setup so called 'jail' out there on any ftpd server regards gui.. virtualmin/webmin. I am using proftpd which is disabled anyway as it is not secure at all. See the screenshot... I think thats all you need it :)
ps click on image and open in new tab as image if you need to see it bigger.
Configuring/troubleshooting Debian servers is always great fun
I knew about jailed config of proftp before asking this question. What I wanted to ask was more clearly addressed in post #7, so if there is any other things to better secure, please advise me.
Thank you very much
Well, that is it, you actually are guiding me on how to do the jailed configuration, which I didn't ask about
ah well - php is different thing then ftps or ftp :) you know that.. also put you back in a line - see your initial post.. I did guide you correctly...read this for your self...
''Hi,
I have installed a virtualmin server. I created a virtual server for a user (let say his username is user1. The user can login ftp into his account. He can view the /home folder (which list the username of other users also, e.g. /home/user2, /home/user3, but he can only click on /home/user1, NOT able to click/open the /home/user2 ...) and a few other folders (/var, etc).
He is concerned about the security with virtualmin.
Any virtualmin staff can confirm this is a normal thing?
Thank you for any clarification.''
Configuring/troubleshooting Debian servers is always great fun
@quacky ftp is not secure.. password or ssl cert will only give you false feeling.. it is not virtualmin nor webmin fail its the old very bloody old protocol to transfer the files.. I would suggest you to google it and do your research.. I cannot help you any more if you do not understand how ftp protocol works.. ftp is not secure at all, its just like saying your user name and password a loud and I repeat its not virtualmin fail its ftp as an old protocol fail..
have good day.
ps: perhaps virtualmin guys would be able to reply to your php issue much wisely .. im webdev as well.. to just note you... :)
Configuring/troubleshooting Debian servers is always great fun
I see cPanel also use ftp, so I guess it is still very popular. I was aware of the security with ftp (some network scripts/software can easily capture the unencrypted information), but I guess I would let it go, since I have reminded my users to use to use filemin or sftp. So I think just inform them and let them have a choice :)
Thanks!
yes ftp will be popular for home users still as long as windows supports it. did you try to connect to ftp with android or applexos or linux recently? - I guess not.. even its still supported - you need to think about your own ass in your business.. - I hope so you feel me what I am talking about.. and yes its all about telling and spread the word out there :)
anyway i would go with sftp which is ssh.. much better choice buddy! ;)
Configuring/troubleshooting Debian servers is always great fun