Security issue with FTP/SFTP

#1 Fri, 07/14/2017 - 10:12
quacky

Security issue with FTP/SFTP

Hi,

I have installed a Virtualmin server. I created a virtual server for a user (let's say his username is user1). The user can log in via FTP to his account. He can view the /home folder (which also lists the usernames of other users, e.g. /home/user2, /home/user3, but he can only open /home/user1, NOT /home/user2 ...) and a few other folders (/var, etc.).

He is concerned about the security with virtualmin.

Any virtualmin staff can confirm this is a normal thing?

Thank you for any clarification.

Fri, 07/14/2017 - 10:24
unborn

Hi, just a quick note for you: FTP IS NOT SFTP. SFTP is SSH, which has nothing to do with FTP, which is a stand-alone insecure server. You can google it.

I think you mean, or are referring to, FTP secured by SSL, which is called FTPS: it is FTP secured, but not the same thing.

Side note: I'm not Virtualmin staff, thanks.

Configuring/troubleshooting Debian servers is always great fun

Fri, 07/14/2017 - 10:28
quacky

Thank you @unborn for the information about SFTP.

So specifically in an FTP connection, is it normal that user1 logs in to FTP and can see the folders user1, user2, user3 within the /home directory?

(Personally I see no problem; it is just how user permissions work in Linux, since user1 cannot go one more step to view the contents of /home/user2 or /home/user3.)

Fri, 07/14/2017 - 10:32 (Reply to #3)
unborn

Normally that depends on your ProFTPD server setup. It is a bit different from SSH; the beauty of SSH is that security is taken way up. Regarding ProFTPD or any ftpd server, you need to set up a so-called jail. It is there in the Virtualmin settings: basically you bind the user to his /public_html folder, where he will stay locked in, or you can bind him to be locked in his /home folder. Please understand that locked in means he would not be able to go up into a folder that is locked for that user, in no way. I admit that should be in place by default, but since we all set up Virtualmin/Webmin differently there is no way to set this up as a preset; it is usually left to the know-how of the sysops out there. Anyway it is nothing hard to accomplish. If you need a screenshot guide or video guide I would do it for you; tell me, thanks.

Fri, 07/14/2017 - 10:37
quacky

Thanks, so does it mean that the default setup of Virtualmin - ProFTPD is not secure, and it has to be jailed on a production server?

Fri, 07/14/2017 - 10:49
unborn

It means that on any Linux and any ftpd or ProFTPD, you need to know what you are doing. Basically, before any domain is deployed, you should click on the settings of ProFTPD or whatever ftpd server you have installed and configure it correctly. This means you set up your own rules there, etc.

Regarding SFTP aka SSH, that is a different story: SSH aka SFTP should give you a lot of confidence that any logged-in user cannot access others' personal files. That means if you use SFTP or SSH you can leave it unchanged, and if you use ProFTPD or any other ftpd server you should always look at the settings before you deploy. It means ProFTPD or any ftpd is secured by all means regardless of the Virtualmin setup. Keep in mind that ftpd transfers over plain text, so it is not secure at all by any means; that is not a Virtualmin failure or anything, it is just an old protocol, a very old one. It is your duty as a sysop to know this and also to set this up correctly.

Another helpful piece of info for you: FTP itself is old, very old, and it is dangerous. I would not use it unless fail2ban is deployed and also a 'jail' config is in place, which is know-how and not a Virtualmin nor Webmin failure. Remember, it is just awful old stuff, older than my grandpa.

So my advice is: if you are a business, tell clients to use FileZilla; SFTP and SSH are well supported natively even for Windows, Mac or Linux users.

...don't use FTP :) It saves you RAM, other headaches and THE TIME - trust me.
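As an added example (not from this thread, and not Virtualmin's or ProFTPD's own code), the shell script below checks the two things that replies #4 and #6 above turn on: whether the per-user directories under a home tree are listable or enterable by other local users (the /home listing quacky describes comes from the mode bits on those directories, which FTP merely exposes), and whether a ProFTPD configuration file contains an active "DefaultRoot ~" line, which is ProFTPD's directive for jailing each FTP login to its home directory. The fake home tree and the two proftpd.conf variants are constructed in a temporary directory; nothing under the real /home or /etc/proftpd is read or changed, and the config file contents are assumed minimal rather than copied from a Virtualmin install.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a home tree for directories that
# other local users can list/enter, and checks a ProFTPD config for the
# "DefaultRoot ~" jail directive. Everything operates on a constructed fixture.
set -eu

# make_fixture: build a throw-away tree in a temp dir and print its path.
# The modes mirror the thread: user2 is world-listable (755), user3 is
# traversable but not listable (711), user1 is closed to others (750).
# Both config files are assumed minimal stand-ins for /etc/proftpd/proftpd.conf.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/user1" "$tmp/home/user2" "$tmp/home/user3"
    chmod 750 "$tmp/home/user1"
    chmod 755 "$tmp/home/user2"
    chmod 711 "$tmp/home/user3"
    printf 'ServerName "fixture"\nDefaultRoot ~\n' > "$tmp/jailed.conf"
    printf 'ServerName "fixture"\n# DefaultRoot ~\n' > "$tmp/open.conf"
    printf '%s\n' "$tmp"
}

# audit_home_modes DIR: print, comma-separated and sorted, the names of the
# directories directly under DIR whose mode has any "others" read (004) or
# execute (001) bit set, i.e. another local user could list or traverse them.
audit_home_modes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /005 \
        | sed 's#.*/##' | sort | paste -s -d ,
}

# harden_home_modes DIR: drop others' read and execute on every directory
# directly under DIR, so other local users (and scripts running as them)
# can neither list nor enter a different user's home.
harden_home_modes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rx {} +
}

# proftpd_jail_configured CONF: succeed (exit 0) only if CONF has an active,
# uncommented "DefaultRoot ~" directive; a commented-out line does not count.
proftpd_jail_configured() {
    grep -Eq '^[[:space:]]*DefaultRoot[[:space:]]+~([[:space:]]|$)' "$1"
}

# demo: run the checks on the fixture, before and after hardening.
demo() {
    d=$(make_fixture)
    echo "world-visible home dirs before hardening: $(audit_home_modes "$d/home")"
    harden_home_modes "$d/home"
    echo "world-visible home dirs after hardening:  '$(audit_home_modes "$d/home")'"
    for c in jailed.conf open.conf; do
        if proftpd_jail_configured "$d/$c"; then
            echo "$c: DefaultRoot ~ present, FTP users are jailed to their home"
        else
            echo "$c: no active DefaultRoot ~, FTP users can browse above their home"
        fi
    done
    rm -rf "$d"
}

demo
```

The two checks answer different questions, which is the distinction the thread circles around: DefaultRoot changes only what an FTP session can see, while the mode bits on /home/user2 are what stop a different local account, including a PHP script running as user1, from reading user2's files. Run the same find against a real /home to see which accounts are world-listable, and grep the real proftpd.conf for DefaultRoot before putting the box in production.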

Fri, 07/14/2017 - 10:57
quacky

Actually my question is not that broad; it is just whether the default configuration of FTP has any significant difference (in terms of security) compared to the jailed config. Other things, like the insecure protocol, I am fully aware of.

So extracting the information from your answer, I don't see a significant difference between the jailed and non-jailed (default) ProFTPD configuration, since you say "It means proftpd or any ftpd is secured by it all means regardless of virtualmin setup". The jailed config just covers the user's eyes, but a PHP script can still see the immediate subdirectories of /home.

This is just my expected answer, so that I can show this thread to my user.

If my understanding is wrong, please kindly let me know.

Thanks for your great help.

Fri, 07/14/2017 - 11:01 (Reply to #7)
unborn

Okay... give me one moment to show you how you can 'secure' your users over ftpd without securing the login... basically what you asked for in the first place... (I have to take some screenshots... bear with me)

Fri, 07/14/2017 - 11:08
unborn

Hey, thanks for waiting here :)

Here are your settings for how to set up the so-called 'jail' on any ftpd server via the GUI, Virtualmin/Webmin. I am using ProFTPD, which is disabled anyway as it is not secure at all. See the screenshot... I think that's all you need :)

PS: click on the image and open it in a new tab as an image if you need to see it bigger.

[screenshot hosted on Imgur]

Fri, 07/14/2017 - 11:09
quacky

I knew about the jailed config of ProFTPD before asking this question. What I wanted to ask was more clearly addressed in post #7, so if there are any other things to better secure, please advise me.

Thank you very much

Fri, 07/14/2017 - 11:11
quacky

Well, that is it; you are actually guiding me on how to do the jailed configuration, which I didn't ask about.

Fri, 07/14/2017 - 11:11
unborn

Ah well, PHP is a different thing from FTPS or FTP :) you know that... also, to put you back in line, see your initial post... I did guide you correctly... read this for yourself...

''Hi,

I have installed a Virtualmin server. I created a virtual server for a user (let's say his username is user1). The user can log in via FTP to his account. He can view the /home folder (which also lists the usernames of other users, e.g. /home/user2, /home/user3, but he can only open /home/user1, NOT /home/user2 ...) and a few other folders (/var, etc.).

He is concerned about the security with Virtualmin.

Any Virtualmin staff can confirm this is a normal thing?

Thank you for any clarification.''

Fri, 07/14/2017 - 11:23
unborn

@quacky FTP is not secure... a password or SSL cert will only give you a false feeling. It is not a Virtualmin or Webmin failure; it is the old, very bloody old protocol to transfer files. I would suggest you google it and do your research... I cannot help you any more if you do not understand how the FTP protocol works. FTP is not secure at all; it is just like saying your username and password out loud, and I repeat, it is not a Virtualmin failure, it is FTP as an old protocol failing.

Have a good day.

PS: perhaps the Virtualmin guys would be able to reply to your PHP issue more wisely... I'm a web dev as well... just to let you know... :)

Fri, 07/14/2017 - 11:29
quacky

I see cPanel also uses FTP, so I guess it is still very popular. I was aware of the security issues with FTP (some network scripts/software can easily capture the unencrypted information), but I guess I will let it go, since I have reminded my users to use Filemin or SFTP. So I think just inform them and let them have a choice :)

Thanks!

Fri, 07/14/2017 - 11:32 (Reply to #14)
unborn

Yes, FTP will still be popular for home users as long as Windows supports it. Did you try to connect to FTP with Android or Apple OS X or Linux recently? I guess not... even if it is still supported, you need to think about your own ass in your business... I hope you feel what I am talking about... and yes, it is all about telling and spreading the word out there :)

Anyway, I would go with SFTP, which is SSH... much better choice buddy! ;)

Topic locked