[SECURTY NOTICE:] FTP vs jailed SFTP

4 posts / 0 new
Last post
#1 Fri, 12/06/2013 - 02:43
oobajeeba

[SECURTY NOTICE:] FTP vs jailed SFTP

I'm actually rather shocked that FTP is still being used as the primary means for users to upload material to their accounts with no option in the gui to configure jailed sftp.

FTP transmits usernames and passwords in clear text. This is a huge security risk that is easily avoidable and for a server administrator this could actually be considered a negligent liability depending upon the damages cause by the interception of user account credentials.

openssh-server provides all the function for secure file transfers that anyone could ever need.

jailing the sftp is also important because without it an attacker has access to the entire filesystem, they may not have access to make damaging changes, but it still allows them to gather information about the filesystem and or user account to aid in further attacks.

I really like virtualmin but it has several security flaws that users must manually correct in order to secure their systems. The FTP vs Jailed SFTP is just the biggest one.

Please consider adding this to your list of to-do's. Its really very important.

Note: PHP is also by default configured to allow users to include any file on the filesystem and view its contents via a web browser. To prevent this administrators have to manually fine tune every users php.ini to jail it to their home directories. As well as lock out php features that would allow an attacker to launch scripts and or attacks via PHP.

Fri, 12/06/2013 - 03:41
alancolyer

I agree in general, there are alot of areas where Virtualmin's default settings are what most developers would consider unsecure and in some cases dangerous.

However the same is true of a vanilla install of whatever OS you are running it on - there is significant work involved to harden the system to attacks regardless ( eg disabling root login on SSH, stop it responding to pings, change SSH port, put some brute force IP banning software in place ).

I think I'd like to see some more secure defaults, it might help the reputation Virtualmin has in some circles of being too unsecure to be used professionally. Not my own opinion as I think it can be sufficiently secured with a bit of time and effort, but if you ask about it on certain stackexchange sites you tend to get downvoted into oblivion (not that I'm bitter.... ) :)

Fri, 12/06/2013 - 08:31
andreychek

Howdy,

We're just as surprised that people are using FTP :-)

Jailing FTP users seems to make folks happy for some reason, and that feature was reluctantly added into Virtualmin at some point, as ProFTPd makes that super simple to do.

The issue though is that users can see the entire filesystem when accessing the system any other way, such as via a web app.

Data belonging to other users is protected, as the permissions are not readable by other users, but files that are world readable can be viewed via a web app.

So a user can upload a web-based file browser, and see every file on the filesystem that is world readable.

There's some thoughts on all that here in the article titled "How can I prevent other types of users from browsing the entire filesystem":

https://www.virtualmin.com/documentation/security/faq

Even knowing all that, do you guys still prefer to jail SSH users?

If so, did you configure your current servers to do that? If so, did you do that with SSH's built in mechanism?

-Eric

Fri, 12/06/2013 - 11:42
jimdunn

I'm yet to see a HOWTO on "SFTP JAIL"... none of my attempts have worked.

oobajeeba, please submit one! Thx!! : )