Linode Community Forums

Posted: Thu Sep 15, 2011 6:59 am
Newbie
Joined: Thu Sep 15, 2011 6:51 am
Posts: 2
Hi there,

I am hoping someone can help me solve a problem I have with data upload to my Linode.

I have to get some log files uploaded from a basic web server which only supports non-S - FTP. I know I can set up vsftp to do this. But everywhere I read about it people say it is very insecure.

Is there some way to create a closed sandbox area of the linode where I can allow the web server to upload via FTP without compromising the security of the whole Linode?

Thanks a bunch!

Best Regards,
Ro


Posted: Thu Sep 15, 2011 7:13 am
Senior Member
Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
What exactly do you mean by "secure"? Are you referring to the fact that everything is in plain-text, or do you think the vsftpd service itself is inherently insecure?

If you are concerned with encryption, etc. then transfer the files over SSH. If you just want to have a vsftpd installation that's more "secure" than the default options, look into chrooting users, disabling anonymous access, etc. It's all described in the config file.


Posted: Thu Sep 15, 2011 1:45 pm
Senior Member
Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
FTP is said to be "insecure" because the login credentials, as well as the files, are transmitted in plain text. So somebody sitting between the two computers could read the passwords and the files.

You might not need to care about password security if it's a one-off account that you're only using for FTP and not for anything else, or if you set up vsftpd for anonymous FTP only. Just don't use your regular administrator account.

Whether you care about the file contents being exposed depends on what the files contain. Credit card numbers? No way. Funny cat pictures? Perfectly OK. Old log files? Probably OK.

As long as you're using the latest version of all programs and not transmitting confidential data, you won't get your server hacked just because you turned FTP on. It's not "insecure" in that sense.


Posted: Thu Sep 15, 2011 2:42 pm
Senior Member
Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
hybinet wrote:
FTP is said to be "insecure" because the login credentials, as well as the files, are transmitted in plain text. So somebody sitting between the two computers could read the passwords and the files.

You might not need to care about password security if it's a one-off account that you're only using for FTP and not for anything else, or if you set up vsftpd for anonymous FTP only. Just don't use your regular administrator account.

Whether you care about the file contents being exposed depends on what the files contain. Credit card numbers? No way. Funny cat pictures? Perfectly OK. Old log files? Probably OK.

As long as you're using the latest version of all programs and not transmitting confidential data, you won't get your server hacked just because you turned FTP on. It's not "insecure" in that sense.


It should be noted that somebody doesn't need to break into your ISP's datacenter to get your FTP password. A far more likely attack vector is somebody sniffing your password on a wifi network, since anybody can see any data anybody sends over any wifi network. If it's unencrypted (and WEP is pretty much counting as unencrypted these days, even WPA1 is pretty easily cracked), it's trivial for somebody to run a packet sniffer looking for things like FTP authentications.


Posted: Fri Sep 16, 2011 12:14 am
Newbie
Joined: Thu Sep 15, 2011 6:51 am
Posts: 2
Thanks for the help guys!

I am working with non-confidential data, so I basically resolved creating one user with a fixed home directory, solely allowing that user to log in to vsftpd (allowed_users). And chroot that user.

That seems to work alright.

Thanks again for your input!

Cheers,
Ro
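
A vsftpd.conf along the lines discussed in this thread (one dedicated upload account, no anonymous access, chroot), added here as an example and not taken from any of the posters. The account name `logupload`, the file paths and the passive port range are assumptions.

```conf
# /etc/vsftpd.conf -- constructed example; "logupload", the paths and the
# port range are placeholders, not values from this thread.
listen=YES

# No anonymous sessions; only local accounts may authenticate.
anonymous_enable=NO
local_enable=YES

# Allow logins only for names listed in userlist_file.
# /etc/vsftpd.user_list then contains the single line: logupload
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list

# Confine every local user to their home directory.
chroot_local_user=YES

# The device only uploads: permit writes, refuse downloads and chmod.
write_enable=YES
download_enable=NO
chmod_enable=NO
local_umask=027

# Keep passive data connections in a narrow, known port range.
pasv_min_port=50000
pasv_max_port=50050

# Record every transfer.
xferlog_enable=YES
```

Newer vsftpd releases refuse logins when the chroot directory itself is writable by the user, so keep the home directory owned by root and give the account a writable subdirectory for the uploads.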


Posted: Fri Sep 16, 2011 12:21 am
Senior Member
Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
vsftpd does support TLS and SSL encryption, though it needs to be configured on the host machine....

_________________
sleddog


Posted: Fri Sep 16, 2011 6:10 am
Senior Member
Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Folks, from my understanding he has an embedded-type device that "dials into" his Linode via plaintext FTP, and doesn't support anything more secure than that...

_________________
rsk, providing useless advice on the Internet since 2005.


Posted: Fri Sep 16, 2011 6:41 pm
Senior Member
Joined: Thu Oct 02, 2008 8:56 am
Posts: 99
rsk wrote:
Folks, from my understanding he has an embedded-type device that "dials into" his Linode via plaintext FTP, and doesn't support anything more secure than that...


chroot virtual ftp accounts w/ jail might contain any breakins but I would find another way. ssh is really what you want (scp, rsync over ssh, etc.) to upload files.

