[luau] Secure FTP to RedHat 7.3 box?

Brian Chee chee at hawaii.edu
Mon Dec 9 14:29:01 PST 2002


So as a quick summary for others.....what Sharky is trying to do is the so
called "holy grail" for Dreamweaver users....Macromedia Dreamweaver, like
many other web design applications, tends to think that everyone is on a
secure internet and that unencrypted logins are perfectly ok....we all now
know that this is wishful thinking. So the idea is, since Macromedia refuses
to integrate SFTP/SCP into their application, and we all have users that
refuse to just publish to a local disk and then upload with SFTP....well,
sysadmins all over the net have needed a compromise.

The compromise is to tunnel the FTP request to the target server through an
SSH tunnel...think of it as putting the FTP envelope inside an SSH
envelope...then when it gets to the other side, the SSH envelope is torn
open, and then the FTP envelope is routed through the internal company snail
mail system. This way the unencrypted FTP login never gets out onto the
network, because it's only sent over the internal data bus of the Linux/Unix
box.

The big issue is the PASV port theft problem....because the Macromedia "site
synchronize" feature is pointed at the SSH tunnel (i.e. FTP to 127.0.0.1,
which is the localhost address, on TCP port 2021 as an example) the source
address is changed from 127.0.0.1 port 2021 to 128.171.10.160 port 21 at
the destination server. This is commonly a problem with machines that have
illegally been turned into a reflector for denial of service attacks,
smurfs, etc.... lots of possible mischief. So to make this work, you have to
allow this type of address change as indicated in the config file (snippet)
below.

Lastly, we now have the SSH tunneling working on uhunix just fine, but only
on the commercial SSH and on the Wintel platform.  It doesn't work on Linux
and Mac OS X yet....this is a problem with wu-ftpd.  I've got it working on
all platforms with proftpd just fine.  The only stuff I had to add out of
the norm is listed below in the cutout...



Here's the section of the proftpd.conf file that you really need....

# Allow foreign addresses to support SSH tunneling (the PASV data connection
# arrives from the client's real address, not from the tunnel endpoint)
AllowForeignAddress on

# Port 21 is the standard FTP port.
Port                            21

# This is an attempt to limit access only from the localhost so that users are
# forced to use the SSH tunnels to access the FTP service
<Limit LOGIN>
Order                           allow,deny
Allow from                      128.171.10.160,127.0.0.1
Deny from                       all
</Limit>

So this will allow you to set up ssh with a listen port on your local machine
like:

ssh -L2021:128.171.10.160:21 chee@128.171.10.160

The PASV error is what we've been getting on wu-ftpd, and by moving to
proftpd the problem goes away...the docs on the Macromedia site are nearly
worthless...but at least pointed me in the correct direction.....

/brian chee

University of Hawaii ICS Dept
Advanced Network Computing Lab
1680 East West Road, POST rm 311
Honolulu, HI  96822
808-956-5797 voice, 808-956-5175 fax
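An added example (mine, not code from Brian's post or from ProFTPD) that models the two points made above: decoding the server's PASV reply shows that only the control connection, and so only the login, rides inside the -L tunnel while the data connection goes straight to the advertised address, and the foreign-address comparison is the check that AllowForeignAddress relaxes. The tunnel endpoints are the ones in the post; the client address 192.0.2.10 is an assumed value.

```python
import re
from ipaddress import ip_address

# Endpoints from the post: Dreamweaver talks to the local end of the tunnel,
# sshd on the server then connects to the real FTP port on its own address.
TUNNEL_LOCAL_END = ("127.0.0.1", 2021)
SERVER_FTP = ("128.171.10.160", 21)
CLIENT_PUBLIC_IP = "192.0.2.10"  # assumed client address (documentation range)

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_is_tunneled(pasv_reply: str) -> bool:
    """ssh -L forwards exactly one port, so the data connection only stays
    inside the tunnel if the server advertises that same loopback endpoint.
    It normally advertises its own address, so file transfers go in the clear
    even though the USER/PASS exchange on the control connection is encrypted."""
    return parse_pasv(pasv_reply) == TUNNEL_LOCAL_END


def server_accepts_data_conn(control_peer: str, data_peer: str,
                             allow_foreign_address: bool) -> bool:
    """Model of the PASV 'port theft' check: without AllowForeignAddress the
    data connection must come from the same host as the control connection.
    Through the tunnel the control connection comes from sshd on the server
    itself, while the data connection comes from the client's real address."""
    if ip_address(control_peer) == ip_address(data_peer):
        return True
    return allow_foreign_address


def tunneled_session_ok(allow_foreign_address: bool) -> bool:
    """Whole-session view for the topology in the post."""
    control_peer = SERVER_FTP[0]  # sshd's -L target is the server's own address
    return server_accepts_data_conn(control_peer, CLIENT_PUBLIC_IP,
                                    allow_foreign_address)
```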

----- Original Message -----
From: "Erich S." <sharky at websharx.com>
To: <luau at videl.ics.hawaii.edu>
Sent: Monday, December 09, 2002 9:48 AM
Subject: [luau] Secure FTP to RedHat 7.3 box?


> Hi Folks!
>
> I'd like to use Dreamweaver's Remote folder facility for working with
> files that are on my RedHat 7.3 server. Dreamweaver is set up so that
> it'll use SSH to connect to the remote server. They even provide links to
> putty.exe and plink.exe. (I've used putty for SSH connections and like it
> very much)
>
> The documentation on the Dreamweaver side gets sketchy at that point, only
> dealing with what has to be done on the client side. They advise "Check
> with your ISP" for server side issues :( Seeing that this is my own server
> I guess that leaves me as the clueless "ISP".
>
> I have very minimal services set up on my machine and FTP by default is
> turned off.
>
> Is there a safe way to open FTP or to open it up only for SSH tunneled
> connections? Has anyone else set their Linux boxes to work with
> Dreamweaver MX?
>
> Thanks in advance,
> Sharky
>
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
>