Most hosts on the Internet provide their users with access to FTP services (FTP is short for File Transfer Protocol. In plain English, this is a service that allows retrieving and storing files on a remote server).
FTP does not provide any standard security mechanism to prevent malicious attackers from sniffing out usernames and passwords, which are sent by the client to the server in clear text. This means that an attacker on the local network can use a simple sniffer to grab the username and password.
Many administrators bother to install SSH (but usually do not implement secure tunneling) in order to avoid using telnet (which also uses a cleartext login mechanism), but forget that their username and password are sent in clear text whenever they download or upload files to their FTP server.
This guide will try to help administrators implement a secure SSH tunnel between the FTP server and the FTP client.
Credit:
See our other guide regarding securing your site, Who guards your front doors? (A practical guide to securing POP3 under Linux).
SSH Tunnel&Terminal client can be downloaded from:
http://www.datafellows.com/
SSH is a packet-based binary protocol that works on top of any transport that will pass a stream of binary data. Normally, TCP/IP is used as the transport, but the implementation of the SSH protocol also permits the use of an arbitrary proxy program to forward confidential data through an encrypted connection. The packet mechanism and the related mechanisms for authentication, key exchange, encryption, and integrity protection implement a transport-layer security mechanism. This mechanism is in turn used to implement secure connections.
If you already have an SSH implementation working to enable secure Telnet connections, you can use the same setup to let your users upload and download files securely from your site (this guide can be used to protect any other TCP-based protocol in the same way).
1) Make sure you have a working SSH server account and an SSH client (we used SSH Tunnel&Terminal 2.0.12 build 9, but other versions should work just as well).
2) Choose the configuration of a Local Tunnel (go to Edit -> Properties -> Local Tunneling).
3) Add a new tunnel (if one does not already exist).
4) 'Source Port' should be set to a port that isn't currently in use (under Windows you can use the netstat command line utility with the parameter '-a' to see which port numbers are taken); usually (in the case of FTP) 2121 is free.
5) 'Destination Host' should be set to the remote host you want connections forwarded to. This can be the host you are connecting to with SSH, or any other host you want your SSH server to tunnel you to.
6) 'Destination Port' should be set, in the case of FTP, to 21.
7) 'Application to Start' should, in the case of FTP, be left empty.
Now simply connect as always to your SSH server. Once authentication has completed, start your favourite FTP client (the client must support PASV mode, and it must be enabled), and point it at 'localhost' using port number 2121 (if you chose that TCP port number). You should now be able to connect successfully to the desired server.
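The seven steps above map directly onto a single OpenSSH local port forward. The following added example (not part of the original guide, and not code from the SSH Tunnel&Terminal product) checks that the chosen 'Source Port' is actually free on the loopback interface, falls back to the next free port if it is not, and builds the equivalent `ssh -N -L` command line. The host names `ftp.example.net`, `ssh.example.net` and the user `alice` are placeholders chosen for the example.

```python
"""Local SSH tunnel helper for FTP control-channel protection (added example)."""
import socket
import subprocess
from typing import List


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """Return True if nothing is listening on host:port.

    Instead of parsing 'netstat -a' output we simply try to bind the port;
    a bind failure means some other process already owns it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def pick_source_port(preferred: int = 2121, attempts: int = 50) -> int:
    """Step 4 of the guide: prefer 2121, otherwise walk upwards to a free port."""
    for port in range(preferred, preferred + attempts):
        if port_is_free(port):
            return port
    raise RuntimeError("no free source port found near %d" % preferred)


def build_ssh_forward(source_port: int, dest_host: str, dest_port: int,
                      ssh_user: str, ssh_host: str) -> List[str]:
    """Steps 5-7 of the guide expressed as an OpenSSH command line.

    -L [bind_address:]port:host:hostport is OpenSSH's local forward option;
    binding to 127.0.0.1 keeps the cleartext side of the tunnel off the LAN.
    -N means 'no remote command', matching the empty 'Application to Start'.
    """
    forward = "127.0.0.1:%d:%s:%d" % (source_port, dest_host, dest_port)
    return ["ssh", "-N", "-L", forward, "%s@%s" % (ssh_user, ssh_host)]


def start_tunnel(cmd: List[str]) -> subprocess.Popen:
    """Launch the forward in the background; the FTP client then talks to
    localhost:<source_port> and only encrypted traffic leaves the machine."""
    return subprocess.Popen(cmd)


if __name__ == "__main__":
    # Placeholder hosts/user (assumptions for the example, not real systems).
    port = pick_source_port(2121)
    cmd = build_ssh_forward(port, "ftp.example.net", 21, "alice", "ssh.example.net")
    print("Run this, then point your FTP client at localhost:%d (PASV mode):" % port)
    print(" ".join(cmd))
```

`start_tunnel` is only called if you wire it up yourself; running the module as a script prints the command so the administrator can verify the forward before trusting it.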
Note that if TCP Wrappers is enabled on the remote host, you might be unable to connect, because connections that appear to come from 'localhost' may be disallowed (check your log file). To allow them, edit /etc/hosts.allow.
Important Note:
FTP uses two channels for communication. The first is the 'control' channel (where the login information and the commands are passed) and the second is the 'data' channel, through which the actual data (i.e. the files that are downloaded or uploaded) goes. Using this form of tunneling encrypts only the control channel, not the data channel. This is enough to protect the FTP username and password, but it will not encrypt the actual data being transferred.
If you need to encrypt both channels, and you are using the complete SSH package, then you should have a program called SFTP2 (Secure FTP), which is a command line based FTP client. This is a complete solution since it encrypts both the control channel and the data channel. However, it lacks some of the nifty features that other Windows based FTP clients have.
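Why the data channel stays in the clear, and why the guide insists on PASV mode, becomes obvious once you look at what travels over the control channel. The added example below (not code from the original guide) walks a constructed FTP control-channel transcript as the client would see it through the tunnel at localhost:2121, decodes the `227` PASV reply the server sends and the `PORT` command an active-mode client would send, and reports which connections actually pass through the SSH tunnel. The address `192.0.2.10` and the transcript lines are constructed sample data.

```python
"""Audit which FTP connections an SSH local tunnel really covers (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Where the FTP client connects when the guide's tunnel is in place.
TUNNEL_ENDPOINT: Tuple[str, int] = ("127.0.0.1", 2121)

# RFC 959 encodes an address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Server '227 Entering Passive Mode (...)' -> (host, port) the client must dial."""
    m = PASV_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Client 'PORT h1,h2,h3,h4,p1,p2' -> (host, port) the server will dial back to."""
    m = PORT_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def is_tunneled(endpoint: Tuple[str, int]) -> bool:
    """Only traffic addressed to the local forward's listener enters the tunnel."""
    return endpoint == TUNNEL_ENDPOINT


def audit_session(transcript: str) -> Dict[str, object]:
    """Classify every connection implied by a control-channel transcript.

    Returns the control endpoint (always tunneled in this setup) and, for each
    data connection, the endpoint plus whether it is protected by the tunnel.
    """
    data: List[Tuple[str, int, bool]] = []
    for line in transcript.splitlines():
        ep = parse_pasv_reply(line) or parse_port_command(line)
        if ep is not None:
            data.append((ep[0], ep[1], is_tunneled(ep)))
    return {"control": (TUNNEL_ENDPOINT, True), "data": data}


# Constructed transcript of one passive-mode download through the tunnel.
SAMPLE_TRANSCRIPT = """\
220 ftp.example.net FTP server ready
USER alice
331 Password required for alice
PASS ********
230 User alice logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
RETR report.pdf
150 Opening BINARY mode data connection
226 Transfer complete
"""

if __name__ == "__main__":
    result = audit_session(SAMPLE_TRANSCRIPT)
    print("control channel:", result["control"])
    for host, port, tunneled in result["data"]:
        status = "inside SSH tunnel" if tunneled else "CLEARTEXT, direct to server"
        print("data channel -> %s:%d  %s" % (host, port, status))
```

The audit shows the control channel (USER/PASS) on 127.0.0.1:2121, while the data connection goes straight to 192.0.2.10:50000 and bypasses the tunnel, which is exactly the limitation described above. `parse_port_command` also explains the PASV requirement: in active mode the client advertises its own address in the `PORT` command, and through the tunnel that address would be a loopback address the remote server cannot reach.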