secure way to upload files to webserver


edit: sorry for the empty post, the forum bugged when I was posting yesterday.

I'm having some trouble with my app: on a specific event I have to upload some 100~200kb files to a webserver. My first try was using FTP, but I also discovered that using FTP to do this is 100% insecure, since with a simple packet sniffer someone can get my login details and hack me.... Is there a secure way to do that? Thanks in advance, and sorry for my English, I'm from Brazil. [Edited by - arthurprs on December 26, 2008 2:08:55 PM]

Even with SFTP you won't be secure against a hacker simply getting your password from the binary.

The best way would be an anonymous upload account (FTP/FTPS), and then the FTP server would move all uploaded files, when finished, into a folder that is not publicly viewable.

Marc

Quote:
Original post by marcjulian
Even with SFTP you won't be secure against a hacker simply getting your password from the binary.

The best way would be an anonymous upload account (FTP/FTPS), and then the FTP server would move all uploaded files, when finished, into a folder that is not publicly viewable.

Marc

But using this method, people can upload anything to my FTP, can't they?

Quote:
Original post by marcjulian
Even with SFTP you won't be secured against a hacker
simply getting your password from the binary.

What do you mean? Sniffing the password from an SFTP stream is impossible, since it is public-key encrypted. Of course a hacker can break into your server and try to steal/forge the RSA fingerprints. But if someone rooted your server in such a way, then he doesn't even need your password anymore, since he has full control over the system anyway. And that is totally independent of the file transfer protocol used.

Quote:
Original post by marcjulian
The best way would be an anonymous upload account (FTP/FTPS),
and then the ftp server would move all uploaded files when finished
in a not publicly viewable folder.

This is most certainly the best way to get your system transformed into a porn or warez fileserver in no time... Don't do that. It's an invitation to script kiddies. And of course every piece of transferred data can be sniffed and copied without any hassle by, well, basically anyone.

Anyway, SFTP is a good and pretty secure option here. Make sure to use an FTP login that is separate from your actual system account. That way, should anyone acquire your FTP password by any means, the damage will be restricted to the FTP sandbox. He still cannot access the system itself by SSH or similar.

Either the key will have to be encoded into the binary or you'll have to encode a password. I think Yann L misunderstood because there's no possible way you can protect against people uploading stuff, independently of the protocol used. The best way if you absolutely have to allow someone to upload stuff is to simply move it once it's uploaded and then manually verify that the uploaded content is acceptable and then move it to a public place. This way no one will be abusing your server since they won't be able to access uploaded material anyways.

I would use an HTTP POST form if you really need a simple, scaling solution. Then audit what is POSTed if you intend to expose it to the public.

I believe more detail is required.

Who (as in, what human individual) is going to upload data to your server with your application?

If you're the only one, then use SFTP: since SFTP authentication relies on public-private key pairs, no password is ever needed (or transmitted over the wire, encrypted or not), and it works out-of-the-box on any recent Linux.

If there are several people, but you have a finite list under your control, then give each of them a public-private key pair and use SFTP with distinct logins.

If anyone who downloads your app can upload data to the server, you're screwed, since you're freely distributing all the authentication information anyone needs to access your server, so anyone could connect to it.

Of course, you could also go for HTTP or SMTP instead of FTP: both of these allow "upload" operations without an associated "download" operation or just about anything else.

Quote:
Original post by asp_
Either the key will have to be encoded into the binary or you'll have to encode a password.

?

Quote:

I think Yann L misunderstood because there's no possible way you can protect against people uploading stuff, independently of the protocol used.

Of course there is. Ever tried to upload something to Microsoft's internal (yet publicly accessible) FTP recently? SFTP layers an FTP-like protocol over SSH2 (usually). SSH2 never transfers a plain text password over the line, even if you don't use an RSA identity.

Quote:

The best way if you absolutely have to allow someone to upload stuff is to simply move it once it's uploaded and then manually verify that the uploaded content is acceptable and then move it to a public place. This way no one will be abusing your server since they won't be able to access uploaded material anyways.

As far as I understood the OP, he doesn't want to give untrusted users (i.e. anyone without a legally obtained SFTP account on his box) the possibility to upload. Correct me if I misinterpreted that.

Toohr, ah, you're right. That's a usage scenario as well. He's distributing his application to people he trusts and doesn't want his password exposed. I interpreted it as an application anyone could download which needed to upload data.

Yann, Yeah if the scenario is that he trusts the end users then SCP/SFTP or HTTP POST over SSL is probably the correct solution. The way I interpreted it he has a general anonymous account which many people are uploading data to.

Of course the password cannot be sniffed from the SFTP transfer stream, but from the application itself: you have to deliver the password to the user so he can upload stuff.

And if he has the password from your binary, nothing stops him from downloading all other uploaded files.

So I still think having an anonymous account and moving uploaded files is the best way to go. If someone tries to use the anonymous account he won't see any files because they are moved, so no warez / adult movie problem.

Perhaps some rules for the upload moving script like limits in file size / sanity checks should be in place too.

Marc

Quote:

So I still think having an anonymous account and moving uploaded files is the best way to go. If someone tries to use the anonymous account he won't see any files because they are moved, so no warez / adult movie problem.

In certain situations, an anonymous transfer with server-side validation can be useful. However, never use plain FTP for that. At the very least, authenticate the traffic as coming from your application, and use a proprietary protocol. Then do validation checks on the incoming data packages themselves, and drop the connection on the first validation failure. Temporarily ban the originating IP after that. Yes, it can still be hacked. But offering a wide open high-bandwidth FTP upload is just asking to be rooted and turned into a warez distributor.

Well, before hypothesizing further, we should probably wait for the OP to clarify the situation.

Hi guys, thanks for all the answers. Let me give some info.

I don't have access to a dedicated server, so the only protocols available are SMTP, HTTP, FTP and probably SFTP, and the incoming files should only be accepted from my application. The software is distributed to everyone, so I need to have at least some security.

After reading the answers, I think the only viable ways are SFTP and HTTP (POST).

But I have a question: is using SFTP for this secure? Anyway, I will probably stick with some kind of HTTP POST, but any ideas on how to do that?

Well, if you publicly distribute the application without any user-specific coding, then there is no way to make it secure. As others have mentioned, in this case (which I misinterpreted from your original post), anything you do can be reverse-engineered from your application. You can only protect against a man in the middle attack. But that's about it.

In order to make it more secure, you need to include per-user information. For example through a server-side activation system that assigns specific public/private key pairs to specific users. That's essentially what systems like Steam do. It can still be cracked (because the user keys can be extracted), but you can easily disable compromised accounts without risking damage to other users or your server.

Of course, if all you have is an ISP-supplied or rented webspace host, who gave you a single login for your (S)FTP access, then forget it. You need at least a dedicated or a virtual private server where you can create specific key pairs per user in order to do something even remotely secure. I.e. you need the ability to configure the SFTP server, the SSH server, the authentication layer, as well as the ability to add/remove key pairs to the used authentication mechanism.

Quote:
Original post by Yann L
Well, if you publicly distribute the application without any user-specific coding, then there is no way to make it secure. As others have mentioned, in this case (which I misinterpreted from your original post), anything you do can be reverse-engineered from your application. You can only protect against a man in the middle attack. But that's about it.

In order to make it more secure, you need to include per-user information. For example through a server-side activation system that assigns specific public/private key pairs to specific users. That's essentially what systems like Steam do. It can still be cracked (because the user keys can be extracted), but you can easily disable compromised accounts without risking damage to other users or your server.

Of course, if all you have is an ISP-supplied or rented webspace host, who gave you a single login for your (S)FTP access, then forget it. You need at least a dedicated or a virtual private server where you can create specific key pairs per user in order to do something even remotely secure. I.e. you need the ability to configure the SFTP server, the SSH server, the authentication layer, as well as the ability to add/remove key pairs to the used authentication mechanism.

:| So I will have to stick with HTTP POST.

I found this recipe: http://code.activestate.com/recipes/146306/
It's Python, but I think I can port the code without much trouble.
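As an added example (not from the thread or the ActiveState recipe linked above), here is the server-side half of the HTTP POST approach the thread settles on: a Python receiver that enforces a size cap, verifies a per-user HMAC tag of the kind Yann L's activation scheme would issue, rejects on the first failed check, and moves accepted files under a server-chosen name into a non-public quarantine directory as marcjulian suggested. The user ids, keys and directory are constructed assumptions, and transport encryption (HTTPS) is assumed to be handled separately.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed per-user secrets: in the activation scheme discussed above each
# install gets its own server-issued key, so one extracted key can be revoked alone.
USER_KEYS = {
    "user-0001": b"constructed-secret-for-user-0001",
    "user-0002": b"constructed-secret-for-user-0002",
}
MAX_UPLOAD_BYTES = 200 * 1024  # the OP's files are 100-200 KB

def _tag(key, user_id, data):
    # Bind the user id into the MAC so a tag cannot be replayed under another id.
    return hmac.new(key, user_id.encode() + b"\n" + data, hashlib.sha256).hexdigest()

def sign_upload(user_id, data):
    """Client side: the tag the application sends along with its upload."""
    return _tag(USER_KEYS[user_id], user_id, data)

def validate_upload(user_id, data, tag):
    """Server side: stop at the first failed check, cheapest checks first."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    key = USER_KEYS.get(user_id)
    if key is None:
        return False, "unknown user"  # never activated, or already revoked
    if not hmac.compare_digest(_tag(key, user_id, data), tag):
        return False, "bad signature"
    return True, "ok"

def quarantine(data, quarantine_dir=None):
    """Store an accepted upload under a server-chosen name in a directory the
    web server does not serve; the client never picks the name or path."""
    if quarantine_dir is None:
        quarantine_dir = tempfile.mkdtemp(prefix="upload-quarantine-")
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    path = os.path.join(quarantine_dir, secrets.token_hex(16) + ".bin")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def handle_upload(user_id, data, tag, quarantine_dir=None):
    """Validate first, quarantine only what passes; returns (path or None, reason)."""
    ok, reason = validate_upload(user_id, data, tag)
    if not ok:
        return None, reason
    return quarantine(data, quarantine_dir), "ok"
```

Files that pass land in the quarantine directory and still need the manual or scripted content review the thread describes before anything is published.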
