secure way to upload files to webserver

Started by
12 comments, last by arthurprs 15 years, 3 months ago
Edit: sorry for the empty post, the forum bugged when I was posting yesterday.

I'm having some trouble with my app: on a specific event I have to upload some 100~200 KB files to a web server. My first try was using FTP, but I also discovered that using FTP to do this is 100% insecure, since with a simple packet sniffer someone can get my login details and hack me... Is there a secure way to do that?

Thanks in advance, and sorry for my English, I'm from Brazil. [Edited by - arthurprs on December 26, 2008 2:08:55 PM]
sftp

Have a nice and productive Christmas break
Even with SFTP you won't be secure against a hacker simply getting your password from the binary.

The best way would be an anonymous upload account (FTP/FTPS), and then the FTP server would move all uploaded files, when finished, into a folder that is not publicly viewable.

Marc
Quote: Original post by marcjulian
Even with SFTP you won't be secure against a hacker simply getting your password from the binary.

The best way would be an anonymous upload account (FTP/FTPS), and then the FTP server would move all uploaded files, when finished, into a folder that is not publicly viewable.

Marc

But using this method, people can upload anything to my FTP, can't they?
Quote: Original post by marcjulian
Even with SFTP you won't be secure against a hacker simply getting your password from the binary.

What do you mean? Sniffing the password from an SFTP stream is impossible, since it is public-key encrypted. Of course a hacker can break into your server and try to steal/forge the RSA fingerprints. But if someone rooted your server in such a way, then he doesn't even need your password anymore, since he has full control over the system anyway. And that is totally independent of the file transfer protocol used.

Quote: Original post by marcjulian
The best way would be an anonymous upload account (FTP/FTPS), and then the FTP server would move all uploaded files, when finished, into a folder that is not publicly viewable.

This is most certainly the best way to get your system transformed into a porn or warez fileserver in no time... Don't do that. It's an invitation to script kiddies. And of course every piece of transferred data can be sniffed and copied without any hassle by, well, basically anyone.

Anyway, SFTP is a good and pretty secure option here. Make sure to use an FTP login that is separate from your actual system account. That way, should anyone acquire your FTP password by any means, the damage will be restricted to the FTP sandbox. He still cannot access the system itself by SSH or similar.

Either the key will have to be encoded into the binary or you'll have to encode a password. I think Yann L misunderstood, because there's no possible way you can protect against people uploading stuff, independently of the protocol used. The best way, if you absolutely have to allow someone to upload stuff, is to simply move it once it's uploaded, then manually verify that the uploaded content is acceptable, and then move it to a public place. This way no one will be abusing your server, since they won't be able to access uploaded material anyway.

I would use an HTTP POST form if you really need a simple, scaling solution. Then audit what is POSTed if you intend to expose it to the public.

I believe more detail is required.

Who (as in, what human individual) is going to upload data to your server with your application?

If you're the only one, then use SFTP: since SFTP authentication relies on public-private key pairs, no password is ever needed (or transmitted over the wire, encrypted or not), and it works out-of-the-box on any recent Linux.

If there are several people, but you have a finite list under your control, then give each of them a public-private key pair and use SFTP with distinct logins.

If anyone who downloads your app can upload data to the server, you're screwed, since you're freely distributing all the authentication information anyone needs to access your server, so anyone could connect to it.

Of course, you could also go for HTTP or SMTP instead of FTP: both of these allow "upload" operations without an associated "download" operation or just about anything else.
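The two pieces of advice above, a separate SFTP login confined to its own sandbox (Yann L) and one key pair per trusted user instead of a shared password (ToohrVyk), can be combined on the client side as follows. This is an added example written for this thread, not code posted by any participant. It drives the OpenSSH `sftp` program with a dedicated key, refuses password authentication, and pins the server's host key from a `known_hosts` file shipped with the application, so a man-in-the-middle is rejected rather than prompted about. The account name `uploader`, the host `upload.example.com`, the remote folder `incoming` and every path are assumptions for illustration.

```python
"""Client side: upload files over SFTP with a dedicated key-only account and a
pinned server host key, by driving the OpenSSH `sftp` program.

Added example for the thread, not code posted by any participant. The account
name `uploader`, the host `upload.example.com`, the remote folder `incoming`
and all file paths are assumptions for illustration.
"""
import os
import re
import stat
import subprocess
import tempfile

# File names that may appear in the batch script. Anything else (spaces,
# quotes, newlines, glob characters, a leading dot) is refused, so a file
# name can never turn into extra sftp commands or point outside the folder.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Characters we do not attempt to quote inside a double-quoted local path.
UNSAFE_PATH_CHARS = set('"\\\n\r*?[')


def check_private_key(key_path):
    """ssh refuses to use a key that others can read; fail early and clearly."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{key_path} is mode {mode:04o}; chmod 600 it")
    return True


def batch_script(local_files, remote_dir):
    """Build the sftp batch: each file is uploaded under a temporary .part
    name and then renamed into place, so a server-side sweeper never picks
    up a half-written file. Raises ValueError for names failing the whitelist."""
    if not SAFE_NAME.match(remote_dir):
        raise ValueError(f"unsafe remote directory {remote_dir!r}")
    lines = [f"cd {remote_dir}"]
    for path in local_files:
        name = os.path.basename(path)
        if not SAFE_NAME.match(name) or UNSAFE_PATH_CHARS & set(path):
            raise ValueError(f"refusing to upload {path!r}")
        lines.append(f'put "{path}" {name}.part')
        lines.append(f"rename {name}.part {name}")
    lines.append("bye")
    return "\n".join(lines) + "\n"


def sftp_command(key_path, known_hosts, user, host, batch_path, port=22):
    """argv for a non-interactive, key-only, host-key-pinned sftp run.

    `known_hosts` is a file shipped with the application containing only the
    upload server's public host key; a server presenting a different key
    makes sftp fail instead of asking the user whether to trust it."""
    return [
        "sftp",
        "-b", batch_path,                          # abort on the first failing command
        "-P", str(port),
        "-i", key_path,
        "-o", "IdentitiesOnly=yes",                # offer this key only, not agent keys
        "-o", "BatchMode=yes",                     # never prompt
        "-o", "PasswordAuthentication=no",
        "-o", "StrictHostKeyChecking=yes",         # unknown or changed host key = failure
        "-o", f"UserKnownHostsFile={known_hosts}",
        "-o", "GlobalKnownHostsFile=/dev/null",    # ignore the system-wide file
        f"{user}@{host}",
    ]


def upload(local_files, key_path, known_hosts, user="uploader",
           host="upload.example.com", remote_dir="incoming", port=22):
    """Write the batch script to a private temp file and run sftp on it."""
    check_private_key(key_path)
    script = batch_script(local_files, remote_dir)
    with tempfile.NamedTemporaryFile("w", suffix=".sftp", delete=False) as tmp:
        tmp.write(script)
        batch_path = tmp.name
    try:
        subprocess.run(sftp_command(key_path, known_hosts, user, host,
                                    batch_path, port), check=True)
    finally:
        os.unlink(batch_path)
```

The server-side half of the sandbox is an sshd_config `Match User uploader` block with `ChrootDirectory`, `ForceCommand internal-sftp`, `AllowTcpForwarding no`, `X11Forwarding no` and `PasswordAuthentication no`; the chroot directory itself must be owned by root and not writable by the account, with a writable `incoming` subdirectory beneath it. If the key is distributed inside the application, treat it as public, as marcjulian warns: the account must be scoped so that the worst an extracted key allows is writing into that drop box.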

Quote: Original post by asp_
Either the key will have to be encoded into the binary or you'll have to encode a password.

?

Quote:
I think Yann L misunderstood because there's no possible way you can protect against people uploading stuff, independently of the protocol used.

Of course there is. Ever tried to upload something to Microsoft's internal (yet publicly accessible) FTP recently? SFTP layers an FTP-like protocol over SSH2 (usually). SSH2 never transfers a plain-text password over the line, even if you don't use an RSA identity.

Quote:
The best way if you absolutely have to allow someone to upload stuff is to simply move it once it's uploaded and then manually verify that the uploaded content is acceptable and then move it to a public place. This way no one will be abusing your server since they won't be able to access uploaded material anyways.

As far as I understood the OP, he doesn't want to give untrusted users (i.e. anyone without a legally obtained SFTP account on his box) the possibility to upload. Correct me if I misinterpreted that.

Toohr, ah, you're right... that's a usage scenario as well. He's distributing his application to people he trusts and doesn't want his password exposed. I interpreted it as an application anyone could download which needed to upload data.

Yann, yeah, if the scenario is that he trusts the end users, then SCP/SFTP or HTTP POST over SSL is probably the correct solution. The way I interpreted it, he has a general anonymous account which many people are uploading data to.

Of course the password cannot be sniffed from the SFTP transfer stream, but it can be taken from the application itself: you have to deliver the password to the user so he can upload stuff.

And if he has the password from your binary, nothing stops him from downloading all the other uploaded files.

So I still think having an anonymous account and moving uploaded files is the best way to go. If someone tries to use the anonymous account he won't see any files because they have been moved, so no warez / adult movie problem.

Perhaps some rules for the upload-moving script, like limits on file size / sanity checks, should be in place too.

Marc
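Both asp_ ("move it once it's uploaded and then verify") and marcjulian ("some rules for the upload-moving script, like limits in file size / sanity checks") describe the same server-side job. The script below is an added example written for this thread, not code from any participant: it sweeps an upload-only drop box, rejects anything that is not a regular file within the size limit and of an expected type by content, and moves survivors under a random name into a directory the web server never serves. The `incoming` and `quarantine` paths, the accepted types and the 512 KB cap are assumptions; the same checks apply unchanged to files received by the HTTP POST handler asp_ suggests.

```python
"""Server-side sweep for an upload-only drop box.

Added example for the thread, not code posted by any participant. The
`incoming` and `quarantine` directories, the accepted file types and the
512 KB cap are assumptions for illustration.
"""
import os
import re
import shutil
import time
import uuid

MAX_BYTES = 512 * 1024  # the thread talks about 100~200 KB files; allow headroom

# Leading bytes of the types we are willing to keep (assumed set; extend as needed).
ACCEPTED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gz",
}

# Only these characters survive from a client-supplied file name.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def classify(path, max_bytes=MAX_BYTES):
    """Return a type label if `path` is an acceptable upload, else None.

    Rejects symlinks (an uploader could point one at /etc/passwd), anything
    that is not a regular file, empty or oversized files, and files whose
    first bytes match none of the accepted signatures. The extension the
    client chose is ignored; only the content decides.
    """
    if os.path.islink(path) or not os.path.isfile(path):
        return None
    size = os.path.getsize(path)
    if size == 0 or size > max_bytes:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    for signature, label in ACCEPTED_SIGNATURES.items():
        if head.startswith(signature):
            return label
    return None


def quarantine_name(original, label):
    """Destination name that can neither collide with nor escape the quarantine
    directory: a random prefix, a sanitised copy of the client's name, and the
    extension that the content check actually verified."""
    cleaned = UNSAFE_CHARS.sub("_", os.path.basename(original))[:64] or "upload"
    return f"{uuid.uuid4().hex}-{cleaned}.{label}"


def sweep(incoming, quarantine, max_bytes=MAX_BYTES, min_age=30, now=None):
    """Move acceptable files from `incoming` to `quarantine`; delete the rest.

    Files modified less than `min_age` seconds ago are left alone: an SFTP
    `put` may still be writing them, and a half-written file would be judged
    (and possibly rejected) on incomplete content.

    Returns (accepted, rejected, skipped); `accepted` holds
    (original_name, quarantine_name) pairs.
    """
    now = time.time() if now is None else now
    accepted, rejected, skipped = [], [], []
    for name in sorted(os.listdir(incoming)):
        src = os.path.join(incoming, name)
        is_regular = os.path.isfile(src) and not os.path.islink(src)
        if is_regular and now - os.path.getmtime(src) < min_age:
            skipped.append(name)
            continue
        label = classify(src, max_bytes)
        if label is None:
            rejected.append(name)
            if os.path.isdir(src) and not os.path.islink(src):
                shutil.rmtree(src)      # uploader created a directory tree
            else:
                os.remove(src)          # file, symlink, socket, FIFO...
            continue
        dst = os.path.join(quarantine, quarantine_name(name, label))
        shutil.move(src, dst)           # works across filesystems
        os.chmod(dst, 0o600)            # readable by the sweep's owner only
        accepted.append((name, os.path.basename(dst)))
    return accepted, rejected, skipped


if __name__ == "__main__":
    import sys
    # Run from cron as a user that is not the SFTP account, e.g. every minute:
    #   python3 sweep.py /srv/upload/incoming /srv/quarantine
    acc, rej, skp = sweep(sys.argv[1], sys.argv[2])
    print(f"accepted={len(acc)} rejected={len(rej)} still-writing={len(skp)}")
```

The quarantine directory should live outside the document root and be owned by the account running the sweep, not by the upload account, so whoever holds the upload credentials can write into `incoming` but can neither list nor read what others have sent. Whatever is later published is copied out of quarantine by hand, after review, as asp_ describes.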

