1 |
On Wed, May 3, 2017 at 1:40 AM, Mick <michaelkintzios@×××××.com> wrote: |
2 |
> On Monday 01 May 2017 22:36:00 Nils Freydank wrote: |
3 |
>> On Sat, 30 Apr 2017 19:04:06 +0200 Andrew Savchenko wrote: |
4 |
>> > [...] |
5 |
>> > I fail to see why FTP needs to be replaced: it works, it is |
6 |
>> > supported, it is secure when used with care, it is damn fast. |
7 |
>> |
8 |
>> I’ll just drop the somewhat popular rant “FTP must die“[1] and a follow-up |
9 |
>> discussion about it[2]. IMHO the main reasons are missing data integrity and |
10 |
>> authentication security issues. The latter one can be solved with FTPS[3] - |
11 |
>> but honestly I never saw FTPS somewhere actually used in the wild. |
12 |
> |
13 |
> I'm not sure what you mean "used in the wild". I use lftp to connect via ftps |
14 |
> with a number of webservers for updates and backups on a daily basis. Some of |
15 |
> the connections are scripted. |
16 |
> |
17 |
> |
18 |
>> [1] http://mywiki.wooledge.org/FtpMustDie |
19 |
>> [2] https://news.ycombinator.com/item?id=11251907 |
20 |
>> [3] i.e. FTP over SSL/TLS (not to mix up with SFTP, which comes from the SSH |
21 |
>> family) |
22 |
>> |
23 |
>> Greetings, |
24 |
>> Nils |
25 |
> |
26 |
|
27 |
That was an interesting read. The only RFC as bad as FTP's that I know |
28 |
of might be IRC's. |
29 |
|
30 |
|
31 |
On Sat, May 13, 2017 at 8:48 PM, lee <lee@××××××××.de> wrote: |
32 |
> Kai Krakow <hurikhan77@×××××.com> writes: |
33 |
> |
34 |
>> Am Sat, 29 Apr 2017 20:30:03 +0100 |
35 |
>> schrieb lee <lee@××××××××.de>: |
36 |
>> |
37 |
>>> Danny YUE <sheepduke@×××××.com> writes: |
38 |
>>> |
39 |
>>> > On 2017-04-25 14:29, lee <lee@××××××××.de> wrote: |
40 |
>>> >> Hi, |
41 |
>>> >> |
42 |
>>> >> since the usage of FTP seems to be declining, what is a replacement |
43 |
>>> >> which is at least as good as FTP? |
44 |
>>> >> |
45 |
>>> >> I'm aware that there's webdav, but that's very awkward to use and |
46 |
>>> >> missing features. |
47 |
>>> > |
48 |
>>> > What about sshfs? It allows you to mount a location that can be |
49 |
>>> > accessed via ssh to your local file system, as if you are using |
50 |
>>> > ssh. |
51 |
>>> |
52 |
>>> Doesn't that require ssh access? And how do you explain that to ppl |
53 |
>>> finding it too difficult to use Filezilla? Is it available for |
54 |
>>> Windoze? |
55 |
>> |
56 |
>> Both, sshfs and scp, require a full shell (that may be restricted but |
57 |
>> that involves configuration overhead on the server side). |
58 |
> |
59 |
> I wouldn't want them to have that. |
60 |
> |
61 |
>> You can use sftp (FTP wrapped into SSH), which is built into SSH. It |
62 |
>> has native support in many Windows clients (most implementations use |
63 |
>> PuTTY in the background). It also has the advantage that you can |
64 |
>> easily restrict users on your system to SFTP-only with an easy |
65 |
>> server-side configuration. |
66 |
> |
67 |
> From what I've been reading, sftp is deprecated and has been replaced by |
68 |
> ftp with TLS. |
69 |
> |
70 |
>>> > Also samba can be a replacement. I have a samba server on my OpenWRT |
71 |
>>> > router and use mount.cifs to mount it... |
72 |
>>> |
73 |
>>> Does that work well, reliably and securely over internet connections? |
74 |
>> |
75 |
>> It supports encryption as transport security, and it supports kerberos |
76 |
>> for secure authentication, the latter is not easy to setup in Linux, |
77 |
>> but it should work with Windows clients out-of-the-box. |
78 |
>> |
79 |
>> But samba is a pretty complex daemon and thus offers a big attack |
80 |
>> surface for hackers and bots. I'm not sure you want to expose this to |
81 |
>> the internet without some sort of firewall in place to restrict access |
82 |
>> to specific clients - and that probably wouldn't work for your scenario. |
83 |
> |
84 |
> At least it's a possibility. I don't even know if they have static IPs, |
85 |
> though. |
86 |
> |
87 |
>> But you could offer access via OpenVPN and tunnel samba through that. |
88 |
> |
89 |
> I haven't been able yet to figure out what implications creating a VPN |
90 |
> has. I understand it's supposed to connect networks through a secured |
91 |
> tunnel, but what kind of access to the LAN does someone get who connects |
92 |
> via VPN? Besides, VPN is extremely complicated and difficult to set |
93 |
> up. I consider it an awful nightmare. |
94 |
> |
95 |
> Wireguard seems a lot easier. |
96 |
> |
97 |
|
98 |
I had some problems setting up OpenVPN that were solved by using |
99 |
per-client public keys. That seems to be the best supported |
100 |
configuration (as well as the most secure). Windows-side using |
101 |
OpenVPN-GUI is very easy. |
102 |
|
103 |
OpenVPN tends to have poor bandwidth due to overhead, but that may be |
104 |
in large part due to my connection. |
105 |
|
106 |
>> By that time, you can as easily offer FTP, too, through the tunnel |
107 |
>> only, as there should be no more security concerns now: It's encrypted |
108 |
>> now. |
109 |
> |
110 |
> The ftp server already doesn't allow unencrypted connections. |
111 |
> |
112 |
> Now try to explain to ppl for whom Filezilla is too complicated how to |
113 |
> set up a VPN connection and how to secure their LAN once they create the |
114 |
> connection (if we could ever get that to work). I haven't been able to |
115 |
> figure that out myself, and that is one of the main reasons why I do not |
116 |
> have a VPN connection but use ssh instead. The only disadvantage is |
117 |
> that I can't do RDP sessions with that --- I probably could and just |
118 |
> don't know how to --- but things might be a lot easier if wireguard |
119 |
> works. |
120 |
> |
121 |
>> OpenVPN also offers transparent compression which can be a big |
122 |
>> plus for your scenario. |
123 |
> |
124 |
> Not really, a lot of data is images, usually JPEG, some ZIP files, some |
125 |
> PDF. All that doesn't compress too well. |
126 |
> |
127 |
>> OpenVPN is not too difficult to setup, and the client is available for |
128 |
>> all major OSes. And it's not too complicated to use: Open VPN |
129 |
>> connection, then use your file transfer client as you're used to. Just |
130 |
>> one simple extra step. |
131 |
> |
132 |
> I'm finding it a horrible nightmare, see above. It is the most |
133 |
> difficult thing you could come up with. I haven't found any good |
134 |
> documentation that explains it, the different types of it, how it works, |
135 |
> what to use (apparently there are many different ways or something, some |
136 |
> of which require a static IP on both ends, and they even give you |
137 |
> different disadvantages in performance ...), how to protect the |
138 |
> participants and all the complicated stuff involved. So far, I've |
139 |
> managed to stay away from it, and I wouldn't know where to start. Of |
140 |
> course, there is some documentation, but it is all confusing and no |
141 |
> good. |
142 |
> |
143 |
|
144 |
Feel free to start a thread on it. As above, I recommend |
145 |
one-key-per-client and running your own CA. |
146 |
|
147 |
> The routers even support it. In theory, it shouldn't be difficult to |
148 |
> set up, but that's only theory. They do not have any documentation as |
149 |
> to how to protect the connected networks from each other. I could |
150 |
> probably get it to work, but I wouldn't know what I'm doing, and I don't |
151 |
> like that. |
152 |
> |
153 |
|
154 |
Routers often ship with extremely outdated packages. Highly recommend |
155 |
using purpose-built "appliances" for this. |
156 |
|
157 |
> I admit that I don't really want to know how VPN works because it's |
158 |
> merely an annoyance and not what I need. What's needed is a simple, |
159 |
> encrypted connection between networks, and VPN is anything but that. |
160 |
> |
161 |
> Wireguard sounds really simple. Since I need to set up a VPN or |
162 |
> VPN-like connection sooner than later, I'm considering using it. |
163 |
> |
164 |
|
165 |
WireGuard seems to solve every major exception that could be had with |
166 |
existing transport security solutions. I have been keeping my eye on |
167 |
it ever since noticing it in eix-sync's output. |