| 1 |
On Wed, May 3, 2017 at 1:40 AM, Mick <michaelkintzios@×××××.com> wrote: |
| 2 |
> On Monday 01 May 2017 22:36:00 Nils Freydank wrote: |
| 3 |
>> On Sat, 30 Apr 2017 19:04:06 +0200 Andrew Savchenko wrote: |
| 4 |
>> > [...] |
| 5 |
>> > I fail to see why FTP needs to be replaced: it works, it is |
| 6 |
>> > supported, it is secure when used with care, it is damn fast. |
| 7 |
>> |
| 8 |
>> I’ll just drop the somewhat popular rant “FTP must die“[1] and a follow-up |
| 9 |
>> discussion about it[2]. IMHO the main reasons are missing data integrity and |
| 10 |
>> authentication security issues. The latter one can be solved with FTPS[3] - |
| 11 |
>> but honestly I never saw FTPS somewhere actually used in the wild. |
| 12 |
> |
| 13 |
> I'm not sure what you mean "used in the wild". I use lftp to connect via ftps |
| 14 |
> with a number of webservers for updates and backups on a daily basis. Some of |
| 15 |
> the connections are scripted. |
| 16 |
> |
| 17 |
> |
| 18 |
>> [1] http://mywiki.wooledge.org/FtpMustDie |
| 19 |
>> [2] https://news.ycombinator.com/item?id=11251907 |
| 20 |
>> [3] i.e. FTP over SSL/TLS (not to mix up with SFTP, which comes from the SSH |
| 21 |
>> family) |
| 22 |
>> |
| 23 |
>> Greetings, |
| 24 |
>> Nils |
| 25 |
> |
| 26 |
|
| 27 |
That was an interesting read. The only RFC as bad as FTP's that I know |
| 28 |
of might be IRC's. |
| 29 |
|
| 30 |
|
| 31 |
On Sat, May 13, 2017 at 8:48 PM, lee <lee@××××××××.de> wrote: |
| 32 |
> Kai Krakow <hurikhan77@×××××.com> writes: |
| 33 |
> |
| 34 |
>> Am Sat, 29 Apr 2017 20:30:03 +0100 |
| 35 |
>> schrieb lee <lee@××××××××.de>: |
| 36 |
>> |
| 37 |
>>> Danny YUE <sheepduke@×××××.com> writes: |
| 38 |
>>> |
| 39 |
>>> > On 2017-04-25 14:29, lee <lee@××××××××.de> wrote: |
| 40 |
>>> >> Hi, |
| 41 |
>>> >> |
| 42 |
>>> >> since the usage of FTP seems to be declining, what is a replacement |
| 43 |
>>> >> which is at least as good as FTP? |
| 44 |
>>> >> |
| 45 |
>>> >> I'm aware that there's webdav, but that's very awkward to use and |
| 46 |
>>> >> missing features. |
| 47 |
>>> > |
| 48 |
>>> > What about sshfs? It allows you to mount a location that can be |
| 49 |
>>> > accessed via ssh to your local file system, as if you are using |
| 50 |
>>> > ssh. |
| 51 |
>>> |
| 52 |
>>> Doesn't that require ssh access? And how do you explain that to ppl |
| 53 |
>>> finding it too difficult to use Filezilla? Is it available for |
| 54 |
>>> Windoze? |
| 55 |
>> |
| 56 |
>> Both, sshfs and scp, require a full shell (that may be restricted but |
| 57 |
>> that involves configuration overhead on the server side). |
| 58 |
> |
| 59 |
> I wouldn't want them to have that. |
| 60 |
> |
| 61 |
>> You can use sftp (FTP wrapped into SSH), which is built into SSH. It |
| 62 |
>> has native support in many Windows clients (most implementations use |
| 63 |
>> PuTTY in the background). It also has the advantage that you can |
| 64 |
>> easily restrict users on your system to SFTP-only with an easy |
| 65 |
>> server-side configuration. |
| 66 |
> |
| 67 |
> From what I've been reading, sftp is deprecated and has been replaced by |
| 68 |
> ftp with TLS. |
| 69 |
> |
| 70 |
>>> > Also samba can be a replacement. I have a samba server on my OpenWRT |
| 71 |
>>> > router and use mount.cifs to mount it... |
| 72 |
>>> |
| 73 |
>>> Does that work well, reliably and securely over internet connections? |
| 74 |
>> |
| 75 |
>> It supports encryption as transport security, and it supports kerberos |
| 76 |
>> for secure authentication, the latter is not easy to setup in Linux, |
| 77 |
>> but it should work with Windows clients out-of-the-box. |
| 78 |
>> |
| 79 |
>> But samba is a pretty complex daemon and thus offers a big attack |
| 80 |
>> surface for hackers and bots. I'm not sure you want to expose this to |
| 81 |
>> the internet without some sort of firewall in place to restrict access |
| 82 |
>> to specific clients - and that probably wouldn't work for your scenario. |
| 83 |
> |
| 84 |
> At least it's a possibility. I don't even know if they have static IPs, |
| 85 |
> though. |
| 86 |
> |
| 87 |
>> But you could offer access via OpenVPN and tunnel samba through that. |
| 88 |
> |
| 89 |
> I haven't been able yet to figure out what implications creating a VPN |
| 90 |
> has. I understand it's supposed to connect networks through a secured |
| 91 |
> tunnel, but what kind of access to the LAN does someone get who connects |
| 92 |
> via VPN? Besides, VPN is extremely complicated and difficult to set |
| 93 |
> up. I consider it an awful nightmare. |
| 94 |
> |
| 95 |
> Wireguard seems a lot easier. |
| 96 |
> |
| 97 |
|
| 98 |
I had some problems setting up OpenVPN that were solved by using |
| 99 |
per-client public keys. That seems to be the best supported |
| 100 |
configuration (as well as the most secure). Windows-side using |
| 101 |
OpenVPN-GUI is very easy. |
| 102 |
|
| 103 |
OpenVPN tends to have poor bandwidth due to overhead, but that may be |
| 104 |
in large part due to my connection. |
| 105 |
|
| 106 |
>> By that time, you can as easily offer FTP, too, through the tunnel |
| 107 |
>> only, as there should be no more security concerns now: It's encrypted |
| 108 |
>> now. |
| 109 |
> |
| 110 |
> The ftp server already doesn't allow unencrypted connections. |
| 111 |
> |
| 112 |
> Now try to explain to ppl for whom Filezilla is too complicated how to |
| 113 |
> set up a VPN connection and how to secure their LAN once they create the |
| 114 |
> connection (if we could ever get that to work). I haven't been able to |
| 115 |
> figure that out myself, and that is one of the main reasons why I do not |
| 116 |
> have a VPN connection but use ssh instead. The only disadvantage is |
| 117 |
> that I can't do RDP sessions with that --- I probably could and just |
| 118 |
> don't know how to --- but things might be a lot easier if wireguard |
| 119 |
> works. |
| 120 |
> |
| 121 |
>> OpenVPN also offers transparent compression which can be a big |
| 122 |
>> plus for your scenario. |
| 123 |
> |
| 124 |
> Not really, a lot of data is images, usually JPEG, some ZIP files, some |
| 125 |
> PDF. All that doesn't compress too well. |
| 126 |
> |
| 127 |
>> OpenVPN is not too difficult to setup, and the client is available for |
| 128 |
>> all major OSes. And it's not too complicated to use: Open VPN |
| 129 |
>> connection, then use your file transfer client as you're used to. Just |
| 130 |
>> one simple extra step. |
| 131 |
> |
| 132 |
> I'm finding it a horrible nightmare, see above. It is the most |
| 133 |
> difficult thing you could come up with. I haven't found any good |
| 134 |
> documentation that explains it, the different types of it, how it works, |
| 135 |
> what to use (apparently there are many different ways or something, some |
| 136 |
> of which require a static IP on both ends, and they even give you |
| 137 |
> different disadvantages in performance ...), how to protect the |
| 138 |
> participants and all the complicated stuff involved. So far, I've |
| 139 |
> managed to stay away from it, and I wouldn't know where to start. Of |
| 140 |
> course, there is some documentation, but it is all confusing and no |
| 141 |
> good. |
| 142 |
> |
| 143 |
|
| 144 |
Feel free to start a thread on it. As above, I recommend |
| 145 |
one-key-per-client and running your own CA. |
| 146 |
|
| 147 |
> The routers even support it. In theory, it shouldn't be difficult to |
| 148 |
> set up, but that's only theory. They do not have any documentation as |
| 149 |
> to how to protect the connected networks from each other. I could |
| 150 |
> probably get it to work, but I wouldn't know what I'm doing, and I don't |
| 151 |
> like that. |
| 152 |
> |
| 153 |
|
| 154 |
Routers often ship with extremely outdated packages. Highly recommend |
| 155 |
using purpose-built "appliances" for this. |
| 156 |
|
| 157 |
> I admit that I don't really want to know how VPN works because it's |
| 158 |
> merely an annoyance and not what I need. What's needed is a simple, |
| 159 |
> encrypted connection between networks, and VPN is anything but that. |
| 160 |
> |
| 161 |
> Wireguard sounds really simple. Since I need to set up a VPN or |
| 162 |
> VPN-like connection sooner than later, I'm considering using it. |
| 163 |
> |
| 164 |
|
| 165 |
WireGuard seems to solve every major exception that could be had with |
| 166 |
existing transport security solutions. I have been keeping my eye on |
| 167 |
it ever since noticing it in eix-sync's output. |
Archives