On Sun, 14 May 2017 02:48:46 +0100,
lee <lee@××××××××.de> wrote:

> Kai Krakow <hurikhan77@×××××.com> writes:
>
> > On Sat, 29 Apr 2017 20:30:03 +0100,
> > lee <lee@××××××××.de> wrote:
> >
> >> Danny YUE <sheepduke@×××××.com> writes:
> >>
> [...]
> [...]
> [...]
> >>
> >> Doesn't that require ssh access? And how do you explain that to
> >> ppl finding it too difficult to use Filezilla? Is it available for
> >> Windoze?
> >
> > Both sshfs and scp require a full shell (that may be restricted,
> > but that involves configuration overhead on the server side).
>
> I wouldn't want them to have that.

And I can understand this...

> > You can use sftp (FTP wrapped into SSH), which is built into SSH. It
> > has native support in many Windows clients (most implementations use
> > PuTTY in the background). It also has the advantage that you can
> > easily restrict users on your system to SFTP-only with an easy
> > server-side configuration.
>
> From what I've been reading, sftp is deprecated and has been replaced
> by ftp with TLS.

From what I'm guessing, you're mixing up sftp and ftps. sftp is
ssh+ftp, and ftps is ftp with ssl. The latter is probably deprecated in
favor of ftp with tls. TLS supports name indication (to show the
correct server certificate) and it supports handshaking so the same
port can be used for secure and insecure connections.

Apparently, many sites on the internet also mix up ftps and sftp; for
them, both are FTP with SSL. But that's not true. I think that comes
from the fact that "secure ftp" often is a synonym for "ssl encryption"
as it is with "secure http". But that doesn't mean the acronym is
"sftp", just as it is not "shttp".

> [...]
> >>
> >> Does that work well, reliably and securely over internet
> >> connections?
> >
> > It supports encryption as transport security, and it supports
> > kerberos for secure authentication; the latter is not easy to set up
> > in Linux, but it should work with Windows clients out-of-the-box.
> >
> > But samba is a pretty complex daemon and thus offers a big attack
> > surface for hackers and bots. I'm not sure you want to expose this
> > to the internet without some sort of firewall in place to restrict
> > access to specific clients - and that probably wouldn't work for
> > your scenario.
>
> At least it's a possibility. I don't even know if they have static
> IPs, though.

Modern CIFS implementations can be forced to encrypt the transport
layer and only accept kerberos-authenticated clients. It should then be
safe to use if properly firewalled. At least "CIFS" (which is samba)
afaik means "common internet file system" - that should at least have a
minimal meaning of "intended to be used over internet connections". Of
course this really doesn't say anything about transport security. Be
sure to apply one, and you should be good to go.

> > But you could offer access via OpenVPN and tunnel samba through
> > that.
>
> I haven't yet been able to figure out what implications creating a VPN
> has. I understand it's supposed to connect networks through a secured
> tunnel, but what kind of access to the LAN does someone get who
> connects via VPN? Besides, VPN is extremely complicated and
> difficult to set up. I consider it an awful nightmare.

You need to first understand how tunnel devices work. Then it becomes
very easy to set up. The access to the LAN can be restricted by
firewall rules. As long as you don't set up routes from the transfer
network (where the tunnel is located) to your LAN, there won't be
access. And then there are firewall rules after you set up routing.

> Wireguard seems a lot easier.

I didn't know that, I will look into it.

> > By that time, you can as easily offer FTP, too, through the tunnel
> > only, as there should be no more security concerns now: It's
> > encrypted now.
>
> The ftp server already doesn't allow unencrypted connections.
>
> Now try to explain to ppl for whom Filezilla is too complicated how to
> set up a VPN connection and how to secure their LAN once they create
> the connection (if we could ever get that to work). I haven't been
> able to figure that out myself, and that is one of the main reasons
> why I do not have a VPN connection but use ssh instead. The only
> disadvantage is that I can't do RDP sessions with that --- I
> probably could and just don't know how to --- but things might be a
> lot easier if wireguard works.

You can always deploy VPN at the edge of the network, so your clients
won't need to bother with the details but just use the connection.

You can also try using WinSCP instead of Filezilla (despite the name,
it also supports FTP). Then put a connection file on their desktop and
configure it to run in explorer mode. Now it should mostly look like a
file explorer and they can copy files like they used to.

But then again: Ppl want to get paid for their work. That also means
they need to invest at least a bit more than just their time... ;-)

> > OpenVPN also offers transparent compression which can be a big
> > plus for your scenario.
>
> Not really, a lot of data is images, usually JPEG, some ZIP files,
> some PDF. All that doesn't compress too well.

Okay, net data is incompressible, but protocol overhead (like directory
listings) should compress pretty well.

> > OpenVPN is not too difficult to set up, and the client is available
> > for all major OSes. And it's not too complicated to use: Open VPN
> > connection, then use your file transfer client as you're used to.
> > Just one simple extra step.
>
> I'm finding it a horrible nightmare, see above. It is the most
> difficult thing you could come up with. I haven't found any good
> documentation that explains it, the different types of it, how it
> works, what to use (apparently there are many different ways or
> something, some of which require a static IP on both ends,

OpenVPN works perfectly with dynamic IPs on both sides. IPsec doesn't
do well here.

> and they
> even give you different disadvantages in performance ...),

Every tunnel interface has performance overheads, that's the nature of
how they work.

> how to
> protect the participants and all the complicated stuff involved.

Put it on the edge router.

> So
> far, I've managed to stay away from it, and I wouldn't know where to
> start. Of course, there is some documentation, but it is all
> confusing and no good.
>
> The routers even support it. In theory, it shouldn't be difficult to
> set up, but that's only theory. They do not have any documentation as
> to how to protect the connected networks from each other. I could
> probably get it to work, but I wouldn't know what I'm doing, and I
> don't like that.

Do not use simple routers with kludgy VPN implementations. Such routers
have those mostly as free bonus features for selling/marketing
purposes. Use a real firewall router. There are even free ones that you
can install on supported hardware routers. But maybe better give it a
professional touch by buying a real hardware/software bundle with
support included, so you can get support setting everything up
correctly.

> I admit that I don't really want to know how VPN works because it's
> merely an annoyance and not what I need. What's needed is a simple,
> encrypted connection between networks, and VPN is anything but that.

Well, VPN is actually that: It's an encrypting tunnel able to bridge
two networks. But I see that you're asking for a single secure
connection. You don't want to connect networks.

> Wireguard sounds really simple. Since I need to set up a VPN or
> VPN-like connection sooner than later, I'm considering using it.

I'll look into that, as mentioned earlier.


--
Regards,
Kai

Replies to list-only preferred.