| 1 |
Am Sun, 14 May 2017 02:48:46 +0100 |
| 2 |
schrieb lee <lee@××××××××.de>: |
| 3 |
|
| 4 |
> Kai Krakow <hurikhan77@×××××.com> writes: |
| 5 |
> |
| 6 |
> > Am Sat, 29 Apr 2017 20:30:03 +0100 |
| 7 |
> > schrieb lee <lee@××××××××.de>: |
| 8 |
> > |
| 9 |
> >> Danny YUE <sheepduke@×××××.com> writes: |
| 10 |
> >> |
| 11 |
> [...] |
| 12 |
> [...] |
| 13 |
> [...] |
| 14 |
> >> |
| 15 |
> >> Doesn't that require ssh access? And how do you explain that to |
| 16 |
> >> ppl finding it too difficult to use Filezilla? Is it available for |
| 17 |
> >> Windoze? |
| 18 |
> > |
| 19 |
> > Both, sshfs and scp, require a full shell (that may be restricted |
| 20 |
> > but that involves configuration overhead on the server side). |
| 21 |
> |
| 22 |
> I wouldn't want them to have that. |
| 23 |
|
| 24 |
And I can understand this... |
| 25 |
|
| 26 |
> > You can use sftp (FTP wrapped into SSH), which is built into SSH. It |
| 27 |
> > has native support in many Windows clients (most implementations use |
| 28 |
> > PuTTY in the background). It also has the advantage that you can |
| 29 |
> > easily restrict users on your system to SFTP-only with an easy |
| 30 |
> > server-side configuration. |
| 31 |
> |
| 32 |
> From what I've been reading, sftp is deprecated and has been replaced |
| 33 |
> by ftp with TLS. |
| 34 |
|
| 35 |
From what I'm guessing, you're mixing up sftp and ftps. sftp is |
| 36 |
ssh+ftp, and ftps is ftp with ssl. The latter is probably deprecated in |
| 37 |
favor of ftp with tls. TLS supports name indication (to show the |
| 38 |
correct server certificate) and it supports handshaking so the same |
| 39 |
port can be used for secure and insecure connections. |
| 40 |
|
| 41 |
Apparently, many sites on the internet also mix up ftps und sftp, for |
| 42 |
them both is FTP with SSL. But that's not true. I think that comes from |
| 43 |
the fact that "secure ftp" often is a synonym for "ssl encryption" as |
| 44 |
it is with "secure http". But that doesn't mean the acronym is "sftp" |
| 45 |
as it also is not "shttp". |
| 46 |
|
| 47 |
> [...] |
| 48 |
> >> |
| 49 |
> >> Does that work well, reliably and securely over internet |
| 50 |
> >> connections? |
| 51 |
> > |
| 52 |
> > It supports encryption as transport security, and it supports |
| 53 |
> > kerberos for secure authentication, the latter is not easy to setup |
| 54 |
> > in Linux, but it should work with Windows clients out-of-the-box. |
| 55 |
> > |
| 56 |
> > But samba is a pretty complex daemon and thus offers a big attack |
| 57 |
> > surface for hackers and bots. I'm not sure you want to expose this |
| 58 |
> > to the internet without some sort of firewall in place to restrict |
| 59 |
> > access to specific clients - and that probably wouldn't work for |
| 60 |
> > your scenario. |
| 61 |
> |
| 62 |
> At least it's a possibility. I don't even know if they have static |
| 63 |
> IPs, though. |
| 64 |
|
| 65 |
Modern CIFS implementations can be forced to encrypt the transport |
| 66 |
layer and only accept kerberos authenticated clients. It should be safe |
| 67 |
to use then if properly firewalled. At least "CIFS" (which is samba) |
| 68 |
afaik means "common internet file system" - that should at least have a |
| 69 |
minimal meaning of "intended to be used over internet connections". Of |
| 70 |
course this really doesn't say anything about transport security. Be |
| 71 |
sure to apply one, and you should be good to go. |
| 72 |
|
| 73 |
> > But you could offer access via OpenVPN and tunnel samba through |
| 74 |
> > that. |
| 75 |
> |
| 76 |
> I haven't been able yet to figure out what implications creating a VPN |
| 77 |
> has. I understand it's supposed to connect networks through a secured |
| 78 |
> tunnel, but what kind of access to the LAN does someone get who |
| 79 |
> connects via VPN? Besides, VPN is extremely complicated and |
| 80 |
> difficult to set up. I consider it an awful nightmare. |
| 81 |
|
| 82 |
You need to first understand how tunnel devices work. Then it becomes |
| 83 |
very easy to set up. The access to the LAN can be restricted by |
| 84 |
firewall rules. As long as you don't setup routes from the transfer |
| 85 |
network (where the tunnel is located) to your LAN, there won't be |
| 86 |
access. And then there's firewall rules after you set up routing. |
| 87 |
|
| 88 |
> Wireguard seems a lot easier. |
| 89 |
|
| 90 |
I didn't know that, I will look into it. |
| 91 |
|
| 92 |
> > By that time, you can as easily offer FTP, too, through the tunnel |
| 93 |
> > only, as there should be no more security concerns now: It's |
| 94 |
> > encrypted now. |
| 95 |
> |
| 96 |
> The ftp server already doesn't allow unencrypted connections. |
| 97 |
> |
| 98 |
> Now try to explain to ppl for whom Filezilla is too complicated how to |
| 99 |
> set up a VPN connection and how to secure their LAN once they create |
| 100 |
> the connection (if we could ever get that to work). I haven't been |
| 101 |
> able to figure that out myself, and that is one of the main reasons |
| 102 |
> why I do not have a VPN connection but use ssh instead. The only |
| 103 |
> disadvantage is that I can't do RDP sessions with that --- I |
| 104 |
> probably could and just don't know how to --- but things might be a |
| 105 |
> lot easier if wireguard works. |
| 106 |
|
| 107 |
You can always deploy VPN at the edge of the network, so your clients |
| 108 |
won't need to bother with the details but just use the connection. |
| 109 |
|
| 110 |
You can also try using WinSCP instead of filezilla (it supports, |
| 111 |
despite the name, also FTP). Then put a connection file to their |
| 112 |
desktop and configure it to run in explorer-mode. Now it should mostly |
| 113 |
look like a file explorer and they can copy files like they used to. |
| 114 |
|
| 115 |
But then again: Ppl want to get paid for their work. That also means |
| 116 |
they need to invest at least a bit more than just their time... ;-) |
| 117 |
|
| 118 |
> > OpenVPN also offers transparent compression which can be a big |
| 119 |
> > plus for your scenario. |
| 120 |
> |
| 121 |
> Not really, a lot of data is images, usually JPEG, some ZIP files, |
| 122 |
> some PDF. All that doesn't compress too well. |
| 123 |
|
| 124 |
Okay, net data is incompressible, but protocol overhead (like directory |
| 125 |
listings) should compress pretty well. |
| 126 |
|
| 127 |
> > OpenVPN is not too difficult to setup, and the client is available |
| 128 |
> > for all major OSes. And it's not too complicated to use: Open VPN |
| 129 |
> > connection, then use your file transfer client as you're used to. |
| 130 |
> > Just one simple extra step. |
| 131 |
> |
| 132 |
> I'm finding it a horrible nightmare, see above. It is the most |
| 133 |
> difficult thing you could come up with. I haven't found any good |
| 134 |
> documentation that explains it, the different types of it, how it |
| 135 |
> works, what to use (apparently there are many different ways or |
| 136 |
> something, some of which require a static IP on both ends, |
| 137 |
|
| 138 |
OpenVPN works perfectly with dynamic IPs on both sides. IPsec doesn't |
| 139 |
do well here. |
| 140 |
|
| 141 |
> and they |
| 142 |
> even give you different disadvantages in performance ...), |
| 143 |
|
| 144 |
Every tunnel interface has performance overheads, that's the nature of |
| 145 |
how they work. |
| 146 |
|
| 147 |
> how to |
| 148 |
> protect the participants and all the complicated stuff involved. |
| 149 |
|
| 150 |
Put it on the edge router. |
| 151 |
|
| 152 |
> So |
| 153 |
> far, I've managed to stay away from it, and I wouldn't know where to |
| 154 |
> start. Of course, there is some documentation, but it is all |
| 155 |
> confusing and no good. |
| 156 |
> |
| 157 |
> The routers even support it. In theory, it shouldn't be difficult to |
| 158 |
> set up, but that's only theory. They do not have any documentation as |
| 159 |
> to how to protect the connected networks from each other. I could |
| 160 |
> probably get it to work, but I wouldn't know what I'm doing, and I |
| 161 |
> don't like that. |
| 162 |
|
| 163 |
Do not use simple routes with cludgy VPN implementations. Such routers |
| 164 |
have those mostly as free bonus features for selling/marketing |
| 165 |
purposes. Use a real firewall router. There are even free ones that you |
| 166 |
can install on supported hardware routers. But maybe better give it a |
| 167 |
professional touch by buying a real hardware/software bundle with |
| 168 |
support included, so you can get support setting everything up |
| 169 |
correctly. |
| 170 |
|
| 171 |
> I admit that I don't really want to know how VPN works because it's |
| 172 |
> merely an annoyance and not what I need. What's needed is a simple, |
| 173 |
> encrypted connection between networks, and VPN is anything but that. |
| 174 |
|
| 175 |
Well, VPN is actually that: It's an encrypting tunnel able to bridge |
| 176 |
two networks. But I see that you're asking for a single secure |
| 177 |
connection. You don't want to connect networks. |
| 178 |
|
| 179 |
> Wireguard sounds really simple. Since I need to set up a VPN or |
| 180 |
> VPN-like connection sooner than later, I'm considering using it. |
| 181 |
|
| 182 |
I'll look into that, as mentioned earlier. |
| 183 |
|
| 184 |
|
| 185 |
-- |
| 186 |
Regards, |
| 187 |
Kai |
| 188 |
|
| 189 |
Replies to list-only preferred. |
Archives