Posted to users@httpd.apache.org by "Casas, Claudia" <CC...@utep.edu> on 2002/03/29 00:55:06 UTC

security question

Forgive me if this is not the most adequate place for this question, but it
is somehow related to my web accounts in apache.
My linux 7.2 server needs to be accessed through ftp from anyplace 24 hours
a day by using wu-ftp.
 
I already set up my ftp so that each user can login using their account
password and see their homedirs as their root, with no further access (guest
ftp).
I have already taken off any anonymous or real ftp (access to everything in
the system).  I have restricted any telnet access to the accounts as well.
But, I still would like to know if there is anything else I can do to
protect my server. I know that ftp is a security threat. Is there any
resource where I can read about how to bullet proof my server even when
allowing ftp access?? My requirements are that ftp access is essential for
my server. You know, I have clients who think that ftp is the easiest program to
use to modify or add their web content. I would really appreciate it if you can
recommend me a good book, http address, anything on how to secure my apache
web server and accounts.
 
I read the email about webdav by Saqib Ali. It seems really interesting to
me, especially for my situation. But one question: how easy is it for the users
to learn??? Please take into account that my users are generally people who
are learning how to handle technology ( I mean basics!!! From copy paste to
web development). 
 

Re: security question

Posted by da...@learningmeasure.org.
I would use ssh instead of telnet, and scp or sftp instead of ftp. Also use 
something like Bastille to help make your system more secure. Others might 
have different suggestions. 

Check these websites out: 

http://www.openssh.com/
http://www.bastille-linux.org/ 

David Archer 




Re: security question

Posted by Steve Leach <sl...@askalix.com>.
FTP is a topic in itself, but outside the Apache forum I'm afraid.
I personally have had bad experiences with wu-ftp, and dislike the lack of flexibility it offers.
For a more customizable environment try pro-ftpd (http://www.proftpd.org) - which I consider a better offering - though not all would agree.

WEBDAV can have limitations too - especially if you want to use FrontPage extensions or mod_put, which seemed to conflict with the WEBDAV environment in my own tests - which I admit were not as thorough as they could have been (solution needed + customer waiting = get job done).


Best Regards,
 
Steve Leach
Network Manager
Mi-Int Limited
Eaglescliffe Logistics Centre
Durham Lane
Egglescliffe
URL: http://www.askalix.com
TEL: 01642 356205
e-mail: sleach@askalix.com
