October 27, 200817 yr Only one way to learn. And all my critical files are backed up on DVD and off-line computers anyways. If I get hacked then so what? I load my saved unRaid config onto my USB and start over. I believe lots of unRaid users would love to access their files over FTP, lets leverage some of your expertise on how to do so with a measure of security. From what I can tell, it involves setting up the vsftpd.conf file correctly, and setting up port forwarding on the router. What else am I missing that is so difficult? *edit* I found a decent tutorial that shows an example of a non-anonymous read only ftp setup: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch15_:_Linux_FTP_Server_Setup
October 27, 200817 yr a breached system is more than losing some files. it could be used to launch an attack on a serious site, poke around your network and break into your pcs, intercept all your web browsing/online banking/emails/credit card purchases... to name just a few. whilst i believe you could probable persevere and make remote access work I am sure that you dont have the skills required to notice if your box has been breached. its not just your unRAID you have to protect it the damage that can be done to your other systems and other people on the internet using your assets. I am not trying to be belligerent I am trying to protect you and the other innocents a breach in your system could cause. Edit: to put this in context i run a publicly visble ftp server. I have at least 1000 breach attempts a day, every day. Occasionally I see tens of thousands of login attempts an hour and thats with a fully hardened ftp server. You just dont realise how much you could get hit once some bad guys find you... and they will.
October 27, 200817 yr Is it any more risky than an unsecured wireless network, of which there are many? I can access 5 from my living room, are the hackers going to go there first, or try to break into my ftp server? I understand that a little knowledge is more dangerous than no knowledge at all. But how does one get to full knowledge without a little knowledge first?
October 27, 200817 yr not the same. your wireless network cant be see by a couple of hundred homes and some passes by at the most. a kid in a noodle shop in china can spend all day trying to break into your ftp
October 27, 200817 yr Fair enough. I accept the risks, lets just leave it at that. And yes, I accept the risk for everyone else that might be adversely affected by someone using my resources for evil. Way I look at it is if someone is going to launch attacks with someone elses resources they are going to do it regardless. Anyone willing to share what steps should be taken to securely setup an FTP server using vpftpd? If not it will be even easier for someone to utilize my resources!
October 27, 200817 yr See if i can guess your ISP... Telus? Edit: I used a cheap trick to try and demonstrate the point im making. I got the Ips of the two people that looked at this thread whilst we were chatting. If I was an evil person that would be enough for me to start attacking your ftp whilst you were experimenting setting it up. At some point in your setup you will make a mistake and leave something open and that as they say would be that. Ive said enough. If you want to go for it then go for it. Just be wary. Edit 2: ive deleted the logs of the IPs for confidentiality reasons. My intention was to demonstrate not actually do anything.
October 27, 200817 yr I appreciate the concern, as it demonstrates someone who wants to help protect people, from themselves in this case. The ISP that I was posting from was not Telus though.... There is likely a telus backbone involved further down the pipe though, as Telus controls pretty much all the ADSL lines and whatnot I believe. *edit* in my area. Our ISP is Radiant, who is probably paying Telus. Do you have any advice for those embarking on setting up an FTP server? I would be willing to start with 1 single passworded, read-only user and go from there. I am also interested in learning how to identify people attempting/succeeding at breaking into my server. The whole "server" realm is new and exciting to me, it started with unRaid, now I would like ftp, and being able to watch logs etc would be cool.
October 28, 200817 yr Are you using the PRO version of unRAID? if so, do you have user security enabled?
October 28, 200817 yr a breached system is more than losing some files. it could be used to launch an attack on a serious site, poke around your network and break into your pcs, intercept all your web browsing/online banking/emails/credit card purchases... to name just a few. whilst i believe you could probable persevere and make remote access work I am sure that you dont have the skills required to notice if your box has been breached. its not just your unRAID you have to protect it the damage that can be done to your other systems and other people on the internet using your assets. I am not trying to be belligerent I am trying to protect you and the other innocents a breach in your system could cause. Edit: to put this in context i run a publicly visble ftp server. I have at least 1000 breach attempts a day, every day. Occasionally I see tens of thousands of login attempts an hour and thats with a fully hardened ftp server. You just dont realise how much you could get hit once some bad guys find you... and they will. NAS, FWIW, vsftpd is a pretty safe application.. It's totally engineered with security in mind. I've been in the code because I had to enhance it for our london office. Chances of a buffer overflow and compromising a system are slim at the software level. Now at the setup level, this is where a user mistake will compromise his data, or allow his machine to become a remote repository with disseminating data he may not want. Glimmerman911, Case in point. a friend of mine setup a basic unprotected ftp server just to do some testing. They left it there for a few hours. She said in a few hours someone gained access. Overnight they dropped gigs and gigs of porn on the machine. They noticed the issue when the system ran out of space and people in the office were complaining about how slow the internet was. Glimmerman911, if by chance you enable telnet or http, your machine will be compromised by a bot very rapidly. Those applications are insecure and easily hacked, plus I'm not sure they log enough information for you to notice.
October 28, 200817 yr I've been experimenting with an idea that could work with a Linux-based router firmware, such as Tomato on a Linksys' WRT54G/GL/GS. Basically, you listen on a port, but give no response, so to the outside, it looks like a secure device that is not responding. But in fact, the URI is examined on such queries to your special port, and if a user-defined string is included in the URI, a linked port-forwarding and/or firewall rule would be enabled. Such a rule could include the source IP, and a timeout value. So you put the URL with the proper query string in your browser, and try to access your server... you get what looks like no response. But it actually enabled FTP, but only between your server and the IP you are at.... and the rules go back to disabled in 10 minutes.
October 28, 200817 yr sounds like good old fashioned port knocking. works a treat. i prefer the telnet approach where you telnet host port1 then port 2 etc like the combination to a safe. the advatage is that almost everywhere has telnet tool and url type logs dont get made which often happens transparently in companies in my experience
October 28, 200817 yr sounds like good old fashioned port knocking. Yes, but if I called it that, no one else would know what I was talking about! I'm trying to keep this system as simple as possible.... and use just HTTP. My system has a couple of tweaks to take care of logs or a packet replay attack. One is it will print out a list of one-time-use keys to use on the URI. The second, is a HTTPS challenge-response as the last step. It is sort of like C3PO, but without the need for a client and time synch, as the key only rotates with each use.
October 29, 200817 yr My IT guy at work mentioned something about Tomato, linux firmware for a router being a safety feature but he lost me. Does anyone have a vsftp configuration that they will share? The part I am having trouble understanding is gaining access to my user shares. The setup I would like is a single user, preferably with read/write access to all my user shares. Second choice would be a single user, read-only access.
October 29, 200817 yr Do you have user security enabled? You will need to set a root password, then add the approximate users. As far as vsftpd.conf specifics, I can't remember off the top of my head, I'll take a peek if I get a chance. >> The part I am having trouble understanding is gaining access to my user shares. it seems the config puts you in /mnt your user shares are in /mnt/user # # Allow local users to log in. local_enable=YES local_umask=077 local_root=/mnt check_shell=NO #
November 6, 200817 yr I have enabled user security, and set a root password. Is there any way to test my settings locally before opening up the ports on my router?
November 23, 200817 yr The problem is that its a chicken and egg issue. The people that understand how to properly secure a service are the exact opposite of the people asking to do it. Theres no way they are going to manage a VPN. It is a vastly superior solution though as we all realise.
November 28, 200817 yr Can VPN be setup so it is accessible through a browser? I want it to be universally accessible from any computer with internet, mac/windows/linux without additional software.
December 2, 200817 yr Can VPN be setup so it is accessible through a browser? I want it to be universally accessible from any computer with internet, mac/windows/linux without additional software. There are some VPN setups like that - one of the vpn solutions we have at work just requires a web browser to be active and I believe uses java on the client side to do the connections. What about using a VPN router box (something like this: http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1115416833192&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=3319254480B03)? That should be a lot easier for a non-expert to configure and not exposure your entire network. Its been a while since I've toyed with these though, so not sure how easy they are to use these days. To echo the others though, I would seriously caution against exposing any services unless you *really* know what you're doing. A couple of my friends and I use to run mail & dns servers, and we all got hacked at least once, despite being relatively advanced users. Now we've all switched to google-mail & external dns so we don't have to worry about it. And if you do go through with it, at least chose a good, strong password. I'm pretty sure my last hacking happened because a user on my server had a weak password and a dictionary attack succeeded. ARGH!
December 2, 200817 yr VPN hardware sounds promising, I will do some research. And now that you mention it I have a friend operating a mail server for the past 5 years, never hacked, I will have to bribe him into doing my setup.
March 27, 200917 yr Since when is FTP secure? It sends the password in clear text as does telent, last time I checked. Now if you are running ssh and sftp, then at least that is more secure. How do you make unraid secure? You could install tools like IDS, firewalls, antivirus/spyware checkers. Recoomendations? SELinux, (freeBSD) developed by the National Security Agency (NSA) is supposed to be the most secure, assuming you configure it correctly. But at what point do you say enough, this is a home server, the data on here that is sensitive is already encrypted using TrueCrypt Setup 6.1. If a hacker gets in, he can download/delete all he wants, all the files are replaceable (offsite offline backups). Can Unraid run on any Linux OS? I know Pandora's box... Now that said, I also agree with NAS. Even though my firewall has almost all ports closed, I get constant alerts from people bouncing off Australian servers trying to hack my home network. Every attack so far has come from Austalian ISP servers. I cannot trac it further to see the originating country. I do not even use a dynamic ip address service, and I my address changes frequently (every time I force a refresh). So there are script kiddies and professionals out there scanning and probing, trying to setup bot attacks, capture credit card info, and identity theft. I also do not use Torrents.
September 26, 200916 yr There are many routers that have built in VPN for a reasonable price. There is enough documentation sold with the products that most people can setup the VPN themselves. If your having a hard time setting things up just call the manufacturers tech support. I'm sure the company will help you setup your VPN. Everything can't be 'plug-and-play'. I'm sorry to say that people will just have to sit down and read some manuals for an afternoon like the rest of us. If you find it too much work, spend some money hiring a professional since you're not capable of doing it yourself. Otherwise live without the luxury.
September 27, 200916 yr I know I'm a bit out of my league here, but regarding the VPN suggestion. It's not practical to install the client side software on a work machine, however would you be able to install the application on a USB Flash drive? This is how I use to run my Slingbox at work. I the case of this application, I just copied the files of the installed directory on my PC over to the Flash drive. Stuck the flash drive into my work PC and ran the executable file. Now, at least Sling Media has designed an Active-X / Plugin so that you can access it through either Firefox or IE. Just a suggestion from us at the bottom of the ladder
Archived
This topic is now archived and is closed to further replies.