# How to create an FTP server on Gentoo

## bigoxygen

Hi...

Does anyone know any good documentation on this?

Which ftp program should I emerge?

----------

## n3mo

vsftpd is a good one, you could read this howto.

----------

## befortin

bigoxygen, if you don't set your server with anonymous access, you shouldn't use FTP as it isn't secure at all. If you're running SSH on your server, then you can use scp (Filezilla, which is free, and WinSCP, which is also free, are SCP clients that run on Windows.) scp should work as soon as SSH is running.

----------

## johnnymac

I agree vsftpd is quite good. However, if this is just for you and not a whole slew of people, you could just use SFTP through OpenSSH, which is more than likely already running on your system.

----------

## justanothergentoofanatic

FTP is more secure than SCP/sFTP, which both allow users to run arbitrary commands on your system. I found pure-ftpd to be very easy to set up.

-Mike

----------

## Ateo

I personally have always used proftpd. So, for me, it's an easy config... Never had any issues with it, but then again, I don't run a public server vulnerable to malicious netizens so I can't comment on how secure it is... but then again, any server is only as secure as the admin is competent.

Proftpd example configurations...

----------

## befortin

*justanothergentoofanatic wrote:*

> FTP is more secure than SCP/sFTP

FTP sends password in clear text. THIS is not secure. SCP/SFTP in chroot jail is more secure IMHO. Except if you need to use anonymous logons.

----------

## justanothergentoofanatic

*Quote:*

> FTP sends password in clear text.

vsftpd and pure-ftpd both support tunneled SSL or TLS connections. In any case, the ability to upload/download arbitrary files to/from a particular directory is a less significant risk than the ability to execute arbitrary commands on a system.

Remember that with sFTP/SCP, you are giving every user a fully functional shell account on your system.

-Mike

----------

## Ateo

*justanothergentoofanatic wrote:*

> *Quote:* FTP sends password in clear text.
>
> vsftpd and pure-ftpd both support tunneled SSL or TLS connections. In any case, the ability to upload/download arbitrary files to/from a particular directory is a less significant risk than the ability to execute arbitrary commands on a system.
>
> Remember that with sFTP/SCP, you are giving every user a fully functional shell account on your system.
> ...

I'd have to agree with you.

1. You'd have to assume someone is sniffing you to grab your plain text PW.

2. I'd prefer chrooting users in ftp than giving them a shell account.

3. For ssh, you must have a system account. For ftp, you can use a DB that requires no shell (much more secure).

If you're on a switched network, sniffing traffic is a difficult task. Not impossible, just difficult since there is no broadcasting.

----------

## n3mo

*Quote:*

> 2. I'd prefer chrooting users in ftp than giving them a shell account.

My 2 cents.

----------

## GentooBox

*Ateo wrote:*

> I'd have to agree with you.
>
> 1. You'd have to assume someone is sniffing you to grab your plain text PW.
> ...

No, it's not a difficult task, it's easy as hell.

There are tons of ways to sniff a switched network.

And you don't need to give the users a bash shell.

http://gentoo-wiki.com/HOWTO_SFTP_Server_%28chrooted%2C_without_shell%29
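As an added illustration of the chrooted, shell-less SFTP setup the linked HOWTO describes (this fragment is not from that HOWTO or from any poster; the `sftponly` group name and the `/srv/sftp` path are assumptions), an OpenSSH `sshd_config` fragment that gives those users file transfer only:

```conf
# /etc/ssh/sshd_config fragment (added example; group and path are assumed)

# Use sshd's built-in SFTP server, so no external binary is needed
# inside the chroot.
Subsystem sftp internal-sftp

# Members of the 'sftponly' group get SFTP and nothing else: no shell,
# no TCP/agent/X11 forwarding, no tunnel devices.
# This Match block must be the last thing in the file: every directive
# after a Match line belongs to that block until the next Match.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# sshd refuses the login unless /srv/sftp/<user> (and every directory
# above it) is owned by root and not group- or world-writable. Create a
# root-owned chroot and give the user a writable subdirectory inside it,
# for example /srv/sftp/<user>/upload owned by that user.
```

The user's login shell is irrelevant here because ForceCommand replaces it, but setting it to /sbin/nologin anyway is a harmless extra layer.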

----------

## befortin

Look at scponly. It's a shell that allows users to only use SCP/SFTP. And you can even chroot users in their ~ directory.

----------

## Ateo

*GentooBox wrote:*

> *Ateo wrote:*
>
> I'd have to agree with you.
>
> 1. You'd have to assume someone is sniffing you to grab your plain text PW.
> ...

If you're trying to sniff a node on a switched network, your sniffer must be in between the switch port and the node. Otherwise, you cannot sniff. One of the reasons a switched network is superior to a broadcast network is that, by its very nature, it disallows the sniffing of an entire network. Like I said... It's not impossible... and this is to the best of my knowledge. Correct me if I'm wrong...

If there are tons of ways, can you describe one or more scenarios?

----------

## GentooBox

*Ateo wrote:*

> *GentooBox wrote:* *Ateo wrote:*
>
> I'd have to agree with you.
>
> 1. You'd have to assume someone is sniffing you to grab your plain text PW.
> ...

There are lots of attack methods on a switched LAN. You are right that by nature the switch only sends data to the intended host; it does that by using a CAM table in the switch.

That CAM table can be poisoned by sending fake ARP packets, or you can impersonate a gateway by poisoning the host's ARP table.

Some switches even flush the CAM table if they are overloaded, so if you send tons of ARP packets with random source/destination addresses, then the switch flushes the CAM table and turns into a hub.

If the switch supports STP then there are other ways of sniffing data; VLANs and port security (Cisco) are also useless against some attacks.

----------

## UberLord

*befortin wrote:*

> *justanothergentoofanatic wrote:* FTP is more secure than SCP/sFTP
>
> FTP sends password in clear text. THIS is not secure. SCP/SFTP in chroot jail is more secure IMHO. Except if you need to use anonymous logons.

Of course, if the FTP server enforced TLS then the username/password combo would not be sent clear text, and neither would the data.

In fact, most FTP servers support TLS these days, which makes them better than SFTP/SCP because they are real FTP servers and get the bells, whistles, logs and configuration that goes with them :)
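As an added example of what "enforced TLS" plus the chroot that Ateo mentioned looks like in practice (this is not a poster's configuration and not vsftpd's shipped defaults; the certificate paths and the passive port range are assumptions), a `vsftpd.conf` fragment for local users only:

```conf
# vsftpd.conf fragment (added example; cert paths and port range are assumed)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES

# Confine each local user to their home directory ("chrooting users in ftp").
# vsftpd 3.x refuses a chroot root that the user can write to unless
# allow_writeable_chroot=YES is set; the safer layout is a root-owned home
# with a user-writable subdirectory for uploads.
chroot_local_user=YES

# The weak setting is ssl_enable=NO, or ssl_enable=YES with the force_*
# options left at their default NO, which lets a client log in in cleartext.
# With both force_* options on, USER/PASS and the data channel are refused
# unless the client negotiated TLS first (AUTH TLS), so a sniffer on the
# path sees no password.
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/vsftpd/server.crt
rsa_private_key_file=/etc/ssl/vsftpd/server.key

# Passive mode behind a firewall: pin the data-connection port range so
# only these ports (plus 21) have to be opened; TLS hides the PASV reply
# from the firewall, so it cannot open ports dynamically.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100

xferlog_enable=YES
```

vsftpd only accepts comments on their own lines, so keep the `#` lines separate from the settings when copying this.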

----------

## GentooBox

*UberLord wrote:*

> *befortin wrote:* *justanothergentoofanatic wrote:* FTP is more secure than SCP/sFTP
>
> FTP sends password in clear text. THIS is not secure. SCP/SFTP in chroot jail is more secure IMHO. Except if you need to use anonymous logons.
>
> Of course, if the FTP server enforced TLS then the username/password combo would not be sent clear text, and neither would the data.
> ...

I'm not against FTP, but there are some security problems with FTP.

The FTP protocol supports sending data to third-party connections, and can you remember the FTP bounce attacks?

FTP also needs to be passive sometimes if connecting from behind a firewall with a session timeout.

FTP does not support reverse connections.

FTP is not designed to be secure.

Use FTP if you want to, it's easy to set up and some FTP servers support database user backends, but have the security related stuff in mind :)

----------

