Enable ftp by default

NethServer 7 needs ftp for write access to virtual hosts.
ftp access is disabled by default.
I’d like to have it enabled by default, and I’d like to discuss pros and cons. AFAIK, ftp password is transmitted in clear text, but, if stolen, it’d give access only to the virtual host.
How do webmasters work these days?

I’d like to involve some guys in this discussion
@fasttech @WillZen @Walter_Schoenly @lorentedford @EddieA @boneless @Hunv @Ctek @rodmontgt @johnjervig have you thoughts on this topic?

Wow, it requires FTP access? For clarity, we’re just talking about for uploading files to the web directory to be used by the website, right?

I would prefer a more secure option to be the default. Can we have SFTP as the default option?

Not sure how secure Webdav is. My gut feeling is that it is more user friendly, which usually means lower security. However, I could be wrong and it might be an option.

2 Likes

I say no.
I update the websites I have on NS via samba, others by rsync.
I do use ftp for printer scanners at some clients, scans to share via ftp.

There’s that fine line and I lean towards security, hence my request to disable mysql access from other than local by default.

Plus, if you’re running a website, you bear some responsibility for keeping the server and its data secure… if you can’t figure out how to enable ftp…

I also think it is not a good idea. If something else like SFTP would work, OK, but FTP is a no-go for any kind of possibly sensitive data.
And they can “only” manage the virtual hosts - but you can create much damage if you can “hack” them.

besides…

Event: user-create service service@magic.test.local /usr/libexec/openssh/**sftp**-server

I agree as well that SFTP is the minimum.
What kind of work would it be to implement SFTP instead of FTP?

Quite hard actually, since you need a real system user for SFTP.
Probably we could do something by command line but I don’t know how much trouble we will encounter.

What about FTP+SSL? Is it hard to implement? At least we work-around the secrecy issue…

This one is very easy :smiley:
Does someone know if all FTP clients support it?

Some things about Total Commander.

http://www.ghisler.com/featurel.htm
https://indy.fulgan.com/SSL/ (from here, download and extract “openssl-1.0.2h-x64_86-win64.zip” for TC 64 or “openssl-1.0.2h-i386-win32.zip” for TC 32, the last files; copy and paste in C:\Program Files\Totalcmd the following files: libeay32.dll and ssleay32.dll ; restart TC). Worked for me on Win 10 / 64bit, TC 9.0b2 / 64 bit.

Probably not every FTP client, at least winscp yes

https://winscp.net/eng/docs/ftps

For clients that do not support it, an SSH tunnel could be set up, with the additional requirement of a local system account.

Nevermind, it seems it’s more complex than I thought!

FileZilla supports SFTP and FTPS. You first type what you want (sftp:// or ftps://)
FileZilla documentation
It looks like there are free FTP clients which support it.

Here you can find other comments about FTP

First and foremost, amazing stuff that NethServer. Thanks for providing such a brilliant piece of software. Just flawlessly installed it on a vanilla CentOS 7 virtual machine.

+1 to add SSL/TLS-Support to the FTP server.
I like the idea of not having to use system users, but still be able to have a simple and secure ftp.
Found the simple steps for vsftpd, which is the FTP server installed on NS7:

I am adding another great free tool to access FTPS: FireFTP
That’s an add-on for Firefox.

Since adding this functionality seems rather simple, I would highly recommend it.

btw. in order to add all passive FTP ports 3000 - 30999 to the NS7 firewall, I would have to add each and every port separated by comma… You might be able to improve the firewall as well, so we can use port ranges :slight_smile:

Thanks for considering and keep up the great work!

Regards jassonmc

1 Like
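
An added example, not part of any post in this thread and not NethServer's own code: a small Python check that reads a vsftpd.conf and reports whether the FTP+SSL setup discussed above actually forces TLS for logins and data, and whether a passive port range is pinned for the firewall. The option names and defaults are vsftpd's documented ones; the two sample configurations, the certificate path and the port numbers are constructed.

```python
# Added example: flag vsftpd.conf settings that leave FTP logins in clear text.
# Defaults are those documented in the vsftpd.conf man page.
DEFAULTS = {
    "ssl_enable": "NO", "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "pasv_min_port": "0", "pasv_max_port": "0",
}

def parse_conf(text):
    """Parse option=value lines (no spaces around '='); '#' lines are comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(text):
    """Return a list of findings; an empty list means TLS is enforced."""
    conf = parse_conf(text)
    on = lambda key: conf[key].upper() in ("YES", "TRUE", "1")
    if not on("ssl_enable"):
        return ["ssl_enable is off: passwords and files cross the network in clear text"]
    findings = []
    if not on("force_local_logins_ssl"):
        findings.append("force_local_logins_ssl is off: clients may still log in without TLS")
    if not on("force_local_data_ssl"):
        findings.append("force_local_data_ssl is off: file transfers may be unencrypted")
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if on(legacy):
            findings.append(legacy + " is on: obsolete protocol version accepted")
    # With TLS the firewall cannot read PASV replies, so a fixed range must be opened.
    if conf["pasv_min_port"] == "0" or conf["pasv_max_port"] == "0":
        findings.append("passive port range not pinned: firewall cannot open a bounded range")
    return findings

# Constructed sample configurations (certificate path and ports are placeholders).
PLAIN_FTP = "listen=YES\nlocal_enable=YES\nwrite_enable=YES\n"
FTPS_ENFORCED = (
    "ssl_enable=YES\nforce_local_logins_ssl=YES\nforce_local_data_ssl=YES\n"
    "rsa_cert_file=/path/to/server.pem\npasv_min_port=50000\npasv_max_port=50100\n"
)

if __name__ == "__main__":
    for name, text in (("plain", PLAIN_FTP), ("ftps", FTPS_ENFORCED)):
        print(name, audit(text) or "ok")
```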

Sorry for the late response. Thanks for your kind words, our team will be happy to read them :slight_smile: