On Mon, Jan 23, 2006 at 05:15:13PM -0800, Smith wrote:
> It would be nice if sftp/scp/ssh could be chrooted.  But I'm sure you 
> can always mess with the rights for each user though.
> 
> As for "warns of k1dd13s", why care?  If you open a port, someone will 
> find you.  If you're concerned about the kiddies using up your 
> bandwidth, have pf running on the same box as the ftp/scp/ssh/sftp 
> server on the outside ip address.  The ftp/ssh daemon might not be able 
> to handle the traffic but pf can and there are features in pf to handle 
> denial of service and keep logs.  In a setup like this, I'll have pf 
> keep state on only the incoming traffic on the open port.  And like I 
> said, I ran an OpenBSD ftp server with nothing else running and never 
> had an issue, especially with script kiddies.  Have a little faith.
> 
> Another option is to use openvpn on your ftp server and use openvpn's 
> tls-auth feature, but then your setup becomes more involved.  And for 
> what, to stop script kiddies?  Don't do a lot of work for little gain.
> 
> Joachim Schipper wrote:
> >I know, I know. The point is not that it is impossible to put this on an
> >expendable system, the point is that the data itself is somewhat
> >confidential.
> >
> >Otherwise, plain FTP combined with a script that warns if the k1dd13s
> >have found you (bandwidth utilization ~ 100%, all the time) would be
> >pretty good.

The concern wrt script kiddies is mostly that, knowing my users and the
proliferation of FTP bruteforce scripts, sooner or later someone is
going to use the server as a public pr0n/warez stash.

I'm still undecided, frankly. OpenVPN sounds good, but I'll have to do
some tests on real users to see if it's simple enough.

                Joachim
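The pf setup Smith describes above (keep state only on inbound traffic to the open port, let pf absorb the scan, and use its rate-limiting and logging features) looks roughly like the following pf.conf. This is an added example, not a ruleset from anyone in the thread; the interface name, the port list and the thresholds are assumptions to be adjusted to the real box.

```pf
# Added example pf.conf (not from the original post). Interface name, ports
# and the rate-limit thresholds are assumptions for illustration.
ext_if = "fxp0"
srv_ports = "{ 21, 22 }"

# Sources that trip the rate limit land in this table and stay blocked until
# it is cleared, e.g. periodically from cron with: pfctl -t bruteforce -T flush
table <bruteforce> persist

set skip on lo

# Drop anything already in the penalty box before it can cost the daemon
# a fork or an auth attempt.
block in quick on $ext_if from <bruteforce>

# Default deny inbound; log it so the scans show up in pflog rather than
# in the ftpd/sshd logs.
block in log on $ext_if

# Allow the service ports, log the new connections, and keep state so only
# the first packet of each connection is evaluated against the rules.
# A source that opens more than 5 new connections in 30 seconds, or holds
# more than 10 at once, is added to <bruteforce> and its existing states
# are torn down ("flush global").
pass in log on $ext_if proto tcp to ($ext_if) port $srv_ports \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Traffic the box itself originates (including active-mode FTP data
# connections from port 20) is unrestricted.
pass out on $ext_if keep state
```

Two caveats a practitioner would want: the thresholds are per source address, so several legitimate users behind one NAT gateway can lock each other out, and the table needs to be flushed or expired on a schedule or a mistyped password becomes a permanent ban. Passive-mode FTP also needs the server's passive data port range added to the pass rule (or a separate rule), since those connections arrive inbound on ports other than 21.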
