
Re[2]: Yudit text-editor



Eli Marmor <marmor@elmar.co.il> wrote:
>  > Here I always thought that passive mode (which most browsers use) is much
>  > more security-friendly than active - you don't have to allow connections to
>  > some strange ports at your site. 
>  > Just to increase my sysadmin knowledge :) - which configuration might
>  > allow serving vanilla FTP clients and refusing web browsers' FTP?
>  
>  I don't know anything about passive/active, and this is not the
>  difference between browsers and FTP clients.

AFAIK, that's the difference. At least, Netscape by default uses the passive
mode. When it connects to an ftp server that supports the passive connection, the
server tells the client what (unprivileged) port to use for data transfers and
bind()s to this port. The port number is chosen arbitrarily, so with a static
firewall the only solution (AFAIK) is to allow all connections between any
unprivileged ports on both sides. This is far from being secure, of course.
I'd be extremely happy to know if there is a better solution (with Linux
ipfwadm, I mean).

>   The only problem is
>  that web browsers check many services (i.e. ping) and not only FTP
>  (20,21). 

I have yet to see such a browser. Not something that runs on U*ix, I believe.

>  Some of the additional services are still denied here, so
>  browsers may fail to access my FTP. Anyway, I'll fix it in a few
>  days.
>  
>  Note: There are other things which are *MUCH* more important for
>  your security than my junk. Such as immediate installation of any
>  patch. Or avoiding clear-text passwords over the Net (use the last
>  ssh instead of telnet, don't use ftp except for anonymous, don't
>  use POP/IMAP4, etc.). Or denying vulnerable services such as POP3/
>  IMAP4/SMB/NFS/X/79/etc. 

APOP instead of POP and SMB with encrypted passwords. NFS should definitely be
enabled only for trusted hosts. X is fine when tunneled over an ssh connection.
No comments on others :) (what's 79 BTW?)

Regards,

Evgeny


--
   ____________________________________________________________
  / Evgeny Stambulchik  <fnevgeny@plasma-gate.weizmann.ac.il>  \
 /  Plasma Laboratory, Weizmann Institute of Science, Israel \  \
 |  Phone : (972)8-934-3610  == | == FAX   : (972)8-934-3491 |  |
 |  URL   :    http://plasma-gate.weizmann.ac.il/~fnevgeny/  |  |
 |  Finger for PGP key >=====================================+  | 
 |______________________________________________________________|
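As an added illustration of the passive-mode negotiation discussed in the message above (example code, not from the original thread or any of its participants): a parser for the server's "227 Entering Passive Mode" reply that recovers the data port, rejects replies pointing at a privileged port or at a host other than the control-connection peer, and contrasts the rule a static filter such as ipfwadm must carry with the single pin-hole a stateful helper could open. The sample reply and addresses are constructed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample reply, in the RFC 959 "h1,h2,h3,h4,p1,p2" format.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"

class PassiveEndpoint(NamedTuple):
    host: str
    port: int

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv_reply(reply: str) -> Optional[PassiveEndpoint]:
    """Return the data endpoint advertised in a 227 reply, or None if malformed."""
    m = _PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte * 256 + low byte
    return PassiveEndpoint(host, port)

def is_unprivileged(port: int) -> bool:
    """Passive data ports are expected in the unprivileged range (>= 1024)."""
    return 1024 <= port <= 65535

def accept_endpoint(ep: PassiveEndpoint, control_peer: str) -> bool:
    """Accept only an unprivileged port on the same host the control
    connection already talks to; anything else is a reply not to trust."""
    return is_unprivileged(ep.port) and ep.host == control_peer

def static_rule(server: str) -> str:
    """A static filter cannot know the port in advance, so it has to allow
    the whole unprivileged range, which is the problem the message describes."""
    return f"allow tcp any:1024-65535 -> {server}:1024-65535"

def dynamic_rule(ep: PassiveEndpoint, client: str) -> str:
    """A helper that parses the control channel can pin-hole one endpoint
    for the lifetime of this session only."""
    return f"allow tcp {client}:1024-65535 -> {ep.host}:{ep.port} (this session)"
```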