On Fri, Mar 22, 2002 at 09:09:31AM -0600, Robert Hood, Ph.D. wrote:
I've been advised by security people on my campus to shut down normal ftp and telnet access to my server if possible and to use sftp and ssh for access. I currently sometimes ftp things to zope.
One solution would be (this assumes that your Zope server runs on some sort of Unix variant) to:

1) have ZServer listen only on the localhost interface (named lo, address 127.0.0.1)

2) get an SSH client on your desktop computer that does port forwarding. Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/) works fine for Windows in that regard. This would allow you to set up an encrypted tunnel between your desktop computer and the Zope server's FTP port (or HTTP port, or Webdav port, whatever).

3) You'd then point your ftp client to the port on your desktop computer that is on one end of the tunnel, and you'd be automatically connected to the server port that's not otherwise exposed to the outside world.

4) Since your Zope ports are no longer directly exposed to the outside world, you'll have to put Apache, Squid, or some other proxy-capable server on your publicly-available port 80. You may have already done this for other reasons, though.
I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard (and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far).
As an aside, your security-conscious (or security-paranoid) coworkers don't care whether or not you have national-security information on the server. I'm one of their security-paranoid counterparts up the road, and if they're anything like me, their concerns include:

- the possibility that someone's cleartext password would be sniffed in a lab, from offsite, or wherever. If someone used the same password on their FTP server and on their main email account (or worse, their account that gets them into the student records system), there's a potentially big compromise there. Maybe the FTP server only has your account on it, but they don't know that. Maybe you use different passwords there and other places, but they don't know that either. And they're not likely to maintain a list of low-account-number, properly-differently-passworded FTP servers that they don't control.

- the possibility for a poorly-written FTP server to be used in bounce attacks on other hosts. No, Zope's FTP server isn't a candidate for that right now. However, they're not going to keep a list that says "oh, *that* FTP server's for Bob's Zope site (running Zope 2.foo.bar). That version's 100% secure, so let it run".

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
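
An added example, not part of the original message: a check for step 1 above that reads `ss -ltn` output and reports any Zope port still bound to a non-loopback address. The sample output is constructed, and the port numbers 8080 (HTTP) and 8021 (FTP) are assumptions, since the message names no ports.

```python
import ipaddress

# Constructed sample of `ss -ltn` output. Ports 8080 and 8021 are assumed
# Zope HTTP/FTP ports; 192.0.2.10 is a documentation address.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8021       0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*
LISTEN 0      128    *:22               *:*
LISTEN 0      128    192.0.2.10:80      0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for loopback addresses; wildcard binds count as exposed."""
    addr = addr.split("%")[0]  # drop an interface scope such as %lo
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: fail closed, treat as exposed

def exposed_listeners(ss_output, private_ports):
    """Return sorted (address, port) pairs for private ports bound off-loopback."""
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port in private_ports and not is_loopback(addr)
    )

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS, {8080, 8021}):
        print(f"port {port} is reachable on {addr}; bind it to 127.0.0.1")
```

On a live server, pass the real output of `ss -ltn` in place of `SAMPLE_SS`; the public proxy port from step 4 is deliberately left out of `private_ports`.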