[Zope] ssh (more)

Mike Renfro renfro@tntech.edu
Fri, 22 Mar 2002 09:41:26 -0600


On Fri, Mar 22, 2002 at 09:09:31AM -0600, Robert Hood, Ph.D. wrote:

> I've been advised by security people on my campus to shut down
> normal ftp and telnet access to my server if possible and to use
> sftp and ssh for access.  I currently sometimes ftp things to zope.

One solution would be (this assumes that your Zope server runs on some
sort of Unix variant) to:

1) have ZServer listen only on the localhost interface (named lo,
address 127.0.0.1)

2) get an SSH client on your desktop computer that does port
forwarding. PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
works fine for Windows in that regard. This would allow you to set up
an encrypted tunnel between your desktop computer and the Zope
server's FTP port (or HTTP port, or WebDAV port, whatever).

3) You'd then point your ftp client to the port on your desktop
computer that is on one end of the tunnel, and you'd be automatically
connected to the server port that's not otherwise exposed to the
outside world.

4) Since your Zope ports are no longer directly exposed to the outside
world, you'll have to put Apache, Squid, or some other proxy-capable
server on your publicly-available port 80. You may have already done
this for other reasons, though.

> I do not have any packages installed that give zope file system
> access, so I don't really think zope's ftp port would be a security
> hazard (and my own view is that my machine does not have any
> national security type stuff on it, so that this request may be
> going a bit far).

As an aside, your security-conscious (or security-paranoid) coworkers
don't care whether or not you have national-security information on
the server. I'm one of their security-paranoid counterparts up the
road, and if they're anything like me, their concerns include:

- the possibility that someone's cleartext password would be sniffed
in a lab, from offsite, or wherever. If someone used the same password
on their FTP server and on their main email account (or worse, their
account that gets them into the student records system), there's a
potentially big compromise there. Maybe the FTP server only has your
account on it, but they don't know that. Maybe you use different
passwords there and other places, but they don't know that either. And
they're not likely to maintain a list of low-account-number,
properly-differently-passworded FTP servers that they don't control.

- the possibility for a poorly-written FTP server to be used in bounce
attacks on other hosts. No, Zope's FTP server isn't a candidate for
that right now. However, they're not going to keep a list that says
"oh, *that* FTP server's for Bob's Zope site (running Zope
2.foo.bar). That version's 100% secure, so let it run".

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
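
Added example, not part of the original message: a check for step 1 that reads `ss -ltn` output and lists any Zope listener that is not bound to loopback. The ports 8080 (HTTP) and 8021 (FTP), the host name zope.example.edu and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: Zope HTTP on 8080, FTP on 8021; the host
# zope.example.edu and the sample output below are constructed.
#
# Steps 2-3 with an OpenSSH client instead of PuTTY:
#   ssh -N -L 8080:127.0.0.1:8080 you@zope.example.edu
# then open http://127.0.0.1:8080/ on the desktop. FTP opens a separate
# data connection that a single -L forward does not carry; the HTTP and
# WebDAV ports forward cleanly.

# exposed_listeners PORT...
# Reads `ss -ltn` or `netstat -ltn` output on stdin and prints each
# listening address on one of the given ports that is NOT loopback.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $4 ~ /:[0-9]+$/ {                 # field 4 = local address:port
            port = $4; sub(/^.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print $4
        }'
}

# Constructed `ss -ltn` output: HTTP is loopback-only, FTP is still public.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8021       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# On the server itself: ss -ltn | exposed_listeners 8080 8021
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8080 8021
```

Empty output means every listed Zope port is reachable only through the tunnel or the front-end proxy on port 80.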