What the point of this?

The following example if based around FTPing from a MS-Windows client (where the webpages are written prior to uploading) to a UNIX based web-server.

Please note that in some situations the FTPD deamon may not allow the sending of the data to a separate IP address (in ProFTPD - use the AllowForeignAddress on directive - but this is not the thing to enable on an Anonymous FTP account area as then the server could be used for hacker bounce scanning by people logging anonymously into the system).

Work is still on-going into the naunces of this as many FTP client/server combinations can behave quite erratically(?)

Relevant pages:

• Refer Teraterm/SecureShell Tunnelling FAQ: http://www.zip.com.au/~roca/ttsshdoc.html

• Teraterm for Windows: http://hp.vector.co.jp/authors/VA002416/teraterm.html

• ttsh Secure Shell Plugin for Teraterm: http://www.zip.com.au/~roca/ttssh.html

• Compiling Secure Shell 1.2.27 for Linux/UNIX (with buffer overflow patch)

• Also refer: Christopher Spry tutorials for SGI
  • Install SSH1: http://sprysgi.sghms.ac.uk/~cspry/computing/Indy_admin/ssh1.html
  • Install SSH2: http://sprysgi.sghms.ac.uk/~cspry/computing/Indy_admin/ssh2.html
  • Microsoft 'Windows' ssh client software (Tera Term Pro & TTSSHH): http://sprysgi.sghms.ac.uk/~cspry/computing/ssh_windows_client.html
    This includes information on how to generate the 'RSA key' login file ('.ssh/identity') for Windows, ("This is a way to tell the host computer that the client computer is what it says it is, e.g. that it is not 'spoofing' the connection".
    And includes X-server setup for Teraterm plus links to a free(?) X-server (15 day trial period - but only US$25.00 to buy) http://www.microimages.com/freestuf/mix/ | UK Download Mirror.

SSH Tunnelling via ProFTPD

• http://rad.geology.washington.edu/~tj/proftpd/doc/contrib/ProFTPD-mini-HOWTO-SSH.html
• http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-SSH.html

Information on new FTP specifications (not implemented in many FTPD servers yet):

• RFC 959 (FTP): ftp://ftp.ietf.org/rfc/rfc0959.txt
• RFC 2228 (FTP Security Extensions): ftp://ftp.ietf.org/rfc/rfc2228.txt
• Mark Horowitz's page on FTP Security Extensions: http://www.mit.edu/people/marc/ftpsec/
• SafeTP internet draft concerning updates to RFC 2228: ftp://ftp.ietf.org/internet-drafts/draft-bonachea-sftp-00.txt
• SafeTP Server on NT (FTPD Server): http://www.cs.berkeley.edu/~smcpeak/SafeTP/nt.html
• SafeFTP - Transparent FTP Security Software for Windows
  • "SafeTP is a revolutionary new security application for Win95/98/NT (and UNIX) users who use FTP to connect to their accounts on UNIX FTP servers. The traditional FTP protocol is HIGHLY insecure (it sends passwords in the clear), and for this reason FTP has been recognized as one of the largest remaining security liabilities in most UNIX systems.

    SafeTP operates by installing a transparent proxy in the Windows networking stack which detects outgoing FTP connections from any windows FTP client, and silently secures them using modern cryptographic techniques (the server must also support SafeTP in order for a secure connection to be succesfully established). SafeTP is 100% compatible with existing (insecure) FTP servers, and will operate in an insecure mode if the server does not yet support the SafeTP protocol. One key feature of the SafeTP client proxy is that it was designed to be completely transparent to the client FTP application. This way, users can reap the benefits of FTP security, while continuing to use their existing FTP software."

  • At http://www.cs.berkeley.edu/~smcpeak/SafeTP/

Something to keep in mind Attempting to tunnel the data port as well can be problematic with some systems Date: Mon, 22 Nov 1999 16:56:22 +0000 (GMT) From: The Flying Hamster [hamster@vom.tm] cc: proftpd@proftpd.net Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable On Mon, 22 Nov 1999, Leho Kraav wrote: > On Mon, 22 Nov 1999 12:16:33 +0100 (MET), you -> about "Re: [ProFTPD] sniffable > passwords on linux and freebsd3.3-stable": > > >The only caveat is that this only works for ftp clients that support > >ftp-sessions over *one port only*. If I don't mix it up that's called > >passive ftp, where active ftp opens one port for control and one for data. > > AFAIK, that is incorrect. FTP works over two ports, in passive and in active > mode. Passive mode is when the FTP server is set to listen for the client to > specify the data connection port, so that the firewalls would let the data > through on that port. In normal operation, FTP server sends the client > information on what port to listen to. [few minutes reading later...] Passive Mode connections work the same way as normal (Active Mode) connections, except the data connection is also made from the client to the server ie made to port ftp-data (20). This avoids the problem of incoming data connections being blocked by the firewall by making both connections from the client. What it boils down to is Active control channel, port 21 data channel, server specifies random port. Passive control channel, port 21 data channel, port 20 I guess it's doc time :) Mark -- This is a sig, it's not a smart sig or an AI sig, but it's a sig to replace the sig that died during the death of data... the sig is dead, long live the sig

Following: There are two methods described below. The 1st is a basic method least effort method where you want to FTP tunnel to a single server. The 2nd is more advanced (but not hard to do when you know how) for when you want to be FTP tunnelling to more than one machine.

Method 1 (least effort)

Method 2 (Not using the local FTP Port 21 method)

Some of this may be non-optimal so be a bit wary and shop around a bit. This is working quite nicely for me at the moment but could give problems if the "random" ports you use could be in use by other programs such as the web-browser(?). Going into a DOS prompt and typing netstat can tell you what ports are being used at the current time. Again, this webpage is no substitute for thinking for yourself.

From: "Christopher Spry" Newsgroups: comp.security.ssh Subject: Secure ftp tunneling: disable the Windows ftp client first Date: Wed, 1 Dec 1999 14:55:13 -0000 Organization: MRC Human Genome Mapping Project Resource Centre Lachlan, Thanks for the helpful pointers and advice on secure ftp. I found that I had to disable my 'ftp publishing service' in 'Control Panel | Services' to free the ftp port, before secure ftp connections could be made as you described so well in http://www.ccp14.ac.uk/ccp14admin/security/secure_tunnelling_ftp.htm ---------- Best wishes Christopher Spry cspry@sghms.ac.uk Possible solution to the above: use method 2 described above.