How safe to open FTP & SSH?

Discussion in 'macOS' started by savar, Sep 7, 2005.

  1. savar macrumors 68000


    Joined:
    Jun 6, 2003
    Location:
    District of Columbia
    #1
    I was upgrading the firmware on my wireless router and discovered that the new version has built-in support for my old favorite dynamic DNS service (dyndns.org)...well I went ahead and set it up and registered a new DDNS for my home network. I've always liked the idea of being able to access my mac from anywhere, but this really made it a practical idea. (Those old DDNS scripts were pretty flaky in my experience.)

    So my question is, how safe is it to open up FTP & SSH to the WAN connection? OS X is supposed to be pretty solid, and in my MOTD I don't state what OS it is, only a foreboding warning to anybody who tries to crack it. FTP & SSH are the only ports being forwarded by the router, so I'm not worried about any other exploits.

    I'm going to keep an eye on the server logs to see what kind of traffic I get, but this is a pretty safe thing to do, right? I deleted my computer's Guest account so now my account is the only one on the computer, and I've got permissions set up to hide my home folder from anybody who isn't logged in as me. Anything else?
     
  2. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #2
    Regardless of the MOTD, it is possible to figure out what OS you are running due to the TCP/IP fingerprints it generates. Each OS is a little different.

    Also, I wouldn't run FTP. If you enable SSH, then you can use sftp, which is FTP secured by the OpenSSH server (SSL).

    Finally, beware that many routers update dyndns.org accounts too often and they will ban you. You will need to send an email to the dyndns.org folks to get it unlocked. As an alternative, I use a program called ddclient. It is perl and works flawlessly on Windows, Linux, and OS X 10.4.
     
  3. dfinn macrumors member

    Joined:
    Jun 15, 2005
    #3
    FTP passwords are sent in clear text and are pretty easy to snoop; SSH passwords (and all traffic being sent back and forth, whether you use ssh, scp or sftp) are encrypted and not easy to snoop.

    OS fingerprinting will probably not work since he's going to be behind a firewall/router with only very select (hopefully) ports opened up. But if someone really wanted to know what OS you were running on those open ports I'm sure they could figure it out.
     
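To show what "sent in clear text" means in practice, here is an added example (not posted by anyone in the thread). It runs a small extractor over a constructed FTP control-channel transcript, the kind of text anyone sitting on the path between client and server can read; the session, user name and password in it are made up.

```sh
#!/bin/sh
# Added example, not from the thread. FTP_CAPTURE is a constructed
# transcript of an FTP control connection as a passive sniffer on the
# path would see it: commands and replies are plain text, including the
# USER and PASS lines.
FTP_CAPTURE='220 example.net FTP server ready.
USER savar
331 Password required for savar.
PASS hunter2
230 User savar logged in.
SYST
215 UNIX Type: L8
QUIT
221 Goodbye.'

# Read an FTP control-channel transcript on stdin and print every
# credential pair it carries as "user:password". FTP lines end in CRLF
# on the wire, so a trailing CR is stripped before matching.
extract_ftp_creds() {
    awk '
        { sub(/\r$/, "") }
        /^USER / { user = substr($0, 6) }
        /^PASS / { print user ":" substr($0, 6) }
    '
}

# Credentials recovered from the constructed capture above.
ftp_creds_from_capture() {
    printf '%s\n' "$FTP_CAPTURE" | extract_ftp_creds
}

# Exit 0 when the transcript passed as $1 exposes a password, 1 otherwise.
# Run against an SSH connection's bytes this finds nothing: after the
# version banner the stream is encrypted and contains no readable PASS line.
has_cleartext_creds() {
    printf '%s\n' "$1" | extract_ftp_creds | grep -q .
}
```

Run `ftp_creds_from_capture` after sourcing the file to see the user name and password fall straight out of the capture; feeding `has_cleartext_creds` the text of an SSH session (only the `SSH-2.0-...` banner is readable) returns nothing, which is the difference dfinn is describing.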
  4. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #4
    Actually, with SSH, the data ends up encrypted after login, but the username and password are still cleartext.

    Whatever you do, make _absolutely sure_ you disable root login in sshd_config:

    PermitRootLogin no
     
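An added example, not posted in the thread, of applying belvdr's `PermitRootLogin no` advice in a way that actually takes effect. sshd honours the first uncommented occurrence of a keyword and ignores later ones, so a `PermitRootLogin no` appended to the end of a file that already says `PermitRootLogin yes` changes nothing. The functions below put the hardened line first, drop every other `PermitRootLogin` line, and read back the effective value the way sshd would. The config file path is whatever you pass in; which path your system uses (older OS X releases kept the file at `/etc/sshd_config` rather than `/etc/ssh/sshd_config`) is an assumption to check, not something these functions know.

```sh
#!/bin/sh
# Added example, not from the thread. Works on a copy of sshd_config
# whose path you supply as $1; the file path is an assumption.

# Print the effective value of keyword $2 in config file $1 as sshd
# reads it: the first uncommented occurrence wins, later ones are
# ignored. Prints nothing when the keyword is absent (sshd then falls
# back to its built-in default). Keywords are matched case-insensitively.
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/\r$/, "") }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Force PermitRootLogin no in config file $1: remove every existing
# PermitRootLogin line, commented or not, and write the hardened line
# at the very top so nothing earlier in the file can override it.
set_permit_root_login_no() {
    _cfg="$1"
    _new="$_cfg.new.$$"
    {
        printf 'PermitRootLogin no\n'
        awk '
            { line = $0; sub(/\r$/, "", line) }
            tolower(line) !~ /^[ \t]*#?[ \t]*permitrootlogin/ { print line }
        ' "$_cfg"
    } > "$_new" && mv "$_new" "$_cfg"
}

# Exit 0 when root logins are really disabled in config file $1.
permit_root_login_is_no() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ]
}
```

After editing, run `sshd -t -f <file>` to let sshd parse the result before you restart it; `permit_root_login_is_no <file>` is the check to keep in a script, since it reports what sshd will actually do rather than whether the string `PermitRootLogin no` appears somewhere in the file.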
  5. dfinn macrumors member

    Joined:
    Jun 15, 2005
    #5
    I'm pretty sure you are wrong. SSH does not send passwords over the net using clear text, otherwise it would be just as insecure as Telnet or FTP.
     
  6. dfinn macrumors member

    Joined:
    Jun 15, 2005
    #6

    Yeah, you are definitely wrong. Here's a snippet from the ssh man page:


    > If other authentication methods fail, ssh prompts the user for a
    > password. The password is sent to the remote host for checking;
    > however, since all communications are encrypted, the password
    > cannot be seen by someone listening on the network.
     
