Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

How safe to open FTP & SSH?

savar

savar

macrumors 68000
Original poster
Jun 6, 2003
1,950
0
District of Columbia
I was upgrading the firmware on my wireless router and discovered that the new version has built-in support for my old favorite dynamic DNS service (dyndns.org)...well I went ahead and set it up and registered a new DDNS for my home network. I've always like the idea of being able to access my mac from anywhere, but this really made it a practical idea. (Those old DDNS scripts were pretty flaky in my experience.)

So my question is, how safe is it to open up FTP & SSH to the WAN connection? OS X is supposed to be pretty solid, and in my MOTD I don't state what OS it is, only a foreboding warning to anybody who tries to crack it. FTP & SSH are the only ports being forwarded by the router, so I'm not worried about any other exploits.

I'm going to keep an eye on the server logs to see what kind of traffic I get, but this is a pretty safe thing to do, right? I deleted my computer's Guest account so now my account is the only one on the computer, and I've got permissions set up to hide my home folder from anybody who isn't logged in as me. Anything else?
 
Irregardless of the MOTD, it is possible to figure out what OS you are running due to the TCP/IP fingerprints it generates. Each OS is a little different.

Also, I wouldn't run FTP. If you enable SSH, then you can use sftp, which is FTP secured by the OpenSSH server (SSL).

Finally, beware that many routers update dyndns.org accounts too often and they will ban you. You will need to send an email to the dyndns.org folks to get it unlocked. As an alternative, I use a program called ddclient. It is perl and works flawlessly on Windows, Linux, and OS X 10.4.
 
belvdr said:
Irregardless of the MOTD, it is possible to figure out what OS you are running due to the TCP/IP fingerprints it generates. Each OS is a little different.

Also, I wouldn't run FTP. If you enable SSH, then you can use sftp, which is FTP secured by the OpenSSH server (SSL).

Finally, beware that many routers update dyndns.org accounts too often and they will ban you. You will need to send an email to the dyndns.org folks to get it unlocked. As an alternative, I use a program called ddclient. It is perl and works flawlessly on Windows, Linux, and OS X 10.4.
Click to expand...

ftp passwords are sent clear text and pretty easy to snoop, ssh passwords (and all traffic being sent back and forth whether you use ssh, scp, sftp) are enctypted and not easy to snoop.

OS fingerprinting will probably not work since he's going to be behind a firewall/router with only very select (hopefully) ports opened up. But if someone really wanted to know what OS you were running on those open ports I'm sure they could figure it out.
 
dfinn said:
ftp passwords are sent clear text and pretty easy to snoop, ssh passwords (and all traffic being sent back and forth whether you use ssh, scp, sftp) are enctypted and not easy to snoop.

OS fingerprinting will probably not work since he's going to be behind a firewall/router with only very select (hopefully) ports opened up. But if someone really wanted to know what OS you were running on those open ports I'm sure they could figure it out.
Click to expand...

Actually, with SSH, the data ends up encrypted after login, but the username and password are still cleartext.

Whatever you do, make _absolutely sure_ you disable root login in sshd_config:

PermitRootLogin no
 
belvdr said:
Actually, with SSH, the data ends up encrypted after login, but the username and password are still cleartext.

Whatever you do, make _absolutely sure_ you disable root login in sshd_config:

PermitRootLogin no
Click to expand...

i'm pretty sure you are wrong. SSH does not send passwords over the net using clear text, otherwise it would be just as insecure as Telnet or FTP.
 
dfinn said:
i'm pretty sure you are wrong. SSH does not send passwords over the net using clear text, otherwise it would be just as insecure as Telnet or FTP.
Click to expand...
\

yeah, you are definitely wrong. Here's a snipit from the ssh man page:


> If other authentication methods fail, ssh prompts the user for a
> password. The password is sent to the remote host for checking;
> however, since all communications are encrypted, the password
> cannot be seen by someone listening on the network.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back