How safe to open FTP & SSH?

Discussion in 'macOS' started by savar, Sep 7, 2005.

  1. savar macrumors 68000


    Jun 6, 2003
    District of Columbia
    I was upgrading the firmware on my wireless router and discovered that the new version has built-in support for my old favorite dynamic DNS service ( I went ahead and set it up and registered a new DDNS for my home network. I've always liked the idea of being able to access my mac from anywhere, but this really made it a practical idea. (Those old DDNS scripts were pretty flaky in my experience.)

    So my question is, how safe is it to open up FTP & SSH to the WAN connection? OS X is supposed to be pretty solid, and in my MOTD I don't state what OS it is, only a foreboding warning to anybody who tries to crack it. FTP & SSH are the only ports being forwarded by the router, so I'm not worried about any other exploits.

    I'm going to keep an eye on the server logs to see what kind of traffic I get, but this is a pretty safe thing to do, right? I deleted my computer's Guest account so now my account is the only one on the computer, and I've got permissions set up to hide my home folder from anybody who isn't logged in as me. Anything else?
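A concrete way to "keep an eye on the server logs" for an SSH service exposed to the WAN is to parse sshd's syslog lines and count failures per source address. The script below is an added example, not code from the original thread; the log lines in SAMPLE_LOG are constructed for it (hostname, users and addresses are made up), and the threshold of three failures is an assumed policy.

```python
"""Summarise sshd authentication events from syslog-style auth log lines."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape OpenSSH writes to syslog
# (hostname, users, PIDs and IP addresses are invented for this example).
SAMPLE_LOG = """\
Sep  8 03:14:15 mac sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep  8 03:14:17 mac sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Sep  8 03:14:19 mac sshd[1205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep  8 03:14:21 mac sshd[1207]: Failed password for root from 203.0.113.7 port 51244 ssh2
Sep  8 03:14:23 mac sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Sep  8 09:02:01 mac sshd[1300]: Failed password for savar from 198.51.100.4 port 40000 ssh2
Sep  8 09:02:07 mac sshd[1300]: Accepted password for savar from 198.51.100.4 port 40000 ssh2
Sep  8 12:45:33 mac sshd[1410]: Accepted publickey for savar from 192.0.2.9 port 52000 ssh2
"""

# Matches both "Failed <method> for [invalid user] <user> from <ip> port <port>"
# and "Accepted <method> for <user> from <ip> port <port>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "result": m.group("result"),
            "method": m.group("method"),
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events


def summarize(events):
    """Return (failures per ip, usernames tried per ip, list of accepted logins)."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            users_tried[ev["ip"]].add(ev["user"])
        else:
            accepted.append((ev["ip"], ev["user"], ev["method"]))
    return failures, users_tried, accepted


def suspicious_sources(events, threshold=3):
    """Sources worth a closer look: many failures, any attempt at root,
    or any attempt at a username that does not exist on the host.
    The threshold is an assumed policy value, not an OpenSSH setting."""
    failures, users_tried, _ = summarize(events)
    flagged = {}
    for ev in events:
        if ev["result"] != "Failed":
            continue
        reasons = flagged.setdefault(ev["ip"], set())
        if failures[ev["ip"]] >= threshold:
            reasons.add(f"{failures[ev['ip']]} failures")
        if ev["user"] == "root":
            reasons.add("tried root")
        if ev["invalid_user"]:
            reasons.add("tried nonexistent user " + ev["user"])
    # Drop sources that collected no reason (e.g. one typo by a real user).
    return {ip: sorted(r) for ip, r in flagged.items() if r}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, reasons in suspicious_sources(evs).items():
        print(ip, "->", "; ".join(reasons))
    for ip, user, method in summarize(evs)[2]:
        print("accepted:", user, "from", ip, "via", method)
```

On a real host feed it the system's auth log (for example `/var/log/secure` or the output of `journalctl -u ssh` on Linux, or `log show --predicate 'process == "sshd"'` on modern macOS) instead of SAMPLE_LOG; a single failure from a known user is normal, while a burst of attempts at root and at accounts that do not exist is the background scanning any WAN-exposed port 22 attracts.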
  2. belvdr macrumors 603

    Aug 15, 2005
    Regardless of the MOTD, it is possible to figure out what OS you are running due to the TCP/IP fingerprints it generates. Each OS is a little different.

    Also, I wouldn't run FTP. If you enable SSH, then you can use sftp, which is FTP secured by the OpenSSH server (SSL).

    Finally, beware that many routers update accounts too often and they will ban you. You will need to send an email to the folks to get it unlocked. As an alternative, I use a program called ddclient. It is perl and works flawlessly on Windows, Linux, and OS X 10.4.
  3. dfinn macrumors member

    Jun 15, 2005
    FTP passwords are sent in clear text and are pretty easy to snoop; SSH passwords (and all traffic being sent back and forth, whether you use ssh, scp, or sftp) are encrypted and not easy to snoop.

    OS fingerprinting will probably not work since he's going to be behind a firewall/router with only very select (hopefully) ports opened up. But if someone really wanted to know what OS you were running on those open ports I'm sure they could figure it out.
  4. belvdr macrumors 603

    Aug 15, 2005
    Actually, with SSH, the data ends up encrypted after login, but the username and password are still cleartext.

    Whatever you do, make _absolutely sure_ you disable root login in sshd_config:

    PermitRootLogin no
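The PermitRootLogin line above is one setting in a file whose parsing rules are easy to get wrong: sshd keywords are case-insensitive, the first occurrence of a keyword wins (a later duplicate is silently ignored), and anything after a Match line applies only conditionally. The auditor below is an added example, not part of the original thread or of OpenSSH; the two configs it checks are constructed, and the policy it enforces (root login off, password authentication off in favour of keys, at most three tries, an explicit AllowUsers list) is an assumed baseline for a host that forwards port 22 from the WAN.

```python
"""Audit the global section of an sshd_config against a small hardening baseline."""
import re

# Constructed example: a permissive config of the kind a default install ships.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed example: the same file hardened. The duplicate PermitRootLogin at
# the end is deliberate: sshd keeps the FIRST value, so it stays "no".
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
AllowUsers savar
PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global settings.

    Mirrors sshd_config(5) semantics: blank lines and '#' comments are ignored,
    keyword and argument may be separated by whitespace or by '=', keywords are
    case-insensitive, the first occurrence wins, and a Match line ends the
    global section (conditional blocks are not evaluated here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


# (keyword, predicate on the lowercased value, advice). Assumed baseline policy.
CHECKS = [
    ("permitrootlogin", lambda v: v == "no", "set PermitRootLogin no"),
    ("passwordauthentication", lambda v: v == "no",
     "set PasswordAuthentication no once your key is installed"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "set MaxAuthTries 3 or lower"),
    ("allowusers", lambda v: bool(v), "restrict logins with AllowUsers <name>"),
]


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok, advice in CHECKS:
        value = settings.get(key)
        if value is None:
            # The compiled-in default has changed across OpenSSH releases
            # (PermitRootLogin in particular), so "not set" is itself a finding.
            findings.append(f"{key}: not set, so the compiled-in default applies; {advice}")
        elif not ok(value.lower()):
            findings.append(f"{key}: is '{value}'; {advice}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

On the real machine point `audit` at the contents of /etc/ssh/sshd_config, and confirm what the daemon actually loaded with `sudo sshd -T`, which prints the effective value of every option after parsing; turn PasswordAuthentication off only after a key-based login has been tested from another session, or the next thing you audit will be your own lockout.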
  5. dfinn macrumors member

    Jun 15, 2005
    I'm pretty sure you are wrong. SSH does not send passwords over the net using clear text; otherwise it would be just as insecure as Telnet or FTP.
  6. dfinn macrumors member

    Jun 15, 2005

    Yeah, you are definitely wrong. Here's a snippet from the ssh man page:

    > If other authentication methods fail, ssh prompts the user for a
    > password. The password is sent to the remote host for checking;
    > however, since all communications are encrypted, the password
    > cannot be seen by someone listening on the network.
