Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows
hiya
download and install ssh into each windoze box that needs
access to the debian box
samba -> encrypted passwd is typically already on
smbpasswd is needed to allow the windoze users to connect
nfs -> use secure portmap, secure nfs, ....
ftp -> secure ftp w/ scp
telnet -> secure telnet w/ ssh or putty or ??
http://www.Linux-Sec.net/SSH/ssh.windows.txt
pop3 -> secure pop3 w/ ipop3s and turn on SSL on clients
http://www.Linux-Sec.net/Mail/secure_pop3.txt
make backups BEFORE they change the files...
better still have them update http://STAGE.foo.com and
update when the "manager" says release the new site to the real server
... and disallow dhcp/wireless...
c ya
alvin
http://www.Linux-Sec.net
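On the htpasswd question in Tom's message below (not something Alvin's reply covers), here is an added example that is not part of the thread. It assumes Apache's `{SHA}` htpasswd format (the `htpasswd -s` form) and uses a constructed request with constructed credentials (tom / s3cr3t). It shows the point a sniffer on the LAN would exploit: the htpasswd file only ever holds a hash, but HTTP Basic authentication carries the password itself, merely base64-encoded, in every request. The hash on the server therefore protects the file on disk, not the wire; the same replay works against the cleartext FTP, telnet and pop3 logins Alvin lists.

```python
import base64
import hashlib
import hmac

# Constructed sample request, as a sniffer on the school LAN would see it
# (not a real capture). The Basic token is base64("tom:s3cr3t").
CAPTURED_REQUEST = (
    "GET /admin/edit.cgi?page=news HTTP/1.0\r\n"
    "Host: www.example.org\r\n"
    "Authorization: Basic dG9tOnMzY3IzdA==\r\n"
    "\r\n"
)


def htpasswd_sha_entry(user, password):
    """Build an entry in Apache's {SHA} htpasswd format (what `htpasswd -s` writes)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


# Constructed htpasswd file: the server stores only a hash, never the password.
HTPASSWD_LINES = [htpasswd_sha_entry("tom", "s3cr3t")]


def credentials_from_request(raw_request):
    """Recover (user, password) from a Basic auth header, or None if absent.
    Basic auth is base64, not encryption, so anyone who sees the packet
    sees the password."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            decoded = base64.b64decode(token).decode("utf-8")
            user, _, password = decoded.partition(":")   # password may contain ':'
            return user, password
    return None


def check_htpasswd(lines, user, password):
    """Verify a user/password pair against {SHA} entries the way the server
    does: hash what the client sent and compare with the stored hash."""
    _, _, presented_hash = htpasswd_sha_entry(user, password).partition(":")
    for line in lines:
        stored_user, sep, stored_hash = line.strip().partition(":")
        if sep and stored_user == user:
            return hmac.compare_digest(stored_hash, presented_hash)
    return False


def replay_sniffed_login(raw_request, lines):
    """What a sniffer learns from one request, and whether it is enough to
    log in as that user: with Basic auth over cleartext HTTP, it always is."""
    creds = credentials_from_request(raw_request)
    if creds is None:
        return {"user": None, "password": None, "valid": False}
    user, password = creds
    return {"user": user, "password": password,
            "valid": check_htpasswd(lines, user, password)}


if __name__ == "__main__":
    print(replay_sniffed_login(CAPTURED_REQUEST, HTPASSWD_LINES))
```

Run it and the sniffed request yields the working login `tom` / `s3cr3t`, even though `HTPASSWD_LINES` contains no password. Nothing in the htpasswd scheme changes what crosses the network; the only fix is to put the admin tool behind an encrypted transport (SSL on the web server, or tunnel it over ssh), which is the same move Alvin recommends for pop3, ftp and telnet above.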
On Thu, 18 Apr 2002, Tom Dominico wrote:
> I have a Debian webserver that currently runs SSH, HTTP, and SMTP
> services. The SMTP service only accepts mail from the local interface.
> I try to keep my box free of any excess services that might lead to
> vulnerabilities, or that transmit authentication information via
> cleartext. I am running into some issues, however, where having only
> SCP access for file transfer is not convenient.
>
> For example, all workstations here are running some version of Windows.
> I have yet to run across Windows applications that have SCP support
> built-in, though. I have instances where I would like to be able to
> upload/download files from the server to my text editor, synchronize
> directories between a workstation and the server, etc. My options are
> generally only FTP, or using windows shares. I hesitate to install FTP
> because of the issues with cleartext passwords being transmitted, as
> well as potential vulnerabilities in the FTP daemon. I understand that
> some daemons now support SSL for encryption, but I do not know if
> running an FTP server is really a wise idea or not, even with SSL.
>
> I am debating installing samba on the webserver, and setting it up to
> use encrypted passwords. I would not allow "guest" usage of any shares.
> This would make it much easier for me to do development and other tasks
> on the server via my Windows workstation. However, I do not know if I
> would be making a large mistake, security-wise, by doing this. We have
> an external firewall, and I would think I could firewall off samba
> traffic, so that only internal users would even have access, and even
> then it would be protected with an encrypted password.
>
> I am curious to see what the users of this list would suggest. It seems
> that I could do the following:
>
> 1) Install samba, and connect to the webserver via "shares" from my
> workstation.
> 2) Try to install FTP with SSL functionality, and perhaps firewall it
> off for internal use only.
> 3) Do none of the above and use an SCP client to manually transfer
> things back and forth when necessary.
>
> In a nutshell, I am wondering what the best way is to co-exist with
> Windows on the desktop, while still running a relatively secure server.
>
> My other question relates to cleartext passwords. I am writing some
> web-based administrative tools to allow selected users to update
> sections of the website, without having to know how to code. Using a
> simple "htpasswd" scheme, passwords are sent out in cleartext. I am
> concerned that anyone with a sniffer could then gain access to those
> passwords. I work in a school district, and some of these kids are very
> clever, and have a lot of time on their hands. Is there a way to
> encrypt htpasswd traffic, or is there another solution I should examine?
>
> I greatly appreciate any advice.
>
> Tom Dominico
> District Technology Coordinator
> Parlier Unified School District
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>