
Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows



Look at winscp ( http://winscp.vse.cz if I recall correctly ). It's an scp client that can be easily used by end users. Best bet is to use winscp 2, as that has drag and drop with explorer.

Mark

Marcel Hicking wrote:

There is an Explorer-like interface to PuTTY's
scp command. Maybe an option. Don't have
much experience with this, I personally use some
mini-shell-scripts attached to the sendto menu
for uploading.

http://www.i-tree.org/ixplorer.htm

Cheers, Marcel


--On Thursday, 18 April 2002 17:34 -0700 John Morris <jrmorris@cacr.caltech.edu> wrote:

Samba and encrypted passwords. The encrypted passwords should be default
on later Windows boxes, but may require registry edits on older Windows
OSes. Fast, easy, and secure. Windows Netbios & SMB traffic should
probably already be firewalled in and out (if not, seriously consider
it), but you can always run Samba tcpwrapped, and so forth.

Samba is good, and IMHO the right choice for sharing files (and some other
stuff too) to Windows.

- John
jrmorris@cacr.caltech.edu

On Thu, 18 Apr 2002, Tom Dominico wrote:

I have a Debian webserver that currently runs SSH, HTTP, and SMTP
services.  The SMTP service only accepts mail from the local interface.
I try to keep my box free of any excess services that might lead to
vulnerabilities, or that transmit authentication information via
cleartext.  I am running into some issues, however, where having only
SCP access for file transfer is not convenient.

For example, all workstations here are running some version of Windows.
I have yet to run across Windows applications that have SCP support
built-in, though.  I have instances where I would like to be able to
upload/download files from the server to my text editor, synchronize
directories between a workstation and the server, etc.  My options are
generally only FTP, or using windows shares.  I hesitate to install FTP
because of the issues with cleartext passwords being transmitted, as
well as potential vulnerabilities in the FTP daemon.  I understand that
some daemons now support SSL for encryption, but I do not know if
running a FTP server is really a wise idea or not, even with SSL.

I am debating installing samba on the webserver, and setting it up to
use encrypted passwords. I would not allow "guest" usage of any shares.
This would make it much easier for me to do development and other tasks
on the server via my Windows workstation.  However, I do not know if I
would be making a large mistake, security-wise, by doing this.  We have
an external firewall, and I would think I could firewall off samba
traffic, so that only internal users would even have access, and even
then it would be protected with an encrypted password.

I am curious to see what the users of this list would suggest. It seems
that I could do the following:

1) Install samba, and connect to the webserver via "shares" from my
workstation.
2) Try to install FTP with SSL functionality, and perhaps firewall it
off for internal use only.
3) Do none of the above and use an SCP client to manually transfer
things back and forth when necessary.

In a nutshell, I am wondering what the best way is to co-exist with
Windows on the desktop, while still running a relatively secure server.

My other question relates to cleartext passwords.  I am writing some
web-based administrative tools to allow selected users to update
sections of the website, without having to know how to code.  Using a
simple "htpasswd" scheme, passwords are sent out in cleartext.  I am
concerned that anyone with a sniffer could then gain access to those
passwords. I work in a school district, and some of these kids are very
clever, and have a lot of time on their hands.  Is there a way to
encrypt htpasswd traffic, or is there another solution I should examine?

I greatly appreciate any advice.

Tom Dominico
District Technology Coordinator
Parlier Unified School District
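As an added illustration of the setup John recommends for Tom's first option (this is a constructed example, not configuration posted by anyone in this thread): an smb.conf fragment showing the weak settings next to the hardened ones, with encrypted passwords required, guest access disabled, and the daemon limited to the internal network. The workgroup name, the 192.168.10.0/24 range, the share path and the user name are placeholders.

```ini
# smb.conf fragment (constructed example; Samba 2.2-era parameter names).
# 192.168.10.0/24, /srv/www and the user "tom" are placeholders.
[global]
    workgroup = DISTRICT
    # Weak: "security = share" hands out access per share without a real login.
    security = user
    # Weak: "encrypt passwords = no" makes Windows clients send the password in
    # the clear (and needs a registry edit on newer clients to do so at all).
    # With "yes", clients use challenge/response against hashes in smbpasswd.
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    # Listen only on the internal interface, never on the Internet-facing one.
    interfaces = 192.168.10.1/24
    bind interfaces only = yes
    # Second layer, independent of the external firewall: refuse sessions
    # from anything outside the LAN or the local host.
    hosts allow = 192.168.10. 127.
    hosts deny = ALL
    # Never fall back to the guest account on a failed login.
    map to guest = Never
    # If smbd/nmbd are started from inetd, tcp_wrappers adds a third layer via
    # /etc/hosts.allow, e.g.:  smbd nmbd: 192.168.10.0/255.255.255.0

[www]
    comment = Web content edited from Windows workstations
    path = /srv/www
    # Weak: "guest ok = yes" (or "public = yes") allows unauthenticated access.
    guest ok = no
    valid users = tom
    writable = yes
    create mask = 0644
    directory mask = 0755
```

After changing the password scheme, each allowed user still needs an entry created with `smbpasswd -a <user>`; Unix accounts alone do not carry the NT hash Samba needs for encrypted logins.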






