Unable to disable SSL for FTP

Marc Schubert

Aug 19, 2013, 4:19:28 PM
to al...@googlegroups.com
The "Enable SSL" option in the vsftpd server setup page is un-checked and I've modified the vsftpd.conf so that the only ssl option is: ssl_enable=no
 
However I'm still able to connect to the FTP server from Filezilla using sftp...
 
I want to disable it because when I connect via sftp, I'm able to see the whole directory structure up to root (the real root). As well, I have no need for secure FTP as the only devices that use the FTP do not support the secure FTP protocol.
 
I've attached my vsftpd.conf file.
 
P.S. Is there a reason the chroot jail works for FTP but not SFTP (SSL)?
vsftpd.conf

Brandon Hume

Aug 19, 2013, 5:31:38 PM
to al...@googlegroups.com
On 19/08/2013 5:19 PM, Marc Schubert wrote:
> However I'm still able to connect to the FTP server from Filezilla
> using sftp

sftp is a protocol that runs across SSH. You're thinking of "ftps".

I don't think there's a way of disabling sftp short of disabling SSH
altogether.

João Cardoso

Aug 19, 2013, 10:24:57 PM


On Monday, August 19, 2013 10:31:38 PM UTC+1, Brandon Hume wrote:
> On 19/08/2013 5:19 PM, Marc Schubert wrote:
> > However I'm still able to connect to the FTP server from Filezilla
> > using sftp

vsftpd provides ftps, while dropbear (the default Alt-F sshd server) provides sftp through the openssh sftp-server.

> sftp is a protocol that runs across SSH. You're thinking of "ftps".
>
> I don't think there's a way of disabling sftp short of disabling SSH
> altogether.

Disabling (removing) /usr/lib/sftp-server should do the trick.
The problem is how to do that permanently, as it belongs to the base, flashed, firmware.
The only option is to install any Alt-F package, then create a dummy /Alt-F/usr/lib/sftp-server, that will shadow the real one. The dummy sftp-server could be a shell script that just returns false; when dropbear launches sftp-server, it will receive an error. Not sure what will happen next, only trying.


Brandon Hume

Aug 20, 2013, 9:48:47 AM
to al...@googlegroups.com
On 08/19/13 11:09 PM, João Cardoso wrote:
>
> disabling (removing) /usr/lib/sftp-server should do the trick.
> The problem is how to do that permanently, as it belongs to the base,
> flashed, firmware.

Even then, it's worth noting that it doesn't stop someone from using the
plain SSH client to copy out files. "ssh $host cat
/mnt/md0/file/to/steal > stolen" would be enough.

Of course, it may not be an issue... the OP hasn't said.

Marc Schubert

Aug 20, 2013, 10:48:43 AM
to al...@googlegroups.com
Thank you for your replies.

I had a feeling that sftp might have something to do with dropbear because when I was checking the system logs, it was showing the sftp logins under dropbear.

This is actually perfect, as I plan (once I've finished setting up my box) to disable dropbear/ssh, as I want it as locked down as possible when in production. So I assume once I've disabled the dropbear service, that sftp shall cease to function...

Thanks!

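An added example, not part of the original thread or of Alt-F: a small shell audit that reports separately on the two services the posts distinguish, FTPS (vsftpd's `ssl_enable`) and SFTP (the SSH daemon plus `sftp-server`). The function names and the paths passed as arguments are assumptions, and `chroot_local_user` is a standard vsftpd option that the thread itself does not name.

```shell
#!/bin/sh
# Added example: audit the two separate services discussed in the thread.
# All paths are arguments; nothing here is Alt-F's own tooling.

# vsftpd_bool FILE OPTION DEFAULT -> YES, NO or INVALID.
# Lines are "option=value" with no spaces; this sketch takes the last
# occurrence and compares the value case-insensitively.
vsftpd_bool() {
    val=$(grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2 |
          tr -d '\r ' | tr 'a-z' 'A-Z')
    case "$val" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        '') echo "$3" ;;      # option not set: report the supplied default
        *) echo INVALID ;;
    esac
}

# sftp_state PATH -> absent (missing or not executable), script, or binary.
# A dummy like the one proposed in the thread would report "script".
sftp_state() {
    if [ ! -x "$1" ]; then echo absent
    elif [ "$(head -c 2 "$1")" = '#!' ]; then echo script
    else echo binary
    fi
}

# ssh_daemon_listed: reads a saved `ps` listing on stdin and succeeds if
# dropbear or sshd appears as a command name.
ssh_daemon_listed() {
    grep -Eq '(^|[ /])(dropbear|sshd)( |$)'
}

# audit CONF SFTP_SERVER PS_LISTING
audit() {
    echo "ftps=$(vsftpd_bool "$1" ssl_enable NO)"
    # chroot_local_user is only one of vsftpd's chroot settings.
    echo "ftp_chroot_local_user=$(vsftpd_bool "$1" chroot_local_user NO)"
    echo "sftp_server=$(sftp_state "$2")"
    if ssh_daemon_listed < "$3"; then
        echo "ssh=running"
        echo "note: vsftpd's ssl_enable and chroot do not apply to ssh sessions"
    else
        echo "ssh=stopped"
    fi
}

# Usage (paths are assumptions for a typical install):
#   ps > /tmp/ps.txt && audit /etc/vsftpd.conf /usr/lib/sftp-server /tmp/ps.txt
```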