Re: OpenBSD-based Website Providers?



dfeustel@xxxxxxxxxxxxxx wrote:
jpd <read_the_sig@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Begin <huRlg.2656$DI2.2057@trnddc05>
On 2006-06-20, dfeustel@xxxxxxxxxxxxxx <dfeustel@xxxxxxxxxxxxxx> wrote:
I've been using Mindspring.com as my website host
for a long time. But Mindspring uses (and apparently
will continue to use) simple ftp for file transfer.

And why is that, do you think?

I am not necessarily defending the practice, but I am advocating
knowing the reasoning behind it, if any. If you look at how and what the
traffic passes, you will note that the need for securing data that will
subsequently be offered up to everyone on a website, varies with your
local network neighbourhood.

My problem is that I may be suffering from a DOS against ftp uploads.
SCP would seem to eliminate at least some of the DOS/DDOS possibilities.

Aside from the fact that SCP doesn't, what makes you believe you are the
target of a DoS? As opposed to, say, a not-quite-perfectly configured
system?

<snip>
somewhere else. Yes, securing your file transfers would be better, but
you might have other things with more urgency to take care of. Can you
decide which needs attention first?

Securing my ability to ftp upload is currently my most important task.
Nothing else comes close.

Well, that's basically impossible. A standard residential line can
always be DoS'ed by a sufficiently large botnet.

[...] I should look for an (OpenBSD) ISP that supports SCP for file
transfers.

There are more options than just scp and sftp. For example, ftps, that
is ftp/ssl or ftp/tls would do it in a pinch, and rsync/ssh is useful
for updating websites as well. There are probably some more protocols
(webdav/https, anyone?) with potential use.

I am not infatuated with any specific secure protocol for ftp.
So far no ISPs I have used offer *any* secure method of ftp.
I would like to find an ISP that at least *offers* a secure ftp.

Why? In almost all cases, you only FTP stuff that ends up on a
world-accessible page anyway, and commercial hosts are not sufficiently
secure to trust with anything you wouldn't trust FTP with.

Or, more to the point, it's almost always possible to at least read
your data after compromising another account, and compromising any
account is generally rather easy. OpenBSD has little to do with this;
it's mostly a matter of correctly configuring the web server used,
typically Apache. Basically, only suEXEC
<http://httpd.apache.org/docs/1.3/suexec.html> is likely to really
prevent this (PHP has several features, like safe_mode and open_basedir,
that try to give a chroot-like experience; sadly, they do not seem very
robust, and I'd not entrust really important data to such security).

Of course, suEXEC makes using mod_php and the like impossible - and the
traditional CGI paradigm requires starting a new php process for each
web page, which is very bad for performance.

FastCGI seems to solve at least some of these problems, but at the cost
of being more complicated and supported on few commercial hosts.

Finally, you could go the way I took - just run your own server. Sure,
people can still DoS you off the net, but at least you get to provide
your own security. Of course, if it's a server for the local students'
association, you still don't get to choose to kill PHP; but at least you
can implement *some* security (like updates only being possible over
Subversion over SSH).

Is there a list of such servers?

Not that I know of. If you're serious about this, you can always start
one. I'd suggest including more than just isps that support scp/sftp.

My interest in such a list is using it to get an affordable ISP that
provides a secure ftp. IMHO it would definitely be a smart advocacy
move for OpenBSD.org to provide such information as part of its listing
of OpenBSD support.

If you want secure webhosting, post a threat model and your requirements
(for instance, do you want DoS protection, confidentiality, ...?)

Joachim
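Before committing to a host that claims an ftp/ssl option, a defender can ask FEAT whether explicit TLS (AUTH TLS plus PBSZ and PROT) is really advertised, without ever sending a password in clear. This is an added example using Python's standard ftplib, not code from anyone in this thread; the FEAT replies are constructed samples and the upload helper assumes a host that advertises all three features.

```python
"""Probe for explicit FTP-over-TLS (RFC 4217) before any credential is sent."""

import ssl
from ftplib import FTP, FTP_TLS

# Constructed sample FEAT replies in RFC 2389 layout (not captured from a real host).
SAMPLE_FEAT_TLS = "211-Features:\n AUTH TLS;TLS-C;SSL;TLS-P;\n PBSZ\n PROT\n UTF8\n211 End"
SAMPLE_FEAT_PLAIN = "211-Features:\n MDTM\n SIZE\n UTF8\n211 End"
TLS_MECHS = {"TLS", "TLS-C", "SSL", "TLS-P"}


def feat_offers_tls(feat_reply: str) -> bool:
    """True when FEAT advertises AUTH TLS/SSL plus PBSZ and PROT, the full
    explicit-TLS set needed to protect both the control and the data channel."""
    auth_mechs, has_pbsz, has_prot = set(), False, False
    for line in feat_reply.splitlines():
        if not line.startswith(" "):   # RFC 2389: feature lines are indented; skip 211 lines
            continue
        name, _, args = line.strip().partition(" ")
        name = name.upper()
        if name == "AUTH":
            auth_mechs.update(m.upper() for m in args.replace(";", " ").split())
        elif name == "PBSZ":
            has_pbsz = True
        elif name == "PROT":
            has_prot = True
    return bool(auth_mechs & TLS_MECHS) and has_pbsz and has_prot


def probe_explicit_tls(host: str, port: int = 21, timeout: float = 10) -> bool:
    """Open the control connection and issue FEAT only; no USER/PASS is sent."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        return feat_offers_tls(ftp.sendcmd("FEAT"))
    finally:
        ftp.close()


def upload_over_tls(host, user, password, local_path, remote_name, port=21):
    """Log in only after TLS is negotiated; PROT P encrypts the data channel too."""
    ctx = ssl.create_default_context()   # verifies the certificate chain and hostname
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()                          # AUTH TLS on the control channel before login
    ftps.login(user, password)
    ftps.prot_p()
    with open(local_path, "rb") as fh:
        ftps.storbinary(f"STOR {remote_name}", fh)
    ftps.quit()
```

Run `probe_explicit_tls("<your host>")` first; only call `upload_over_tls` against a host for which it returns True, since `ftplib` will otherwise fall back to sending the password in clear.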