hiya

download and install ssh into each windoze box that needs
access to the debian box

samba -> encrypted passwd is typically already on
	smbpasswd is needed to allow the windoze users to connect

nfs -> use secure portmap, secure nfs, ....

ftp -> secure ftp w/ scp

telnet -> secure telnet w/ ssh or putty or ??
	http://www.Linux-Sec.net/SSH/ssh.windows.txt

pop3 -> secure pop3 w/ ipop3s and turn on SSL on clients
	http://www.Linux-Sec.net/Mail/secure_pop3.txt

make backups BEFORE they change the files...
better still have them update http://STAGE.foo.com
and update when the "manager" says release the new site
to the real server ...

and disallow dhcp/wireless...

c ya
alvin
http://www.Linux-Sec.net

On Thu, 18 Apr 2002, Tom Dominico wrote:

> I have a Debian webserver that currently runs SSH, HTTP, and SMTP
> services. The SMTP service only accepts mail from the local interface.
> I try to keep my box free of any excess services that might lead to
> vulnerabilities, or that transmit authentication information via
> cleartext. I am running into some issues, however, where having only
> SCP access for file transfer is not convenient.
>
> For example, all workstations here are running some version of Windows.
> I have yet to run across Windows applications that have SCP support
> built-in, though. I have instances where I would like to be able to
> upload/download files from the server to my text editor, synchronize
> directories between a workstation and the server, etc. My options are
> generally only FTP, or using windows shares. I hesitate to install FTP
> because of the issues with cleartext passwords being transmitted, as
> well as potential vulnerabilities in the FTP daemon. I understand that
> some daemons now support SSL for encryption, but I do not know if
> running an FTP server is really a wise idea or not, even with SSL.
>
> I am debating installing samba on the webserver, and setting it up to
> use encrypted passwords. I would not allow "guest" usage of any shares.
> This would make it much easier for me to do development and other tasks
> on the server via my Windows workstation. However, I do not know if I
> would be making a large mistake, security-wise, by doing this. We have
> an external firewall, and I would think I could firewall off samba
> traffic, so that only internal users would even have access, and even
> then it would be protected with an encrypted password.
>
> I am curious to see what the users of this list would suggest. It seems
> that I could do the following:
>
> 1) Install samba, and connect to the webserver via "shares" from my
> workstation.
> 2) Try to install FTP with SSL functionality, and perhaps firewall it
> off for internal use only.
> 3) Do none of the above and use an SCP client to manually transfer
> things back and forth when necessary.
>
> In a nutshell, I am wondering what the best way is to co-exist with
> Windows on the desktop, while still running a relatively secure server.
>
> My other question relates to cleartext passwords. I am writing some
> web-based administrative tools to allow selected users to update
> sections of the website, without having to know how to code. Using a
> simple "htpasswd" scheme, passwords are sent out in cleartext. I am
> concerned that anyone with a sniffer could then gain access to those
> passwords. I work in a school district, and some of these kids are very
> clever, and have a lot of time on their hands. Is there a way to
> encrypt htpasswd traffic, or is there another solution I should examine?
>
> I greatly appreciate any advice.
>
> Tom Dominico
> District Technology Coordinator
> Parlier Unified School District
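
The htpasswd question above rests on the fact that HTTP Basic authentication only base64-encodes the password, so it is readable on the wire unless the request travels over SSL. The following is an added example, not part of the original thread: it decodes a constructed Basic header and flags Basic-auth blocks in a constructed Apache config that lack mod_ssl's SSLRequireSSL. The paths and credentials are invented, and it assumes flat (non-nested) Directory/Location blocks on a server that also answers plain HTTP.

```python
import base64
import re

# Constructed sample header: base64 of "tom:secret", as a browser would send it.
SAMPLE_HEADER = "Basic dG9tOnNlY3JldA=="

# Constructed sample Apache config; all paths are hypothetical.
SAMPLE_CONF = """\
<Directory /var/www/admin>
    AuthType Basic
    AuthUserFile /etc/apache/htpasswd
    Require valid-user
</Directory>
<Directory /var/www/secure-admin>
    SSLRequireSSL
    AuthType Basic
    AuthUserFile /etc/apache/htpasswd
    Require valid-user
</Directory>
<Directory /var/www/html>
    Options None
</Directory>
"""

BLOCK = re.compile(r"<(Directory|Location)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def decode_basic(header_value):
    """Recover (user, password) from a Basic credential: encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def directive_tokens(body):
    """Lower-cased token lists for each non-comment directive line."""
    return [l.lower().split() for l in body.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def cleartext_auth_blocks(conf):
    """Paths that use Basic auth without also requiring SSL for the request."""
    flagged = []
    for _kind, path, body in BLOCK.findall(conf):
        toks = directive_tokens(body)
        basic = any(t[:2] == ["authtype", "basic"] for t in toks)
        needs_ssl = any(t[0] == "sslrequiressl" for t in toks)
        if basic and not needs_ssl:
            flagged.append(path.strip())
    return flagged
```

With the sample config, only `/var/www/admin` is reported; the second block is accepted because SSLRequireSSL refuses any request for it that does not arrive over SSL.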