It would be nice if sftp/scp/ssh could be chrooted. But I'm sure you can always mess with the rights for each user though.

As for "warns of k1dd13s", why care? If you open a port, someone will find you. If you're concerned about the kiddies using up your bandwidth, have pf running on the same box as the ftp/scp/ssh/sftp server on the outside ip address. The ftp/ssh daemon might not be able to handle the traffic but pf can and there are features in pf to handle denial of service and keep logs. In a setup like this, I'll have pf keep state on only the incoming traffic on the open port. And like I said, I ran an OpenBSD ftp server with nothing else running and never had an issue, especially with script kiddies. Have a little faith.

Another option is to use openvpn on your ftp server and use openvpn's tls-auth feature, but then your setup becomes more involved. And for what, to stop script kiddies? Don't do a lot of work for little gain.

Joachim Schipper wrote:
I know, I know. The point is not that it is impossible to put this on an
expendable system, the point is that the data itself is somewhat
confidential.

Otherwise, plain FTP combined with a script that warns if the k1dd13s
have found you (bandwidth utilization ~ 100%, all the time) would be
pretty good.

                Joachim
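
The pf arrangement described in the reply above (state kept only for inbound connections to the one open port, logging, and pf's per-source connection limits) could look like the following pf.conf. This is an added example, not a configuration posted by either participant; the interface name `em0`, the choice of port 22, the table name `<abusers>` and all thresholds are assumptions to adapt.

```pf
# /etc/pf.conf -- constructed example, not from the thread.
# Assumptions: external interface is em0, the only open service is
# sshd (ssh/scp/sftp) on port 22, thresholds are illustrative.

ext_if = "em0"

# Sources that exceed the limits below are added here by pf itself.
table <abusers> persist

set skip on lo

# Default: drop and log every unsolicited inbound packet.
block in log on $ext_if all

# Anything already flagged as abusive is dropped first, without logging
# each packet again.
block in quick on $ext_if from <abusers>

# The single open port. State is created only for these inbound
# connections; replies leave via the state entry.
#   max-src-conn       concurrent connections allowed per source address
#   max-src-conn-rate  new connections per source: 5 within 30 seconds
#   overload           put offenders in <abusers>
#   flush global       and kill every state they already hold
pass in log on $ext_if inet proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <abusers> flush global)

# No outbound rule: locally generated traffic falls through to pf's
# implicit pass and creates no state of its own.

# Check syntax:      pfctl -nf /etc/pf.conf
# Load:              pfctl -f /etc/pf.conf
# Watch the log:     tcpdump -n -e -ttt -i pflog0
# Show offenders:    pfctl -t abusers -T show
# Expire old ones:   pfctl -t abusers -T expire 86400
```

The pflog0 output and the contents of `<abusers>` also cover the "warn me when they have found you" need from the quoted message, since both record which sources are hammering the port.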
