Re: [opensuse] FTP-server problem ?



On 3/10/2011 10:58 AM, Koenraad Lelong wrote:
Op 10-03-11 13:40, Anton Aylward schreef:
My general advice, from over 30 years of networking, is to NOT use FTP.

I've found that HTTP servers are faster, more network friendly, more
sysadmin friendly, more firewall friendly and more reliable.

From the client point of view, WGet or CURL are better than an ftp
client for similar reasons.

At the very least, WGet or CURL are better than an FTP client.


I'm far from clear from your description why this has to be a virtual
machine. That just seems to add another layer of complexity to no clear
advantage.

The classic model of a machine that downloads its firmware is old, old,
old, and used TFTP not FTP. Today this is the 'net boot' of PXE that is
built in to most motherboard BIOSes. The server software for this can
be found though
http://syslinux.zytor.com/wiki/

Check out PXE Linux, for example.

I've used this in the past to download the code for appliances that
don't have their own flash memory. Its very reliable and very flexible.

Please: Avoid FTP. Its a mess, insecure and a pile of trouble.
As far as I can make out there are better - easier, more reliable, more
flexible, more user friendly, more firewall friendly, more network
friendly, more configuration friendly, ways to do what you're trying to
achieve.


Thanks for your response.

Unfortunately, I don't have anything to say about the server system or
the devices, our customer designed the whole system. And they don't have
problems, I think it's because they are testing with a single device.
As far as I can tell, they get their files with wget. This is a logfile :
wget -q -O /tmp/dayzero/packages/manifest
ftp://production.promo.com/dayzero/manifest

About security : that network has no connection to the outside world. So
nothing to worry about.

The main reason for the vm : our customers regularly ask for some
server, just to test devices. If I have to provide real hardware for
every project, I would have a pile of machines that aren't used most of
the time.
B.T.W. with server I mean a machine that provides services, not
server-grade hardware.

Out of curiosity : why would a virtual machine add complexity ? Once
installed the guest behaves like real hardware, isn't it ?

Regards,

Koenraad Lelong.

Of course using a vm adds more variables, a lot more, and is therefore impossible to be anything BUT more prone to unknown problems. That's a built-in immutable fact of logic. More variables == more opportunities for error, or more things that must all be just right in order for the whole to work. The real question is why would you think otherwise?

Also you didn't mention which of the dozen or more wildly different types of "vm" you are using. They all have strengths and weaknesses.

For one example, that just happens to involve vsftpd, vsftpd has a known issue with it's default configuration when used in a kernel namespace-based container (lxc), because vsftpd itself uses namespaces as a security/isolation technique by default.
So if your "vm" happens to be an lxc container, you need to add
isolate=NO
isolate_network=NO
to /etc/vsftpd.conf
Except, more variables... as lxc is still developing, they already know that this problem will go away soon because they already know they are changing the thing that causes it, so, depending on the version of lxc and you kernel, If you're reading this later in some mail archive, you may NOT have to worry about this after all.

I doubt you are using lxc since it's very new and has hardly any userspace convenience support yet. No nice front end apps to make it easy to create containers and start/stop them etc.

But gee there could be literally ANY number of exactly similar compatibility issues with any kind of vm technology.

I would still say, based on what you've described so far anyways, that you probably don't need vm's for this level of isolation.
You don't need lots of hardware boxes either. vsftp and dhcpd both have a concept of virtual hosts built-in just like apache does, even further since they have built in support for chroot jails. You can have the hosts main dhcpd and vsftpd serve all requests, and yet have it look to the outside as if they were distinct machines with distinct ip addresses and hostnames and their own "root" filesystems as seen from the client side. If the clients need to do more on the host than upload/download files to an ftp account and receive dns and dhcp service, then maybe you need vm's.

It may be either more work or less work to maintain such a setup depending on how you work, which I can't speak to. Certainly if you're already doing vm's then it's more work at least briefly just to figure out this other way. After that I'd say it'll be a lot easier to maintain and use and definitely a lot more efficient in terms of host resources.

--
bkw
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx



Relevant Pages

  • Re: FTP Server setup... Im so close!
    ... > I have installed the Internet Information Services, etc, and have the FTP ... Your external client is trying to use Passive Mode. ... Since your server is behind NAT, ...
    (microsoft.public.windowsxp.network_web)
  • Re: Microsoft FTP Server problem on W2K?
    ... I have technical responsibility for this FTP implementation, ... Since PASV voids PORT, the client side ... connect to the server from" isn't implied by the text of the RFC. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Telnet/ftp problems SBS2000
    ... | through the server to get internet access everything works. ... | client uses an internet backup company to backup his really vital data, ... I understand that you cannot use ftp service to ... the connection can be established ...
    (microsoft.public.windows.server.sbs)
  • [NEWS] Directory Traversal Vulnerabilities in FTP Clients
    ... vulnerable to certain directory traversal attacks by modified FTP servers. ... file/directory permissions and the privilege level of the client. ... A malicious server could potentially overwrite key files to cause a denial ... your vendor, or the associated CERT vulnerability note, if your product is ...
    (Securiteam)
  • Re: Configure ISA to allow ISA Server to make external FTP Connect
    ... your Server name and select properties, Installation mode is listed at the ... client, as well as being all three at the same time. ... This means that the workstation has the proxy server details ... Enter the name 'FTP Access', press next twice, from the drop down box ...
    (microsoft.public.isa.configuration)