A long time ago in the era of modems, I was fond of network security. Time passed, paranoia remained.
Nowadays, very few people use FTP; it has been replaced by more convenient things, such as SVN, which do not replace FTP explicitly but do so in practice and eliminate many headaches. I’m a lone developer: I do everything from design and version to programming and server optimization for a specific task. Therefore, it is more convenient for me to use good old FTP and so on. I'm not saying that I do not need SVN; I actively use it, but only to create revisions. I update the software on the server via FTP, ahem... more precisely via SFTP. That is actually what I wanted to talk about.
When I was thinking about the security of my server, I could imagine that I could be logged or trojaned, or that someone could simply get physical access to the computer, and so on; that is all commonplace. But what do you do if the “bottleneck” in the security of your system is an Internet provider or service provider? Of course, they are responsible for their actions, and their bread and butter is a completely different business. But their employees... Without insulting anyone, let's get down to business.
What do you need to build a secure system with access to FTP and other services (for example, MySQL)?
The article is intended for people who have their own servers or have access to the "steering wheel" on them.
FTP
We forget what FTP is and remove everything connected with it from the server. If we have SSH access, we need nothing else. Any modern FTP client (SmartFTP, CuteFTP) can work with both FTP over SSH and SFTP. Let's look at an example with CuteFTP; I have version 8.0 Pro.
File -> New -> SFTP (SSH2)

Enter the login and password of the shell account ...

CuteFTP then warns about the server's host key; we confirm that it is fine, and voila, we have FTP emulation.
True, here we lose a lot of the functionality provided by such giants as proftpd. But if you and your developers only need to download files over FTP and nothing more, then nothing is easier. Add a new user to the system and he immediately has access to SFTP.
MySQL
Accordingly, my MySQL databases accept connections only from local IPs. What should you do if phpMyAdmin and similar software do not suit you, or you just want a GUI? Let us examine an SSH tunnel using MySQL as the example.
There are GUIs that create SSH tunnels themselves, such as SQLyog. But personally, I have developed a gag reflex to it. I like QB for its functionality and simplicity. However, it does not know how to make a tunnel to MySQL over SSH.
First, a little theory. The idea is simple. We have MySQL on the server, which accepts connections only from local IPs. Having SSH access, we can set up a so-called “tunnel”: we connect to it, and from there we connect to the database. The database sees a local IP and lets us through; everything is simple. The main task is to automate this process.
PuTTY is useful for this.
1. Create a new connection and give it a name.

2. Go to Connection -> SSH -> Tunnels and add a new tunnel. In the “Source port” field, enter the local port where one end of the tunnel will be opened. I have no local MySQL, so I specify the standard 3306 to keep things simple. If you have a local MySQL on this port, write 3307 or whatever your heart desires. In the “Destination” field, enter the address:port where the other end of the tunnel goes. In our case, it will be localhost:3306 (where the database on the server lives). Click the "Add" button.

3. Go back to the Session window, save the session and click “Open”. Enter the login and password and voila: the port we specified in “Source port” now gives us whatever is listening on the port we specified in “Destination”. Open QB and connect.

Actually, while the FTP example is specific to FTP, the second example shows a way to expose any service that is local to the remote server as a local service on your own machine via SSH, which is many times safer than regular connections.
This scheme works on my servers. I have a NAV, I remember all my passwords, I sleep well and advise you to do the same =)
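The whole scheme rests on MySQL accepting connections only from local addresses, so it is worth checking that on the server. The following is an added example, not code from the original article: it audits the output of `ss -ltn` for listeners on a given port that are bound to anything other than loopback. It assumes a Linux server with `ss` from iproute2; the two sample outputs are constructed.

```python
import ipaddress

# Constructed `ss -ltn` output: a server configured as the article describes.
GOOD = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       151     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

# Constructed `ss -ltn` output: MySQL bound to every interface.
BAD = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       151     0.0.0.0:3306        0.0.0.0:*
LISTEN  0       151     [::]:3306           [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or unrelated line
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards (*, 0.0.0.0, ::) are not."""
    addr = addr.split("%")[0]  # drop an interface scope such as %lo
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable counts as exposed

def exposed(ss_output, port=3306):
    """Return sorted addresses on which `port` is reachable from other hosts."""
    return sorted(a for a, p in parse_listeners(ss_output)
                  if p == port and not is_loopback(a))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        found = exposed(sample)
        print(name, "MySQL exposed on:", found if found else "nothing (loopback only)")
```

The same check with `port=22` lists the SSH listener as exposed, which is expected here: SSH is the one service the scheme leaves reachable from outside.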