Post by Eldor on Feb 28, 2008 0:09:13 GMT 7
Thanks for the suggestion, but it looks like Draytek isn't available in Canada, making for possibly difficult service/support.
I'll stick with something that I can get from more than one source right here in Canada.
Cheers!
Post by Eldor on Mar 3, 2008 0:06:32 GMT 7
Just wanted to follow up in this thread with an update on what I've done...
First of all, big thanks (again!) to both Static and Peter for their help. They really helped me get this going.
I did change my firewalls (at home and the office), as what I had was about 10 years old and no longer supported by the manufacturer (who would have guessed?). Nor would those old units allow port forwarding.
I've now got SonicWall TZ-150s in both locations. And it was really easy (following the instructions given here by Static and Peter) to get FTP running. I'm really pleased.
Now I'm only curious about the security aspect of this, and even with good (long and completely random) passwords, I wonder how safe this all is. What I'd like to do is open up the main directory on my Thecus to *ME* only (with the strong password) but to have another directory for guest use (also with a good password). The idea being that I might want/need access to a file I've got on the Thecus, but I certainly don't want others to have access to that stuff. And if I must share a file with someone else, I'd log on and FTP the file from MY folder to the one used by guests and they could pick the file up there.
Where's the weak point? Is there anything else I can do (other than what's already been mentioned by Static and Peter) to make the system more secure?
And this probably isn't the place to ask this, but how does VPN play into all this? Since my firewalls support VPN, is it practical to use that for ME to move files around, etc. but to also keep a small folder for guest use with FTP?
Thanks again!!
Eldor
Post by biddyman on Mar 8, 2008 21:22:08 GMT 7
As far as the ME folder and the Guest folder, that is what I do.
Post by Georg Eschenbach on Mar 19, 2008 21:08:40 GMT 7
Hello, I am a newbie with a three-day-"old" Thecus N5200Bpro. I have installed 5 1TB Seagate HDs, have RAID 6 running, have made groups and users and have activated FTP.
The users can log on with their username/password (via dyndns.org) and after logging in they can see ALL my folders on the N5200. They can log into only their folder, but I would like to change "something" so that a user who logs in via FTP will be directly in HIS folder without even noticing that there are some more folders (which just makes them nosy).
Can anybody give me an idea how I have to set up the users / groups / ACL list??
Thanks a lot
George
Post by peterfu on Mar 20, 2008 1:03:26 GMT 7
Directing FTP users to their home directory is possible, but with some disadvantages and manual changes in the passwd file. All users created have a non-valid home directory and a non-valid shell in the passwd file. To bind a user to his home directory you have to change the passwd file for the users so that they have a valid home directory, and disallow chroot for FTP users during pure-ftpd startup (to disallow chroot the PUREFTPD module can be used). The disadvantage is that when disallowing chroot, following links is also not possible, and the standard FTP service on the Thecus works with links in the default FTP home directory - so every user must have a home directory and it is not possible that one user has the default home directory and accesses all other folders.
br Peter
Post by Georg Eschenbach on Mar 20, 2008 16:14:45 GMT 7
Hello Peter,
Thanks a lot for the quick answer. I have just downloaded PureFTP and will try. I will let you know whether it works.
best wishes George
Post by Georg Eschenbach on Mar 21, 2008 0:18:44 GMT 7
Hello again, I have installed the module PureFTP and have disallowed chroot for all users.
But STILL I can SEE all directories when logging in via FTP program.
What did you mean when you say "you have to change the passwd file for the users"?
DO I need to change files "manually" under Linux? I don't know how and where to find these passwd files.
Sorry, I know very little about Linux (I am one of the dumb and stupid Windows XP users :-( ).
Can you help me a little (??) bit more??
THANK YOU
Best wishes George
Post by Georg Eschenbach on Mar 21, 2008 0:33:37 GMT 7
Back again ....
So now every user has got his own directory, and in the ACL list every user has the right to read/write in his special directory and will be rejected in any other directory.
But STILL any user can see any directory on the N5200 AND has access to the folder "My Media" which was created by the Media Server.
I have stopped the Mediabolic server by now, have moved all my media files to a directory within MY files and have installed TwonkyMedia Server as a module, which works very fine and much better than the Mediabolic media server (it's more comfortable and has more settings which can be changed for personal purposes).
So one problem has been solved in a different way; STILL all users can SEE all folders, although they don't have any access.
So I will have to change the passwd files, wherever they are and however I'll have to do that.
IF ever I might find these files (via telnet or something else???), HOW do I have to change them? Via editor?
How do I get access to the system files? Telnet? WinSCP?
Post by peterfu on Mar 21, 2008 4:42:00 GMT 7
Some more detailed information now:
The file is /etc/passwd and contains all users and some additional stuff. The layout is (on N5200):
user:x:userid:group id:real name,,,:home dir:shell
home dir: the user's home folder
shell: the user's shell
On the N5200 the home dir and the shell are /dev/null - which in Linux terms is nothing or not defined.
Home dir has to be set to the user's home directory, i.e. /raid/data/home. Shell may be /dev/null.
To enter the Linux command shell on the N5200 you have to install the modules SSHD and SYSUSER, which allow you to log in to the N5200 remotely via ssh.
After login you are in a Linux command shell and may modify whatever you want.
Just a warning: editing the passwd file or other configuration files is dangerous, because you may lock yourself out completely or damage your system so that you have no access anymore. Changes or logins via ssh and modification of configuration files need some basic Linux knowledge. So I would advise googling around for some time and taking some time for learning.
The standard editor in Linux is vi - this editor also needs some training. Never try editing a Linux configuration file with a Windows-style editor - you will destroy the content, or rather the content will not be recognized any more.
br Peter
PS: I'm also not happy that my FTP users can see other folders, but who cares, they don't know the content.
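As an added example, not code from the thread or from the Thecus firmware, to go with Peter's description of the passwd layout and his warning about Windows editors: a small Python checker that parses entries in the user:x:uid:gid:gecos:home:shell layout, rejects CRLF line endings and wrong field counts, flags accounts whose home is still /dev/null, and rewrites one user's home field without touching anything else. The sample passwd content, the user names, the /raid0/data root and the UID 1000 cutoff for system accounts are constructed assumptions.

```python
"""Sanity-check and edit /etc/passwd entries of the layout peterfu describes.

Added example, not code from the thread or from the Thecus firmware.
Assumptions (constructed): the sample entries below, the /raid0/data data
root, and that UIDs below 1000 are system accounts.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the N5200 layout: user:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:99:99:nobody:/dev/null:/dev/null\n"
    "alice:x:1005:102:Linux User,,,:/dev/null:/dev/null\n"
    "bob:x:1006:102:Linux User,,,:/raid0/data/bob:/dev/null\n"
)


@dataclass
class PasswdEntry:
    user: str
    uid: int
    gid: int
    gecos: str   # comment field ("Linux User,,,"); commas are legal here
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd text strictly: exactly 7 colon-separated fields per line,
    LF line endings only. A Windows editor that saves CRLF leaves a '\\r' on
    the shell field, which is the kind of damage Peter warns about."""
    entries = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if raw == "":
            continue
        if raw.endswith("\r"):
            raise ValueError(f"line {lineno}: CRLF line ending (saved by a Windows editor?)")
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, found {len(fields)}")
        user, _pw, uid, gid, gecos, home, shell = fields  # _pw is 'x': hash lives in /etc/shadow
        entries.append(PasswdEntry(user, int(uid), int(gid), gecos, home, shell))
    return entries


def check_ftp_homes(entries: List[PasswdEntry], data_root: str = "/raid0/data",
                    min_uid: int = 1000) -> Dict[str, str]:
    """Return {user: problem} for accounts that would have nowhere to land on FTP login."""
    root = data_root.rstrip("/")
    problems: Dict[str, str] = {}
    for e in entries:
        if e.uid < min_uid:
            continue  # root, nobody, ... are not FTP users
        if e.home == "/dev/null":
            problems[e.user] = "home is /dev/null"
        elif e.home != root and not e.home.startswith(root + "/"):
            problems[e.user] = f"home {e.home} is outside {root}"
        # the shell may stay /dev/null: FTP-only users need no login shell
    return problems


def set_home(text: str, user: str, new_home: str) -> str:
    """Rewrite only the home field of one user, leaving every other byte alone."""
    parse_passwd(text)  # refuse to touch a file that is already malformed
    out, found = [], False
    for raw in text.split("\n"):
        fields = raw.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[5] = new_home
            raw = ":".join(fields)
            found = True
        out.append(raw)
    if not found:
        raise KeyError(user)
    return "\n".join(out)


if __name__ == "__main__":
    before = check_ftp_homes(parse_passwd(SAMPLE_PASSWD))
    fixed = set_home(SAMPLE_PASSWD, "alice", "/raid0/data/alice")
    after = check_ftp_homes(parse_passwd(fixed))
    print("before:", before)
    print("after: ", after)
```

Run it against a copy of the real file first (python3 check.py, after pointing it at the copy) and only then edit the original with vi; the CRLF check is the quick way to confirm an editor did not silently convert the line endings.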
Post by Georg Eschenbach on Mar 21, 2008 16:57:45 GMT 7
Hello Peter, thank you very much for your patient answers. Must be horrible to help people who know very few things and to answer a lot of silly questions. If I understand you right, I will have to install two more modules, SSHD and SYSUSER. Then I will have to log on to the N5200 via PuTTY or WinSCP (I am running Windows XP) and then I will have access to all system folders on the machine. Oh my God, I hope I won't make too much nonsense :-) So I will just change ONE of the users and then log on via FTP and check what will happen. I will keep you informed. THANKS A LOT George
Post by Georg Eschenbach on Mar 21, 2008 17:04:45 GMT 7
One more question before I make any nonsense:
Is there any special order in which the modules should be installed?
At the moment I have two modules installed: 1) Twonky Media 2) PureFTP
Do I have to uninstall these modules to have SSHD and SYSUSER as number one and two, or does the order of the installed modules not matter?
Greetings from a cautious George
Post by Georg Eschenbach on Mar 21, 2008 18:55:14 GMT 7
Back again. So, I have activated the modules SSHD and SYSUSER and have access to the N5200 via WinSCP. I have found /etc/passwd and have changed ONE of the users to
USER:x:1006:102:Linux User,,,:/raid/data/USER:/dev/null
and have saved it and rebooted the N5200. This is how the line looks. USER is the username and USER is the name of HIS folder. I don't know why all users have "Linux User" in their passwd line?? In PureFTP "chroot nobody" is activated. When the user now logs on, he still can see ANY folder and can NOW jump UPwards in the file tree, as he is logged on in raid0/data. He could then change any file in any folder ... If I then deactivate PureFTP and reconnect the USER via FTP, he is logged on as before. So something in passwd is wrong and the user is logged into the wrong directory with ALL rights to move anywhere ... HELP. I have actually stopped the FTP server ..... Greetings George
Post by peterfu on Mar 21, 2008 21:06:23 GMT 7
Hi George, I will do some tests over the weekend and then give you feedback as soon as I have the results. br Peter
PS: the password - which is the second entry in the passwd file - is not stored in the passwd file; the passwords are in the /etc/shadow file. The "Linux User" is the comment field, mostly used for the real name.
Post by peterfu on Mar 22, 2008 1:32:42 GMT 7
Hi George, I have now checked the scripts and some documentation and I was completely wrong. During FTP login only the user authentication is taken from the standard Linux passwd and shadow files. The home directory of the user is not taken from there. There runs its own authentication which returns the home directory of the user as /raid0/data/ftproot - this value is returned for every user, and this directory contains a link to all defined and standard folders. So having own home directories will require some deeper changes. Please revert your changes to the passwd file and also set the chroot parameter back to the default one. I'm not sure if I can work out what changes have to be done during the weekend, so this might take some time. br Peter
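Peter's two posts (the chroot-versus-links trade-off in his first answer, and the /raid0/data/ftproot directory of links that every FTP login lands in) come down to one rule: inside a chroot, a symlink whose target lies outside the jail points at nothing, and with the chroot removed the user can follow links and climb with ".." exactly as George observed. The following Python is an added example, not code from the thread or from the Thecus firmware. It does not call chroot(); it builds a throwaway directory tree and resolves paths the way the kernel does for a chrooted process. The folder names and the guess that the stock ftproot links are absolute (/raid0/data/<folder>) are assumptions.

```python
"""Why symlinks in an FTP root stop working once the login is chrooted.

Added example, not code from the thread or the Thecus firmware. It does not
call chroot(); it builds a throwaway directory tree and resolves paths the
way the kernel would for a process chrooted into it. Constructed assumptions:
the folder names, and that the stock ftproot links are absolute
(/raid0/data/<folder>) rather than relative.
"""
import os
import tempfile
from typing import Dict, List


def resolve_in_chroot(chroot: str, path: str, max_links: int = 40) -> str:
    """Map `path`, as seen by a process chrooted at `chroot`, to a host path.

    Mirrors kernel lookup rules for a chrooted process: an absolute symlink
    target is re-rooted at the chroot, and '..' at the chroot root stays there.
    """
    chroot = os.path.realpath(chroot)
    pending: List[str] = [p for p in path.split("/") if p and p != "."]
    resolved: List[str] = []  # components below the chroot root
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            if resolved:
                resolved.pop()
            continue  # cannot climb above the chroot
        candidate = os.path.join(chroot, *resolved, comp)
        if os.path.islink(candidate):
            hops += 1
            if hops > max_links:
                raise OSError(f"too many levels of symbolic links: {path}")
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = []  # absolute target: restart at the chroot root
            pending = [p for p in target.split("/") if p and p != "."] + pending
            continue
        resolved.append(comp)
    return os.path.join(chroot, *resolved)


def visible_in_chroot(chroot: str, path: str) -> bool:
    """True if `path` resolves to something that exists from inside the chroot."""
    return os.path.exists(resolve_in_chroot(chroot, path))


def build_tree(base: str) -> str:
    """Constructed stand-in for /raid0/data on the NAS, created under `base`."""
    data = os.path.join(base, "raid0", "data")
    os.makedirs(os.path.join(data, "alice"))
    os.makedirs(os.path.join(data, "ftproot"))
    with open(os.path.join(data, "alice", "secret.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    # the links the FTP root is assumed to contain: one absolute, one relative
    os.symlink("/raid0/data/alice", os.path.join(data, "ftproot", "alice"))
    os.symlink("../alice", os.path.join(data, "ftproot", "alice_rel"))
    return data


def demo() -> Dict[str, bool]:
    """Resolve the same file with and without a chroot at ftproot."""
    with tempfile.TemporaryDirectory() as base:
        data = build_tree(base)
        ftproot = os.path.join(data, "ftproot")
        return {
            # chrooted into ftproot: neither link can reach alice/secret.txt
            "chroot_abs_link": visible_in_chroot(ftproot, "/alice/secret.txt"),
            "chroot_rel_link": visible_in_chroot(ftproot, "/alice_rel/secret.txt"),
            # no chroot (root = the whole tree): the same link works ...
            "nochroot_abs_link": visible_in_chroot(base, "/raid0/data/ftproot/alice/secret.txt"),
            # ... and so does climbing out of ftproot with '..' (George's "jump upwards")
            "nochroot_climb": visible_in_chroot(base, "/raid0/data/ftproot/../alice/secret.txt"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'reachable' if ok else 'dangling'}")
```

The two "chroot_" entries come out dangling and the two "nochroot_" entries reachable, which is the trade-off in Peter's first answer: either the jail holds and the links in ftproot are dead, or the links work and nothing stops a user from walking up into the other folders. Per-user home directories need the chroot to start at the user's own folder, not at a directory of links.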
Post by Georg Eschenbach on Mar 22, 2008 2:24:30 GMT 7
Hi Peter,
thank you so much that you are really looking for a solution for ME. It seems that I am the only one who is thinking about this special "problem".
I have in between tried the module FTPACCESS, which masks out folders which you don't want to show, but after that still all user folders are visible. You can just "switch off" your own folders, which NOONE shall see. But you cannot force a user to log on to his personal folder without even noticing that there are other folders.
The funny thing is that on every web server only the specified user logs on into his personal folder and doesn't see the other folders on the machine. Would be funny if you logged on to your web server and could see all the other customers who have websites on the rented machine ...
NO, I don't want to offer a web service or something else, and it is really not "very" important, but I think it just makes you nosy if you can see folders which you cannot access.
So, don't bother too much. I have just made 5 folders for friends of mine to exchange data with me and a personal one for me, into which I can put my data if I am abroad, so it's nothing public which could cause any problems. It's just "cosmetic".
What I have done: every user has got his own group and his own folder. So I can give access rights in the ACL list to one or more users for each folder (access to any personal folder is for the user himself and me - so we can exchange data, as I have access to all folders).
I haven't understood the feature of groups by now. What does it mean to be a user in a group?
Best wishes George
still thinking hard about the "problems" without getting a solution by myself.