How do I FTP via a secure tunnel (set up instructions requested pls)

Discussion in 'Computer Security' started by Just A. User, Dec 9, 2005.

  1. Just A. User

    Just A. User Guest

    Hello

    I would like to FTP via an encrypted secure tunnel that will mask my
    ISP. I want to run an FTP client (inbound) and FTP daemon (outbound)
    via this tunnel. However, I've not been able to configure them
    properly. Can anyone help??

    Also, secure star (makers of drivecrypt & DCPP) are now offering their
    own tunneling service. Does anyone have any experience with their
    service yet?

    Thanks for your help and advice.
    Just A. User, Dec 9, 2005
    #1

  2. Just A. User

    nemo_outis Guest

    Just A. User wrote:

    > Hello
    >
    > I would like to FTP via an encrypted secure tunnel that will mask my
    > ISP. I want to run an FTP client (inbound) and FTP daemon (outbound)
    > via this tunnel. However, I've not been able to configure them
    > properly. Can anyone help??
    >
    > Also, secure star (makers of drivecrypt & DCPP) are now offering their
    > own tunneling service. Does anyone have any experience with their
    > service yet?
    >
    > Thanks for your help and advice.
    >



    The better FTP programs support SSL/TLS directly (I use Serv-u as server,
    Flashfxp as client). Another alternative is an SSH tunnel within which the
    FTP transfers occur. There's also the (slightly bastardized) SFTP.

    FTP is an awkward protocol to secure with some methods (e.g., stunnel)
    because of the separate control and data channels.

    Like SSH, VPN would also work.

    Regards,
    nemo_outis, Dec 9, 2005
    #2

  3. Just A. User

    Just A. User Guest

    Thanks for your reply.

    I too am using Serv-U as a server and tunnel via secure tunnel. But
    I'm not sure what domain IP address I should fill in and what FTP
    port number. I've been using 127.0.0.1 on port 21 (that's the socks
    proxy I guess) but not sure that this is working correctly. As you
    can tell, not the most experienced in this area.

    For the client, I'm using WS_FTP Pro, but I don't think it supports
    this feature. I'm going to try the FlashFXP that you recommended.
    But I'll probably need some help getting it into the tunnel too.

    Maybe someone can attach screen shots? I would ask secure tunnel
    directly, but their service on such matters really sucks. That's why I
    asked if anyone was familiar with Secure Star and their new tunnelling
    service.

    Thanks!!

    Just A. User, Dec 9, 2005
    #3
  4. Just A. User

    nemo_outis Guest

    Just A. User wrote:

    > Thanks for your reply.
    >
    > I too am using Serv-U as a server and tunnel via secure tunnel. But
    > I'm not sure what domain IP address I should fill in and what FTP
    > port number. I've been using 127.0.0.1 on port 21 (that's the socks
    > proxy I guess) but not sure that this is working correctly. As you
    > can tell, not the most experienced in this area.
    >
    > For the client, I'm using WS_FTP Pro, but I don't think it supports
    > this feature. I'm going to try the FlashFXP that you recommended.
    > But I'll probably need some help getting it into the tunnel too.
    >
    > Maybe someone can attach screen shots? I would ask secure tunnel
    > directly, but their service on such matters really sucks. That's why I
    > asked if anyone was familiar with Secure Star and their new tunnelling
    > service.
    >
    > Thanks!!
    >



    Servu directly supports SSL/TLS. Say, for simplicity, that you set it up
    to ONLY use implicit SSL. Generate your own certificate (read the servu
    docs).

    Assuming you are behind a router and your WAN IP is xxx.xxx.xxx.xxx and
    your LAN IP is yyy.yyy.yyy.yyy (perhaps in the 192 series) you would set
    Servu up to respond on 127.0.0.1 and some port (zzzz, say - it doesn't
    much matter) in PASV mode with a range of ports for the data channel (I
    use 5001-5049) using xxx.xxx.xxx.xxx as the announced "callback" IP.

    You would set your router to listen on some FTP port (I don't like 21 -
    tips off the ISP; pick something like 1333, unless you think you'll have
    firewall problems at the other end when trying to access your site) and
    map/forward it through the router as zzzz (to yyy.yyy.yyy.yyy) to match
    where servu is listening on the LAN side. Also make sure the router
    won't block your data ports (the 5000 series). Incidentally, there's
    usually no reason why the LAN port zzzz cannot be the same as the WAN
    port (1333 in my illustrative case).

    Create a user with appropriate name, password, directory access, etc.

    So much for the server side.

    I'll assume we won't bother with client-side certificates but rely on
    passwords. Set your client up (ws_ftp works just fine, no need to switch
    to flashfxp) to only use implicit ssl when talking to your home server.

    Put your servu site's parameters into ws_ftp site manager using
    "ftp/implicit SSL" as the connection type, xxx.xxx.xxx.xxx as the server
    address, PASV as the mode, the right name and password, and in the
    advanced submenu change the port to servu's wan-side port (1333 in our
    case). It's also worthwhile to check the 128-bit security box under
    "advanced" "SSL". You're done!

    This setup would allow you to, say, exchange encrypted files to and from
    your home server from work. Be aware, however, that, although the
    sysadmin will not know *what* you are transferring, he will know *that*
    you are transferring (unless he's completely asleep at the switch). You
    are secure but NOT stealthy! Check out if this will draw heat in your
    circumstances!

    Regards,
    nemo_outis, Dec 9, 2005
    #4
  5. Re: How do I FTP via a secure tunnel (set up instructions requested

    Just A. User wrote:

    > Thanks for your reply.
    >
    > I too am using Serv-U as a server and tunnel via secure tunnel. But I'm
    > not sure what domain IP address I should fill in and what FTP port
    > number. I've been using 127.0.0.1 on port 21 (that's the socks proxy I


    No, that's Serv-U itself. 127.0.0.1 is the "loopback" interface, or a sort
    of virtual connection back to the same machine. If you're entering this in
    Serv-U's configuration you're telling it to only accept connections from
    that same machine (your copy of WSFTP) on port 21. If this is what you're
    entering in WSFTP to connect, it simply means you're telling that client
    to connect to the FTP server running on the same machine.

    > guess) but not sure that this is working correctly. As you can tell, not
    > the most experienced in this area.


    This is why I think you need to understand that what you're trying to do
    is essentially impossible as you've described it. Outgoing connections are
    a snap to take care of, but incoming connections take some real work.
    You're not going to do it with simple SSH tunneling alone. It's not
    possible without third party help, and even then it's anything but secure
    or anonymous.


    >
    > For the client, I'm using WS_FTP Pro, but I don't think it supports this
    > feature. I'm going to try the FlashFXP that you recommended. But I'll
    > probably need some help getting it into the tunnel too.
    >
    > Maybe someone can attach screen shots? I would ask secure tunnel
    > directly, but their service on such matters really sucks. That's why I
    > asked if anyone was familiar with Secure Star and their new tunnelling
    > service.
    >
    > Thanks!!
    Borked Pseudo Mailed, Dec 9, 2005
    #5
  6. Just A. User

    Just A. User Guest

    Warmest thanks for your help.

    Just A. User, Dec 10, 2005
    #6