Closed fennectech closed 6 years ago
Yeah I agree that running this as anonymous is far from ideal but I don't think ftp-auth is going to help very much.
We're running this in a local network and ftp is unencrypted.
That means that any attacker (in the local network) can find out the credentials anyway by MITMing a valid FTP connection and reading the password from that.
I'll likely look into auth but I think that in this situation it would only give a false sense of security.
There are even easy-to-use Android apps which will automatically MITM the traffic without the attacker even having to know what they're doing.
Once it's possible to show stuff on screen as a sysmodule, an "IP is trying to connect to your Switch through FTP, is that ok?" popup would be nice, but even that wouldn't completely protect from MITM.
Any security is better than none. Having FTP auth is a bare minimum and would stop the majority of attacks. It won't stop MITM, but that's a much more advanced attack. It will stop someone poking around on the network from connecting to your FTP service. It's the difference between having no lock and a crappy lock. If you're just connecting to a hotel WiFi to go online and not connecting to the FTP server (which is most of the time with something like this), it's pretty impenetrable.
I did a quick/dirty patch over this to enforce basic auth; I'm not sure the behavior/return codes 100% match FTP standards though.
The username must be equal to __AUTH_USER__ and the password to __AUTH_PASS__.
While this is clearly not PR-ready, I leave this here as a working example.
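For reference on the reply codes the patch above was unsure about, here is an added example (not sys-ftpd code and not p-sam's patch) of a minimal RFC 959 login state machine in C: 331 after USER, 230 after a correct PASS, 530 for a wrong password or for any command sent before login, 503 for PASS without a preceding USER. The credentials, the `ftp_session`/`ftp_auth_handle` names and the constant-time string compare are this example's own assumptions. It does nothing about the plaintext problem raised earlier in the thread: USER and PASS still cross the wire in the clear, so a MITM on the same LAN reads them as easily as anonymous would have been.

```c
/*
 * Added example, not sys-ftpd code: a minimal RFC 959 USER/PASS state machine.
 * Credentials, type and function names are assumptions made for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed credentials; the real patch used the __AUTH_USER__/__AUTH_PASS__ placeholders. */
static const char *AUTH_USER = "switch";
static const char *AUTH_PASS = "hunter2";

typedef enum {
    FTP_NEED_USER,   /* no USER received yet */
    FTP_NEED_PASS,   /* USER received, waiting for PASS */
    FTP_LOGGED_IN
} ftp_auth_state;

typedef struct {
    ftp_auth_state state;
    int user_ok;     /* whether USER matched; result is deferred until PASS so names cannot be enumerated */
} ftp_session;

/* Compare two strings in time independent of where they first differ. */
static int ct_str_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/*
 * Handle one control-connection line ("VERB arg\r\n").
 * Returns the 3-digit reply code written into reply, or 0 when the session is
 * already authenticated and the caller should dispatch the command normally.
 */
int ftp_auth_handle(ftp_session *s, const char *line, char *reply, size_t reply_len)
{
    char verb[5] = {0};
    char arg[256];
    size_t i = 0, vlen = 0, n = 0;

    /* FTP verbs are case-insensitive; anything longer than 4 chars is unknown. */
    while (line[i] && line[i] != ' ' && line[i] != '\r' && line[i] != '\n') {
        if (vlen < 4) verb[vlen] = (char)toupper((unsigned char)line[i]);
        vlen++; i++;
    }
    if (vlen > 4) verb[0] = '\0';
    while (line[i] == ' ') i++;
    while (line[i] && line[i] != '\r' && line[i] != '\n' && n < sizeof arg - 1) arg[n++] = line[i++];
    arg[n] = '\0';

    int code; const char *text;
    if (strcmp(verb, "USER") == 0) {
        s->user_ok = ct_str_eq(arg, AUTH_USER);
        s->state = FTP_NEED_PASS;
        code = 331; text = "Password required";      /* same reply for any name */
    } else if (strcmp(verb, "PASS") == 0) {
        if (s->state != FTP_NEED_PASS) { code = 503; text = "Login with USER first"; }
        else {
            int pass_ok = ct_str_eq(arg, AUTH_PASS);  /* always evaluated, even for a bad USER */
            if (s->user_ok & pass_ok) { s->state = FTP_LOGGED_IN; code = 230; text = "Login successful"; }
            else { s->state = FTP_NEED_USER; s->user_ok = 0; code = 530; text = "Login incorrect"; }
        }
    } else if (strcmp(verb, "QUIT") == 0) {
        code = 221; text = "Goodbye";
    } else if (s->state != FTP_LOGGED_IN) {
        code = 530; text = "Please login with USER and PASS";
    } else {
        return 0;  /* authenticated: not an auth command, dispatch normally */
    }
    snprintf(reply, reply_len, "%d %s\r\n", code, text);
    return code;
}

int main(void)
{
    ftp_session s = { FTP_NEED_USER, 0 };
    char reply[128];
    /* Constructed client script: a pre-login LIST, a bad password, then a good login. */
    const char *script[] = { "LIST\r\n", "USER switch\r\n", "PASS wrong\r\n",
                             "USER switch\r\n", "PASS hunter2\r\n", "LIST\r\n" };
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++) {
        int code = ftp_auth_handle(&s, script[i], reply, sizeof reply);
        if (code) printf("C: %sS: %s", script[i], reply);
        else printf("C: %sS: (dispatched to normal handler)\n", script[i]);
    }
    return 0;
}
```

A failed PASS drops the session back to needing USER, and an unknown USER still gets 331 so the wrong-name and wrong-password paths are indistinguishable to the client; both compares run on every PASS for the same reason.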
Ftpd can now be toggled with plus+minus+x and sounds are played on connect/disconnect.
I'll leave this open for now since auth is still not a thing but the situation is much better now.
Good stopgap for now! We should keep the client notifications even after auth is implemented! I suggest storing the FTPD folder in /modules as that's where we seem to be storing hekate-related stuff.
Hey @p-sam, do you think you could update your patch to the latest master? It doesn't apply and I don't have access to my build box at the moment.
While the patch suffices for my own needs, it's not done properly and probably doesn't match what most FTP clients expect when the password or the username is typed wrong. I'd prefer not to distribute another version of it, but if you want it to work again, when you get back to a computer with git available you can just check out a commit from around the time it was made, and then rebase onto master.
It’s still much better than nothing. But okay.
Closing this in favor of #17
We just need one issue open about this topic.
I didn't intend that one to be an issue where discussion is done, just where I maintain the patches.
Anonymous won't do with something like this.