FTP server or something else?

Status
Not open for further replies.
Something

Something

Explorer
Joined
Jan 31, 2015
Messages
93
I have files that I would like to locally host on my FreeNAS box to share with others over the internet (but nothing else, not my backups or Jails or anything else). Is it possible to securely share these files (password authentication required?) via FTP while allowing these files to be accessible by browser (no website hosting / WinSCP / SSH required)?

Is there another solution that can do what I want?
 
pirateghost

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
One thing you should know:

FTP is not secure. Even with password authentication. FTP transmits passwords in clear text.

SFTP is doable easily, but would require a client like filezilla.
 
Something

Something

Explorer
Joined
Jan 31, 2015
Messages
93
pirateghost said:
One thing you should know:

FTP is not secure. Even with password authentication. FTP transmits passwords in clear text.

SFTP is doable easily, but would require a client like filezilla.
Click to expand...
So the only way i'll be able to securely connect to the NAS over the internet for file sharing purposes is with a client?

Will files be visible in the SFTP without signing in?
 
pirateghost

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Something said:
So the only way i'll be able to securely connect to the NAS over the internet for file sharing purposes is with a client?

Will files be visible in the SFTP without signing in?
Click to expand...
VPN, SSH tunneling. Those are options too.

As for no login required for sftp? Set up keys on the client machines....

Your other options are:
Owncloud
Plex(if they only need access to media files)
Web server (in a jail or on another box using NFS/cifs to connect to the shares you want to serve)
 
DrKK

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Yes but, none of these are particularly secure (except VPN and tunnelling, which, if the user was sophisticated enough to put that together, he would never have asked us what he asked us, so that's a no-go), and they all induce quite large attack surfaces on your FreeNAS box.

The CORRECT procedure is to set up SSH/SFTP, as was originally suggested, and direct your users to use the appropriate clients to get access. Filezilla for windows is a good choice (also, Bitvise client). Any number of clients (e.g., AndFTP) for android, etc.etc.etc.

With this setup, your authentication is reasonably secure, and nothing is transmitted in plaintext.
 
Something

Something

Explorer
Joined
Jan 31, 2015
Messages
93
pirateghost said:
VPN, SSH tunneling. Those are options too.

As for no login required for sftp? Set up keys on the client machines....

Your other options are:
Owncloud
Plex(if they only need access to media files)
Web server (in a jail or on another box using NFS/cifs to connect to the shares you want to serve)
Click to expand...
I just want a more elegant solution I suppose. Something that preferably can be downloaded simply by browser. I'd prefer to have the file sharing be secure so not just anyone can access it (and it doesn't pose any risks to the other stuff I do with my NAS) but if need be that can be sacrificed.

DrKK said:
Yes but, none of these are particularly secure (except VPN and tunnelling, which, if the user was sophisticated enough to put that together, he would never have asked us what he asked us, so that's a no-go), and they all induce quite large attack surfaces on your FreeNAS box.

The CORRECT procedure is to set up SSH/SFTP, as was originally suggested, and direct your users to use the appropriate clients to get access. Filezilla for windows is a good choice (also, Bitvise client). Any number of clients (e.g., AndFTP) for android, etc.etc.etc.

With this setup, your authentication is reasonably secure, and nothing is transmitted in plaintext.
Click to expand...
What kind of VPN?

How big an avenue for attack is a Mumble server?
 
C

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You could do WebDAV with https, but many would argue how "secure" it is, etc.

I, personally, would never ever consider doing WebDAV except in situations where the security of the server, its OS, and the files on the server are unimportant and could be made publicly available with no consequence.

VPN and SSH/sftp is really the only options that people would call "secure".
 
Noctris

Noctris

Contributor
Joined
Jul 3, 2013
Messages
163
Have you considered using an owncloud jail? Clean and simpel interface, has all features for granual file permissions and sharing and could easily run through https. Works in browser.

Sent from my HTC One_M8 using Tapatalk
 
Something

Something

Explorer
Joined
Jan 31, 2015
Messages
93
cyberjock said:
You could do WebDAV with https, but many would argue how "secure" it is, etc.

I, personally, would never ever consider doing WebDAV except in situations where the security of the server, its OS, and the files on the server are unimportant and could be made publicly available with no consequence.

VPN and SSH/sftp is really the only options that people would call "secure".
Click to expand...
Just how secure is VPN + SFTP with regards to the server, OS, and files?

Only the files in the FTP i'm comfortable with being made public, nothing else.

Noctris said:
Have you considered using an owncloud jail? Clean and simpel interface, has all features for granual file permissions and sharing and could easily run through https. Works in browser.

Sent from my HTC One_M8 using Tapatalk
Click to expand...
I haven't, does it pose a significant risk to the rest of my data?
 
depasseg

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
security comes down to how well you trust the users. If you are going to give them VPN access, that is like inviting them over and letting them plug into your home network. If you are good with that, then great. If not, then you are going to need to implement some firewall rules on your router, so after they VPN, they can only use SFTP to go to your FreeNAS server.

The problem I have with exposing FTP, is that it is a huge security entry point. There are well known vulnerabilities that let malicious actors gain access to the server (let alone the insecurt FTP username/password protocol). The jails help isolate the damage, but that is a lot of trust. I would prefer something like owncloud or the VPN and FTP method. But it depends on your users.
 
Noctris

Noctris

Contributor
Joined
Jul 3, 2013
Messages
163
I largely agree with depasseg. The personal reason why i would go the owncloud route is that vpn is , in effect, letting someone inside your network. It means the vpn has to be wel configured so they 'cannot escape' the bubble you put them in.

When using the jail route ( for any protcol really) they would be limited to the storage you choose to share ( and thus mount to the jail) after that, it's a matter of protocols ( which have been addreses in thr previous posts). I did go the owncloud way a while back on one of our machines wherr we had to receive files from customers and i did not want to expose freenas itself to the internet. Vpn was out of the question since it was blocked by some customers it department ( and added a level of complexity for the customers who are typically non-tech) AND in the end allows people to 'step inside' , which i didn't want. Even if vpn access is restricted to a jail ftp ip.

Sent from my HTC One_M8 using Tapatalk
 
Something

Something

Explorer
Joined
Jan 31, 2015
Messages
93
depasseg said:
security comes down to how well you trust the users. If you are going to give them VPN access, that is like inviting them over and letting them plug into your home network. If you are good with that, then great. If not, then you are going to need to implement some firewall rules on your router, so after they VPN, they can only use SFTP to go to your FreeNAS server.

The problem I have with exposing FTP, is that it is a huge security entry point. There are well known vulnerabilities that let malicious actors gain access to the server (let alone the insecurt FTP username/password protocol). The jails help isolate the damage, but that is a lot of trust. I would prefer something like owncloud or the VPN and FTP method. But it depends on your users.
Click to expand...
Noctris said:
I largely agree with depasseg. The personal reason why i would go the owncloud route is that vpn is , in effect, letting someone inside your network. It means the vpn has to be wel configured so they 'cannot escape' the bubble you put them in.

When using the jail route ( for any protcol really) they would be limited to the storage you choose to share ( and thus mount to the jail) after that, it's a matter of protocols ( which have been addreses in thr previous posts). I did go the owncloud way a while back on one of our machines wherr we had to receive files from customers and i did not want to expose freenas itself to the internet. Vpn was out of the question since it was blocked by some customers it department ( and added a level of complexity for the customers who are typically non-tech) AND in the end allows people to 'step inside' , which i didn't want. Even if vpn access is restricted to a jail ftp ip.

Sent from my HTC One_M8 using Tapatalk
Click to expand...
Alright, owncloud it DEFINITELY is. Thank you both so much!
 
Status
Not open for further replies.

Important Announcement for the TrueNAS Community.

The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums.

Related topics on forums.truenas.com for thread: "FTP server or something else?"

Similar threads

A
Best server protocol for external file sharing?
Replies
7
Views
7K
blanchet
blanchet
Q
  • Locked
Help to setup FTP
Replies
12
Views
29K
snaptec
S
winnielinnie
SOLVED Deleted folder keeps re-appearing. (Anyone else notice this?)
Replies
2
Views
2K
winnielinnie
winnielinnie
M
FTP folder setup for external access
Replies
7
Views
10K
saudansari968
saudansari968
D
  • Locked
Cifs user not being created
Replies
5
Views
1K
Drogo
D
Top