Public SFTP Server

HarambeLives

Contributor
Joined
Jul 19, 2021
Messages
153
I currently have a Docker container running on a different system, just a basic SFTP server. I have it set to key auth + passphrase, it's open to the world on port 8000, and it only has access to write to one folder on my NAS.

This lets me use an application on my phone to upload all of my pictures to a folder. I use it ALL THE TIME, and since it's key-based auth + passphrase + such a limited amount of access anyway, it's very low risk.

Is this something that would suit being set up in a jail? Or should I leave it on the other system in Docker? I don't know much about how jails work, or whether there is any more risk.
 

ChrisRJ

Wizard
Joined
Oct 23, 2020
Messages
1,919
Personally, I would be very careful with something like this. I agree with you that this kind of setup is generally relatively secure. But on the other hand, how many secure setups have been compromised?

When I had something similar, it was a VM for better isolation (relative to Docker) running in a separate DMZ VLAN. It had its own data store and only inbound connections were allowed. A script from another machine would then open a connection into the DMZ machine and move files onto my NAS.

I did this simply because I do not trust myself to know enough in this area. If you know more, all the better :smile:
 

aberlna99

Cadet
Joined
Aug 23, 2021
Messages
2
I'm dealing with some not-so-tech-savvy guys trying to connect to our sftp server. I'd like to be able to point them to some sort of public sftp server to test. something like adobe or microsoft, etc so they can test connectivity. I'm having the dangdest time finding one though (that I can use a generic login for at least). anyone know of one? thanks! -E
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Not sure why someone would have a SFTP server with a public password. kind of defeats the purpose.

I'd suggest something indirect like an iCloud shared folder, Dropbox, or whatever, and the eventual owner downloading and deleting the content from there rather than trying to host something yourself. No matter how secure a connection, I'd be loath to have anything permanently open with a password challenge unless bad logins lead to autobans after the third failed attempt. Even then, I'd prefer certificate-based logins combined with an automatic autoban, if possible.
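The autoban idea in the post above can be checked against an sshd log before any firewall rule is wired up. The following is an added example, not code from any poster or from TrueNAS: a small POSIX shell function that counts failed logins per source address and lists the addresses at or above a threshold (default 3, matching the "third failed attempt" rule). The log lines are constructed sample data; set LOG_FILE to read a real auth log instead.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not captured from any real host).
SAMPLE_LOG='Aug 23 10:01:02 sftp sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 23 10:01:05 sftp sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Aug 23 10:01:09 sftp sshd[311]: Failed password for root from 203.0.113.7 port 51024 ssh2
Aug 23 10:02:00 sftp sshd[320]: Accepted publickey for phone from 198.51.100.4 port 40000 ssh2
Aug 23 10:03:11 sftp sshd[325]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2'

# Emit the log to scan: a real file if LOG_FILE is set, else the sample above.
log_source() {
  if [ -n "${LOG_FILE:-}" ]; then
    cat "$LOG_FILE"
  else
    printf '%s\n' "$SAMPLE_LOG"
  fi
}

# Print "count ip" for every source address with at least $1 failed logins
# (default 3). Only sshd "Failed ..." lines are counted; accepted logins are ignored.
offenders() {
  threshold="${1:-3}"
  log_source \
    | grep 'sshd\[[0-9]*\]: Failed ' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Addresses only, one per line: the shape a firewall table or blocklist expects.
offender_ips() {
  offenders "$1" | awk '{ print $2 }'
}
```

Running `offenders 3` against the sample data lists only 203.0.113.7 (three failures); 192.0.2.9 has a single failure and the key-based login from 198.51.100.4 is never counted. Feeding `offender_ips` into a pf table or a fail2ban-style action is the autoban half, which this example deliberately stops short of.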
 

IOSonic

Explorer
Joined
Apr 26, 2020
Messages
54
I currently have a Docker container running on a different system, just a basic SFTP server. I have it set to key auth + passphrase, it's open to the world on port 8000, and it only has access to write to one folder on my NAS.

This lets me use an application on my phone to upload all of my pictures to a folder. I use it ALL THE TIME, and since it's key-based auth + passphrase + such a limited amount of access anyway, it's very low risk.

Is this something that would suit being set up in a jail? Or should I leave it on the other system in Docker? I don't know much about how jails work, or whether there is any more risk.

I just saw @HarambeLives 's original post, and it makes me think. Does the jail process (iocage, methinks) run under the root persona? I've seen a few Docker hosts set up this way and it makes me cringe. Curious to know whether a vulnerability in the application could let a bad actor pwn the whole system...
 
Joined
Jun 2, 2019
Messages
591
1. Don't use public facing SFTP server
2. Use a VPN
3. Connect to your drives using SMB while connected to VPN

I do this all the time on my iOS devices using the native Files app. It really couldn't be much easier.
 

aberlna99

Cadet
Joined
Aug 23, 2021
Messages
2
I'm dealing with some not-so-tech-savvy guys trying to connect to our sftp server. I'd like to be able to point them to some sort of public sftp server to test. something like adobe or microsoft, etc so they can test connectivity. I'm having the dangdest time finding one though (that I can use a generic login for at least). anyone know of one? thanks! -E
Connect to your drives using SMB while connected to VPN? How does this happen?
 
Joined
Jun 2, 2019
Messages
591
Connect to your drives using SMB while connected to VPN? How does this happen?
1. Install/enable a VPN server on your home LAN. I use an IPsec VPN server
2. Install/configure a VPN client on the iOS device. iOS supports IPsec natively
3. Connect to the VPN
4. Access your TrueNAS shares. Files app, Connect to Server, smb://{ip or hostname}

Works anywhere in the world and even at 35,000 feet
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I just saw @HarambeLives 's original post, and it makes me think. Does the jail process (iocage, methinks) run under the root persona? I've seen a few Docker hosts set up this way and it makes me cringe. Curious to know whether a vulnerability in the application could let a bad actor pwn the whole system...
There is no singular jail process. Iocage is just the manager, all the heavy lifting is done in the kernel.

Root in the jail is not root in the host and, conceptually, an exploited jail cannot affect the host beyond the resources made available to it. Of course, vulnerabilities in the jailing mechanism itself are possible.
 

HarambeLives

Contributor
Joined
Jul 19, 2021
Messages
153
1. Don't use public facing SFTP server
2. Use a VPN
3. Connect to your drives using SMB while connected to VPN

I do this all the time on my iOS devices using the native Files app. It really couldn't be much easier.

I don't really see how a VPN is any more secure than SSH/SFTP with key-based auth + passphrase and very locked-down permissions.

In fact, it might be less secure unless you lock down that VPN (and then I'd need multiple VPN profiles).
 

hexel

Cadet
Joined
Jul 13, 2022
Messages
8
I currently have a Docker container running on a different system, just a basic SFTP server. I have it set to key auth + passphrase, it's open to the world on port 8000, and it only has access to write to one folder on my NAS.

This lets me use an application on my phone to upload all of my pictures to a folder. I use it ALL THE TIME, and since it's key-based auth + passphrase + such a limited amount of access anyway, it's very low risk.

Is this something that would suit being set up in a jail? Or should I leave it on the other system in Docker? I don't know much about how jails work, or whether there is any more risk.
I am planning to do exactly the same thing for my NAS, since I need to get my CCTV recordings sent from the other side of the country to my home server. As I don't want to run SFTP directly from the TrueNAS, I was planning to install an SFTP server in Docker and go through that like you did.

The question is, which Docker image did you use? I just tried this https://hub.docker.com/r/atmoz/sftp and cannot get it deployed.
If you have time, I would appreciate seeing your setup and how you did it. Thanks!
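As an added example (not the original poster's configuration, which was only offered by PM, and not code from the atmoz/sftp project), here is a POSIX shell helper that builds a `docker run` line for the image linked above in the shape the thread describes: one user, key-only login, one bind-mounted upload folder, exposed on host port 8000. The container paths `/home/<user>/.ssh/keys/` and `/home/<user>/<dir>` and the `user:pass:uid:gid:dir` argument format follow the atmoz/sftp README; it is assumed here that an empty password field leaves the account with no usable password, so only the mounted key works. The second function guards against the one mistake that silently ruins this setup: bind-mounting the private key instead of the public one.

```shell
#!/bin/sh
# Build (but do not run) the docker command for a single key-only SFTP user.
#   $1 user name   $2 uid   $3 host port   $4 public key file   $5 host upload dir
# Assumptions: atmoz/sftp layout (/home/<user>/.ssh/keys, /home/<user>/upload) and
# that "user::uid:gid:dir" (empty password) means key authentication only.
sftp_docker_cmd() {
  user="$1"; uid="$2"; port="$3"; key="$4"; upload="$5"
  printf 'docker run -d --name sftp-%s --restart unless-stopped' "$user"
  # Only the SSH port is published; nothing else in the container is reachable.
  printf ' -p %s:22' "$port"
  # Public key mounted read-only so the container can never modify it.
  printf ' -v %s:/home/%s/.ssh/keys/%s.pub:ro' "$key" "$user" "$user"
  # The one directory the user may write to; it must be owned by $uid on the host.
  printf ' -v %s:/home/%s/upload' "$upload" "$user"
  printf ' atmoz/sftp %s::%s:%s:upload\n' "$user" "$uid" "$uid"
}

# Return 0 only if the file starts like an OpenSSH public key line; anything
# else (notably a "-----BEGIN ... PRIVATE KEY-----" file) is rejected.
is_public_key() {
  first="$(head -n 1 "$1" 2>/dev/null)"
  case "$first" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-ssh-ed25519*|sk-ecdsa-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the command only after the key file passes the check.
sftp_safe_cmd() {
  if is_public_key "$4"; then
    sftp_docker_cmd "$@"
  else
    printf 'refusing: %s is not an OpenSSH public key\n' "$4" >&2
    return 1
  fi
}

# Example with constructed values (set SFTP_SHOW_EXAMPLE=1 to print it).
if [ "${SFTP_SHOW_EXAMPLE:-0}" = 1 ]; then
  sftp_safe_cmd phone 1001 8000 /root/keys/phone.pub /mnt/tank/photos
fi
```

Two host-side details the command cannot enforce for you: the upload directory must be owned by the numeric uid you pass (the container has no idea what user names mean on the NAS), and the user's home directory inside the container stays root-owned, which is what lets sshd chroot the session to it.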
 

HarambeLives

Contributor
Joined
Jul 19, 2021
Messages
153
That's the exact one I used, if you want you can PM me and I can try screenshot as much as I can for my configuration. It was quite easy once I realized what I needed to do
 

hexel

Cadet
Joined
Jul 13, 2022
Messages
8
That's the exact one I used, if you want you can PM me and I can try screenshot as much as I can for my configuration. It was quite easy once I realized what I needed to do
Thanks for your reply!
But so far I cannot use SFTP, since I changed the camera model that I had in mind, and the new one doesn't support SFTP. https://www.milesight.com/product/ai-vandal-proof-mini-dome-camera But it had some other features that were necessary to me in this case.

So yeah, I'm still trying to figure out how I transfer recorded videos remotely from another city to my home TrueNAS. At the moment the camera records only to an SD card and is viewable remotely from the Android app (built-in DDNS).

In the camera control panel it's possible to send videos via FTPS or NAS (SMB). I was wondering, will FTPS work in this case similarly to yours?
Because I have no idea other than setting up a VPN in order to use SMB securely, which will need more equipment at the source location.

Thoughts? And thanks.
 