What are some secure alternatives to FTP? [closed]

security ftp sftp

This Hacker News story is all about the downsides of FTP. The only reason I might set up FTP is that it's easy.

I know about and use scp already, but sometimes I want to share files with someone without giving them ssh access to my server. I want them to be able to upload and download files, but nothing else, and I want to restrict them to a single directory. I also want their connection to be encrypted like ssh.

What are some alternatives to FTP that meet these criteria?


Proftpd has a built-in sftp server that would allow you to completely segregate users from sshd for the purposes of file transfers. You can set it up so that it uses a completely separate passwd file to even further isolate them (it's hard to login to a system with ssh and break through a chroot if you don't actually have a user in /etc/passwd ...)

proftpd also allows you to chroot and isolate the sftp user to a set of directories pretty easily.

We do something like this:

LoadModule mod_sftp.c

<VirtualHost 10.1.1.217>

    ServerName  "ftp.example.com"

    # from http://www.proftpd.org/docs/howto/NAT.html
    MasqueradeAddress   1.2.3.4
    PassivePorts 27001 27050

    UseSendfile off

    ExtendedLog         /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog         /var/log/proftpd/auth.log AUTH auth

    AuthUserFile /etc/proftpd/AuthUsersFile
    AuthOrder           mod_auth_file.c 

    <IfModule mod_sftp.c>
        Port 10022
    SFTPAuthorizedUserKeys file:/etc/proftpd/ssh_authorized_keys/%u
        SFTPEngine On
        SFTPLog /var/log/proftpd/sftp.log
        SFTPHostKey /etc/ssh/proftpd-ssh_host_rsa_key
        SFTPHostKey /etc/ssh/proftpd-ssh_host_dsa_key
        MaxLoginAttempts 6
    </IfModule>
</VirtualHost>

I would use WebDav with a https enabled server! The authentication is then base on the standard http authorization scheme. A guide to set up webdav with apache can be found here then it is only neccessary to put that resource behind https, and here I found a nice description how to do that.

Related

Bidirectional real-time sync of large file tree between two distant linux servers
How do I prevent TCP connection freezes over an OpenVPN network?
Creating an EC2 AMI Image from a running instance vs. from a volume snapshot
Get rsync to generate a patch file instead of copying across files?
How to uninstall git installed from the source? [closed]
KVM/qemu - use LVM volumes directly without image file?
How do I update YUM repositories? [closed]
Relationship between bastion host and jump host
What is /var/empty and why is this directory used by sshd?
Configuration management: push versus pull based topology
Easiest way to set up LDAP for dev testing
Linux memory fragmentation