HPE Community
Operating System - HP-UX
1752565 Members
5086 Online
108788 Solutions
New Discussion юеВ

Re: customer support FTP server

 
SOLVED
Go to solution
Rick Garland
Honored Contributor

тАО07-30-2009 05:22 AM

тАО07-30-2009 05:22 AM

customer support FTP server

Hi all:

Looking for ideas on how to setup a customer support FTP server. I like the way HP does it when you call in for support - a chroot jailed account is created with the account login/passwd sent to you. Seems fairly quick.

Setting up the FTP server is done, it resides in the DMZ and the access is restricted.

We are using vsftpd as the FTP application.

So what I am looking for - the support personnel will receive a call from a customer. Log files need to be transferred via FTP to a jailed FTP account. The support personnel will create the chroot FTP account with a passwd and send that to the customer.

I use the HP model as an example. If there are better ways/ideas I greatly appreciated the input.

Many thanks!
0 Kudos
Reply
5 REPLIES 5
Mel Burslan
Honored Contributor

тАО07-30-2009 05:33 AM

тАО07-30-2009 05:33 AM

Solution

Re: customer support FTP server

There is the way IBM's software support does the things. The login is anonymous but unless you know the file name or directory level name, you can not do squat. ls command does not produce any output. They just send you instructions:

cd /pub/new/directory/level
get exactfilename.gz

and you are golden. If you want to explore what else might be in this cd /pub/new/directory/level, well, you are out of luck :)

This is another way of doing than rather than creating volatile accounts and having to remember to delete them.
________________________________
UNIX because I majored in cryptology...
Reply
Rick Garland
Honored Contributor

тАО07-30-2009 05:46 AM

тАО07-30-2009 05:46 AM

Re: customer support FTP server

Thanks Mel

Thats the way we do it now. All customer logins are anonymous and are placed into the incoming directory. The customer cannot see any directories. The customer can create a subdirectory (still cannot be seen) and then can cd down into the newly created subdir and upload file(s). The contents are now visible to the anonymous user.
0 Kudos
Reply
Volker Borowski
Honored Contributor

тАО07-30-2009 09:09 AM

тАО07-30-2009 09:09 AM

Re: customer support FTP server

Hi Rick

FTP nowadays is often a problem when
security is tight at the customer site.

If your audience is mostly sysadmins, you might be fine. If you are involved with application support, you might want to utilize a http-Upload.

I was working the other (customer) side on
a SAP/Oracle support Call in a bank, where
SAP/Oracle people (me) have been strongly
seperated from the sysadmins and the networking and the firewall people.

Getting outbound ftp access for me would have been quite an act of administration.

But in that case, I got an http upload-link where I could upload up to 400MB (zip or tar file) via http. That was quite comfortable.

Unfortunately I do not know what product they use for that.

Volker
Reply
Rick Garland
Honored Contributor

тАО07-30-2009 09:21 AM

тАО07-30-2009 09:21 AM

Re: customer support FTP server

Volker:

You are right and this was a concern I brought up in a meeting with the engineers. Some customers are closing the FTP and other non-secure ports. A solution to this that was proposed was to use sftp in a chroot jail as well. I am still going to push this. The http upload was brought up as well and this could still be an option that is implemented.

0 Kudos
Reply
Rita C Workman
Honored Contributor

тАО07-30-2009 11:27 AM

тАО07-30-2009 11:27 AM

Re: customer support FTP server

We do similar to HP's. We create chroot accounts for all external access to our FTP server. But we do not email passwords. We email their account is set up and the contact information of the Admin(s) who they can call to get the password.
The FTP server is DMZ'd and the only allow open the ports for ftp/sftp. Externally we lock everything else down, telnet included. From outside we do NOT allow the root account ftp access. (Not even me...) There is a separate chrooted regular-name account if root needs to drop something while outside.

We require all file transfers be done using sftp, so everything is encrypted.

We allow only limited access internally to the box as well. Any automated processes that must hit the box are controlled by one special account and that is tightly controlled as well.

So far, UNIX maintains control of the security on the box, so internally only a couple people have control of it. Sometimes I think it's over-kill, but we've passed the security audits.

Regards,
Rita
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.