rejetto forum

Security related requests

SamePaul

I've checked the 'TODO' list, but I didn't find some features (maybe I've missed something - sorry for the repeat)

- hide folders that the currently logged-in user is not allowed to access. I believe that the less they see, the less they will attempt to intrude :)
- limit an account to a specific subnet. For example, I want to create a privileged account for the local subnet (192.168.X.X) but I don't want this account to be available to external users at all... Well, I was thinking not about a private subnet, but about localhost (127.0.0.1). For SSL, you know ;D


Giant Eagle

> - hide folders that the currently logged-in user is not allowed to access. I believe that the less they see, the less they will attempt to intrude :)

It's already implemented ;D
Menu --> Virtual File System --> List protected items only for allowed users

As for the other suggestion, it might not be a bad thing ;D but I'd rather see some progress on the external folder creation and file deletion :)

//edit: forgot a word >_<
« Last Edit: May 20, 2007, 09:12:44 PM by Giant Eagle »


SamePaul

> - hide folders that the currently logged-in user is not allowed to access. I believe that the less they see, the less they will attempt to intrude :)
>
> It's already implemented ;D
> Menu --> Virtual File System --> List protected items only for allowed users

Thanks.

> as for the other suggestion, might not be a thing ;D but I rather see some progress on the external folder creation and file deletion :)

Oh yeah!! And return home one day and see that someone broke into your computer and deleted everything that was possible, just because someone happened to successfully sniff your password when you logged in without SSL. I pray that rejetto will not implement it before the user accounts scheme becomes more flexible.
I believe we should think about security first.

BTW, once we have server-side scripting we'll have creation, deletion, dynamic content and tons of other stuff ;)


Giant Eagle

True, but I think HFS is meant for simple file sharing purposes only, not to store precious files that have a high value to you. I'd rather use a different program that is more secure to host something like that. But unfortunately, a simple file sharing program is all that I need :). I host my template and some music, so it's not life-threatening IF it gets deleted. ;D

My server has been up and running for almost 6 months now, and I haven't run into any attempts to break in or whatsoever. (*knocks on a wooden desk*) It's just doing its job as a small but perfect file server, but one thing that somewhat bothers me is that I have to remotely log into my server if I want to delete a file or add a new folder =).


SamePaul

Well... I personally don't bother about server-side scripting. HFS is exactly what I needed. And I use HFS primarily for myself.

Till yesterday I used an FTPS server (FTP with SSL), but the problem was that FTPS:
* requires a special FTPS client
* does not work via proxy, so I had to fall back to regular FTP if I needed something from my workplace.

On the other hand, HTTPS is supported by any modern browser and works perfectly via proxy.

So during the time I used FTPS I encountered mild attacks every day. Not that they were very successful... :) But HTTP is much more prone to hacker attacks than anything else due to its spread. I don't want to play with fire more than is necessary.

And you said - HFS is primarily a file server. I agree, but this means that security matters the most. So if I create an account that can access (not even delete) something sensitive for me, I would like to limit it at least to go over SSL only. In the case of HFS it means "limit to localhost". But if we are talking about a new feature, let's define it more generally - limit to subnet :) It can be useful not only for the SSL scheme.

Sincerely I could do it by myself, but it is in Pascal...


traxxus

Um...

If you use a router, open only the SSL port and that's it?
traxxus.dyndns.org:100


SamePaul

First of all - I'm not behind a router. But it does not matter. If I wanted to make my server HTTPS-only, there is a well-known solution for this without routers, firewalls or whatsoever.
But I DO want to share something without access restriction. And HTTPS is not the best way, since the certificate I have is NOT trusted by default. So imagine people trying to see a picture from my server and they see popups saying "Untrusted certificate" and other warnings. This makes a bad impression of hijacking. So I do want to give access to HFS via HTTP for anonymous users and only via HTTPS for authenticated users.
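
Added example, not part of the original posts and not HFS code: a sketch of the "limit account to subnet" check requested in this thread, which also covers the "HTTP for anonymous, HTTPS only for authenticated users" case when the SSL wrapper runs on the same host. The account names, the policy table and the function names are assumptions made for illustration.

```python
import ipaddress

# Hypothetical per-account policy (constructed): account -> networks it may
# log in from. Accounts without an entry are unrestricted (anonymous browsing).
ACCOUNT_NETWORKS = {
    "admin": ["127.0.0.0/8", "::1/128"],   # only via the SSL wrapper on this host
    "family": ["192.168.0.0/16"],          # local subnet only
}

def normalize(peer):
    """Parse the socket peer address, unwrapping IPv4-mapped IPv6 forms."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped            # ::ffff:192.168.1.20 -> 192.168.1.20
    return addr

def login_allowed(account, peer, policy=ACCOUNT_NETWORKS):
    """True if `account` may authenticate from TCP peer address `peer`.

    `peer` must come from the accepted socket, never from a client-supplied
    header such as X-Forwarded-For.
    """
    try:
        addr = normalize(peer)
    except ValueError:
        return False                       # unparsable address: fail closed
    nets = policy.get(account)
    if nets is None:
        return True                        # no restriction configured
    # Membership is False when address and network families differ.
    return any(addr in ipaddress.ip_network(n) for n in nets)

# Constructed login attempts: (account, peer address seen on the socket).
ATTEMPTS = [
    ("admin", "127.0.0.1"),
    ("admin", "203.0.113.7"),
    ("family", "::ffff:192.168.1.20"),
    ("anonymous", "203.0.113.7"),
    ("family", "not-an-ip"),
]

def evaluate(attempts=ATTEMPTS):
    return [login_allowed(a, p) for a, p in attempts]

if __name__ == "__main__":
    for (acct, peer), ok in zip(ATTEMPTS, evaluate()):
        print(f"{acct:9} {peer:22} {'allow' if ok else 'deny'}")
```

A loopback-only rule treats every local process as trusted, so it enforces "SSL only" just as long as nothing else on the host forwards outside traffic to the plain HTTP port.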


