Am I less secure now?

Posted:
in Genius Bar edited January 2014
So......just purchased new web space for a client. After receiving all username-password details etc, tried to log in using Transmit. No joy.... got a "could not retrieve list of files" error message.



Contacted hosting company. Here is the message I got from them.

"This will be a firewall or security software blocking connections to ports 20 & 21. Please configure your applications to accept connections via these ports and that you are using active mode - not passive."



Thought this, a little strange as I have connected with dozens of sites (some hosted with the same company) and never had to change any settings.



However, I did as they asked. Went to systPrefs-Sharing-Services and ticked the FTP Access box. I can now connect to the hosting server...no probs...however i am feeling a little uneasy about altering these settings.



Is it normal to access FTP hosting accounts this way?

And have I made my iMac less secure?



Thanks

Comments

  • Reply 1 of 7
    MarvinMarvin Posts: 14,223moderator
    Yeah, it will make your machine less secure but enabling any of the services does to some degree, which is why they are off by default. However, I wouldn't worry about it, it's not sending out an internet beacon or anything . People would still have to know you had ftp access and where your machine was and get by the password protection.



    I'm not entirely sure why you had to turn on the service though. I thought that was only if you were giving other people access to your machine. I know you would have to click the ftp option in the firewall panel if it was on because it would block standard ftp ports.



    For sites you tried before, they were likely using other ports - I think some use the http port 80, which is open by default so you wouldn't have to do anything.



    For extra piece of mind, you can always turn off the service when you are done connecting to your server.
  • Reply 2 of 7
    piotpiot Posts: 1,346member
    Quote:

    Originally posted by Marvin

    I'm not entirely sure why you had to turn on the service though. I thought that was only if you were giving other people access to your machine.



    Thanks Marvin. A bit of Googling turned up that some servers need to "talk" to you when connecting (active) and some don't (passive).



    I could have got that wrong though! Still a little troubled that this is the first time in about 50 sited that I have had to do this. Also concerned that my client will have to do the same. Never had to explain that to anyone before.



    Anyone else have any more info?
  • Reply 3 of 7
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by piot

    Thanks Marvin. A bit of Googling turned up that some servers need to "talk" to you when connecting (active) and some don't (passive).



    I could have got that wrong though! Still a little troubled that this is the first time in about 50 sited that I have had to do this. Also concerned that my client will have to do the same. Never had to explain that to anyone before.



    Anyone else have any more info?




    I've never come across an actual active-ftp server either. But if that indeed is what they have configured, here is how it is different:



    Normally, say with http, you do not have to open your port 80 because you send requests out through 80 and the machine is expecting a reply and it knows who the reply is supposed to be from; so it lets that reply through without you having to open port 80 (in fact, many ISPs close port 80 to cut down on individuals running servers).



    With active ftp, though, the initial command that you as the client sends does not expect an answer on port 20 - the server sends its answer to your port xxxx, where xxxx is a port number that your client specified in the request. Since the machine is not expecting unrequested packets on port xxxx, it will block them unless you explicitly open that port.



    It's a pain in the ass.
  • Reply 4 of 7
    Under NO circumstances, it is necessary to turn your own computer into a FTP server (= turning on FTP Access in SysPrefs -> Sharing) to be able to connect to a FTP server. That would be like having to run a webserver on your computer to be able to surf the web, or host a mail server to check your emails.

    You don't necessarily compromise your computer like this, but you effectively turned your computer into a FTP server, meaning you could remotely log in to your own computer to transfer files. That should not be the point of having access to FTP. I'm pretty convinced it's more a matter of blocked ports: by turning on FTP Access, Mac OS X automatically enables the ports 20-21 in the Firewall settings. Try turning off the FTP access and either disable the firewall altogether, or leave the firewall on but enable ports 20-21. Please note that SFTP & other more exotic kinds of FTP require different ports to be enabled / opened.



    Hope this helps,

    [spoon]





    Quote:

    Originally posted by piot

    So......just purchased new web space for a client. After receiving all username-password details etc, tried to log in using Transmit. No joy.... got a "could not retrieve list of files" error message.



    Contacted hosting company. Here is the message I got from them.

    "This will be a firewall or security software blocking connections to ports 20 & 21. Please configure your applications to accept connections via these ports and that you are using active mode - not passive."



    Thought this, a little strange as I have connected with dozens of sites (some hosted with the same company) and never had to change any settings.



    However, I did as they asked. Went to systPrefs-Sharing-Services and ticked the FTP Access box. I can now connect to the hosting server...no probs...however i am feeling a little uneasy about altering these settings.



    Is it normal to access FTP hosting accounts this way?

    And have I made my iMac less secure?



    Thanks




  • Reply 5 of 7
    piotpiot Posts: 1,346member
    Quote:

    Originally posted by crookedspoon

    You don't necessarily compromise your computer like this, but you effectively turned your computer into a FTP server, meaning you could remotely log in to your own computer to transfer files. That should not be the point of having access to FTP. I'm pretty convinced it's more a matter of blocked ports: by turning on FTP Access, Mac OS X automatically enables the ports 20-21 in the Firewall settings. Try turning off the FTP access and either disable the firewall altogether, or leave the firewall on but enable ports 20-21.



    Thanks Spoon. Can I be clear on this? I am a real novice at this network lark!



    1. In FTP program (Transmit), checking or unchecking the "use Passive" checkbox makes no difference.



    2. Turning on FTP access in Sharing/services pane effectively opens ports 20 and 21 according to the pop-up details.



    3 Is there another way to 'open' these ports without making my machine a web server?
  • Reply 6 of 7
    1. In FTP program (Transmit), checking or unchecking the "use Passive" checkbox makes no difference.



    It could make a difference... All servers I work with accept both Passive & Active connections. But this depends from server to server... Just try both, or ask the sysadmin of the server (good luck there :-) )



    2. Turning on FTP access in Sharing/services pane effectively opens ports 20 and 21 according to the pop-up details.



    By default, all ports are open. Turning ON the Firewall closes all ports. Turning on FTP access re-opens port 20-21 (maybe some more)



    3 Is there another way to 'open' these ports without making my machine a web server? [/B][/QUOTE]



    Turn off your firewall. (btw: try to take care of terminology to avoid misunderstandings: it's not a webserver but a FTP server you're talking about)



    -> What network are you on? -> If you're accessing the web from a corporate network, it might be that a sysadmin blocked the whole network for FTP. If you're at home, it could be that your (wireless) router is blocking the ports.



    Guess this topic would belong in Genius Bar. Maybe some admin can move it there.
  • Reply 7 of 7
    lundylundy Posts: 4,466member
    Moving to Genius Bar..
Sign In or Register to comment.