Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "sftp"
Pain the ass sales guy walks into my office uninvited. Looks at one of my screens which has sftp copying a lot of files and spewing out each one. He asks what that "nonsense" is.
I politely tell him that it is all his sales data and I am deleting it. At which point I got up and went to lunch with no further discussion.
The next phone call I received was from my boss asking me to stop fucking with the sales people. I hope he learned to knock after this.5
This happened quite sometime ago.
I received a client, reputable university in my country. After all the paper work was done, I was emailed access to one of their AWS server, FTP where the username and password were both admin. I didn't say much to them at that moment.. Maybe they had some precautions?
Over night I received another email, around 3am,
"Hi Uzair, we've monitored a breach while leaving FTP access open."
Well, that was sorta expected.
I received SFTP access to the server the following day,
Fucking fuck you STRATO. This cancer of a german hosting provider just should be shutdown for crimes against reason. Our website got infected by some shit (I'd like to not state why, there is only so much pressure my main arterie can handle) and now we are supposed to remove that file. Well they blocked all incoming and outgoing traffic to the server so we cannot connect via sftp, the only choice you got with STRATO. And they wont restore network access for the server unless we remove the file. No logical loop to see here citizen, please move on.26
First lecture of computer networks. Let's shove all of these abbreviations with their meaning, and possibly a associated port number in one 1.5 hour lecture:
HTTP, HTTPS, FTP, FTPS, SFTP, TCP, IP, UDP, ISP, DSL, DNS, LAN, WLAN, WDM, P2P, TELNET, PGP, TLS, SSL, SSH, MIME, SMTP, POP3, IMAP, IANA, DHT, RTT, DHCP
I really feel sorry for students who didn't have previous knowledge about this stuff..5
Who says Windows is useless....
Running a python script to swap wifi networks, auto connect to VPN servers, run SSH commands and SFTP files to servers, downloading numerous files, sifting through outlook for emails, running excel macros for data cleansing, cell merging and formulas all at the click of a button 😱
Oh yea.. this is all 1 task that I never have to do again😂
Windows is useless for development you say? 🤔3
Does anyone know a provider for webhosting with this needs?
- decently priced (~4€/month)
- domain included
- email stuff included
- no analytics/cookie stuff from the provider (that's the point of change)
- easy sftp access
- ssl included13
So during my internship I learned a lot about Linux, Docker and servers and I recently switched from a shared hosting to my own VPS. On this VPS I currently have one nginx server running that serves a static ReactJs application. This is temponarily, I SFTP-ed the build files to the server and added a config file for ssl, ciphers and dhparams. I plan to change it later to a nextjs application with a ci/di pipeline etc. I also added a 'runuser' that owns the /srv/web directory in which the webserver files are located. Ssh has passwords disabled and my private keys have passphrases.
Now that I it's been running for a few days I noticed a lot of requests from botnets that tried to access phpmyadmin and adminpanels on my server which gave me quite a scare. Luckily my website does not have a backend and I would never expose phpmyadmin like that if I did have it.
Now my question is:
Do you guys know any good articles or have tips and tricks for securing my server and future projects? Are there any good practices that I should absolutely read and follow? (Like not exposing server details etc., php version, rate limiting). I really want to move forward with my quest for knowledge and feel like I should have a good basis when it comes to managing a server, especially with the current privacy laws in place.
Thanks in advance for enduring my rant and infodump 😅7
3 in 1
If your project needs more than three sentences to describe and the budget is not in the high four digits or preferably five, then you're clearly not fucking paying enough
Clients that just write a "?" after you wrote a very detailed tutorial, which even a fucking skunk could do, if given a fucking mouse and keyboard, are just the fucking laboratory perfection made retards
I just LOVE IT when my internet drops out for under a minute, so windows doesn't notify you yet and your sftp client trashes both local and remote files
Never mess with a motivated developer. I will make your life difficult in return.
Me: we need server logs and stats daily for analysis
DBA: to get those, you need to open a ticket
Me: can't you just give me SFTP access and permissions to query the stats from the DB?
*Writes an Excel Template file that I basically just need to copy and paste from to create a ticket*
This process should not take me more than 2mins 👍😁😋🙂😙😙😙😙😙😙😙😙
For them.... 😈😈😈😈😈😈😈😈😈😈😈10
Oh man, I fucked up...
I was doing after hours work for client, setup website with https.
Can't work over sftp with current user,so I give it the same user ID as apache, get files transferred and shit.
Go back to change uid, set wrong uid, now my user is ntp, I can't get into root, can't set password...
I fucked up
Tail between the legs, sent email to clients support, asking them to fix my user fuck up, waiting for reply
Ah, my brain, MY FUCKING BRAIN!
Got some work from the previous company. Need to update some stuff on their website.
Fine, got the files from the server via sFTP.
Made the changes, before uploading the files, wanted to create the latest backup.
Downloaded the files again, just to realize that I forgot to cd into a different directory before re-downloading the files. All the changes are now overwritten.
Half an hour of work lost. DAMN IT!3
Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!
System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.
Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.
Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.
That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.
We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.
Hella excited about this!
If you guys have any suggestions let us know. We are utter noobs when it comes to this.6
Oh my damn god,
I just found the remote-server plugin for vsCode and holy fuck balls, it's the one thing I've wanted from vsCode since ever.
When you dev in VMs and are forever working with remote code using SFTP and git on a remote servers, it's a pain in the ass.
But this, god damn this solves all of that, and with connection specific plugins, I think I just came.7
The coolest project I ever worked on wasn't programming per second, though it involved a bit of scripting. The company I worked for had an FTP over TLS backup solution and it was put together with glue and paperclips by a guy that hadn't the slightest idea what he was doing. In order to conform with the insurance, data had to be encrypted. I setup a raid-ed server with full disk encryption on the raid volume that fetched the key over the network at boot from another secure server. I wrote a series of scripts for provisioning users and so on. The backup connections was sftp using a ssh tunnel, the users were chrooted to their own home directories, and were unable to open shells. The system was 100x more robust and secure than the original. I set it up on short notice and received absolutely no recognition for saving the company's ass, but it was definitely a fun project.1
When you type
"SFTP://SteffTek.de" in your browser window just for fun and devRant is missing you ❤️1
Long story short:
Just had several problems with using some drone ci plugins (hugo and sftp). Found issues regarding the problems on GitHub. Issues have been open for several years. Still open. Tried to participate or ask for the state. Got a "no one else got a problem with this". Recoded both plugins. Tested them. Using them now. Source is on GitHub. Posted them as alternatives on drone's discourse. Got flagged as spam.
Nice. Not using Drone again. Searching for an alternative now.
Little extra: I think they banned me from posting GitHub links on their discourse.4
Have been now testing the new vsCode FileSystemProvider implementations and got to say this one finally hits the nail*, all these years sftp integration has been absolute trash, especially sublimes version, was a hack at most, that was barely maintained, but charged atleast three times as much to remove a popup message.
It's so nice having still working prompts on connect, the filesystem being synced into the files viewer in under a second, even for big folders (was a common problem for other in-editor sftp), all operations are done natively and more, it's just such a treat to look at, I can only see them improving it further, for the search to work natively too and provide more APIs for the plugins to hook into.
I honestly thought I'd be stuck with winscp forever, so now I finally can just have an all in one solution and not leave vsCode for almost anything else but previewing the results.
* the plugin that actually worked for me:
- remote fs: https://marketplace.visualstudio.com/...
Today I'm bringing a tool for you guys, mount servers with old phones Or have servers in your phone for testing.
Tool: Servers Ultimate Pro
Note1.: Doesn't handle well above android 6+, So test one of the free servers you're intending to use before buying.
Note2.: This App costs around 10€/$ but you can get single App servers for free (I think even html + php + mysql package for free).
Not promotional, I'm just a user that loves this App.
I already talked about this a few times (usually I just call the cell phone I'm using my web server), but as a noob I don't even knot the possibilities.
This App comes with more then 70 protocols (60+ servers and a mix of servers).
From ssh, ftp, html (nginx, lightppd, Apache, simple) with php and mysql, Webdav...
Run over 60 servers with over 70 protocols!
Now you can run a CVS, DC Hub, DHCP, UPnP, DNS, Dynamic DNS, eDonkey, Email (POP3 / SMTP), FTP Proxy, FTP, FTPS, Flash Policy, Git, Gopher, HTTP Snoop, ICAP, IRC Bot, IRC, ISCSI, Icecast, LPD, Load Balancer, MQTT, Memcached, MongoDB, MySQL, NFS, NTP, NZB Client, Napster, PHP and Lighttpd, PXE, Port Forwarder, Proxy, RTMP, Remote Control, Rsync, SMB/CIFS, SMPP, SMS, Socks, SFTP, SSH, Server Monitor, Stomp, Styx, Syslog, TFTP, Telnet, Test, Time, Torrent Client, Torrent Tracker, Trigger, UPnP Port Mapper, VNC, Wake On Lan, Web, WebDAV, WebSocket, X11 and/or XMPP server!
I don't know if my boss just wants me to learn how to use a new internal deployment process or just likes giving me unnecessary low-value work to take up time...
I could and have just copied the program via SFTP and unzip it to set it up....
(This is a testing and does not need to be in production...)
I have better things I could be doing and just want to get this done and closed but ...
So i'm trying to upload a file to an SSH server using node. First I try the obvious putFile method provided by the obvious node-ssh package. On any other server this would work fine but this server doesn't have sftp installed so that doesn't work.
So I log into the server and check and the file isn't there. I try again several times, file still isn't there. I try running scp -t manually on the server, typing in exactly what my program is sending, and it works. This goes on for a while until I realize that I've been sending a file to one server and logging into a different server to check if the file was sent. grrr4
Fuck ssh. It does 4 things at once and i couldn't get it to do one. I have some pi's and want a shared directory on each of them. On a server i created a user for that and mounted its home directory on a pi, it worked. I did some lockdowns (no shell, only sftp allowed, login only via keyfile), but i was still able to mount it on boot.
Now i had to migrate this setup to another server. It took me a while copying all the configuration etc. All i got for that was a error-message. I figured out the users home-directory had to be owned be root, fixed that, got another error message. Somehow scp didn't use sftp but the login shell which is /usr/sbin/nologin. That made scp (and sshfs) fail, even though it perfectly works with the other server.
I gave up and removed all the setup. I'll find another distributed filesystem for that (but not samba or nfs, those are way to complicated). Those are the setbacks that depress me.
SFTP timeout errors.. nothing to find in the logs (if i look in the right logs that is) and my balls hurt. My evening cant get better lol4
I'm studying for the Security+ cert exam. I hate how I'm getting practice questions wrong because I mix up the port numbers between SFTP and FTPS! As if I wouldn't Google that in a heartbeat if I was configuring a firewall...
I‘m currently trying to get an SFTP user for our school's webspace (preinstalled WordPress, don't hate it - it's "great" for non-"it" people) and our network administrator means that he can't create one for me because I would have access to all files on the server.
WTF, you can create SFTP users on Linux and restrict their access and even set a home directory.
Yeah, now we need to forget about themes and plugins in WordPress.
(He said that he also can't create an FTP user)1
Just a quick question for ppl that deploy websites through FTP: how are y'all deploying your sites?
Which tools do you use?14
I finally have a server at DO. First time I had to set up a server on my own. Now I have an Ubuntu 14 running apache2, php5, memcached, beanstalkd, supervisor, sftp, vhost-manager, etc...
I really like the whol env and learning but I have to admit, I'd really like to see some GUI for all these things. At least for host management... And honestly I could use some advice on a proper web server setup.3
I've been programming for 15 years now or more if I count my years I programmed as a hobby. I'm mostly self learned. I'm working in an environment of a few developers and at least the same amount of other people (managers, sales, etc). We are creating Magento stores for middle sized businesses. The dev team is pretty good, I think.
But I'm struggling with management a lot. They are deciding on issues without asking us or even if I was asked about something and the answer was not what they expect, they ask the next developer below me. They do this all the way to Junior. A small example would be "lets create a testing site outside of deployment process on the server". Now if I do this, that site will never be updated and pose a security risk on the server for eternity because they would forget about it in a week. Adding it to our deployment process would take the same time and the testing site would benefit from security patches, quick deployment without logging in to the server, etc. Then the manager just disappears after hearing this from me. On slack, I get a question in 30 minutes from a remote developer about how to create an SSH user for a new site outside of deployment. I tell him the same. Then the junior gets called upstairs and ending up doing the job: no deployment, just plain SSH (SFTP) and manually creating the database. I end up doing it but He is "learning" how to do it.
An other example would be a day I was asked what is my opinion about Wordpress. We don't have any experience with Wordpress, I worked with Drupal before and when I look at a Wordpress codebase, I'm getting brain damage. They said Ok. The next day, comes the announcement that the boss decided to use Wordpress for our new agency website. For his own health and safety, I took the day off. At the end, the manager ended up hiring an indian developer who did a moderately fair job. No HiDPI sprites, no fancy SASS, just plain old CSS and a simple template. Lightyears worse than the site it was about to replace. But it did replace the old site, so now I have to look at it and identify myself part of the team. Best thing? We are now offering Wordpress development.
An other example is "lets do a quick order grid". This meant to be a table where the customer can enter SKU and quantity and they can theoretically order faster if they know the SKU already. It's a B2B solution. No one uses it. We have it for 2 sites now and in analytics, we have 5 page hits within 3 years on a site that's receiving 1000 users daily... Mostly our testing and the client looked at it. And no orders. I mean none, 0. I presented a well formatted study with screenshots from Analytics when I saw a proposal to a client to do this again. Guess what happened? Someone else from the team got the job to implement it. Happy client? No. They are questioning why no one is using it.
What would you do as a senior developer?
- Just serve notice and quit
- Try to talk to the boss (I don't see how it would work)
- Just don't give a shit1
Any of you guys use jsch for sftp in Java? Do you know who invented it? Where they live? If they have dicks that can be punched?6
What is the best approach for Continuous Integration / Continuous Delivery/Deployment? I'm using SVN as code repository and I need to identify the files that goes to Test/QA env. and the ones that goes do Prod env. (by Commit message or something else) via sFTP.
Any help would be appreciated. Already tested Jenkins, GoCD and Jetbrains Teamcity.1
Would it be possible to use (S)FTP protocol in conjunction with push technology rather than pull? Perhaps websockets since both use TCP?
Say, something like an external server periodically sending my server files and when a new file arrives, I will get a notification. This instead of constantly polling my directory to check if there are files in it.
I think I can see this done with an Angular page that gives me a notification when a new file arrives on my FTP.
I think it might turn into an interesting little hobby project..4
If I use a connector to pull files from an SFTP server and when I configure it to pull all files from the root folder after it logs in but it actually pulls from the machine's root directory, is that really an SFTP server or just a server? Is that even secure?4
I know this is not the place to be asking questions but does anyone know about a ftp/sftp client that syncs your bookmarked servers with some cloud solution (e.g. Dropbox, ...)?
This would be really nice to have for teams/people with multiple laptops.4
Which extension do you recommend for VS Code, which has most of the features of SFTP package by Will Bond for Sublime Text?
So let's say you're theoretically hosting a website on Google's cloud platform with GoDaddy, but you have the code on your local PC. How would you go about updating it?
For now, I've just been SFTPing into the cloud server and updating it.9