So I have my sftp server up and running. And it’s great! I use it to transfer important files. (I tried simple ftp and it works fine for me also, but I want sftp set up so me and my colleagues can log in to their own accounts and access their drive.)

So what do I want to do? I want an interface like Google Drive or OneDrive has on their web interface. Nice and modern with information like file size, name, date modified, all that good stuff. It’s not a biggie if I don’t get all that, but the main thing I want is to change the look of the plain view of ftp or sftp in a browser. I want it to look the way I want it to. So I can change colours, font or other stuff. Maybe a cool little icon for the folders.

I want to integrate this into a plain html website. So when I type in the link it asks for sign in. From there I can select access drive and all my stuff shows up. I am not going to be using a special key, so it’s just username and password. It will be run off Windows 10 as I don’t have a separate computer to use Linux. And if you are wondering about speeds, I have a high speed internet connection and I will be using a separate drive to my PC’s main and only drive.

Is there any software I can place inside html or some sort of way to modify the look inside a website that has pages such as home, contact and cloud or whatever they may be?

Also, users must be able to upload files over the website either via drag and drop or a select files button that opens the files of the user’s computer.

If I forgot to mention something, which I probably did, just say.

Thanks.

Link to comment
https://linustechtips.com/topic/962501-sftp-interface-inside-a-html-website/

What you want to do is most definitely possible; the easiest way will be php scripting on the server side. It's not a trivial task and I have no idea if there is software available that you can use out-of-the-box to achieve this. For someone well versed in web design, this is relatively straightforward (although it would take a considerable amount of time as it is non-trivial).

However, I would offer you a few pieces of advice. Is your sftp server running inside a virtual machine? If it's not, it probably should be. Ideally, even if the server was running on dedicated hardware, it would be a best practice to put the sftp server in a virtual machine instead of running it directly on the hardware. Second, it's generally not a good idea at all to open up your home internet connection to the outside, especially opening well-known types of connections, such as ssh (and sftp). If you are going to open up ports on your home system, you should really set up a powerful router (i.e., build a machine and run pfsense, not buying a router). There are bots sniffing for port 22 open on EVERY possible IP combination, all day long, every day, because why not. You can verify this if you open up port 22 and log connection attempts; I've done this and I had numerous attempted connections every day. So if you open ssh to the outside world, take some extra precautions.

You are creating a giant attack vector into your home system by not only opening it up to the outside internet, but especially by running the sftp server on (presumably) your desktop machine.

The safest thing to do would be to pay for a virtual server from Digital Ocean or AWS; however, storage is costly with those services so I can understand you not wanting to do that. If you are in university, there's a good chance you will have the ability to host a website on the school's servers (you might look into it), which would also very likely be using massive storage systems so you would have plenty of memory.

I know having an sftp server running is cool, but it's also something that you should do with consideration to the potential vulnerabilities you will create. Sorry for not being more helpful in regard to the original question, but hopefully this will give you some insight into best practices regarding running an sftp server from your home machine.

If anyone thinks I am way off base then please correct me!

Link to post

You can have a look at Nextcloud, it might have what you need.

Magical Pineapples

Link to post

1 hour ago, tbake0155 said:

What you want to do is most definitely possible; the easiest way will be php scripting on the server side. It's not a trivial task and I have no idea if there is software available that you can use out-of-the-box to achieve this. For someone well versed in web design, this is relatively straightforward (although it would take a considerable amount of time as it is non-trivial).

However, I would offer you a few pieces of advice. Is your sftp server running inside a virtual machine? If it's not, it probably should be. Ideally, even if the server was running on dedicated hardware, it would be a best practice to put the sftp server in a virtual machine instead of running it directly on the hardware. Second, it's generally not a good idea at all to open up your home internet connection to the outside, especially opening well-known types of connections, such as ssh (and sftp). If you are going to open up ports on your home system, you should really set up a powerful router (i.e., build a machine and run pfsense, not buying a router). There are bots sniffing for port 22 open on EVERY possible IP combination, all day long, every day, because why not. You can verify this if you open up port 22 and log connection attempts; I've done this and I had numerous attempted connections every day. So if you open ssh to the outside world, take some extra precautions.

You are creating a giant attack vector into your home system by not only opening it up to the outside internet, but especially by running the sftp server on (presumably) your desktop machine.

The safest thing to do would be to pay for a virtual server from Digital Ocean or AWS; however, storage is costly with those services so I can understand you not wanting to do that. If you are in university, there's a good chance you will have the ability to host a website on the school's servers (you might look into it), which would also very likely be using massive storage systems so you would have plenty of memory.

I know having an sftp server running is cool, but it's also something that you should do with consideration to the potential vulnerabilities you will create. Sorry for not being more helpful in regard to the original question, but hopefully this will give you some insight into best practices regarding running an sftp server from your home machine.

If anyone thinks I am way off base then please correct me!
 

Hi, thanks for your reply! I don’t believe the server is running on port 22. It’s somewhere in the range of 5000-7000 as far as I know.

As you were saying about attacks: how can I protect my machine from this, as it’s a must that I run it from my home network as well? I’m poor : /

And in your reply you mention running from a virtual machine. Is this to do with safety?

Also, I did forget to mention that my IP is NOT static and changes all the time. I guess this may add security as it’s never the same. I plan on using no-ip to connect to the server and have my router signed into my no-ip account.

If I am vulnerable even with dynamic IP etc., are there any solutions in place like a VPN or anything?

Thanks again for your reply.

Link to post

I apologize for the delay in responding. Generally, sftp runs through the default ssh port. However, it sounds like you are running the sftp server from a Windows machine, and if that's the case, I would have to get some more details about the sftp server software you are using. I initially wrote my response assuming you configured sftp yourself, but if you are using software you will have to tell me what the software is. All of my experience using ssh/sftp was with Linux machines or using Git Bash, Cygwin, Putty, etc, to log into Linux machines.

On a Linux machine, ssh/sftp runs by default on port 22, but that can be configured. Moving it from port 22 is probably a good idea, since most bots are sniffing for particular, widely used ports. If you pick a random port over 1200 or so, you'll be less likely to get sniffed. If your software is not using port 22, that's good.

Here's the reality though: If your password is strong enough, you should be ok. By strong enough, I mean use 20+ characters with caps, lower case, numbers and special chars. That will take eons to crack currently. Do not give administrator privileges to any other users except yourself, and encourage or enforce strong passwords for your users. Better yet, do not use an administrator account to run the server, so that if someone is able to log in to your account, they will still not have admin privileges. You will need to secure your admin account with another strong password.

The issue with having an ssh port open is that unless you are monitoring it, someone can attempt to break in by trying every password combination. This would take a ridiculous amount of time, especially if your password is strong. However, they can perform this attack from anywhere in the world that has internet, which makes this a vulnerable attack vector if you were to, say, leave the port open for years and years without monitoring it.

Regarding dynamic IP, that should help if someone was in the middle of brute forcing you for a really long time, but I doubt your IP rotates frequently enough that it will make much difference. If your password is strong enough, your IP could not rotate for years and it would not really matter. I would not consider a dynamic IP as a security measure and I would not rely on it.

Regarding a virtual machine, that would still be my advice for you. Install VirtualBox and then create a VM using Ubuntu or Windows. Set up the VM so that it has an internet connection and so that you can access it from other computers on the local network, then forward from your router to the VM instead of your base Windows OS.

If someone got access to the VM, they would be stuck in there. If all that is running in your VM is the sftp server, then that is the only thing they would have access to. It's also the case that an intruder will not be able to interact directly with the hardware on your machine, which is the best practice for security.

If you have more questions feel free to ask!

Link to post

8 hours ago, tbake0155 said:

I apologize for the delay in responding. Generally, sftp runs through the default ssh port. However, it sounds like you are running the sftp server from a Windows machine, and if that's the case, I would have to get some more details about the sftp server software you are using. I initially wrote my response assuming you configured sftp yourself, but if you are using software you will have to tell me what the software is. All of my experience using ssh/sftp was with Linux machines or using Git Bash, Cygwin, Putty, etc, to log into Linux machines.

On a Linux machine, ssh/sftp runs by default on port 22, but that can be configured. Moving it from port 22 is probably a good idea, since most bots are sniffing for particular, widely used ports. If you pick a random port over 1200 or so, you'll be less likely to get sniffed. If your software is not using port 22, that's good.

Here's the reality though: If your password is strong enough, you should be ok. By strong enough, I mean use 20+ characters with caps, lower case, numbers and special chars. That will take eons to crack currently. Do not give administrator privileges to any other users except yourself, and encourage or enforce strong passwords for your users. Better yet, do not use an administrator account to run the server, so that if someone is able to log in to your account, they will still not have admin privileges. You will need to secure your admin account with another strong password.

The issue with having an ssh port open is that unless you are monitoring it, someone can attempt to break in by trying every password combination. This would take a ridiculous amount of time, especially if your password is strong. However, they can perform this attack from anywhere in the world that has internet, which makes this a vulnerable attack vector if you were to, say, leave the port open for years and years without monitoring it.

Regarding dynamic IP, that should help if someone was in the middle of brute forcing you for a really long time, but I doubt your IP rotates frequently enough that it will make much difference. If your password is strong enough, your IP could not rotate for years and it would not really matter. I would not consider a dynamic IP as a security measure and I would not rely on it.

Regarding a virtual machine, that would still be my advice for you. Install VirtualBox and then create a VM using Ubuntu or Windows. Set up the VM so that it has an internet connection and so that you can access it from other computers on the local network, then forward from your router to the VM instead of your base Windows OS.

If someone got access to the VM, they would be stuck in there. If all that is running in your VM is the sftp server, then that is the only thing they would have access to. It's also the case that an intruder will not be able to interact directly with the hardware on your machine, which is the best practice for security.

If you have more questions feel free to ask!
 

Thanks for your reply!!

So the Windows sftp server is JSCAPE MFT Server. It uses an interface in your browser using localhost, I believe. With a port number of course.

Anyway, from there I sign into the JSCAPE account that I created and bam, I can edit domain, keys, passwords, users, everything that can be done in sftp really (that I know of).

This is Windows run and maybe Linux? I just went straight for the Windows download of course.

Now this may sound a little stupid. The only other computer that I have lying about is a Raspberry Pi 3.

This is Linux of course, but would it be capable of running sftp for myself?

This means if a hacker got in, well, all I have to do is reinstall the OS. I’m sure there is a way I could protect my files, but if I upload files to this cloud it is completely for sharing. I save all my files to my desktop (I’m a film maker).

Let me know my best options. And if the Raspberry Pi 3 is a working option then I can use that.

Many thanks.

Link to post


An sftp server would be a good use for your Raspberry Pi, as long as you don't expect a ton of traffic simultaneously. I think if you use a Raspberry Pi, you should consider a USB hard drive, since SD read/write isn't great, and freeing up the SD for the operating system will almost certainly give you better performance, especially if you have simultaneous users. Linux will also allow you to create software RAID with USB drives, which could further improve performance. I would recommend you try the Raspberry Pi; it will be a fun project if nothing else. If you're moving large film files, it might be too slow, but since you have one already I'd say try it.

If you follow a few safety measures I think you will be fine. Forward the ports you need for sftp through your router, and only give the sftp software access to those ports in your software firewall on the machine running the sftp server. Use strong passwords, and ideally don't use the administrator account to run the server (you should not use it as a best practice anyway).

If you get concerned, consider figuring out how to log internet traffic on the open port(s) and make sure the traffic you see is you or your users. You will see the IP address, which you can confirm with your users. Even if a connection attempt fails, you will see it. If you see a lot of strange traffic, consider taking measures. Generally though, even if you saw a strange connection attempt, if your passwords are secure you should be fine even getting brute forced.

I'll briefly explain how port sniffing would work. Imagine a bot attempts to get a response from your IP address at every single port; this is simple enough using a tool like netcat. This won't really be the approach the bot would take though, unless they knew you were a high value target. Since most people with weak security will use default ports, a smarter bot might only check certain commonly used ports (ssh, http, https). That will allow the bot to scan exponentially more IPs in a given time frame, and so the bot has higher odds of finding a target. But, for the sake of the example, let's imagine a bot will sniff every port. Using netcat, you can tell the difference between an open port with restricted access and a port that is completely shut off. If your router is forwarding no ports, there will be no 'smell' and the bot moves on. If your router is forwarding ports, that port will give itself away to a program like netcat by rejecting the connection (the foundations of the internet do not, and did not from the beginning, focus on security; it was left up to software developers to implement). Now the bot can try to find a way in. I do not know exactly how a hacker would operate from there, but they would have time on their side.

Plenty of systems are open to the internet so it's not intrinsically a bad idea. However, most servers are not running on bare hardware and they have security features in place. But systems that are vulnerable and get targeted are sometimes breached.

Link to post
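The log review suggested in the post above (see every attempt, failed or not, and check the source addresses against your users) can be scripted. This is an added example, not code from the thread: it assumes OpenSSH-style auth log lines as written on a Linux host such as the Raspberry Pi, the log lines are constructed samples, and `summariseAttempts` and `$knownIps` are hypothetical names.

```php
<?php
// Added example: per-address summary of SSH/SFTP password logins.
// Assumes OpenSSH-style auth log lines; every sample line is constructed.
$sampleLog = <<<'LOG'
Mar  3 09:14:02 pi sshd[1402]: Accepted password for alice from 198.51.100.23 port 50212 ssh2
Mar  3 11:40:51 pi sshd[1533]: Failed password for invalid user admin from 203.0.113.77 port 41822 ssh2
Mar  3 11:40:53 pi sshd[1533]: Failed password for invalid user admin from 203.0.113.77 port 41822 ssh2
Mar  3 11:40:56 pi sshd[1535]: Failed password for root from 203.0.113.77 port 41840 ssh2
Mar  3 11:41:00 pi sshd[1537]: Failed password for invalid user pi from 203.0.113.77 port 41851 ssh2
Mar  3 14:02:19 pi sshd[1610]: Failed password for alice from 198.51.100.23 port 50990 ssh2
Mar  3 14:02:31 pi sshd[1610]: Accepted password for alice from 198.51.100.23 port 50990 ssh2
Mar  3 22:17:45 pi sshd[1822]: Accepted password for bob from 192.0.2.200 port 33018 ssh2
LOG;

// Count failed and accepted logins per source address and classify each
// address against the list of addresses your users have confirmed as theirs.
function summariseAttempts(string $log, array $knownIps, int $threshold = 3): array
{
    $pattern = '/sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+/';
    $stats = [];
    foreach (preg_split('/\R/', $log) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a password-authentication event
        }
        [, $outcome, $user, $ip] = $m;
        $stats[$ip] ??= ['failed' => 0, 'accepted' => 0, 'users' => []];
        $stats[$ip][strtolower($outcome)]++;
        $stats[$ip]['users'][$user] = true;
    }

    $report = [];
    foreach ($stats as $ip => $s) {
        $known = in_array($ip, $knownIps, true);
        if (!$known && $s['accepted'] > 0) {
            $verdict = 'ALERT: login succeeded from an address no user has confirmed';
        } elseif (!$known && $s['failed'] >= $threshold) {
            $verdict = 'repeated failures from an unknown address (password guessing)';
        } elseif (!$known) {
            $verdict = 'unknown address, low volume';
        } else {
            $verdict = 'confirmed user address';
        }
        $users = implode(',', array_keys($s['users']));
        $report[$ip] = [$s['failed'], $s['accepted'], $users, $verdict];
    }
    return $report;
}

$knownIps = ['198.51.100.23']; // hypothetical: the address alice confirmed
foreach (summariseAttempts($sampleLog, $knownIps) as $ip => [$failed, $ok, $users, $verdict]) {
    printf("%-15s failed=%d accepted=%d users=%s => %s\n", $ip, $failed, $ok, $users, $verdict);
}
```

A successful login from an unconfirmed address is ranked above any number of failures, because failures only show that guessing is happening while an unexpected success means a password is already known to someone else.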

Okay. I get you on the security, but my Raspberry Pi is a low value target. The most they are gonna get out of it is my files, which are backed up on my main PC anyway.

So I did a little research myself and I’m going to go and use the Linux distro called Fedora 27 or something.

Apparently this is great for sftp and the like. I’ll give it a shot.

So back to my main question. I tried following a terrible how-to online for php scripting. I understand the general idea now. Php is used to read a certain directory. It then displays the directory for html to put it into a grid. Putting the data into a grid is easy I guess, because html is so widely used and websites are out there for making grids.

But I am completely lost when it comes to php. I am unsure how to make the directory readable and also how to send it to my html website. I don’t know if you’re experienced in this, but if you know of a good guide or know yourself that would be amazing!

Thanks a bunch though for all the info. I’m much more cautious now about internet sharing etc.

Link to post
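The idea described in the post above (PHP reads a directory and emits HTML for it) is sketched here as an added example that is not from the thread. It covers the two checks a listing page exposed to the internet needs: a requested sub-folder must not escape the shared folder, and file names must be escaped before they reach the browser. The folder, file and function names are hypothetical, the demo data is constructed, and sign-in is assumed to be handled elsewhere.

```php
<?php
// Added example: list a shared folder as an HTML table, refusing paths
// that escape it. Folder, file and parameter names are hypothetical.

// Constructed demo data so the script runs as-is with `php listing.php`.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'share-demo';
@mkdir($base . DIRECTORY_SEPARATOR . 'films', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . "Tom & Jerry's cut.txt", 'constructed sample');

// Resolve a user-supplied sub-path; return null unless it is a directory
// that still lives inside $base after ".." and symlinks are resolved.
function resolveInsideBase(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $target === false || !is_dir($target)) {
        return null;
    }
    $inside = $target === $baseReal
        || strpos($target, $baseReal . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $target : null;
}

// Build the table; file names are escaped because an uploader chooses them.
function renderListing(string $dir): string
{
    $rows = '';
    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        $rows .= sprintf(
            "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            is_dir($path) ? 'folder' : number_format(filesize($path)) . ' bytes',
            date('Y-m-d H:i', filemtime($path))
        );
    }
    return "<table>\n<tr><th>Name</th><th>Size</th><th>Modified</th></tr>\n"
        . $rows . "</table>\n";
}

// On a web server the sub-path would come from $_GET['dir'] ?? ''.
foreach (['', 'films', '../..'] as $requested) {
    $dir = resolveInsideBase($base, $requested);
    echo "Requested \"$requested\":\n";
    echo $dir === null ? "<p>Not found</p>\n" : renderListing($dir);
}
```

Served by a PHP-enabled web server, the echoed table is the HTML the browser receives, so colours, fonts and folder icons are ordinary CSS applied to it.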