Mike Leone on 21 Apr 2010 07:13:09 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Advice needed on collecting files from FTP site

JP Vossen had this to say:
>> Date: Tue, 20 Apr 2010 15:38:00 -0400
>> From: Mike Leone <turgon@mike-leone.com>
>> So here's my situation - I have a Linux server set up in a DMZ, running 
>> VSFTP. Each FTP account is chrooted. We will be using this for vendors 
>> to send us invoices, etc.
> FTP, yuck...  (Had to be said.)

Not really, it didn't, no. :-)

> 1) You need to consider what happens if you do your 
> collect/zip/move/delete part while someone is uploading a file.  Sure 
> you can run your part in the middle of the night, and that'll work fine 
> until someone works late, in a different time zone, or automates their 
> part too.

Then they re-send, at a more convenient time. :-) Seriously, the 
possibility is very remote. And if it is, then we cope. This is 
(supposed to be) a temporary solution.

> 2) A DMZ machine should have very strictly limited ability to connect 
> *in* to the LAN, else what's the point.  So having that machine initiate 
> the connection into the LAN is sub-optimal.

Having the vendors transfer in invoices directly into the trusted LAN is 
even less optimal. :-) And I'd really prefer them not emailing the 
invoice as an attachment, which is what some of them *will* do ... I 
suppose I could reach out from the trusted LAN and get the files, as you 
later suggest.

> 3) If you run from cron on the DMZ machine, you really need to allow 
> email from that machine for cases where the job messes up.  But per #2, 

I'd email statuses regardless of whether it messed up or not.

> So, I'd do something like this.

Great suggestions; I will consider this. However, the FTP is a stop gap, 
until our developers get this sort of transfer working from a secure web 
page accessible to the vendors. And I will deliberately keep it simple 
and primitive (yet still working and hopefully secure), because I do not 
want them relying on this method from now until the end of time ...


> As noted all of that code is untested.  Also, the script has two 'echo' 
> commands in the place it would actually do something.  Fiddle with it 
> and make sure if works if you try to use it, then remove the echos.
> For some primitive sanity checking try: bash -n {script}
> For debugging the script try: bash -x {script}
> Once it works chmod it executable.
> Good luck & hope this is useful,

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug