How I Became a Hero in 24 Hours

“The Little Woman” has an office with a powerful multi-function printer. It was rather trivial last year to get it printing with Debian GNU/Linux. I just had to add a printer driver from the manufacturer, Xerox. The thing scans, too, and I had never used such a gadget but she asked hubby to make that work as well. In that other OS, Xerox had an app for that…

Poking around the control panel of the multi-function printer, I found it could do FTP of the scans. Simple, I added an ftp service to her GNU/Linux PC:
apt-get install vsftpd

That was pretty easy, but the default configuration did not allow uploads, which I needed. I created an upload directory and gave her permission to read/write to it:
mkdir /home/ftp
mkdir /home/ftp/pub
usermod -a -G ftp littlewoman
chown ftp:ftp /home/ftp /home/ftp/pub
chmod 550 /home/ftp
chmod 770 /home/ftp/pub
ln -s /home/ftp/pub/ /home/littlewoman/scans

Then I had to modify the configuration in vsftpd.conf to permit anonymous uploads and restart the service (/etc/init.d/vsftpd restart):
...
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
anon_root=/home/ftp/
no_anon_password=yes
anon_world_readable_only=no
dirlist_enable=yes
anon_other_write_enable=yes
anon_umask=007
#
# Uncomment this to allow local users to log in.
#local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only has an effect if the above global write enable is activated. Also, you will obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create new directories.
anon_mkdir_write_enable=YES
...

I just added the IP address and name of her computer to the menu on the multi-function printer and voilà, she was scanning. The benefit of these tweaks was compounded less than 24 h later when I added an ftp client to her Android/Linux smart phone so she could transfer her mobile pix to her PC with a few taps. I used the andFTP client from Android Market. Pretty smooth for a free app. I could add encrypted access, chroot or a virtual machine…, but I am not paranoid. 😉
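For the record, here is what a reviewer would flag in the vsftpd.conf above. This is an added example, not code from the post or from vsftpd: it parses a vsftpd.conf, reports the exposures the settings just enabled create, and scores a constructed local-account, FTPS alternative beside it (the certificate and user-list paths in that alternative are assumptions).

```python
import re

# Compiled-in vsftpd defaults from vsftpd.conf(5): an option absent from
# the file takes this value.  anonymous_enable defaults to YES, which is
# what the "Beware" comment in the packaged file warns about.
_DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES", "chroot_local_user": "NO",
    "ssl_enable": "NO",
}

def parse_vsftpd_conf(text):
    """Map active 'option=value' lines to a dict. '#' comments and the
    '...' elision markers are skipped; vsftpd allows no spaces around '='."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^([A-Za-z_]+)=(.*)$", line)
        if m and not line.startswith("#"):
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts

def _on(opts, key):
    return opts.get(key, _DEFAULTS[key]).lower() in ("yes", "true", "1")

def audit(text):
    """Return [(code, explanation), ...]; an empty list means no finding."""
    o = parse_vsftpd_conf(text)
    findings = []
    anon = _on(o, "anonymous_enable")
    # vsftpd never validates the anonymous password: no_anon_password only
    # skips the prompt, so it is not a control and is not scored here.
    if anon and _on(o, "write_enable") and _on(o, "anon_upload_enable"):
        findings.append(("ANON_WRITE", "anything that reaches the port can "
                         "upload: the disk can be filled, a file posing as a scan planted"))
        if _on(o, "anon_other_write_enable"):
            findings.append(("ANON_DELETE", "anonymous clients can also "
                             "delete, rename or overwrite existing uploads"))
    if anon and not _on(o, "anon_world_readable_only"):
        findings.append(("ANON_READ_ALL", "anonymous clients can download "
                         "files that are not world-readable"))
    if not _on(o, "ssl_enable"):
        findings.append(("CLEARTEXT", "logins and file contents cross the "
                         "network unencrypted (no FTPS)"))
    if _on(o, "local_enable") and not _on(o, "chroot_local_user"):
        findings.append(("NO_CHROOT", "local users are not confined to "
                         "their home directory"))
    return findings

# The post's configuration, reduced to its active lines.
POST_CONF = """\
anonymous_enable=YES
anon_root=/home/ftp/
no_anon_password=yes
anon_world_readable_only=no
dirlist_enable=yes
anon_other_write_enable=yes
anon_umask=007
#local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed alternative: same /home/ftp layout, but served only to the
# accounts listed in userlist_file, confined by chroot, over FTPS.  The
# certificate paths are assumptions; point them at the machine's own.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=027
local_root=/home/ftp
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
"""

if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:", [code for code, _ in audit(conf)] or "no findings")
```

The post's file scores four findings; the alternative scores none, at the price of putting the account name and password into the printer's scan-to-FTP settings.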

Hero? Maybe not, but in my own mind I am still useful…

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

23 Responses to How I Became a Hero in 24 Hours

  1. Ivan says:

    Have you checked for hidden processes or are you just using top like a schmuck?

  2. Ivan wrote, “how do you know that no one has bypassed your firewall, Bob?”

    I can see every process running on every machine on the LAN without leaving my chair.

  3. Ivan says:

    Just like a user of that other OS, to be afraid of a little network. I count my installation to be at least 36X more useful.

    Meanwhile, you are setting up anonymous FTP just to scan over the network. That is certainly 0x more useful and infinitely more insecure.

    And how do you know that no one has bypassed your firewall, Bob?

  4. I have filed a wishlist bug report with Debian to include all the parameters needed for this project in the configuration file so the “man vsftpd” step could be omitted.

  5. Setting the thing up was rather trivial, five minutes of effort. The only difficulty I encountered was that the default configuration file did not include all the options I needed, so I had to do man vsftpd. That took an extra few seconds. I spent more time looking into the security (or lack of security) of the thing. Performance was wonderful. Transferring a hundred images took just a couple of minutes. The only labour in that was that I did not know the equivalent of CTRL-A in Android… The Little Woman wants what she wants when she wants it, and the easier I make it for her to do the less likely she will ask me to do it for her… 😉 She likes men who lead, follow or get out of the way.

  6. oiaohm says:

    Robert Pogson, even if that password is sent plaintext, it's funny enough good enough to stop a lot of the old network replication worms and even a lot of the modern ones. A lot of modern worms are not that advanced at stealing credentials and will try anonymous with no password when they find ftp, not wait for a user to log into it. So a little log monitoring and it kinda raises an alarm that someone has brought in a machine that is not exactly healthy. Normally before you are too far in trouble to stop it.

    Most local network spreading malware is not that tolerant to waiting around for someone to hand them a password.

    Ideal of course is to use ftps to protect the password from the scanner; it also protects the scan in transport.

    You have placed a quota limit on the directory or its in a partition that if it gets full its not going to cause the system o ouch.

    Each extra step a bit of malware has to do to get into your system is an extra point it can stuff up and fail. This is why items like passwords on ftp that are transmitted in plaintext are still not worthless. Ok, not as effective as using ftps or better protocols.

    Attackers are truly lazy. They are spoiled rotten by people leaving basic doors open and devices lacking the proper features to securely transfer information.

    At a min anonymous should have a password to write.

    Min is not ideal; at min is a lot weaker than what is ideal, I know this. Min will stop some attacks dead in their tracks and make logs before other attacks work.

    Yes its about time people do look at devices properly and wake up how poor a lot of firmware is in providing secure transport.

    Yes there was a recent case of malware targeting particular model printers firmware to set up home base in a network. Threat from the devices themselves are becoming more a reality.

    Interesting feature Robert would not be aware of: almost all firmware updates in multi function devices clear settings; even better, most don't export the network password when they back up settings. So you set a password, the multi function device gets malware infected, now the multi function device has lost the password so it stops being able to scan. So you know something is wrong or firmware has been changed. If you don't set a password you will not know this has happened to the multi function device.

    That it is plaintext over the network is not the only reason I said to set it. It's also if the end point of what is scanning gets breached at firmware level. The network printer is normally a bigger target than the computer receiving the scans since the printer broadcasts where it is in most cases.

    ch, setting it up on Windows or OS X is not exactly trivial either. Really, ftp on Windows can be hell, particularly when particular anti-virus software takes offence to it. OS X is still not straightforward.

    Even setting up to use SMB is not trivial on windows either from multi function device scanners. Since the multi function network stacks are tested against Samba not Microsoft. So hello breakage in creative ways. Yes Linux box running samba for printers to forward to then access from Windows machines from there can in fact be the most stable solution if you don’t install FTP on windows.

    masochist is setting up HP printers on windows to be printed to from many versions of windows using SMB.

    It's in fact many times simpler to set the printer up on samba then share it back to the Windows network. Why? Each version of the HP drivers for each version of Windows in use has to be identical, and even if they are it can still fail in nasty, otherwise shockingly bad ways.

    Basically printers are the bane from hell at times in business networks running Windows. Scanners don’t get much better.

    Masochist is some people battling with windows networks not prepared to mix in one or two Linux boxes to avoid evil from hell problems. Like printers that will not smb to windows stable so generating half files and other bad things but will perfectly to linux running samba.

    Reason for printers being tested against samba not Microsoft is having to pay for Microsoft to test with. Yes printer makers are cheap.

    ch, people's normal response is that it has to be trivial with Windows. Reality: not the case when talking about network printers and scanners. With network printers and scanners all OS's suck in their own evil ways. Linux just sucks the least due to the fact there are fewer random issues. Linux either works or it does not with them. Not like Windows, randomish, or OS X where your models are highly restricted. I have set Linux cups servers next to OS X machines so they could use the printer they had bought. Linux supported the printer, OS X did not.

    ch MR Ham that owns to another person as well.

  7. ch says:

    Mr Pogson,

    does setting up something the hard way in Linux, that would have been trivial in Windows or OS X, make you a hero? No, not really, more something like a masochist – or, let's say, a tinkerer.

    However: Actually reading Mr Ham’s posting, now THAT makes you my hero!

  8. oiaohm wrote, “At a min you should be able remove this no_anon_password=yes and set an anon password. As long as your xerox printer is one with decent firmware.”

    Uh, no. FTP does not encrypt the password so a password is nearly useless for security. Further, the advantages of allowing strangers whom I invite into my house to share images so conveniently far outweighs risk to this non-valuable property. My wife has complete control of her files. She can produce them by scanning and remove them before visitors can see them. The only risk is that ftp might allow access to other directories through some vulnerability. The passwords in old-style FTP are certainly insecure. Any malware on the sending or receiving system could pick off a password and do whatever. Any weakness in FTP is dwarfed by the ease with which that other OS falls down to malware. There are several things I could do which would make the ftp server more secure like putting it on a different machine than my wife uses to protect her files, using a virtual machine or chroot etc. FTP is useful for just such situations.

  9. oiaohm says:

    Robert Pogson, call me anal-retentive. But what you have done has weakened security, possibly without valid need in most cases. Your case might be an exception. But people who copy what you wrote may not be. We do need to take responsibility to direct the less skilled in the safer directions.

    At a min you should be able remove this no_anon_password=yes and set an anon password. As long as your xerox printer is one with decent firmware.

    Most likely because the xerox manuals nicely don’t tell you that the network access password setting is on the web interface of the printer.

    Only found it out because I always perform a network audit on what is accessible to change options and was wondering how do I secure this properly.

    A lot of wireless security keys are just pure time to how long to break them.

    It's also surprising to most people how far away you can detect and connect to most wireless networks. Particularly with 15 db gain+ gear (that is a modified drain pipe). A modified sat dish gets you to +25 db. So unless your wireless network is in the middle of nowhere someone could be monitoring without you knowing and working on breaking the key. You will find out after they break the key.

    I guess you would not be using radius and enterprise wireless access. That one is a true prick to attackers. Because if it setup right the encryption is unique to machines even nicely limited session.
    I have found radius form security handy in some business to make people place notice that they are in the building at the front desk. Reason not mentioned to front desk you are in building nothing you have wireless will hook up because the wireless access point is not accepting. Funny how this improves conformance of signing into building.

    This is called surface area reduction. Less area, harder time attackers have. Pity that no out-of-the-box wireless access points I have found have a small radius server installed by default with the options to do this without another server.

    Attacks don’t only come from Windows machines being in the network or just the machines you have let in. The kernel.org break-in is a clear warning about this. It is possible for a Linux machine to get infected, worse the router, Robert Pogson; yes it's less common. But it can bring hell on a scale that is equal to Windows infections if stuff is not done right.

    Leaving these little mistakes can come back and hurt you.

    “SMB/CIFS could do similar things but in all the years I have seen it in schools I have never seen it work flawlessly amongst different platforms.”

    That is explained by what came out in the EU case of Microsoft vs Samba. The fact MS network protocols did not have a test suite; in fact they still don’t, they use the samba one today. But they were in fact depending on plugging them into a network and doing rough testing; if nothing showed up, ship. So it's shipped full of bugs that make our life a misery.

    Xerox to samba SMB works fine. Xerox firmware some versions to some versions of windows say by by to machine windows or the printer as a functional unit.

    In fact some versions of xerox printers support ftps again shows up in the web interface as a tick box. Again not in the manual. Prevents network snooping.

    I was not saying go SMB. Just do the FTP better. Doing it better equals changing less default settings.

    Since the password on the anonymous account is to prevent automated infections spreading automatically. Having it on a sticky note on the screen is not a problem as long as you don’t take a photo of it and put it somewhere attacker can get it.

    Issue is evil items like infected PDF files inserted into the scan directory. Looking like a scan but infected.

    There are reasons not to be lax with any OS. Linux is not an excuse to be lax.

    The problem I have about doing it lax: it's simpler to be lax the next time and the next time, and sooner or later you'll be lax in the wrong place.

    Problem I have is that someone else who did not know better could have seen your settings and not thought through the security risk they set up for themselves.

    If you are going to be lax anywhere you really do need to assess really carefully. More often than not its where you going to get burnt.

    The sad part is most Windows users are not even able to perform the assessment so they go on blind faith and wonder why they are getting burnt. Some Linux also unable to perform the assessment either or get lazy and don’t perform the assessment. Kernel.org was a case of lazy and not performing the assessment on what shell access really allowed to happen so it was given out to way too many people.

    Yes if there was ever a requirement for a license to access the Internet I would include on the exam doing a risk assessment.

    We all need to accept that our computer security is directly related to how lax we treat the security.

    I am not a lax person on this. Most of the time not being lax is in fact faster to setup on Linux. You have to do more work to make it Lax in a good distribution. More effort more Flaws. Good way to be.

  10. oiaohm wrote, “Robert has had to go out of his way to weaken the security of the Linux system.”

    My network is a cluster of trusted machines. I have GNU/Linux on all of them and Android/Linux on “the little woman”‘s phone and all the visitors’ equipment. A couple of them have MacOS thingies. As far as I know no one has brought that other OS into my home for years. They cannot connect without me giving them the wireless key anyway. Our firewall is the most anal-retentive thing I have ever seen. So, the odds against intrusion are pretty high and the efficiency of access to one shared directory is wonderful. I have checked the server and none of the usual lame attempts at getting out of the shared directory work.

    Family is all there is for my wife. Everything is done for family, including partying. A popular pastime is putting some audio/video/pix up on the big screen with everyone talking and giggling… This little ftp service will be used. The beauty of taking a snap with the smartphone and putting it on the TV screen seconds later is appealing. It would be easy to tighten security and open it for these events. I don’t see the need.

    SMB/CIFS could do similar things but in all the years I have seen it in schools I have never seen it work flawlessly amongst different platforms. I have worked in places that replaced “7” with XP just so the LAN would keep working. Forget GNU/Linux or MacOS having an easy time with anything designed/tweaked by M$. Thank Goodness, they had little to do with FTP.

  11. oiaohm says:

    iLia, let's think this through for a moment.

    You are making the same argument why people did not want firewalls on Windows. All those adjustment setting could have been done GUI by webmin and many others. Also Robert most likely went this way because was not aware of how xerox scanner/printers operate fully.

    In fact there is a problem with xerox network printers.

    Robert Pogson, please visit the xerox printer's web interface. On some you can set a username and password to use for the ftp and smb. This is safer than the full anonymous you just enabled. On some xerox machines you cannot, which is a major security flaw. Even better, set up buttons so you have one button to scan and she has another and it goes to the right accounts, if it does support usernames and passwords.

    Yes, Robert has had to go out of his way to weaken the security of the Linux system. When you start having to tweak the default a lot it's time to think: should I really be doing this? Particularly when it has a warning.

    “# Allow anonymous FTP? (Beware – allowed by default if you comment this out).”
    This is because there are security issues with allowing it, so the package added the line after to disable it.

    Default Windows computer setup of xerox scanner does in fact enable anonymous writing to the machine. Or in other words any other computer in the network can fill the harddrive of that machine to breaking point with what ever. So Robert has just downgraded his Linux box to how bad the windows default would be. Not something to be proud of.

    This is one of the lovely cases of third party software making nice big security holes in Windows.

    Yes fast way does not equal good way.

    JairJy
    “select the printer on the list.” This is xerox you are talking about. They have a bad habit of not turning up in the MS printer detection. You have to go local and create a network port.

    So printers using cups interface or other printer interfaces don’t appear at all at times.

    Basically windows printer configuration is how to drive someone nuts. You go network if MS does not detect it you find nothing now have to know to go back to local and create a network port. This is completely stupid. You would think it would be sane to provide an option to go straight on and just configure network printer by IP like cups under apple and Linux does but no MS has to make life hard. After you create network port it then will go find a driver.

    Being xerox, due to not using enough id differences between models, Windows update will most likely download the wrong scanner and printer driver and print and scan like complete trash. So yes, trip over to the xerox site, manually download the right driver and now everything magically works. Until you now have conflicting xerox printers or Windows update gets the idea of replacing the driver you manually installed.

    Even on Linux with xerox you cannot depend on auto detection.

    Xerox makes great printer hardware. Their driver construction leaves a lot to be desired. They are not the only printer maker whose drivers leave a lot to be desired.

    HP with some usb printers will not work over network because the pre side of the driver on Windows that is run by the machine sending documents to another machine with the printer connected attempts to directly talk usb to the printer. Yet they work perfectly fine provide by cups from a Linux box to Windows vista and 7 machines that do support cups.

    Printing on Windows can drive you nuts with all the creative land mines, including don’t have this printer driver installed with this other printer driver or it will not print correctly, or at worst instead of printing blue/red screen of death the machine randomly.

    On Linux and OS X in most cases the printer does not work because you don’t have a driver. You want a well behaved printer, go to the OS X and Linux listed working printers and buy that even if you are a Windows user. Anything else is playing lotto with your machine.

    What you described JairJy works for canon but everything else go to the makers site and get the drivers yourself unless you expect to be driven nuts under windows.

    Installing network printers and scanners on windows is not fun. Linux if they are supported fairly straight forward but you do need to audit the makers drivers.

    By the way some of the best added back doors to Linux by third party software have come from printer drivers right up to remote root access and disabling selinux and other LSM modules so making sure printer driver root access is without telling user.

    iLia please step back and think how many holes you are putting in your own systems. Some third party driver makers don’t make secure drivers. You install them you have just backdoored your system.

    Windows is not just swiss cheese due to Mistakes Microsoft directly is making it so. Windows is also Swiss cheese due what third party driver makes do without auditing.

    Apple only supports certified hardware that they provide all the drivers for. So reducing the swiss cheese problem. Linux comes out of the box with a lot of driver support that is safe. When you need to go third party, away from distribution/OS maker provided, it's time to be careful. Does not matter the OS. You just might have ruined your OS security. Problem is with printers and Windows you don’t have any choice in most cases.

  12. Just like a user of that other OS, to be afraid of a little network. I count my installation to be at least 36X more useful.

  13. Ivan says:

    Does that take care of the scanner and make its output available to guests on the LAN running diverse OS?

    Yes. Without having to manually set up and configure an anonymous FTP account, which, needless to say, is a security risk.

  14. JairJy wrote, “1)Connect the printer. If the printer can’t be connected but it is on the same network: Open Devices and Printers (is on the Start Menu) and click the “Add Printer” button. Select “Add a network, wireless or bluetooth printer” and select the printer on the list.”

    Does that take care of the scanner and make its output available to guests on the LAN running diverse OS?

  15. Viktor wrote, “Xerox’s fault for not supporting your niche OS abomination.”

    Hmmm. The thing was printing on Day One with the installation of a driver provided by Xerox.

    Scanning was also provided on Day One for folks with an ftp server which takes seconds to set up on Debian GNU/Linux. So, Xerox supports GNU/Linux quite well. Does XP or “7” provide such facilities? I think not but Google does give “the ten-step programme” for setting up FTP on an XP machine. “TEN STEPS“!!! and that’s still: “Note that by default, these files are read-only and public. Public meaning that anyone who knows the IP address may download copies from it.” I would have had to use SMB/CIFS with that other OS and “the little woman” would not likely have been very proficient setting that up. This way we have an open standard that will work for every client machine in the house and every client machine brought in by visitors. They can all do ftp but M$ has messed up SMB/CIFS so badly that it is likely every machine would have to be configured. The visitors can use their web browsers to ftp://herpc/

  16. JairJy says:

    “That other OS would not even know the scanner existed. It’s not “connected to the PC” except by the network.”

    You are right, so let me change the step 1:
    1) Connect the printer. If the printer can’t be connected but it is on the same network: Open Devices and Printers (is on the Start Menu) and click the “Add Printer” button. Select “Add a network, wireless or bluetooth printer” and select the printer on the list.

  17. Viktor says:

    Yeah, yeah, yeah. Stop dancing around the truth already, Pogson. The most important point is: you did it for her. That kinda defeats the purpose of claiming that Linux is so easy that everyone can use it. And setting up a printer or a scanner is, alas, a common home user scenario. So you need a well-versed administrator friend for the most trivial things? What a great OS! I like it already.

    It’s, of course, all Xerox’s fault for not supporting your niche OS abomination. How could they!

  18. JairJy wrote, “Connect the printer.”

    Chuckle. That other OS would not even know the scanner existed. It’s not “connected to the PC” except by the network. We could have installed Xerox’s app on a PC running that other OS but the solution I implemented is trivially usable by “the little woman” and she does not need to learn an additional application. She can use the web browser, the file manager or the image-processor or the image-viewer according to her whim. She uses all of them every day. It’s automatic.

  19. JairJy says:

    How to make a multifunctional printer work on Windows:

    1) Connect the printer.
    2) Enter the terminal, get root access and… Nah I was joking. Windows Update finds the driver and installs it.

    Also, ftp also works on Windows, so the ftp app from Android should work well on Windows too, but IMHO, using Dropbox or Skydrive could be more easy.

  20. Viktor wrote, “That was real easy, Pogson. Why didn’t your wife do it herself? Linux is so easy. And logical. I would perfectly understand it, if someone explained to me that I need to set up a frakkin’ FTP server to use a scanner.”

    1. “The Little Woman” does not have root access. I may be old but I am not crazy. If I gave her root access she might replace me with a younger husband/boyfriend.
    2. Logic – Problem: get scan from scanner to PC, Solution: use a network protocol, one of which the scanner knows is FTP.
    3. Any PC can be a server with GNU/Linux. Those details are all transparent to the little woman. All she sees is a nice little folder-icon on her desktop, labelled “scans”. From the scanner, she just selects something like Send To her PC. There is nothing difficult about it from the user’s perspective. She has read/write access as a normal user in the ftp group and so has complete control of the process even though the scanner is not connected to her PC but to our LAN. The fact that it is a networked service makes it available to several other PCs to which she and visitors have access. This is an unintended consequence of her request to be able to scan documents. It is an example of Metcalfe’s Law where the power of a network goes as the square of the number of PCs on the network. In our case the network is multiplying my feeble effort many times. We have six PCs and visitors from time to time so my few minutes of effort are giving benefit 36 times more than I “deserve” but I’ll take it. We have half a dozen friends and relatives who visit socially so we can share with them as well.

  21. Viktor says:

    That was real easy, Pogson. Why didn’t your wife do it herself? Linux is so easy. And logical. I would perfectly understand it, if someone explained to me that I need to set up a frakkin’ FTP server to use a scanner.

    Use Linux! And get thrown back into the stone age for free.

  22. I guess that was sarcasm, when iLia wrote, “who needs my comments after this?” implying that my example of how easy it was to set up a nice useful facility with standard parts in GNU/Linux would discourage people from using it.

    Perhaps it would have been simpler if Xerox had an app, but would that same application have worked with the smart phone? Using open standards makes a system much easier to set up and to manage. Now anyone in the house can browse to her folders of scans, including the media PCs on the televisions. The whole thing just fell together nicely when my plan was merely to make it work quickly. My whole effort was a brief search of the package lists for an ftpd package and a few minutes editing the configuration file. The smart phone app was the first one on the list and used thousands of times. No effort at all. Huge benefits. Price/performance was great.

  23. iLia says:

    And who needs my comments after this?

    Actually, such things are called linux-bashing, the reason why anti-linux people cannot provide such high-quality bashing is very easy — they drop using linux on this:

    apt-get install vsftpd

    and never arrive to the level of competence sufficient to provide such great examples.
