The Do-it-yourself ASP Part II:
Creating your own FTP server with free software from the Internet
In my last article I wrote about how to use an already established free web server as a method by which you could transfer files to and from your MTs and clients. In this article I will discuss how you can use free software to create your own web server out of any computer with an Internet connection. Creating your own server will save you tons of time downloading and uploading files to and from the Internet. With the information in this article, posting files to the Internet will be as simple as copying them to a folder on your computer or network. A high-speed connection to the Internet (cable or DSL) is mandatory.
In my last article we used encryption to protect the data in transit as well as protect it while residing on the server itself. Encryption is still a necessary component.
Download and install the software
First, let's go get the software that will allow us to create our server. Point your browser to http://www.sambar.com and download the latest production release. (At the time of this writing it is version 5.2 and weighs in at just under 5 megabytes.) If you require additional features you can pay $99 for the Pro version.
When you start the download, it will ask you if you want to open it or save it to disk. Save it to disk in a place that is easy for you to find later, like your Desktop.
Once you have it downloaded double-click the file to start the installation process.
When you get to the portion of the installation that says "Select the directory to install Sambar Server in:" (see Figure 1), click the Browse button and choose C:. This will place the Sambar Server files in the c:\sambar52 directory. You should see c:\sambar52 in the white box. If you don't see that, you can also type it in manually. The rest of this article assumes that you've installed the software to the c:\sambar52 directory.
Click the Install button and after the files are copied you'll be done and ready to go.
Starting and configuring the server
Now that the server software has been installed you can start the server by double-clicking the new icon on your desktop labeled Sambar Server 5.2. Starting the server automatically opens a new browser window titled "My Website." This page is the default starting point for your new server. There are links to information and help files here.
Locate the section titled System Administration and click on the System Administration link. This opens a password dialog. Enter admin for the User Name and leave the Password blank. Click OK.
You will then be taken to the Sambar Server Administration page. The pane on the left has links to various pages that you can use for information and to modify settings. The pane on the right is where the action happens. These administration screens function just like a common web site with forms.
Right now we are at the Main Page. In the right pane you'll see the following options:
Server Documentation | Opens the help files for the server. This is basically everything there is to know about operating an Internet server. Be sure to have a computer dictionary handy if you are going to navigate these waters. You'll need it!
Server Configuration | Opens the form for configuring the server's basic settings.
System Management | Lets you perform actions on the server like shut it down, restart, or pause it.
Pro License | Used to enter the license information if you are using the Pro version. We're not using the Pro version.
User Management | Opens the form for creating and managing user access. You'll spend a lot of time here.
Search Engine | For finding files on your server. You probably won't use this much.
Click on the link to Server Configuration. Scroll down until you get to Directory Lists. Make sure that Yes has a dot by it. You can set the other checkbox options to your personal taste. Turning this option on allows your MTs and clients to see the files you have placed in their directory. If this option were off, you'd have to create an index.htm page every time you wanted them to be able to download a new file.
Next, scroll down to where it says Act as FTP Server and put a dot next to Yes. You want this on so that your MTs and clients can upload files to your server through an FTP client, like WS-FTP.
Scroll down all the way to the bottom of the page and click the Update Server Configuration button.
User management
You should now be back at the main page once again. Click on the User Management link. This is where you create users and set permissions for what part of the server they can access. For our purposes we'll be locking users down to one directory but you can add subdirectories, like "pickup" and "deliver" or "audio" and "text" if you like. Your users will need to provide a user name and password to the server before they can access their directory through the web (HTTP) or FTP.
Again, on the left pane we have options and on the right we have forms. To get started click the Create User link on the left. On the right you'll see the following options:
Username | The username for your user. They will type this whenever they need to login.
Password | The password for the new user. They will type this along with the username when they login.
Group | This is used when you want to allow access to portions of your site to multiple users of the same group. We'll be using user level access controls, not group controls. But creating users under groups can make them more manageable. As you can see in the left pane the users are divided out by group. You could create an MT group and a client group, if you wanted. For now, let's create all users under the user group.
Account Name | This field doesn't do much of anything that I can see. Essentially, it's a label for your users.
Root Directory | This is very important. This is the directory that your users can access. You want to leave the /docs/ in place and add a user directory after that. So if I had an MT whose ID# was 1234 I would type /docs/1234/ in this field. Put a dot next to Create so that the directory will be created when you click the Create New User button, assuming it doesn't already exist.
Access | This is the user's FTP access. Everyone needs to have Read/Write access in order to upload files. Put a dot next to Read/Write.
FTP Maximum Upload | Setting this to 0 allows the user to upload files of any size. Otherwise this is the size of upload in megabytes the user is allowed.
Create New User | Click this button when you are ready to add the user.
As you add users you'll see them appear in the left pane. If you want to change a user's settings you can click on their username. If you want to delete a user click on the trash can icon to the left of their name.
For the rest of the article we're going to assume that you created three users with the following settings:
Username | Password | Root Directory
user1 | user1 | /docs/1234
user2 | user2 | /docs/1235
user3 | user3 | /docs/1236
Before we do anything else set an admin password for yourself. To do this locate the admin user in the left pane, under root. Click on the word admin. In the right pane type a password. Click the Update User button. From now on you'll have to type this password to enter the Sambar Server Administration screens.
Restart the server by right-clicking the icon next to the clock in the bottom right portion of your taskbar. Choose Restart from the pop-up menu.
Now that your users are set up we have to set their access permissions.
Security settings for user downloads
Click the monitor icon in the upper left corner of the left pane of the User Management screen. This will return you to the Sambar Server Administration page. (Password dialogs asking you to log in as the admin may pop up from time to time as you restart the server, change these settings, and come back in.)
In the left pane underneath the All Servers section locate the section titled Security [security.ini]. Click on the portion that just says Security, not the part in square brackets.
This opens the Security Configuration page. Scroll down to the part that says Security Restrictions. Here you see two columns of edit boxes. The column on the left represents the directory. The column on the right represents who can access the directory. Set one directory for each user that you created in the last section. If you added someone with a username of user1 whose directory was /docs/1234/ you would put /1234 in the left column and user1 in the right column. Here's the format:
/1234 | user1
/1235 | user2
/1236 | user3
If you run out of rows, don't worry. Just click the Update Configuration button and come back in; two more rows will be added automatically. Continue this way until all the users you created previously are assigned to their own directory.
Now your security settings are in place. Users will not be able to access each other's directories without the other user's username and password. Users will not be able to see each other's directories from FTP sessions without the other user's username and password.
Restart the server by right-clicking the icon next to the clock in the bottom right portion of your taskbar. Choose Restart from the pop-up menu.
Accessing the server for uploads and downloads
Now comes the tricky part. In order to be able to access your new server from the Internet we need a few items to be in place.
1. A high-speed Internet connection must be working and the computer running the server must be connected.
2. The Sambar server must be running.
3. Any firewalls and routers need to be configured so that the Sambar server can accept all incoming FTP and HTTP connections.
4. You need to know the IP address of the computer that is hosting the server.
a. From the hosting computer, open the Start menu and choose Run.
b. Type winipcfg.exe in the Open field and click OK.
c. This shows you the current IP address of that computer.
If your IP address is static, your ISP has assigned you a never-changing IP address. This is good. This means that anyone will be able to access your server by entering http://122.45.23.1/ in their Internet browser (assuming 122.45.23.1 is the correct IP address, which it won't be since I just made it up).
If your IP address is dynamic, it will change every time you reboot your computer or every time you get off the Internet and get back on again. If your IP address is dynamic, it is going to be difficult (although not impossible) for your users to locate you. You'll have to give them your new IP address every time it changes. If this sounds like too much of a hassle, check with your Internet service provider and see if they can assign you a static IP address; you'll probably have to pay more for it.
Alternatively, you can go to http://www.dyndns.org and sign up for their free service or pay service. They will assign you a hostname, like http://yourname.dyndns.org. Then when your IP address changes you can contact them and they will update their server information. The great thing about this is that your users just type http://yourname.dyndns.org into their web browser and they land at your site. This works with FTP access as well.
Once you've got the connection issues straightened out, your users can access your server just like they would access any other server on the Internet. (See my previous article for details on how to do this.)
Now you may be wondering how do I as the system administrator and head cheese access my server and put files in the appropriate directories? It's very easy. At the beginning of the article we installed the server software to the directory named c:\sambar52. Open up My Computer or Windows Explorer and go there. In this directory you'll see a lot of subdirectories. These contain all the configuration files, help files, and software needed to make the Sambar server run. Locate the docs directory and open it. Inside you'll see the following directories/folders: 1234, 1235, and 1236. These are the directories that you put files in for your users.
When user1 uploads her work for the day you will find it in the c:\sambar52\docs\1234 directory. When user2 needs more audio files to transcribe you will need to copy them to the c:\sambar52\docs\1235 directory. (See the table in the User Management section of the article for a reference on how we set up the sample users.) If you don't want to mix audio files and completed reports together you can add subdirectories to the user directories. For example, audio files could go into the c:\sambar52\docs\1236\audio directory and report files could go into the c:\sambar52\docs\1236\text directory. Your users will, of course, need to be instructed on which directory to use and where to FTP their files.
One final word about security
By default the server does not allow people to log in as admin unless they are on the localhost machine, i.e. sitting in front of the computer that the server software is installed on. This is a good thing and it will keep out hackers, but it can be changed if you want to log in as an admin from a remote location.
Your users have to log into their web and FTP directories but you should know that this only prevents access to those directories from unauthorized users. The data your users download and upload is not protected as it bounces around the Internet from computer to computer on its way to your server. Also, the user's password and username are sent to the server without encryption. These can be captured by an interested or determined third party. Once the username and password are captured, the third party can log in just like your user. For this reason you should be sure to encrypt any and all files coming to your server and residing on your server for download.
Encrypted files should always have a different password than the user password that is used to access the server.
The Sambar server comes equipped with some users already configured; "anonymous" is one that is very dangerous. All FTP software is configured to try an anonymous connection. Delete these users or reconfigure them from the User Management screens so they can't access the server (set Access to None). Alternatively you could add a password to their profile. This can be a huge security hole. Once someone knows you are running the Sambar server they can download it, install it, and start trying to gain access through the default user configurations. Don't delete the admin user, but be sure you've assigned a password to it and set it to run only from the localhost (127.0.0.1).
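The account settings and the Security Restrictions rows are entered on two separate screens, so it is easy to leave one of them incomplete. The Python script below is an added example, not part of the original article or of Sambar: it checks hand-typed, constructed records (not a Sambar file format) for blank passwords, enabled accounts whose root is not a single folder under /docs/, and user directories with no restriction row. The `audit` function name, the sample values for admin and anonymous, and the username-as-password check are assumptions added here.

```python
# Constructed sample data, typed in by hand from the User Management and
# Security Configuration screens. Not a Sambar file format.
USERS = [  # (username, password, root directory, FTP access)
    ("admin", "", "", "Read/Write"),
    ("anonymous", "", "/docs/", "Read/Write"),
    ("user1", "user1", "/docs/1234/", "Read/Write"),
    ("user2", "user2", "/docs/1235/", "Read/Write"),
    ("user3", "user3", "/docs/1236/", "Read/Write"),
]
RESTRICTIONS = {"/1234": "user1", "/1235": "user2"}  # row for /1236 forgotten


def audit(users, restrictions):
    """Return sorted (username, finding) pairs for risky account settings."""
    findings = []
    for name, password, root, access in users:
        if access == "None":
            continue  # account disabled, nothing to check
        if password == "":
            findings.append((name, "blank password"))
        elif password.lower() == name.lower():
            findings.append((name, "password same as username"))
        if name == "admin":
            continue  # admin has no per-user document directory
        # Root Directory should be one folder below /docs/, e.g. /docs/1234/
        parts = [p for p in root.split("/") if p]
        if len(parts) < 2 or parts[0] != "docs":
            findings.append((name, "root directory is not /docs/<id>/"))
            continue
        web_dir = "/" + parts[1]  # the Security Restrictions form drops /docs
        owner = restrictions.get(web_dir)
        if owner is None:
            findings.append((name, "no Security Restrictions row for " + web_dir))
        elif owner != name:
            findings.append((name, web_dir + " is assigned to " + owner))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(USERS, RESTRICTIONS):
        print(f"{name}: {finding}")
```

An empty result means every enabled account has a password that differs from its username and every user directory is assigned to its own user.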
Users should change their password often. You can make this easy on them by copying the file found in C:\sambar52\sysadmin\usermgmt\ named passwd.htm to their individual document directory. You could also copy this file to the main docs directory at C:\sambar52\docs\. Your users would have to type http://yourIPaddress/passwd.htm to change their password. If they forget their password you can always change it manually by editing their user profile from the User Management page in System Administration.
The Sambar server software we are using does allow for encrypted SSL connections, but this can be quite expensive. An encrypted connection doesn't mean anything unless you can trust the server sending you the key required for the connection. On the Internet, where computers and servers trade data and move data through one another, this means you need to use a trusted third party. In this case, the most trusted third parties are Verisign (http://www.verisign.com) and Thawte (http://www.thawte.com). If a trusted third party is not involved in the equation, anyone could substitute the real key with a fake key and decrypt all your traffic. Unfortunately, Verisign and Thawte charge you to use their services. For a 128-bit key Verisign charges $849 a year (see their Secure Site Pro package). Thawte charges $199 a year for a variable-length key that depends on what key the user's browser can handle, either 40-bit, 56-bit, or 128-bit. For a 128-bit nonvariable key Thawte charges $449 a year. Keep in mind that 128-bit encryption is the minimum required by HIPAA.
If you do want to go the SSL route there are instructions in the help files of Sambar server that tell you how to go about creating the necessary keys. Verisign and Thawte have further instructions for submitting keys and obtaining their services.
In my opinion, you are better off using file-level encryption rather than SSL. In the unlikely event that your server is hacked or compromised in some way, encrypted files will not help the hacker. If you rely on SSL it only encrypts the connection/transport of data through the Internet so files that are downloaded will be unencrypted automatically by your browser. See my previous article for encryption options.
Conclusion
The best way to learn is to try. Download and set up a server on your computer using the instructions in this article. Try to send yourself sample files from another computer and download them again. Test your security any which way you can. Above all have fun. You can't break this. If you get stuck, shut down the server, take a break, and pick up the instructions again at a later time. If you really get stuck and decide to forget it completely, just uninstall the server software, and your system will be back to normal.
Copyright 2002 by Mike DeTuri
(This article originally appeared in the Spring 2003 issue of Perspectives)