LinuxQuestions.org

Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
iptables: Block FTP in and out, allow SFTP (https://www.linuxquestions.org/questions/linux-security-4/iptables-block-ftp-in-and-out-allow-sftp-4175606786/)

Arty Ziff 05-27-2017 04:11 PM

iptables: Block FTP in and out, allow SFTP
 
I'm fairly new to knowledgeable editing of iptables...

I'd like to allow SFTP while blocking FTP.

I'm aware that FTP uses two ports, but that one of those ports is also required for SFTP.

Can someone help me out by pointing me in the right direction?

Habitual 05-27-2017 05:54 PM

Block port 21 and/or don't start an ftp daemon.
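
As an added example (not from this thread), here is what "block port 21 and make sure no ftpd is running" looks like on the host itself, with an audit step. It assumes iptables/ip6tables and a recent ss(8) that supports -H; the REJECT-with-reset choice and the use of the INPUT/OUTPUT chains are this example's, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: block the FTP control channel in both
# directions and audit for a listening FTP daemon.  Assumes iptables/ip6tables
# and ss(8) with -H; rules are appended to the filter table's INPUT/OUTPUT
# chains, so place them before any broad ACCEPT you already have (or use -I).

# Print local address:port for anything LISTENing on tcp/21 or tcp/20, given
# `ss -H -ltn` output on stdin (column 4 is Local Address:Port).  The anchored
# regex keeps 2121 or 2120 from matching.
ftp_listeners() {
    awk '$4 ~ /:(20|21)$/ { print $4 }'
}

# Rejecting tcp/21 inbound stops clients reaching a local ftpd; rejecting it
# outbound stops this host acting as an FTP client.  Data channels (tcp/20 or
# a passive range) are only ever negotiated over the control channel, so they
# need no rules of their own.  tcp/22 is untouched; that is all SFTP uses.
# REJECT with a TCP reset fails fast for a legitimate user who forgot; use
# DROP instead if you prefer scanners to see nothing.
apply_ftp_block() {
    for ipt in iptables ip6tables; do
        "$ipt" -w -A INPUT  -p tcp --dport 21 -j REJECT --reject-with tcp-reset
        "$ipt" -w -A OUTPUT -p tcp --dport 21 -j REJECT --reject-with tcp-reset
    done
}

# Return 1 (and name the socket) if an FTP daemon is still listening.
audit_ftp() {
    listeners=$(ss -H -ltn | ftp_listeners)
    if [ -n "$listeners" ]; then
        printf 'FTP listener(s) still present: %s\n' "$listeners" >&2
        return 1
    fi
    printf 'no listener on tcp/20 or tcp/21\n'
}

case "${1:-}" in
    apply) apply_ftp_block ;;   # needs root
    audit) audit_ftp ;;
esac
```

Run `sh block-ftp.sh audit` after stopping and disabling vsftpd to confirm nothing is still bound to tcp/21, then `apply` as root and persist the rules with your distribution's iptables-save mechanism; the audit is the part that catches an FTP daemon started by some other package or unit.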

Arty Ziff 05-27-2017 06:30 PM

Quote:

Originally Posted by Habitual (Post 5716019)
Block port 21 and/or don't start an ftp daemon.

Yes. Will not starting the FTP daemon and blocking the port be enough to prevent any FTP use? I know the obvious answer is "Yes, why would you even ask that", but I just want to run down all the even obviously blocked alleyways on this. I've been considering simply uninstalling FTP (I have vsFTP)...

scasey 05-27-2017 07:13 PM

Quote:

Originally Posted by Arty Ziff (Post 5716030)
Yes. Will not starting the FTP daemon and blocking the port be enough to prevent any FTP use? I know the obvious answer is "Yes, why would you even ask that", but I just want to run down all the even obviously blocked alleyways on this. I've been considering simply uninstalling FTP (I have vsFTP)...

Not starting the daemon will be enough, IMO. Blocking port 21 is adding suspenders to the belt.
BUT, I would only do this if there were very few (or one) SFTP user, because to allow a user to use SFTP they have to be able to login via sshd [true?]
I'm currently hosting several customers who are NOT allowed to login [login shell is /sbin/nologin], but who ARE allowed to use FTP to maintain their websites and/or provide downloads to their customers via FTP. Isn't that better/more secure than allowing them into sshd?
(I DO have to monitor the ftp logs and fail2ban the cracking attempts, tho.).

Thoughts?

Arty Ziff 05-27-2017 10:45 PM

Quote:

Originally Posted by scasey (Post 5716033)
Not starting the daemon will be enough, IMO. Blocking port 21 is adding suspenders to the belt.
BUT, I would only do this if there were very few (or one) SFTP user, because to allow a user to use SFTP they have to be able to login via sshd [true?]
I'm currently hosting several customers who are NOT allowed to login [login shell is /sbin/nologin], but who ARE allowed to use FTP to maintain their websites and/or provide downloads to their customers via FTP. Isn't that better/more secure than allowing them into sshd?
(I DO have to monitor the ftp logs and fail2ban the cracking attempts, tho.).

Thoughts?

I or one or two others who have SSH access anyway would be the only ones using SFTP. It's an application server so-to-speak, it runs some internal web apps that a lot of other people use for their particular functions. But I'm all about shutting all the doors that don't need to be unlocked. You might say "if that's the case, why care?", mostly because I'm paranoid.

But on a slightly different note, you allow FTP access to your customers? Just out of curiosity - it doesn't apply to me - are there any other alternatives? I get the idea that FTP is dangerous, so if alternatives (excluding SFTP) exist (do they?) why allow it? Do you force them to do automagic backups? Do you do them yourself on your customers "just in case"? Storage in the "cloud" really isn't that expensive anymore, there's really no excuse for not backing up everything daily and keeping 5 or ten versions back, just zip it all up into a nice convenient tar ball...

Turbocapitalist 05-27-2017 11:40 PM

Quote:

Originally Posted by Arty Ziff (Post 5715996)
I'm aware that FTP uses two ports, but that one of those ports is also required for SFTP.

Can someone help me out by pointing me in the right direction?

You're off by one on the port number for FTP. FTP uses 21 and, maybe, 20, depending on whether you're using active or passive FTP. There are also sequence diagrams for FTP connections.

SFTP is completely unrelated to FTP, as far as protocols go, except for the name. SFTP operates over SSH which is on port 22. So there is no overlap with the port numbers unless someone has made really weird configuration changes.

Those are only the defaults, though. Any service can be reconfigured or misconfigured to listen on other ports instead of, or in addition to, the defaults.

About the default port numbers, there is the IANA Service Name and Transport Protocol Port Number Registry online. It is the authoritative source on the matter.

You're taking the right step in moving to phase out FTP.

Turbocapitalist 05-27-2017 11:50 PM

Quote:

Originally Posted by Arty Ziff (Post 5716082)
I or one or two others who have SSH access anyway would be the only ones using SFTP. It's an application server so-to-speak, it runs some internal web apps that a lot of other people use for their particular functions. But I'm all about shutting all the doors that don't need to be unlocked. You might say "if that's the case, why care?", mostly because I'm paranoid.

SFTP is somewhat easy to limit according to group. For some groups of accounts, you could eliminate their shell access and allow only SFTP. Or you could chroot them to specific directories with a little more effort. But if it's only you and one or two others, then chroot is probably not appropriate since you'd presumably also need shell access on occasion. See the manual page for configuration directives Subsystem, Match, ForceCommand, ChrootDirectory, and maybe AuthorizedKeysFile.

Code:

man sshd_config

If your version of OpenSSH server is new enough, see also the 'restrict' option for the authorized_keys file.

Code:

man sshd

Though again that might not be so relevant if it is just you two or three.
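
As an added example (not from the thread, and not OpenSSH's own documentation), here is how the directives named above fit together for an SFTP-only, chrooted group, together with a `restrict` authorized_keys entry. The group name sftponly, the drop-in path under /etc/ssh/sshd_config.d, and the home-directory layout with an upload/ subdirectory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: an SFTP-only, chrooted group for
# OpenSSH using Match / ChrootDirectory / ForceCommand, plus a `restrict`
# authorized_keys entry.  The group name, the drop-in path and the home
# layout are assumptions for this example.  Include-style drop-ins need
# OpenSSH 8.2+; on older releases append the same text to sshd_config.
# `restrict` needs OpenSSH 7.2+.

SFTP_GROUP=${SFTP_GROUP:-sftponly}
DROPIN=/etc/ssh/sshd_config.d/99-sftponly.conf

# The Match block.  internal-sftp runs inside sshd itself, so the jail needs
# no binaries or libraries and the account's shell can stay /usr/sbin/nologin.
# A Match block stays in effect until the next Match line, so keep it at the
# end of whatever file it lives in.
sftp_only_config() {  # sftp_only_config <group>
    cat <<EOF
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# ChrootDirectory rules: every path component must be owned by root and not
# writable by group or others, or sshd refuses the login with
# "bad ownership or modes for chroot directory".  So the home itself is
# root:root 0755 and the user gets a writable subdirectory to upload into.
prepare_chroot() {  # prepare_chroot <user> <home>
    mkdir -p "$2/upload" "$2/.ssh"
    chown root:root "$2" && chmod 0755 "$2"
    chown "$1" "$2/upload" && chmod 0700 "$2/upload"
    chown "$1" "$2/.ssh"   && chmod 0700 "$2/.ssh"
}

# One authorized_keys line.  `restrict` turns off port/agent/X11 forwarding,
# PTY allocation and ~/.ssh/rc in a single keyword; it matters even though the
# Match block also disables them, because the key stays locked down if the
# account is ever moved out of the group.
restrict_key_line() {  # restrict_key_line <public-key-line>
    printf 'restrict %s\n' "$1"
}

case "${1:-}" in
    install)   # needs root; reload sshd afterwards
        getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
        sftp_only_config "$SFTP_GROUP" > "$DROPIN"
        sshd -t
        ;;
    adduser)   # adduser <name> "<public-key-line>"; needs root
        useradd -m -g "$SFTP_GROUP" -s /usr/sbin/nologin "$2"
        prepare_chroot "$2" "/home/$2"
        restrict_key_line "$3" > "/home/$2/.ssh/authorized_keys"
        chown "$2" "/home/$2/.ssh/authorized_keys"
        chmod 0600 "/home/$2/.ssh/authorized_keys"
        ;;
esac
```

The two checks worth doing after `install` are `sshd -t` (a Match block that is not last, or a typo in ChrootDirectory, fails here rather than locking you out) and an `sftp` login as the new user followed by an attempt to `ssh` in with the same key, which must be refused. If you need shell access yourself, as Turbocapitalist notes, simply keep your own account out of the group; the Match block only touches its members.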

scasey 05-28-2017 12:45 AM

Quote:

Originally Posted by Arty Ziff (Post 5716082)
But on a slightly different note, you allow FTP access to your customers? Just out of curiosity - it doesn't apply to me - are there any other alternatives? I get the idea that FTP is dangerous, so if alternatives (excluding SFTP) exist (do they?) why allow it? Do you force them to do automagic backups? Do you do them yourself on your customers "just in case"? Storage in the "cloud" really isn't that expensive anymore, there's really no excuse for not backing up everything daily and keeping 5 or ten versions back, just zip it all up into a nice convenient tar ball...

I'm not aware of other alternatives. Would be interested in hearing of any.
My Terms of Service put the responsibility for backups of customer data on the customer, but I do daily backups of the entire server using rsnapshot anyway, yes, just in case.

scasey 05-28-2017 12:50 AM

;)
Quote:

Originally Posted by Turbocapitalist (Post 5716097)
SFTP is somewhat easy to limit according to group. For some groups of accounts, you could eliminate their shell access and allow only SFTP. Or you could chroot them to specific directories with a little more effort. But if it's only you and one or two others, then chroot is probably not appropriate since you'd presumably also need shell access on occasion. See the manual page for configuration directives Subsystem, Match, ForceCommand, ChrootDirectory, and maybe AuthorizedKeysFile.

Code:

man sshd_config

If your version of OpenSSH server is new enough, see also the 'restrict' option for the authorized_keys file.

Code:

man sshd

Though again that might not be so relevant if it is just you two or three.

I shall have to look into it further. Thanks for the pointers Turbocapitalist.

AND I apologize for hijacking the thread...to bring it back to topic:

Don't run an FTP daemon and/or block port 21 :);)

michaelk 05-28-2017 05:37 AM

Just for clarification SFTP is not the same thing as FTPS (FTP/SSL). FTPS can use port 21 if configured using implicit mode. Because FTP uses a dynamic secondary port you can configure the server to use a set range and then open those ports in the firewall. As stated if FTP access is not required then do not run the server. Otherwise you need to configure the firewall for the FTPS mode in use.
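
For anyone who does need to keep FTPS (not SFTP) running, here is an added example, not from the thread, that derives the firewall rules from a vsftpd configuration (the OP's daemon). It assumes a vsftpd.conf using the real directives pasv_min_port, pasv_max_port, listen_port and implicit_ssl; the sample file contents and the rule layout are constructed for this example. The reason a pinned range is mandatory rather than optional is the one michaelk's post hints at: with TLS on the control channel the kernel's nf_conntrack_ftp helper cannot read the PASV reply, so it cannot open data ports dynamically.

```shell
#!/bin/sh
# Added example, not from the thread: derive the firewall rules an FTPS
# vsftpd instance needs from its own config.  With TLS on the control
# channel the nf_conntrack_ftp helper cannot see PASV replies, so the data
# ports must be a fixed range opened explicitly.
# vsftpd keywords used: pasv_min_port, pasv_max_port, listen_port, implicit_ssl.

# Print "<control-port> <pasv-min> <pasv-max>" from a vsftpd.conf.
# Defaults: port 21 (explicit FTPS) or 990 when implicit_ssl=YES.  If no
# passive range is pinned the function fails, because no rule set can be
# right in that case (vsftpd would pick ephemeral ports at random).
ftps_ports() {  # ftps_ports <vsftpd.conf>
    awk -F= '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == "listen_port"   { port = $2 }
        $1 == "implicit_ssl"  { implicit = ($2 == "YES") }
        $1 == "pasv_min_port" { lo = $2 }
        $1 == "pasv_max_port" { hi = $2 }
        END {
            if (port == "") port = implicit ? 990 : 21
            if (lo == "" || hi == "" || lo + 0 < 1 || lo + 0 > hi + 0) {
                print "passive range not pinned (pasv_min_port/pasv_max_port)" > "/dev/stderr"
                exit 1
            }
            print port, lo, hi
        }' "$1"
}

# Emit the iptables commands for that instance: the control port plus the
# pinned passive range, both for NEW connections only.  Active-mode data
# connections originate from the server (source port 20), so they need no
# inbound rule; forget the ftp conntrack helper entirely for FTPS.
ftps_rules() {  # ftps_rules <vsftpd.conf>
    ports=$(ftps_ports "$1") || return 1
    set -- $ports
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$2" "$3"
}

case "${1:-}" in
    rules) ftps_rules "${2:-/etc/vsftpd.conf}" ;;
esac
```

Run `sh ftps-rules.sh rules /etc/vsftpd.conf` and review the two commands before applying them; if it refuses because the passive range is not pinned, fix vsftpd.conf first, since opening "whatever vsftpd picks" is the same as opening every high port.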

