iptables: Block FTP in and out, allow SFTP
I'm fairly new to knowledgeable editing of iptables...
I'd like to allow SFTP while blocking FTP. I'm aware that FTP uses two ports, but that one of those ports is also required for SFTP. Can someone help me out by pointing me in the right direction?
Block port 21 and/or don't start an ftp daemon.
Quote:
BUT, I would only do this if there were very few (or one) SFTP user, because to allow a user to use SFTP they have to be able to login via sshd [true?]. I'm currently hosting several customers who are NOT allowed to login [login shell is /sbin/nologin], but who ARE allowed to use FTP to maintain their websites and/or provide downloads to their customers via FTP. Isn't that better/more secure than allowing them into sshd? (I DO have to monitor the ftp logs and fail2ban the cracking attempts, though.) Thoughts?
Quote:
But on a slightly different note, you allow FTP access to your customers? Just out of curiosity - it doesn't apply to me - are there any other alternatives? I get the idea that FTP is dangerous, so if alternatives (excluding SFTP) exist (do they?) why allow it? Do you force them to do automagic backups? Do you do them yourself on your customers' behalf "just in case"? Storage in the "cloud" really isn't that expensive anymore; there's really no excuse for not backing up everything daily and keeping 5 or ten versions back, just zip it all up into a nice convenient tar ball...
Quote:
SFTP is completely unrelated to FTP, as far as protocols go, except for the name. SFTP operates over SSH, which is on port 22. So there is no overlap with the port numbers unless someone has made really weird configuration changes. Those are only the defaults, though. Any service can be reconfigured or misconfigured to listen on other ports instead of or in addition to the defaults. About the default port numbers, there is the IANA Service Name and Transport Protocol Port Number Registry online. It is the authoritative source on the matter. You're taking the right step in moving to phase out FTP.
Quote:
Code:
man sshd_config
Code:
man sshd
Quote:
My Terms of Service put the responsibility for backups of customer data on the customer, but I do daily backups of the entire server using rsnapshot anyway, yes, just in case.
;)
Quote:
AND I apologize for hijacking the thread... to bring it back on topic: Don't run an FTP daemon and/or block port 21 :);)
Just for clarification, SFTP is not the same thing as FTPS (FTP/SSL). FTPS can use port 21 if configured using implicit mode. Because FTP uses a dynamic secondary port, you can configure the server to use a set range and then open those ports in the firewall. As stated, if FTP access is not required then do not run the server. Otherwise you need to configure the firewall for the FTPS mode in use.
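Pulling the thread's advice together as an added example (not posted by anyone in this thread): a POSIX shell script that emits iptables rules dropping FTP's control port 21 in and out while keeping SSH/SFTP on port 22 reachable, plus an sshd_config Match block for the /sbin/nologin customers question above, giving such accounts SFTP without a shell. Assumed, not from the thread: sshd on its default port, chains with no earlier catch-all ACCEPT, a hypothetical group named sftponly, and chroot directories under /srv/sftp.

```shell
#!/bin/sh
# Added example, not from the thread: emit (and optionally apply) iptables rules
# that drop the FTP control port in both directions while leaving SSH/SFTP open,
# plus an sshd_config Match block for SFTP-only accounts.
# Assumptions: sshd listens on 22, the chains hold no earlier catch-all ACCEPT,
# and SFTP-only accounts belong to a group named "sftponly" (hypothetical).
SSH_PORT="${SSH_PORT:-22}"
FTP_PORT=21

# Print the rules rather than run them, so they can be reviewed first. The two
# FTP DROPs come before the stateful ACCEPT so that an FTP session that is
# already established is cut off rather than grandfathered in.
ftp_block_rules() {
    cat <<EOF
iptables -A INPUT  -p tcp --dport $FTP_PORT -j DROP
iptables -A OUTPUT -p tcp --dport $FTP_PORT -j DROP
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Sanity check: every DROP for the FTP port must precede the first
# ESTABLISHED,RELATED ACCEPT. Returns 0 when the order is right.
check_rule_order() {
    ftp_block_rules | awk -v p="$FTP_PORT" '
        /ESTABLISHED,RELATED/ && !seen_est { seen_est = NR }
        $0 ~ ("--dport " p " -j DROP") && seen_est { bad = 1 }
        END { exit bad ? 1 : 0 }'
}
# Apply the rules; needs root and a kernel with the conntrack match.
apply_ftp_block() { check_rule_order && ftp_block_rules | sh -e; }

# sshd_config fragment for accounts that may use SFTP but never get a shell:
# internal-sftp runs inside sshd and never executes the account's login shell,
# so /sbin/nologin stays in place. The chroot directory must be owned by root
# and not group/world writable, or sshd refuses the login. Replace any existing
# "Subsystem sftp" line; Subsystem is not allowed inside a Match block.
sftp_only_sshd_config() {
    grp="${1:-sftponly}"
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $grp
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}
```

Review the output of `ftp_block_rules` and `sftp_only_sshd_config` before running `apply_ftp_block` as root or pasting the Match block into sshd_config.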