LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-27-2017, 04:11 PM   #1
Arty Ziff
Member
 
Registered: May 2008
Location: Tacoma, WA
Distribution: CentOS and RHEL
Posts: 124

Rep: Reputation: 15
iptables: Block FTP in and out, allow SFTP


I'm fairly new to knowledgeable editing of iptables...

I'd like to allow SFTP while blocking FTP.

I'm aware that FTP uses two ports, but that one of those ports is also required for SFTP.

Can someone help me out by pointing me in the right direction?
 
Old 05-27-2017, 05:54 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Block port 21 and/or don't start an ftp daemon.
 
1 member found this post helpful.
Old 05-27-2017, 06:30 PM   #3
Arty Ziff
Member
 
Registered: May 2008
Location: Tacoma, WA
Distribution: CentOS and RHEL
Posts: 124

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Habitual
Block port 21 and/or don't start an ftp daemon.
Yes. Will not starting the FTP daemon and blocking the port be enough to prevent any FTP use? I know the obvious answer is "Yes, why would you even ask that", but I just want to run down all the even obviously blocked alleyways on this. I've been considering simply uninstalling FTP (I have vsFTP)...
 
Old 05-27-2017, 07:13 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,708

Rep: Reputation: 2210
Quote:
Originally Posted by Arty Ziff
Yes. Will not starting the FTP daemon and blocking the port be enough to prevent any FTP use? I know the obvious answer is "Yes, why would you even ask that", but I just want to run down all the even obviously blocked alleyways on this. I've been considering simply uninstalling FTP (I have vsFTP)...
Not starting the daemon will be enough, IMO. Blocking port 21 is adding suspenders to the belt.
BUT, I would only do this if there were very few (or one) SFTP user, because to allow a user to use SFTP they have to be able to login via sshd [true?]
I'm currently hosting several customers who are NOT allowed to login [login shell is /sbin/nologin], but who ARE allowed to use FTP to maintain their websites and/or provide downloads to their customers via FTP. Isn't that better/more secure than allowing them into sshd?
(I DO have to monitor the ftp logs and fail2ban the cracking attempts, tho.).

Thoughts?
 
1 member found this post helpful.
Old 05-27-2017, 10:45 PM   #5
Arty Ziff
Member
 
Registered: May 2008
Location: Tacoma, WA
Distribution: CentOS and RHEL
Posts: 124

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by scasey
Not starting the daemon will be enough, IMO. Blocking port 21 is adding suspenders to the belt.
BUT, I would only do this if there were very few (or one) SFTP user, because to allow a user to use SFTP they have to be able to login via sshd [true?]
I'm currently hosting several customers who are NOT allowed to login [login shell is /sbin/nologin], but who ARE allowed to use FTP to maintain their websites and/or provide downloads to their customers via FTP. Isn't that better/more secure than allowing them into sshd?
(I DO have to monitor the ftp logs and fail2ban the cracking attempts, tho.).

Thoughts?
I or one or two others who have SSH access anyway would be the only ones using SFTP. It's an application server, so to speak; it runs some internal web apps that a lot of other people use for their particular functions. But I'm all about shutting all the doors that don't need to be unlocked. You might say "if that's the case, why care?", mostly because I'm paranoid.

But on a slightly different note, you allow FTP access to your customers? Just out of curiosity - it doesn't apply to me - are there any other alternatives? I get the idea that FTP is dangerous, so if alternatives (excluding SFTP) exist (do they?), why allow it? Do you force them to do automagic backups? Do you do them yourself on your customers "just in case"? Storage in the "cloud" really isn't that expensive anymore; there's really no excuse for not backing up everything daily and keeping five or ten versions back, just zip it all up into a nice convenient tarball...

Last edited by Arty Ziff; 05-27-2017 at 10:52 PM.
 
Old 05-27-2017, 11:40 PM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
Quote:
Originally Posted by Arty Ziff
I'm aware that FTP uses two ports, but that one of those ports is also required for SFTP.

Can someone help me out by pointing me in the right direction?
You're off by one on the port number for FTP. FTP uses 21 and, maybe, 20, depending on whether you're using active or passive FTP. There are also sequence diagrams for FTP connections.

SFTP is completely unrelated to FTP, as far as protocols go, except for the name. SFTP operates over SSH which is on port 22. So there is no overlap with the port numbers unless someone has made really weird configuration changes.

Those are only the defaults, though. Any service can be reconfigured or misconfigured to listen on other ports instead of, or in addition to, the defaults.

About the default port numbers, there is the IANA Service Name and Transport Protocol Port Number Registry online. It is the authoritative source on the matter.

You're taking the right step in moving to phase out FTP.
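A worked version of the advice in this thread, added here as an example rather than code posted by anyone above: reject FTP control (21) and active-mode data (20) in both directions, keep SSH/SFTP on 22 reachable, and audit a live ruleset so the "suspenders" can actually be verified. It assumes iptables with the filter table and the conntrack match (as on CentOS/RHEL), sshd on the IANA default 22, and the default FTP port numbers; the variable and function names, and the constructed iptables-save excerpts, are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread above): block FTP in both directions with
# iptables while leaving SSH/SFTP reachable, plus an audit of a live ruleset.
# Assumptions: iptables with the filter table and conntrack match (CentOS/RHEL),
# sshd on the IANA default TCP 22; FTP control is TCP 21 and active-mode data
# comes from TCP 20. The variable and function names are this example's own.
SSH_PORT=${SSH_PORT:-22}
FTP_PORTS=21,20

# Print the rules for review; apply with: sh thisfile.sh apply  (as root).
# -A appends, so an earlier blanket ACCEPT in the same chain would still win;
# the audit below flags a rule that accepts port 21.
ftp_block_rules() {
    cat <<EOF
# keep already-open flows (your current SSH session, in-flight web app traffic)
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH and SFTP are one listener: new connections to TCP $SSH_PORT
iptables -A INPUT  -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# nobody may reach an FTP daemon here, even if one gets started by mistake
iptables -A INPUT  -p tcp -m multiport --dports $FTP_PORTS -j REJECT --reject-with tcp-reset
# and this host may not act as an FTP client either: with no outbound control
# channel no passive data channel can be negotiated
iptables -A OUTPUT -p tcp -m multiport --dports $FTP_PORTS -j REJECT --reject-with tcp-reset
EOF
}

# Audit: read `iptables-save -t filter` output on stdin. Succeed only if INPUT
# and OUTPUT each contain a TCP rule that DROPs or REJECTs destination port 21
# and neither chain contains a rule that ACCEPTs it. Understands both
# "--dport 21" and multiport lists such as "--dports 21,20" / "20,21".
PORT21='-p tcp .*--dports? ([0-9,]*,)?21(,[0-9,]*)? '
ruleset_blocks_ftp() {
    dump=$(cat)
    for chain in INPUT OUTPUT; do
        rules=$(printf '%s\n' "$dump" | grep -E "^-A $chain " | grep -E -e "$PORT21" || true)
        printf '%s\n' "$rules" | grep -E -e '-j ACCEPT' >/dev/null && return 1
        printf '%s\n' "$rules" | grep -E -e '-j (DROP|REJECT)' >/dev/null || return 1
    done
    return 0
}

# Constructed iptables-save excerpts (not captured from a real host) used to
# exercise the audit: the first must pass, the second must fail (INPUT still
# accepts 21 before dropping it, and OUTPUT has no FTP rule at all).
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,20 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m multiport --dports 21,20 -j REJECT --reject-with tcp-reset
COMMIT'
SAMPLE_BAD='*filter
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j DROP
COMMIT'

selfcheck() {
    printf '%s\n' "$SAMPLE_GOOD" | ruleset_blocks_ftp || return 1
    if printf '%s\n' "$SAMPLE_BAD" | ruleset_blocks_ftp; then return 1; fi
    return 0
}

case "${1:-}" in
    rules)     ftp_block_rules ;;
    apply)     ftp_block_rules | sh -e ;;
    audit)     iptables-save -t filter | ruleset_blocks_ftp \
                   && echo "FTP blocked in INPUT and OUTPUT" \
                   || { echo "FTP not fully blocked" >&2; exit 1; } ;;
    selfcheck) selfcheck && echo ok ;;
esac
```

The audit only proves the packet filter; it says nothing about whether a daemon is listening, so pair it with `ss -ltn 'sport = :21'` (empty output means no FTP listener) and with removing the vsftpd package or service. REJECT with a TCP reset rather than DROP makes a stray FTP client fail immediately instead of hanging through a timeout, which is easier to notice in logs.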
 
Old 05-27-2017, 11:50 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
Quote:
Originally Posted by Arty Ziff
I or one or two others who have SSH access anyway would be the only ones using SFTP. It's an application server so-to-speak, it runs some internal web apps that a lot of other people use for their particular functions. But I'm all about shutting all the doors that don't need to be unlocked. You might say "if that's the case, why care?", mostly because I'm paranoid.
SFTP is somewhat easy to limit according to group. For some groups of accounts, you could eliminate their shell access and allow only SFTP. Or you could chroot them to specific directories with a little more effort. But if it's only you and one or two others, then chroot is probably not appropriate since you'd presumably also need shell access on occasion. See the manual page for configuration directives Subsystem, Match, ForceCommand, ChrootDirectory, and maybe AuthorizedKeysFile.

Code:
man sshd_config
If your version of OpenSSH server is new enough, see also the 'restrict' option for the authorized_keys file.

Code:
man sshd
Though again that might not be so relevant if it's just you two or three.
 
2 members found this post helpful.
Old 05-28-2017, 12:45 AM   #8
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,708

Rep: Reputation: 2210
Quote:
Originally Posted by Arty Ziff
But on a slightly different note, you allow FTP access to your customers? Just out of curiosity - it doesn't apply to me - are there any other alternatives? I get the idea that FTP is dangerous, so if alternatives (excluding SFTP) exist (do they?), why allow it? Do you force them to do automagic backups? Do you do them yourself on your customers "just in case"? Storage in the "cloud" really isn't that expensive anymore; there's really no excuse for not backing up everything daily and keeping five or ten versions back, just zip it all up into a nice convenient tarball...
I'm not aware of other alternatives. Would be interested in hearing of any.
My Terms of Service put the responsibility for backups of customer data on the customer, but I do daily backups of the entire server using rsnapshot anyway, yes, just in case.
 
Old 05-28-2017, 12:50 AM   #9
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,708

Rep: Reputation: 2210
Quote:
Originally Posted by Turbocapitalist
SFTP is somewhat easy to limit according to group. For some groups of accounts, you could eliminate their shell access and allow only SFTP. Or you could chroot them to specific directories with a little more effort. But if it's only you and one or two others, then chroot is probably not appropriate since you'd presumably also need shell access on occasion. See the manual page for configuration directives Subsystem, Match, ForceCommand, ChrootDirectory, and maybe AuthorizedKeysFile.

Code:
man sshd_config
If your version of OpenSSH server is new enough, see also the 'restrict' option for the authorized_keys file.

Code:
man sshd
Though again that might not be so relevant if it's just you two or three.
I shall have to look into it further. Thanks for the pointers Turbocapitalist.

AND I apologize for hijacking the thread...to bring it back to topic:

Don't run an FTP daemon and/or block port 21
 
Old 05-28-2017, 05:37 AM   #10
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,592

Rep: Reputation: 5880
Just for clarification SFTP is not the same thing as FTPS (FTP/SSL). FTPS can use port 21 if configured using implicit mode. Because FTP uses a dynamic secondary port you can configure the server to use a set range and then open those ports in the firewall. As stated if FTP access is not required then do not run the server. Otherwise you need to configure the firewall for the FTPS mode in use.
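For the case that post describes, where FTP or FTPS has to stay and the passive range must be opened, here is an added example (not code from the poster) that derives the firewall rules from the range actually configured in vsftpd.conf rather than from memory, and refuses a range vsftpd itself would not accept. It assumes vsftpd with pasv_min_port/pasv_max_port set and explicit FTPS (AUTH TLS on the control port, TCP 21); the function names and the constructed config excerpt are this example's own. Implicit FTPS is registered with IANA on TCP 990, so add that port to the control rule if that mode is in use.

```shell
#!/bin/sh
# Added example (not from the thread): if FTP/FTPS must stay, derive the
# firewall rules from the passive range configured in vsftpd.conf instead of
# guessing. Assumptions: vsftpd with pasv_min_port/pasv_max_port set, explicit
# FTPS (AUTH TLS on the control port, TCP 21); the function names are this
# example's own. Implicit FTPS is registered with IANA on TCP 990; add that
# port to the control rule if that mode is configured.

# Read a vsftpd.conf on stdin and print "min max" for the passive range.
# Fails if either key is missing, non-numeric, below 1024, above 65535, or
# min > max (a range vsftpd itself would refuse at startup).
pasv_range() {
    min=''; max=''
    while IFS= read -r line; do
        line=${line%%#*}                          # drop comment lines
        line=$(printf '%s' "$line" | tr -d ' \t') # vsftpd uses key=value, no spaces
        case $line in
            pasv_min_port=*) min=${line#*=} ;;
            pasv_max_port=*) max=${line#*=} ;;
        esac
    done
    [ -n "$min" ] && [ -n "$max" ] || return 1
    case "$min$max" in *[!0-9]*) return 1 ;; esac
    [ "$min" -ge 1024 ] && [ "$min" -le "$max" ] && [ "$max" -le 65535 ] || return 1
    echo "$min $max"
}

# Rules for an FTPS server whose passive range comes from vsftpd.conf on stdin.
# A TLS-protected control channel hides the PASV reply from the
# nf_conntrack_ftp helper, so RELATED matching cannot open the data port;
# a fixed range opened explicitly is the only approach that works.
ftps_firewall_rules() {
    range=$(pasv_range) || { echo "pasv_min_port/pasv_max_port missing or invalid" >&2; return 1; }
    set -- $range
    cat <<EOF
# control channel (explicit FTPS upgrades this connection with AUTH TLS)
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# passive data channel: exactly the range vsftpd will announce, nothing wider
iptables -A INPUT -p tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Constructed vsftpd.conf excerpt (not taken from any real host).
SAMPLE_CONF='# vsftpd.conf excerpt
listen=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100'

selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_CONF" | pasv_range)" = "50000 50100" ] || return 1
    # an inverted range must be rejected, not turned into a rule
    if printf 'pasv_min_port=50100\npasv_max_port=50000\n' | pasv_range; then return 1; fi
    return 0
}

# /etc/vsftpd/vsftpd.conf is the CentOS/RHEL location; assumed, not verified here.
case "${1:-}" in
    rules)     ftps_firewall_rules < "${2:-/etc/vsftpd/vsftpd.conf}" ;;
    selfcheck) selfcheck && echo ok ;;
esac
```

Keep the range as small as the number of simultaneous transfers allows, since every port in it is reachable from the internet, and regenerate the rule whenever the range in vsftpd.conf changes; a mismatch shows up as logins that succeed and directory listings that hang.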
 
  

