LinuxQuestions.org

Forum: Linux - Security
Thread: Opening FTP service on public facing website for 3rd party maintenance access (http://www.linuxquestions.org/questions/linux-security-4/opening-ftp-service-on-public-facing-website-for-3rd-party-maintenance-access-842288/)

albertwt 11-04-2010 05:58 AM

Opening FTP service on public facing website for 3rd party maintenance access
 
Hi All,

I'd like to know if it is a common security flaw, or normal practice, to open up FTP to the public (protected with a password, of course) for 3rd-party access to maintain our public-facing / production website?

If yes, what sort of FTP application should be installed on your Linux web server?

Any sharing and suggestions in regard to this thread will be greatly appreciated.

Thanks,

AWT

linuxlover.chaitanya 11-04-2010 06:35 AM

I would say anything open to the public internet is always at risk, even if you have authentication in place. If it is going to be used by limited users and they have static addresses, using iptables to only allow certain addresses for FTP will increase security. Also, changing the default listening port to something else should add another layer of security.
You can use vsftpd for your needs, though.
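The address restriction suggested above, as an added example that is not code from the thread: a small POSIX shell script that emits the iptables rules allowing the FTP control port (and a passive data range) only from a fixed list of maintainer addresses and dropping everyone else. The addresses are constructed documentation ranges, the passive range is an assumption that must match the server's pasv_min_port/pasv_max_port, and the script assumes the usual ESTABLISHED,RELATED accept rule already sits at the top of the INPUT chain. By default it only prints the rules; `--apply` runs them.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that allow the
# FTP control port only from a fixed list of client addresses and drop every
# other source on that port. Addresses used below are constructed RFC 5737
# documentation ranges, not real clients.

FTP_PORT=21            # or whatever non-default port the server listens on
PASV_MIN=50000         # passive data range; assumed to match the server's
PASV_MAX=50100         # pasv_min_port / pasv_max_port settings

# gen_ftp_rules PORT CIDR... -> prints one iptables command per line.
# Assumes an earlier "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
# rule handles reply packets, so only NEW connections are matched here.
gen_ftp_rules() {
    port=$1; shift
    for src in "$@"; do
        # control connection from each maintainer address
        echo "iptables -A INPUT -p tcp -s $src --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        # passive-mode data connections from the same address
        echo "iptables -A INPUT -p tcp -s $src --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate NEW -j ACCEPT"
    done
    # everyone else is dropped on both the control port and the data range
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    echo "iptables -A INPUT -p tcp --dport $PASV_MIN:$PASV_MAX -j DROP"
}

# count_rules PORT CIDR... -> number of rule lines that would be emitted
count_rules() {
    gen_ftp_rules "$@" | wc -l | tr -d ' '
}

# Only touch the live firewall when explicitly asked; otherwise just print.
if [ "${1:-}" = "--apply" ]; then
    shift
    gen_ftp_rules "$@" | while read -r rule; do
        eval "$rule"
    done
else
    gen_ftp_rules "$FTP_PORT" 203.0.113.10 198.51.100.0/24
fi
```

Run it as `sh ftp-rules.sh` to review the rules, then `sh ftp-rules.sh --apply 21 203.0.113.10 198.51.100.0/24` (as root) to install them; the DROP rules are appended last so the address-specific ACCEPT rules win. Restricting the passive range matters because FTP opens a second connection for every transfer, and an unrestricted range silently undoes the control-port rule.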

Hangdog42 11-04-2010 06:49 AM

You should also consider using SSL with your FTP server as FTP transmits usernames and passwords in the clear. That isn't a problem if you're just using anonymous access, but if you're allowing access to only specific people, it is something worth considering.
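As an added example (not code from the thread or from the vsftpd project), here is a shell check for the point above: turning on SSL in vsftpd only offers TLS, so the configuration must also force it for logins and data, or the password can still travel in the clear. The script inspects two constructed vsftpd.conf files, one that merely enables SSL and one that enforces it; the option names are vsftpd's real ones, the certificate paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report which settings in a vsftpd.conf
# still allow credentials or data to travel unencrypted. Two constructed
# config files are used as input; certificate paths are assumptions.

# conf_value FILE KEY -> value of KEY (last uncommented occurrence) or empty
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# check_vsftpd_tls FILE -> prints one line per finding; nothing when clean.
# vsftpd defaults the two force_* options to YES, but the checker deliberately
# insists on an explicit YES so the intent is visible in the file.
check_vsftpd_tls() {
    f=$1
    [ "$(conf_value "$f" ssl_enable)" = "YES" ]             || echo "ssl_enable is not YES"
    [ "$(conf_value "$f" force_local_logins_ssl)" = "YES" ] || echo "force_local_logins_ssl is not YES (passwords may go in the clear)"
    [ "$(conf_value "$f" force_local_data_ssl)" = "YES" ]   || echo "force_local_data_ssl is not YES (file contents may go in the clear)"
    [ "$(conf_value "$f" ssl_sslv2)" != "YES" ]             || echo "ssl_sslv2 is YES (obsolete protocol enabled)"
    [ "$(conf_value "$f" ssl_sslv3)" != "YES" ]             || echo "ssl_sslv3 is YES (obsolete protocol enabled)"
}

# count_tls_findings FILE -> number of findings
count_tls_findings() { check_vsftpd_tls "$1" | wc -l | tr -d ' '; }

# --- constructed sample configurations -----------------------------------
weak=$(mktemp); strong=$(mktemp)
# "weak": TLS is available but clients may still log in in plaintext
cat >"$weak" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
EOF
# "strong": TLS required for login and data, obsolete SSL versions off,
# fixed passive range so the firewall can be tightened around it
cat >"$strong" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
anonymous_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# certificate paths below are assumptions for the example
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF

echo "weak:   $(count_tls_findings "$weak") finding(s)"
check_vsftpd_tls "$weak"
echo "strong: $(count_tls_findings "$strong") finding(s)"
```

Point `check_vsftpd_tls` at the real `/etc/vsftpd.conf` to audit a live server; an empty result means both the login and the data channel are forced over TLS for local users.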

tronayne 11-04-2010 06:56 AM

I think I would want to have SSH implemented for any outside access (and require the use of sftp; sftp "...operates over an encrypted ssh transport.").

With ssh, you control who has what access and it's a reliable way to do what you're interested in. SSH is, in many ways, analogous to the user id/password system.

You may wish to turn off (or not turn on) ftp services, possibly found in /etc/inetd.conf (your location may vary). The services lines in /etc/inetd.conf look like this:
Code:

#
# These are standard services:
#
# Very Secure File Transfer Protocol (FTP) server.
#ftp    stream  tcp    nowait  root    /usr/sbin/tcpd  vsftpd
#
# Professional File Transfer Protocol (FTP) server.
#ftp    stream  tcp    nowait  root    /usr/sbin/tcpd  proftpd
#
# Telnet server:
#telnet stream  tcp    nowait  root    /usr/sbin/tcpd  in.telnetd
#

On my systems, these are all commented out (meaning that they are not available) and external users are required to use SSH (and, thus, sftp) for any connections or file transfers.

Hope this helps some.

nowonmai 11-04-2010 08:04 AM

^ Agreed

ftp over ssh with access controlled by keys and passphrases will give you a fairly tight lockdown.
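The two replies above, as one added example that is not code from the thread: a shell audit that lists which services in an inetd.conf are still active (the ftp and telnet lines tronayne shows commented out), run against two constructed files, plus the sshd_config fragment that limits a maintenance group to key-based SFTP only, as nowonmai suggests. The group name `sftponly` and the chroot path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): (1) report which inetd.conf services
# are still enabled, (2) emit an sshd_config block that confines a group to
# key-authenticated SFTP. Group name and chroot path are assumptions.

# enabled_services FILE -> service name (first field) of every active line,
# skipping comments and blank lines
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# cleartext_services FILE -> how many of ftp/telnet are active (prints 0 if none)
cleartext_services() {
    enabled_services "$1" | grep -E -c '^(ftp|telnet)$'
}

# sftp_only_config GROUP CHROOT -> sshd_config fragment. The Match block must
# be the last thing in sshd_config; the chroot directory must be owned by
# root and not group/world writable, with a writable subdirectory for uploads.
sftp_only_config() {
    cat <<EOF
# keys only, no password logins for anyone
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# --- constructed sample inetd.conf files ---------------------------------
hardened=$(mktemp); risky=$(mktemp)
cat >"$hardened" <<'EOF'
# These are standard services:
#ftp    stream  tcp    nowait  root    /usr/sbin/tcpd  vsftpd
#telnet stream  tcp    nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
cat >"$risky" <<'EOF'
# ftp left enabled by a previous admin
ftp     stream  tcp    nowait  root    /usr/sbin/tcpd  vsftpd
#telnet stream  tcp    nowait  root    /usr/sbin/tcpd  in.telnetd
EOF

echo "hardened: $(cleartext_services "$hardened") cleartext service(s) active"
echo "risky:    $(cleartext_services "$risky") cleartext service(s) active"
echo "--- sshd_config fragment ---"
sftp_only_config sftponly /srv/www-upload
```

Run `enabled_services /etc/inetd.conf` on the real file to see what inetd still offers; anything listed there that the site does not need can be commented out exactly as in the post above. The emitted sshd fragment pairs with an `authorized_keys` entry for each maintainer, so access is controlled by who holds a key (and its passphrase) rather than by a shared FTP password.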

albertwt 11-04-2010 08:19 AM

Ah, yes, SFTP. So in this case only ports 80 and 22 are open to the public?
Great, so can I use FileZilla from the internet to upload this?

nowonmai 11-04-2010 09:13 AM

Yup. It will even do key based authentication.
