[SOLVED] Opening FTP service on public facing website for 3rd party maintenance access

albertwt · 11-04-2010, 05:58 AM

Hi All,

I'd like to know if this is common security flaw or normal to open up FTP to the public which is of course protected with password for 3rd party access to maintain our public facing / production website ?

If yes, what sort of FTP application to install in your Linux webserver ?

Any kind of sharing and suggestion in regards to this thread will be greatly appreciated.

Thanks,

AWT

linuxlover.chaitanya · 11-04-2010, 06:35 AM

I would say, anything open to public internet is always at risk. Even if you have got authentication at place. If it is going to be used by limited users and if they have static addresses, using iptables to only allow certain addresses for FTP will increase the security. Also changing the default listening port to something else should put another layer of security.
You can use vstfpd for your needs though.

Hangdog42 · 11-04-2010, 06:49 AM

You should also consider using SSL with your FTP server as FTP transmits usernames and passwords in the clear. That isn't a problem if you're just using anonymous access, but if you're allowing access to only specific people, it is something worth considering.

tronayne · 11-04-2010, 06:56 AM

I think I would want to have SSH implemented for any outside access (and require the use sftp; sftp "...operates over an encrypted ssh transport."

With ssh, you control who has what access and it's a reliable way to do what you're interested in. SSH is, in many ways, analogous to the user id/password system.

You may wish to turn off (or not turn on) ftp services, possibly found in /etc/inetd.conf (your location may vary). The services lines in /etc/inetd.conf look like this:

Code:

#
# These are standard services:
#
# Very Secure File Transfer Protocol (FTP) server.
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  vsftpd
#
# Professional File Transfer Protocol (FTP) server.
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
#
# Telnet server:
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#

On my systems, there are all commented out (meaning that they are not available) and external users are required to use SSH (and, thus, sftp) for any connections or file transfers.

Hope this helps some.

nowonmai · 11-04-2010, 08:04 AM

^ Agreed

ftp over ssh with access controlled by keys and passphrases will give you a fairly tight lockdown.

albertwt · 11-04-2010, 08:19 AM

ah.. yes sFTP, so in this case only port 80 and 22 that is open to the public ?
great, so can I use Filezilla from the internet to upload this ?

nowonmai · 11-04-2010, 09:13 AM

Yup. It will even do key based authentication.