LinuxQuestions.org - Linux - Security - Safe practices for ftp server in my office? (http://www.linuxquestions.org/questions/linux-security-4/safe-practices-for-ftp-server-in-my-office-528784/)

BrianK 02-13-2007 05:44 PM

Safe practices for ftp server in my office?
 
I want to put an ftp server in my office - accessible to the world - for easier admin & file sharing. I've got a cable internet connection using the cable company's modem/router thing. It's supposedly the higher security device - made for business customers.

My question is - am I opening myself up to security issues by forwarding port 21 to computer X? I won't be allowing anon ftp access & the ftp server will do nothing but be an ftp server - no nfs mounts or anything - all local. That machine will, however, be on my local network. I'd like to be sure that no one can get to my other machines by opening ftp up to this machine.

I'll likely use ProFTP & the ftp server will be a Linux box (probably Debian or Ubuntu). I have 4 static ips available, so I could put the ftp server on a separate ip if that would make any difference.

Thoughts?

Brian1 02-13-2007 06:05 PM

Here is a link to secure proftpd. http://www.comptechdoc.org/os/linux/...secureftp.html

Only opening the needed ports to that machine helps with security. Setting other machines on the lan not to accept access from that machine can be an option as well. Running a firewall on all lan machines and defining the needed services and access is another option to increase security. Run only the services you need. Keep services updated.

Brian

win32sux 02-13-2007 10:29 PM

Quote:

Originally Posted by BrianK
I want to put an ftp server in my office - accessible to the world - for easier admin & file sharing. I've got a cable internet connection using the cable company's modem/router thing. It's supposedly the higher security device - made for business customers.

cool... but keep in mind that (port filtering aside) the modem/router thing won't really add that much security in this case, unless you have it configured to do IP address filtering (for example by allowing only certain IPs to access the FTP server)...

Quote:

My question is - am I opening myself up to security issues by forwarding port 21 to computer X? I won't be allowing anon ftp access & the ftp server will do nothing but be an ftp server - no nfs mounts or anything - all local. That machine will, however, be on my local network. I'd like to be sure that no one can get to my other machines by opening ftp up to this machine.
in that case, you definitely need to set up your LAN firewall(s) properly, because you will need to assume that the FTP server box *will* be cracked... so the firewalls will be your LAN's safety net when that happens...

Quote:

I'll likely use ProFTP & the ftp server will be a Linux box (probably Debian or Ubuntu). I have 4 available static ips available, so I could put the ftp server on a separate ip if that would make any difference.
as far as security is concerned, using a different IP won't make any difference at all...

there are *basically* three security issues you need to consider here:

#1 - the security of the FTP daemon...

#2 - the security of your network and other boxes when the FTP box gets cracked (and possibly vice-versa)...

#3 - the security of the data that is transmitted between the FTP server and clients...


#1 is addressed by making sure you use a secure and properly configured FTP daemon... #2 is addressed by making sure you have firewall rules in place in case all hell breaks loose... #3 cannot be addressed by FTP natively... so you need to be aware that the data you transmit (including the usernames/passwords) will be visible to anyone sniffing your connection...

if #3 isn't a problem for you, i'd suggest using vsftpd instead of proftpd simply because it has historically fit issue #1 better (security reputation, etc.)... but if #3 is indeed an issue, as it probably is, then i would suggest you forget about FTP entirely, and instead opt for SFTP, which will take care of issue #3... in any case, issue #2 is a separate one which you must deal with either way...

just my $0.02...

chort 02-14-2007 03:00 AM

Always keep in mind that FTP by default has no encryption, so it sends usernames and passwords "in the clear". If anyone can snoop on their network traffic, they can compromise all your FTP accounts. Some FTP daemons have an option to enable SSL or TLS. Check the documentation for the one you're planning on using to make sure it allows encrypted connections, and if possible configure it to only allow encrypted connections.
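Added example (not posted by anyone in this thread): a small POSIX shell audit that checks a vsftpd.conf for the settings win32sux's issues #1 and #3 and chort's advice call for, i.e. anonymous access off, users chrooted, and TLS required on both the login and the data channel. The option names are real vsftpd options; the two sample config files are constructed here and written to a temp dir, and the certificate path in the hardened sample is an assumption. The audit requires each option to be set explicitly rather than trusting the daemon's compile-time defaults, which differ between upstream and distro packages.

```shell
#!/bin/sh
# Added example, not from the thread: audit a vsftpd.conf for the hardening
# settings discussed above. Option names are real vsftpd options; file paths
# and the sample configs are constructed for the demo.

# conf_value FILE KEY -> prints the effective value of KEY, or nothing if unset.
# vsftpd reads the file top to bottom, so the last uncommented assignment wins.
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }   # skip comment lines
        $1 == key { val = $2 }      # later assignments override earlier ones
        END { print val }
    ' "$1"
}

# check_vsftpd_conf FILE -> prints one FAIL line per missing or wrong setting;
# returns 0 only when every required option is set to the required value.
check_vsftpd_conf() {
    conf="$1"
    status=0
    for want in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        key=${want%%=*}
        expect=${want#*=}
        have=$(conf_value "$conf" "$key")
        if [ "$have" != "$expect" ]; then
            printf 'FAIL %s: expected %s, found %s\n' "$key" "$expect" "${have:-<unset>}"
            status=1
        fi
    done
    return $status
}

# Constructed sample configs (written to a temp dir, never to /etc).
demo_dir=$(mktemp -d)

# The setup the thread warns against: cleartext logins, anonymous allowed.
cat > "$demo_dir/weak.conf" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
EOF

# Hardened: no anonymous users, chrooted locals, TLS forced for login and data.
cat > "$demo_dir/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# certificate path below is an assumption for the demo
rsa_cert_file=/etc/ssl/private/vsftpd.pem
EOF

# Demo run: report on both files without aborting on the failing one.
for f in weak hardened; do
    if check_vsftpd_conf "$demo_dir/$f.conf"; then
        echo "$f.conf: PASS"
    else
        echo "$f.conf: needs work"
    fi
done
```

Run it against a real file with `check_vsftpd_conf /etc/vsftpd.conf`; a zero exit status means the five settings are present. Note that `force_local_logins_ssl` and `force_local_data_ssl` only take effect when `ssl_enable=YES`, which is why the audit insists on all three together.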

nx5000 02-14-2007 06:32 AM

I highly suggest that you put this public ftp on a DMZ, a physically separated network.
Then define some kind of policy to get the file from the DMZ to the company.

For password eavesdropping (from one ftp user to another, as said above), you could lower the risk by using scponly (it's designed for what you want to do, in a way).
Tighten the local iptables a lot (like outgoing connections), put in some log checker and integrity system.

edit:
didn't see this one:
http://www.securityfocus.com/bid/21587
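Added example (not posted by anyone in this thread): a host firewall for the FTP box itself that covers win32sux's issue #2 and nx5000's "tighten the local iptables" point. It accepts FTP from anywhere and SSH only from one admin host, and in OUTPUT it rejects and logs any new connection the box tries to open into the office LAN, so a cracked daemon cannot be used as a stepping stone to the other machines. The LAN range, admin host, passive port range and the allowed outbound services are assumptions; the rule set is generated through a `DRY_RUN` wrapper so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the FTP box so that a
# compromised daemon cannot reach the rest of the LAN. Network values below are
# assumptions for the demo; adjust them to the real office network.

LAN_NET=${LAN_NET:-192.168.1.0/24}      # assumed office LAN
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}  # assumed admin workstation allowed to SSH in
PASV_PORTS=${PASV_PORTS:-50000:50100}   # assumed passive data range; must match the ftpd config
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the rules only; 0 = apply them with iptables

# ipt ARGS... : print or apply one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ftp_host_rules : emit the complete rule set. The LAN REJECT in OUTPUT sits
# before every rule that allows new outbound connections, so no later "allow"
# can accidentally open a path into the LAN.
ftp_host_rules() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Inbound: FTP control and passive data ports from anywhere, SSH from the admin host only.
    ipt -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport "$PASV_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -j LOG --log-prefix "ftpbox-in-drop: "

    # Outbound: never start a connection into the LAN, and log every attempt
    # (a burst of these in syslog is a strong sign the box has been cracked).
    ipt -A OUTPUT -d "$LAN_NET" -m conntrack --ctstate NEW -j LOG --log-prefix "ftpbox-lan-attempt: "
    ipt -A OUTPUT -d "$LAN_NET" -m conntrack --ctstate NEW -j REJECT
    # Replies to accepted inbound sessions, plus DNS and package updates only.
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -j LOG --log-prefix "ftpbox-out-drop: "
}

# lan_isolation_ok : sanity check on the generated set; the LAN REJECT must come
# before the outbound 80/443 allow, otherwise a web server on the LAN would be
# reachable from the FTP box. Returns 0 when the ordering is right.
lan_isolation_ok() {
    rules=$( (DRY_RUN=1; ftp_host_rules) )
    reject_at=$(printf '%s\n' "$rules" | grep -n -- "-d $LAN_NET .* -j REJECT" | cut -d: -f1)
    web_at=$(printf '%s\n' "$rules" | grep -n -- '--dports 80,443' | cut -d: -f1)
    [ -n "$reject_at" ] && [ -n "$web_at" ] && [ "$reject_at" -lt "$web_at" ]
}

# Demo: print the rule set and the ordering check result.
ftp_host_rules
if lan_isolation_ok; then echo "ordering check: ok"; else echo "ordering check: FAILED"; fi
```

Two caveats a practitioner should keep in mind: the rules assume clients use passive mode (active-mode data connections originate from the server and need either the FTP conntrack helper or an explicit port-20 rule), and if the DNS resolver sits on the LAN it needs an allow rule placed above the LAN REJECT. The "ftpbox-lan-attempt" log prefix is what a log checker of the kind nx5000 mentions should alert on.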

BrianK 02-14-2007 02:35 PM

Lots of good suggestions. Thanks guys.
