LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-13-2007, 05:44 PM   #1
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Safe practices for ftp server in my office?


I want to put an ftp server in my office - accessible to the world - for easier admin & file sharing. I've got a cable internet connection using the cable company's modem/router thing. It's supposedly the higher security device - made for business customers.

My question is - am I opening myself up to security issues by forwarding port 21 to computer X? I won't be allowing anon ftp access & the ftp server will do nothing but be an ftp server - no nfs mounts or anything - all local. That machine will, however, be on my local network. I'd like to be sure that no one can get to my other machines by opening ftp up to this machine.

I'll likely use ProFTP & the ftp server will be a Linux box (probably Debian or Ubuntu). I have 4 available static ips available, so I could put the ftp server on a separate ip if that would make any difference.

Thoughts?
 
Old 02-13-2007, 06:05 PM   #2
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
Here is a link to secure proftpd. http://www.comptechdoc.org/os/linux/...secureftp.html

Only opening the needed ports to that machine helps with security. Setting other machines on the LAN not to accept access from that machine can be an option as well. Running a firewall on all LAN machines and defining the needed services and access is another option to increase security. Run only the services you need. Keep services updated.

Brian
 
Old 02-13-2007, 10:29 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by BrianK
I want to put an ftp server in my office - accessible to the world - for easier admin & file sharing. I've got a cable internet connection using the cable company's modem/router thing. It's supposedly the higher security device - made for business customers.
cool... but keep in mind that (port filtering aside) the modem/router thing won't really add that much security in this case, unless you have it configured to do IP address filtering (for example by allowing only certain IPs to access the FTP server)...

Quote:
My question is - am I opening myself up to security issues by forwarding port 21 to computer X? I won't be allowing anon ftp access & the ftp server will do nothing but be an ftp server - no nfs mounts or anything - all local. That machine will, however, be on my local network. I'd like to be sure that no one can get to my other machines by opening ftp up to this machine.
in that case, you definitely need to set up your LAN firewall(s) properly, because you will need to assume that the FTP server box *will* be cracked... so the firewalls will be your LAN's safety net when that happens...

Quote:
I'll likely use ProFTP & the ftp server will be a Linux box (probably Debian or Ubuntu). I have 4 available static ips available, so I could put the ftp server on a separate ip if that would make any difference.
as far as security is concerned, using a different IP won't make any difference at all...

there are *basically* three security issues you need to consider here:

#1 - the security of the FTP daemon...

#2 - the security of your network and other boxes when the FTP box gets cracked (and possibly vice-versa)...

#3 - the security of the data that is transmitted between the FTP server and clients...


#1 is addressed by making sure you use a secure and properly configured FTP daemon... #2 is addressed by making sure you have firewall rules in place in case all hell breaks loose... #3 cannot be addressed by FTP natively... so you need to be aware that the data you transmit (including the usernames/passwords) will be visible to anyone sniffing your connection...

if #3 isn't a problem for you, i'd suggest using vsftpd instead of proftpd simply because it has historically fit issue #1 better (security reputation, etc.)... but if #3 is indeed an issue, as it probably is, then i would suggest you forget about FTP entirely, and instead opt for SFTP, which will take care of issue #3... in any case, issue #2 is a separate one which you must deal with either way...

just my $0.02...

Last edited by win32sux; 02-13-2007 at 10:31 PM.
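The "safety net" win32sux describes for issue #2 can live on the FTP box itself as a default-deny host firewall. The script below is an added example, not code from the thread or from any FTP daemon's documentation; the LAN range 192.168.1.0/24, the admin workstation 192.168.1.10 and the passive-mode port range 50000-50100 are constructed values for the example. The idea is that the box accepts only FTP (and SSH from one admin host), and any connection it tries to *start* toward the LAN is logged and dropped, so a compromised FTP server both stays contained and leaves a trace in the log.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall for a world-reachable
# FTP box, written so that the LAN stays out of reach if the box is cracked.
# Constructed values: LAN 192.168.1.0/24, admin workstation 192.168.1.10,
# passive data ports 50000-50100 (configure the same range in the daemon).
LAN_NET="192.168.1.0/24"
ADMIN_HOST="192.168.1.10"
PASV_PORTS="50000:50100"
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

ftp_box_rules() {
    # Default-deny in every direction: the box offers one service, and a
    # shell obtained on it must not become a foothold into the LAN.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections that the rules below accepted.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FTP control channel and passive-mode data ports, reachable from anywhere.
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$PASV_PORTS" -j ACCEPT
    # Administration over SSH from a single LAN host only.
    $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    # Anything the box itself tries to start toward the LAN is logged and
    # dropped; a hit on this rule is a sign that the box is misbehaving.
    $IPT -A OUTPUT -d "$LAN_NET" -j LOG --log-prefix "ftpbox-to-lan: "
    $IPT -A OUTPUT -d "$LAN_NET" -j DROP
    # Outbound DNS and HTTP/HTTPS to the Internet only, for package updates.
    $IPT -A OUTPUT ! -d "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT ! -d "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# Apply only when asked to, so the rule set can be reviewed with IPT=echo first.
if [ "${1:-}" = "--apply" ]; then
    ftp_box_rules
fi
```

Run `IPT=echo sh ftpbox-fw.sh --apply` to print the rules, then as root without `IPT=echo` to load them; the `ftpbox-to-lan:` prefix is what to search for in the kernel log afterwards. The same containment can be repeated on the router or on the other LAN hosts, as Brian1 suggests, so that it does not depend on the FTP box's own rules surviving a compromise.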
 
Old 02-14-2007, 03:00 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Always keep in mind that FTP by default has no encryption, so it sends usernames and passwords "in the clear". If anyone can snoop on their network traffic, they can compromise all your FTP accounts. Some FTP daemons have an option to enable SSL or TLS. Check the documentation for the one you're planning on using to make sure it allows encrypted connections, and if possible configure it to only allow encrypted connections.
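For vsftpd, which win32sux suggested above, "only allow encrypted connections" comes down to a handful of directives. The script below is an added example, not the thread's own text nor vsftpd's documentation: it prints a plaintext fragment beside a TLS-only fragment, and carries a small check that reads a vsftpd.conf and reports whether plaintext logins are still possible. The directive names are real vsftpd options; the certificate paths and port range are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: TLS-only vsftpd settings next to the
# weak default, plus a check for an existing vsftpd.conf.
# Assumed values: certificate paths and the passive port range below.

# Weak fragment (constructed): ssl_enable defaults to NO, so every login and
# every file crosses the wire in the clear.
vsftpd_plaintext_fragment() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
EOF
}

# Hardened fragment: TLS is on, and both logins and data transfers must use it.
vsftpd_tls_only_fragment() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.key
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF
}

# conf_value FILE KEY DEFAULT: value of KEY in a vsftpd.conf, or DEFAULT if the
# key is absent. The last occurrence wins, which is how vsftpd reads the file.
conf_value() {
    v=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# check_plaintext_logins FILE: succeeds only if FILE forbids plaintext logins.
# The fallbacks are vsftpd's documented defaults: ssl_enable=NO,
# force_local_logins_ssl=YES, anonymous_enable=YES.
check_plaintext_logins() {
    ssl=$(conf_value "$1" ssl_enable NO | tr 'a-z' 'A-Z')
    force=$(conf_value "$1" force_local_logins_ssl YES | tr 'a-z' 'A-Z')
    anon=$(conf_value "$1" anonymous_enable YES | tr 'a-z' 'A-Z')
    [ "$ssl" = "YES" ] && [ "$force" = "YES" ] && [ "$anon" = "NO" ]
}

# usage: sh vsftpd-tls-check.sh /etc/vsftpd.conf
if [ $# -eq 1 ]; then
    if check_plaintext_logins "$1"; then
        echo "OK: $1 refuses plaintext logins"
    else
        echo "WARNING: $1 still allows plaintext or anonymous logins"
        exit 1
    fi
fi
```

Note that `force_local_logins_ssl` alone is not enough: it only has an effect once `ssl_enable=YES`, and anonymous logins are never protected by it, so the check tests all three. Proftpd has an equivalent set of options in its `mod_tls` module; the directive names differ, so use the same approach but read its own documentation for them.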
 
Old 02-14-2007, 06:32 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
I highly suggest that you put this public ftp on a DMZ, a physically separated network.
Then define some kind of policy to get the file from the DMZ to the company.

For password eavesdropping (from one ftp user to another, as said above), you could lower the risk by using scponly (it's designed for what you want to do, in a way).
Tighten the local iptables a lot (like outgoing connections), put in some log checker and integrity system.

edit:
didn't see this one:
http://www.securityfocus.com/bid/21587

Last edited by nx5000; 02-14-2007 at 09:12 AM.
 
Old 02-14-2007, 02:35 PM   #6
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Original Poster
Rep: Reputation: 51
Lots of good suggestions. Thanks guys.
 