Safe practices for ftp server in my office?
I want to put an FTP server in my office, accessible to the world, for easier admin and file sharing. I've got a cable internet connection using the cable company's modem/router thing. It's supposedly the higher-security device, made for business customers.
My question is: am I opening myself up to security issues by forwarding port 21 to computer X? I won't be allowing anonymous FTP access, and the FTP server will do nothing but be an FTP server: no NFS mounts or anything, all local. That machine will, however, be on my local network. I'd like to be sure that no one can get to my other machines by opening FTP up to this machine. I'll likely use ProFTPD, and the FTP server will be a Linux box (probably Debian or Ubuntu). I have 4 static IPs available, so I could put the FTP server on a separate IP if that would make any difference. Thoughts?
Here is a link to secure proftpd. http://www.comptechdoc.org/os/linux/...secureftp.html
Opening only the needed ports to that machine helps with security. Setting the other machines on the LAN not to accept access from that machine can be an option as well. Running a firewall on all LAN machines and defining the needed services and access is another option to increase security. Run only the services you need. Keep services updated. Brian
There are *basically* three security issues you need to consider here: #1 - the security of the FTP daemon... #2 - the security of your network and other boxes when the FTP box gets cracked (and possibly vice versa)... #3 - the security of the data that is transmitted between the FTP server and clients... #1 is addressed by making sure you use a secure and properly configured FTP daemon... #2 is addressed by making sure you have firewall rules in place in case all hell breaks loose... #3 cannot be addressed by FTP natively... so you need to be aware that the data you transmit (including the usernames/passwords) will be visible to anyone sniffing your connection... if #3 isn't a problem for you, I'd suggest using vsftpd instead of proftpd simply because it has historically fit issue #1 better (security reputation, etc.)... but if #3 is indeed an issue, as it probably is, then I would suggest you forget about FTP entirely and instead opt for SFTP, which will take care of issue #3... in any case, issue #2 is a separate one which you must deal with either way... just my $0.02...
Always keep in mind that FTP by default has no encryption, so it sends usernames and passwords "in the clear". If anyone can snoop on their network traffic, they can compromise all your FTP accounts. Some FTP daemons have an option to enable SSL or TLS. Check the documentation for the one you're planning on using to make sure it allows encrypted connections, and if possible configure it to only allow encrypted connections.
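Here is an added example (not from the thread) of a small shell audit for a ProFTPD config that checks the two points made in this post: TLS is enabled and required on every connection, and there is no anonymous section; it also warns when users are not chrooted. The directive names (TLSEngine, TLSRequired, DefaultRoot, `<Anonymous>`) are ProFTPD's own; the two sample configs and their file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a proftpd.conf for the settings
# that keep logins off the wire in cleartext. Directive names are ProFTPD's;
# the sample configs written by write_samples are constructed for this demo.

# Print the config with comments stripped and whitespace normalised so that
# directives can be matched as "Name value" regardless of indentation.
# (Everything after a '#' is dropped, which is a conservative approximation.)
_conf_body() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1"
}

# Succeed (exit 0) if the directive appears with exactly the given value.
_has_directive() {   # args: file directive value
    _conf_body "$1" | grep -iq "^$2 $3\$"
}

# Print one line per finding; return 0 only when no FAIL finding was raised.
audit_proftpd_conf() {
    _rc=0
    if _has_directive "$1" TLSEngine on; then
        echo "ok:   TLSEngine on"
    else
        echo "FAIL: TLSEngine is not on (mod_tls off, every login is cleartext)"; _rc=1
    fi
    if _has_directive "$1" TLSRequired on; then
        echo "ok:   TLSRequired on (cleartext USER/PASS is refused)"
    else
        echo "FAIL: TLSRequired is not on (clients may still log in unencrypted)"; _rc=1
    fi
    if _conf_body "$1" | grep -iq '^<Anonymous'; then
        echo "FAIL: <Anonymous> section present"; _rc=1
    else
        echo "ok:   no anonymous section"
    fi
    if _has_directive "$1" DefaultRoot '~'; then
        echo "ok:   DefaultRoot ~ (users chrooted to their home directory)"
    else
        echo "WARN: DefaultRoot ~ missing (users can browse the whole filesystem)"
    fi
    return $_rc
}

# Constructed sample configs: $1 gets a weak one (TLS optional, anonymous
# section still present), $2 gets a hardened one.
write_samples() {
    cat > "$1" <<'EOF'
# weak: mod_tls loaded but optional, anonymous login still defined
ServerName "office"
DefaultRoot ~
<IfModule mod_tls.c>
TLSEngine on
TLSRequired off
</IfModule>
<Anonymous ~ftp>
  User ftp
</Anonymous>
EOF
    cat > "$2" <<'EOF'
# hardened: TLS required on every control connection, no anonymous section
ServerName "office"
DefaultRoot ~
<IfModule mod_tls.c>
TLSEngine on
TLSRequired on
</IfModule>
EOF
}

# Run the audit against both constructed samples.
demo() {
    _weak=$(mktemp); _hard=$(mktemp)
    write_samples "$_weak" "$_hard"
    echo "== weak sample =="
    audit_proftpd_conf "$_weak" || echo "=> weak sample would allow cleartext or anonymous logins"
    echo "== hardened sample =="
    audit_proftpd_conf "$_hard" && echo "=> hardened sample passes"
    rm -f "$_weak" "$_hard"
    return 0
}

# Usage: sh audit-proftpd.sh /etc/proftpd/proftpd.conf   (or no argument for the demo)
case "${1:-}" in
    "") demo ;;
    *)  audit_proftpd_conf "$1" ;;
esac
```

The audit only reads the file, so it can run from cron against the live config and alert when someone flips TLSRequired back to off; it does not replace a connection test from outside, since a directive inside a `<VirtualHost>` or `<IfModule>` block that is never loaded would still show up here as present.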
I highly suggest that you put this public FTP server on a DMZ, a physically separated network.
Then define some kind of policy to get the files from the DMZ to the company. For password eavesdropping (from one FTP user to another, as said above), you could lower the risk by using scponly (it's designed for what you want to do, in a way). Tighten the local iptables a lot (like outgoing connections), and put in some log checker and integrity system. edit: didn't see this one: http://www.securityfocus.com/bid/21587
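As an added example (not from the thread) that ties together Brian's "only open the needed ports" advice, issue #2 from the three-issue post, and the outgoing-connection tightening suggested here, this is an iptables script for the FTP host itself: only port 21 and the passive data range are reachable from the internet, the box is forbidden from opening connections into the office LAN, and its outbound traffic is limited to DNS, NTP and package updates. The interface name, LAN range, admin host and port range are placeholder values for a fictional office; PassivePorts is a real ProFTPD directive, and the range used here must match it.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall for the FTP box.
# Set IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}                    # placeholder: interface facing the internet
LAN_NET=${LAN_NET:-192.168.1.0/24}        # placeholder: office LAN this box must not reach
ADMIN_NET=${ADMIN_NET:-192.168.1.10/32}   # placeholder: the one host allowed to ssh in
PASV_PORTS=${PASV_PORTS:-49152:49200}     # must match "PassivePorts 49152 49200" in proftpd.conf

ftp_host_rules() {
    $IPT -F; $IPT -X
    # Default deny in every direction; this box does not route, so FORWARD is dropped too.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections we already accepted (with nf_conntrack_ftp loaded,
    # FTP data connections show up as RELATED).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only services exposed to the internet: FTP control channel and passive data range.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$PASV_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    # Admin ssh only from one LAN host, never from the internet.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Issue #2: if this box is compromised it must not be a stepping stone into the LAN.
    # This rule must sit before any outbound ACCEPT.
    $IPT -A OUTPUT -d "$LAN_NET" -j DROP
    # Outbound allowed only for name resolution, time sync and package updates.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 123 -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log what gets dropped (rate limited) so the log checker has something to watch.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ftpbox-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ftpbox-out-drop: "
}

# Usage: sh ftpbox-fw.sh show    (print the rules)
#        sh ftpbox-fw.sh apply   (as root; persist afterwards with iptables-save)
case "${1:-}" in
    show)  IPT=echo ftp_host_rules ;;
    apply) ftp_host_rules ;;
esac
```

The order of the OUTPUT rules is the point of the script: the DROP toward the LAN comes before the outbound ACCEPTs, so a DNS or HTTPS allowance can never be used to reach an internal host. If the office later needs files moved from the DMZ box into the company network, have an internal host pull them (the ESTABLISHED rule permits the replies) rather than punching a hole outbound.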
Lots of good suggestions. Thanks guys.