Quote:
Originally Posted by BrianK
I want to put an ftp server in my office - accessible to the world - for easier admin & file sharing. I've got a cable internet connection using the cable company's modem/router thing. It's supposedly the higher security device - made for business customers.
cool... but keep in mind that (port filtering aside) the modem/router thing won't really add that much security in this case, unless you have it configured to do IP address filtering (for example by allowing only certain IPs to access the FTP server)...
Quote:
My question is - am I opening myself up to security issues by forwarding port 21 to computer X? I won't be allowing anon ftp access & the ftp server will do nothing but be an ftp server - no nfs mounts or anything - all local. That machine will, however, be on my local network. I'd like to be sure that no one can get to my other machines by opening ftp up to this machine.
in that case, you definitely need to set up your LAN firewall(s) properly, because you will need to assume that the FTP server box *will* be cracked... so the firewalls will be your LAN's safety net when that happens...
Quote:
I'll likely use ProFTP & the ftp server will be a Linux box (probably Debian or Ubuntu). I have 4 static IPs available, so I could put the ftp server on a separate IP if that would make any difference.
as far as security is concerned, using a different IP won't make any difference at all...
there are *basically* three security issues you need to consider here:
#1 - the security of the FTP daemon...
#2 - the security of your network and other boxes when the FTP box gets cracked (and possibly vice-versa)...
#3 - the security of the data that is transmitted between the FTP server and clients...
#1 is addressed by making sure you use a secure and properly configured FTP daemon... #2 is addressed by making sure you have firewall rules in place in case all hell breaks loose... #3 cannot be addressed by FTP natively... so you need to be aware that the data you transmit (including the usernames/passwords) will be visible to anyone sniffing your connection...
if #3 isn't a problem for you, i'd suggest using vsftpd instead of proftpd simply because it has historically fit issue #1 better (security reputation, etc.)... but if #3 is indeed an issue, as it probably is, then i would suggest you forget about FTP entirely, and instead opt for SFTP, which will take care of issue #3... in any case, issue #2 is a separate one which you must deal with either way...
just my $0.02...
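
An added example, not part of the posts above: a small audit of a vsftpd.conf against the points raised in the reply (no anonymous access, a properly configured daemon, cleartext exposure). The option names and defaults are vsftpd's built-in ones as documented in its vsftpd.conf man page; the sample configuration is constructed, and the choice of which options to check is an assumption of this example.

```python
# Added example: report vsftpd.conf settings that touch issues #1 and #3.
# A missing option falls back to vsftpd's built-in default, which is why a
# short config file can still leave anonymous login switched on.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
}

# (option, effective value that counts as a finding, explanation)
CHECKS = [
    ("anonymous_enable", "YES", "anonymous logins are allowed (issue #1)"),
    ("local_enable", "NO", "local accounts cannot log in at all"),
    ("chroot_local_user", "NO",
     "logged-in users can browse outside their home directory (issue #1)"),
    ("ssl_enable", "NO",
     "usernames, passwords and data cross the wire in cleartext (issue #3)"),
]


def parse_conf(text):
    """Return effective settings: built-in defaults overridden by the file."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def audit(text):
    """Return one finding string per check that the effective config fails."""
    settings = parse_conf(text)
    return [f"{opt}={bad}: {why}" for opt, bad, why in CHECKS
            if settings.get(opt, "").upper() == bad]


# Constructed sample: local logins enabled, everything else left to defaults.
SAMPLE = "# constructed sample\nlisten=YES\nlocal_enable=YES\nwrite_enable=YES\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A clean report only covers the daemon's own settings; the firewall rules for issue #2 still have to be set up separately.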