capr Posted January 10, 2012

Hey, I have an FTP server set up and am banning all IPs with exceptions for the few IPs I trust. This setup will work for me. I am wondering if SSL is necessary for this server. I have to admit that I don't fully understand it but just know that it's recommended for security. The main reason I don't want to allow it is so users don't have to use ftp clients to access the server.

thanks, RK
+BudMan Posted January 10, 2012

If you're locking your ftp server down to only the IPs you trust to access it, then the only thing ssl would buy you, as mentioned, would be security from sniffing the traffic for login, since standard ftp sends info in the clear. So in theory, someone at the location or anywhere in between that could see the traffic between client and server could sniff the traffic and get the username and password to login. If this is an issue for you, then you should look to SSL, sure -- but then again, even if someone has the username and IP, since you have your server locked down to only allow access from specific IPs, they would have to be coming from one of those IPs to use the info they gained from sniffing the traffic.

Unless you really see it as a security concern, I would just leave it with locked down access -- ssl ftp is quite a bit more complicated than just standard active/passive ftp. If you go the ftps route, are you planning Explicit or Implicit? Do you just want the control channel encrypted or do you plan on encrypting the data channel as well? And yeah, it would require use of a client; I do not know any browsers that support ftp access using SSL??

To be honest, if you're worried about security, it's easy to configure and set up just SFTP (SSH File Transfer Protocol) vs ftps -- but then again you do require a client vs just a browser to access. And then there is also just FTP over SSH ;)
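The distinction BudMan draws (plain ftp sends the login in the clear; explicit FTPS negotiates AUTH TLS first; PROT P additionally protects the data channel; implicit FTPS is TLS from the first byte) can be checked mechanically against a server's command log. The following is an added example, not code from anyone in this thread: it classifies constructed FTP control-channel transcripts by whether USER/PASS were issued before TLS was accepted. The transcript format (`C:`/`S:` prefixed lines) and the sample sessions are assumptions made up for the example; the reply code 234 for an accepted AUTH TLS and the PBSZ/PROT commands are standard FTPS.

```python
"""Classify FTP control-channel transcripts: was the login sent in the clear,
or only after TLS was negotiated (explicit FTPS), and was PROT P requested so
the data channel is protected too?  Added example with constructed input."""
import re
from dataclasses import dataclass, field

# Constructed transcripts in an assumed server-log format: "C:" is a client
# command, "S:" a server reply.  Passwords are shown hidden, as most servers log them.
CLEAR_SESSION = """\
S: 220 FTP server ready
C: USER rk
S: 331 Password required
C: PASS (hidden)
S: 230 Login successful
C: PASV
"""

EXPLICIT_FTPS_SESSION = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: USER rk
S: 331 Password required
C: PASS (hidden)
S: 230 Login successful
"""

LINE_RE = re.compile(r"^(C|S):\s*(\S+)(?:\s+(.*))?$")


@dataclass
class LoginExposure:
    tls_before_login: bool            # control channel encrypted before USER/PASS
    data_channel_protected: bool      # PROT P seen, so transfers are encrypted too
    cleartext_fields: list = field(default_factory=list)  # e.g. ["USER", "PASS"]


def assess_login(transcript: str, implicit_tls: bool = False) -> LoginExposure:
    """Walk the transcript in order.  With implicit FTPS the socket is TLS from
    the start, so nothing is ever in the clear; with explicit FTPS the control
    channel is only protected after the server answers AUTH TLS with 234."""
    tls = implicit_tls
    prot_p = False
    exposed = []
    for line in transcript.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        side, verb, arg = m.group(1), m.group(2).upper(), (m.group(3) or "").strip()
        if side == "S":
            if verb == "234":          # AUTH TLS accepted: TLS handshake follows
                tls = True
            continue
        if verb == "PROT" and arg.upper() == "P":
            prot_p = True
        if verb in ("USER", "PASS") and not tls:
            exposed.append(verb)
    return LoginExposure(tls_before_login=tls or not exposed,
                         data_channel_protected=prot_p,
                         cleartext_fields=exposed)


if __name__ == "__main__":
    for name, text in (("plain ftp", CLEAR_SESSION), ("explicit ftps", EXPLICIT_FTPS_SESSION)):
        r = assess_login(text)
        print(f"{name}: cleartext={r.cleartext_fields} data_protected={r.data_channel_protected}")
```

Run against a real server's logs, the `cleartext_fields` list is what a monitoring check would alert on; `data_channel_protected` is the answer to BudMan's second question (control channel only, or data as well).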
capr Posted January 10, 2012

Thanks budman. Can always count on a comprehensive response from you... your second paragraph kinda makes it hard for me to justify the extra effort required to set up anything else. Also, I would really rather not have to download software on the client side.
cybertimber2008 Posted January 10, 2012

Try changing your FTP port from 21 to something like 12 or something. You'll know it, but automated bots won't go through the trouble. Avoid 20, 22, 23, 25, 80, etc.
offroadaaron Posted January 13, 2012

> Try changing your FTP port from 21 to something like 12 or something. You'll know it, but automated bots won't go through the trouble. Avoid 20, 22, 23, 25, 80, etc.

He has already locked down the IP addresses, why would the port change help?
cybertimber2008 Posted January 13, 2012

> He has already locked down the IP addresses, why would the port change help?

Ever heard of script kiddies or war driving?
+BudMan Posted January 13, 2012

I think you're missing the point cyber -- his server would not allow you to login even if you had the correct password if you're not coming from the IPs that have been ok'd. So it does not matter how many bots or script kiddies try and hit it -- it's not even going to look at what username/password you're trying since you're not coming from a valid IP.

Now, not sure if this still fills up the log of his ftp server? Or is the rule to only allow valid IPs at the firewall -- which is where I would put it, not in the ftp server itself. So the server is never going to see any traffic at all unless you're coming from a valid IP, so there is no reason at all to change the port to prevent bots and such from hitting it. They can't because they are from the wrong IP!
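BudMan's point is that a source-address allowlist enforced at the firewall drops everything else before the ftp server ever sees a packet, so credentials and port numbers never come into play for the excluded sources. The following added example (not code from anyone in this thread) models that: it evaluates constructed connection attempts against an allowlist of trusted networks and renders the equivalent `iptables` rules. The trusted addresses and attempts use RFC 5737 documentation ranges and are made up for the example.

```python
"""Firewall-side source allowlist in front of an FTP server.  Added example with
constructed addresses: only trusted sources reach TCP/21, all else is dropped."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed trusted sources (documentation ranges, not real sites): one host
# and one small subnet.
TRUSTED_SOURCES = ["203.0.113.10", "198.51.100.0/28"]

# Constructed connection attempts as (source_ip, username).  The username only
# matters for attempts that actually get through to the server.
ATTEMPTS = [
    ("203.0.113.10", "rk"),       # trusted host
    ("198.51.100.7", "rk"),       # inside the trusted /28
    ("192.0.2.55", "rk"),         # correct username, untrusted network
    ("192.0.2.99", "admin"),      # scanner / script kiddie
    ("198.51.100.200", "rk"),     # same /24 but outside the /28
]


def build_allowlist(sources: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Single hosts become /32 networks so membership tests are uniform."""
    return [ipaddress.ip_network(s, strict=False) for s in sources]


def is_allowed(src: str, allowlist: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def filter_attempts(attempts, allowlist) -> Tuple[list, list]:
    """Split attempts into those the server sees and those the firewall drops.
    Dropped attempts never reach authentication, whatever credentials they carry."""
    reached, dropped = [], []
    for src, user in attempts:
        (reached if is_allowed(src, allowlist) else dropped).append((src, user))
    return reached, dropped


def render_iptables(sources: Iterable[str], port: int = 21) -> List[str]:
    """Equivalent iptables INPUT rules: accept each trusted source on the FTP
    control port, then drop everyone else on that port.  Passive-mode data ports
    (server-specific, not given here) need the same source restriction."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {src} -j ACCEPT" for src in sources]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    allow = build_allowlist(TRUSTED_SOURCES)
    reached, dropped = filter_attempts(ATTEMPTS, allow)
    print("reached server:", reached)
    print("dropped at firewall:", dropped)
    print("\n".join(render_iptables(TRUSTED_SOURCES)))
```

Because the default rule drops on the control port, the server's own log stays empty for untrusted sources, which answers BudMan's question about log noise; if the allowlist were configured in the ftp server instead, every rejected attempt would still be logged there.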