I would suggest using pure-ftpd instead of vsftp. Pure is a lot easier to set up. It'll talk to LDAP if you need it to, but I think the security gained by putting it in the DMZ is worth the loss of management convenience. You should be able to set it up so that the ftp server in the DMZ can talk to the LDAP server through the firewall if you really want it to, but if your FTP service gets hacked, the hacker then has access to your directory, and that's not good. If you have large numbers of users to manage, use the password database feature. I'm sure you can find a way to export user info from LDAP and import it into the database.

If you have good ftp client software, it should automatically detect the need for passive mode. I have a setup like this with pure-ftpd running inside a DMZ that has a private address, and it runs very well. It's easy to set up with privilege separation or chrooted; it's as secure as vsftp. Make sure your server only supports ssl-ftp and get clients that do as well.

SSH/SFTP is also a good solution, but it requires local accounts on the server and a bit more tech savvy from your users. With pure or vsftp you can do it without adding any real users to the box. It'll boil down to whatever is the easiest to manage. You really should put it in the DMZ if you can. Don't run it on the firewall. Never run anything on the firewall.

Good luck.

-----Original Message-----
From: Daniel Nilsson [mailto:dnilsson@sisoft.com]
Sent: Thursday, July 24, 2003 8:44 AM
To: suse-security@suse.com
Subject: [suse-security] ftp server "best practice"

All,

I'm tasked to add an ftp server to our company's "internet presence". The ftp server will need to have accounts on it, since the data is not for the public. Currently our setup consists of a number of Linux firewalls for our 4 office locations, which in turn connect these 4 office locations using IPsec. In addition, at our main office location we have a DMZ with a webserver.
The ftp server should be located at the main office, but I could use some recommendations on where to place this server. From reading mailing lists I understand the issue of active vs. passive ftp and placing the ftp server in the DMZ. I don't think I can ask our customers to toggle the active/passive flag of their ftp client, since our customers are usually not very computer-savvy people. Putting an ftp server in the DMZ that supports both active and passive ftp seems tricky; does anyone have a recipe for how to make that work (using SuSEFirewall 2 on the firewall machine)?

Other options include using the firewall machine itself as the ftp server, but that makes me very nervous. I was leaning toward using vsftpd, but regardless of how secure that is by design, I'm still not too comfortable using the firewall as the ftp server (what if the ftpd is hacked???).

The last option is to place the ftp server outside the company LAN and make it a standalone machine with its own firewall. This would probably be the best solution in terms of company LAN security, but the only thing I don't like about this solution is that I will have to administer accounts on this machine. I was hoping to be able to hook up to an LDAP server that is available inside the firewall (not in the DMZ).

Any thoughts / recommendations are greatly appreciated.

Thanks
-- 
Daniel Nilsson
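A worked example added here, not code from either message in the thread, for the two points the reply makes: keep the DMZ host off the internal LDAP by exporting its users into pure-ftpd's virtual-user password database, and run the daemon chrooted, TLS-only, with a fixed passive port range and a public address in PASV replies because the DMZ host sits on a private address. It turns an LDIF export into the `pure-pw` commands and prints the `pure-ftpd` invocation. The system account names, file paths, port range and public hostname are placeholders assumed for the example; the LDIF is constructed.

```python
"""LDAP export -> pure-ftpd virtual users, plus the DMZ daemon command line.

Added example, not from the original thread. Assumed: the LDIF is an export
of posixAccount entries; every virtual user maps onto one unprivileged system
account as pure-ftpd's puredb backend expects; paths, ports and names below
are placeholders. Passwords are not copied (LDAP hashes are not in pure-pw's
format), so `pure-pw useradd` prompts for a new one per user.
"""
import base64
import re
import shlex

FTP_SYSTEM_UID = "ftpuser"       # assumed local account owning the ftp tree
FTP_SYSTEM_GID = "ftpgroup"
FTP_ROOT = "/srv/ftp"            # each virtual user is chrooted below here
PASSWD_FILE = "/etc/pure-ftpd/pureftpd.passwd"
PUREDB_FILE = "/etc/pure-ftpd/pureftpd.pdb"
PASV_RANGE = "30000:30050"       # must match the firewall's DMZ rule
PUBLIC_NAME = "ftp.example.com"  # assumed public address the DMZ host is NATed to

# Login names become directory names under FTP_ROOT and shell arguments,
# so whitelist them before they reach either.
LOGIN_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")

# Constructed sample export: two accounts (one with a base64 attribute) and a group.
SAMPLE_LDIF = """\
dn: uid=dnilsson,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: dnilsson
cn: Daniel Nilsson
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/dnilsson

dn: uid=acme.cust,ou=customers,dc=example,dc=com
objectClass: posixAccount
uid: acme.cust
cn:: QWNtZSBDb3JwIGRyb3AgYm94
uidNumber: 2001
gidNumber: 200
homeDirectory: /home/acme

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 300
"""


def parse_ldif(text):
    """Parse LDIF into one {attr: [values]} dict per entry.
    Handles folded continuation lines and base64 ("attr:: ...") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def is_safe_login(name):
    return LOGIN_RE.fullmatch(name) is not None


def ftp_accounts(entries):
    """Keep posixAccount entries and map them to pure-ftpd virtual users."""
    accounts = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        login = e["uid"][0]
        if not is_safe_login(login):
            raise ValueError("refusing unsafe login name %r" % login)
        accounts.append({"login": login,
                         "gecos": e.get("cn", [""])[0],
                         "home": "%s/%s" % (FTP_ROOT, login)})
    return accounts


def pure_pw_commands(accounts):
    """pure-pw useradd per user (-d = chroot to that home), then rebuild the db."""
    cmds = ["pure-pw useradd %s -f %s -u %s -g %s -d %s -c %s" % (
                shlex.quote(a["login"]), PASSWD_FILE, FTP_SYSTEM_UID,
                FTP_SYSTEM_GID, shlex.quote(a["home"]), shlex.quote(a["gecos"]))
            for a in accounts]
    cmds.append("pure-pw mkdb %s -f %s" % (PUREDB_FILE, PASSWD_FILE))
    return cmds


def pure_ftpd_command():
    """DMZ daemon: no anonymous (-E), chroot everyone (-A), refuse cleartext
    sessions (-Y 2), fixed passive range (-p), public name in PASV (-P)."""
    return ("pure-ftpd -B -E -A -Y 2 -p %s -P %s -l puredb:%s"
            % (PASV_RANGE, PUBLIC_NAME, PUREDB_FILE))


if __name__ == "__main__":
    for cmd in pure_pw_commands(ftp_accounts(parse_ldif(SAMPLE_LDIF))):
        print(cmd)
    print(pure_ftpd_command())
```

The firewall side has to let the outside reach the DMZ host on TCP 21 plus the same `30000:30050` range given to `-p`; with `-P` set to the public name, PASV replies carry an address clients can actually connect to even though the host itself has a private one, so the customers' clients need no manual toggling.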