ftp server "best practice"
All, I'm tasked to add an ftp server to our company's "internet presence", the ftp server will need to have accounts on it since the data is not for the public. Currently our setup consists of a number of Linux firewalls for our 4 office locations that then in turn connects these 4 office locations using ipsec. In addition, at our main office location we have a DMZ with a webserver. The ftp server should be located at the main office, but I could use some recommendations on where to place this server. From reading mailing lists I understand the issue of active vs. passive ftp and placing the ftp server in the DMZ. I don't think I can ask our customers to toggle the active/passive flag of their ftp client since our customers are usually not very computer savvy people. Putting an ftp server in the DMZ that supports both active and passive ftp seems tricky, does anyone have a recipe of how to make that work (using SuSEFirewall 2 on the firewall machine)? Other options include using the firewall machine itself as the ftp server, but that makes me very nervous. I was leaning toward using vsftpd, but regardless of how secure that is by design I'm still not too comfortable using the firewall as the ftp server (what if the ftpd is hacked ???). The last option is to place the ftp server outside the company LAN and make it a standalone machine with its own firewall. This would probably be the best solution in terms of company LAN security, but the only thing I don't like about this solution is that I will have to administer accounts on this machine. I was hoping to be able to hook up to an LDAP server that is available inside the firewall (not in the DMZ). Any thoughts / recommendations are greatly appreciated. Thanks -- Daniel Nilsson
On Jul 24, Daniel Nilsson <dnilsson@sisoft.com> wrote:
I'm tasked to add an ftp server to our company's "internet presence", the ftp server will need to have accounts on it since the data is not for the public. Currently our setup consists of a number of Linux firewalls for our 4 office locations that then in turn connects these 4 office locations using ipsec. In addition, at our main office location we have a DMZ with a webserver.
I would suggest using an HTTP server (no problems with downloading, easy protection of files using .htaccess). If the passwords are more sensitive, use HTTPS. For uploading use SFTP, a very good client program for windows is FileZilla from http://filezilla.sf.net. Best of all: it's freeware and can also be used as standard ftp client. You may also want to restrict access to the sftp (ssh) server based on ip address to get maximum security. Markus -- Markus Gaugusch <markus@gaugusch.at>
On Thursday 24 July 2003 15:04, Markus Gaugusch wrote:
For uploading use SFTP, a very good client program for windows is FileZilla from http://filezilla.sf.net. Best of all: it's freeware and can also be used as standard ftp client. You may also want to restrict access to the sftp (ssh) server based on ip address to get maximum security.
winSCP http://winscp.vse.cz/eng/download.php is another free sftp client for Windows, though the program loses connection if ClientAliveInterval is set too low in sshd_config.
# kill session if no proper response from client.
# avoids having "ghost" sessions running.
ClientAliveInterval 40
ClientAliveCountMax 3
Sigfred
Hi *, as http://filezilla.sf.net was mentioned in this list some time ago, I installed and tested it. There are IMHO some hints to prefer WinSCP over FileZilla.
a) The interface is more Win-like (see WsFTP). (This might not be very important. ;-))
b) Using public/private key pairs seems impossible.
c) The version of the underlying PuTTY SSH socket is not documented. (And one should use >=0.53b for security reasons.)
Greetings Dirk
Sigfred Håversen wrote:
On Thursday 24 July 2003 15:04, Markus Gaugusch wrote:
For uploading use SFTP, a very good client program for windows is FileZilla from http://filezilla.sf.net. Best of all: it's freeware and can also be used as standard ftp client. You may also want to restrict access to the sftp (ssh) server based on ip address to get maximum security.
winSCP http://winscp.vse.cz/eng/download.php is another free sftp client for Windows, though the program loses connection if ClientAliveInterval is set too low in sshd_config.
# kill session if no proper response from client.
# avoids having "ghost" sessions running.
ClientAliveInterval 40
ClientAliveCountMax 3
Sigfred
Markus Gaugusch wrote:
On Jul 24, Daniel Nilsson <dnilsson@sisoft.com> wrote:
I'm tasked to add an ftp server to our company's "internet presence", the ftp server will need to have accounts on it since the data is not for the public. Currently our setup consists of a number of Linux firewalls for our 4 office locations that then in turn connects these 4 office locations using ipsec. In addition, at our main office location we have a DMZ with a webserver.
I would suggest using an HTTP server (no problems with downloading, easy protection of files using .htaccess). If the passwords are more sensitive, use HTTPS. For uploading use SFTP, a very good client program for windows is FileZilla from http://filezilla.sf.net. Best of all: it's freeware and can also be used as standard ftp client. You may also want to restrict access to the sftp (ssh) server based on ip address to get maximum security.
Markus, Thanks for the input. What I'm not sure about when it comes to using HTTP is how easy it would be to set up separate user accounts for our customers. Let's say we want to ship a patch to a single customer for example, I think what the software team is looking to do is to set up an account for that customer on the ftp site where the customer can log in and download files intended for that customer only. That's simple with an ftp server since it will have the concept of a "home directory" for that ftp user. I agree that HTTP would be a much better solution, but I just don't know how to solve the problem with different areas for different customers. Can that be done using some rewrite logic in the apache config or something? Thanks -- Daniel Nilsson
On Thu, Jul 24, 2003 at 08:44:02AM -0400, Daniel Nilsson wrote:
The ftp server should be located at the main office, but I could use some recommendations on where to place this server. From reading mailing lists I understand the issue of active vs. passive ftp and placing the ftp server in the DMZ. I don't think I can ask our customers to toggle the active/passive flag of their ftp client since our customers are
Most ftp clients use passive ftp as a default. An exception is the client delivered by Sun for Solaris which does not even support passive ftp. (may be solved with Solaris 9) There are firewalls in all the office locations. Therefore I assume that only passive ftp is possible.
usually not very computer savvy people. Putting an ftp server in the DMZ that supports both active and passive ftp seems tricky, does anyone have
Active ftp is not the problem on the server side. You have to allow outgoing tcp connections. The firewall on the client side will have to forward incoming tcp connections. Iptables can handle that, but IMHO you should not use active ftp. If it is passive ftp the port range used for data connections can be specified in /etc/vsftpd.conf (pasv_min_port pasv_max_port). This might be useful.
a recipe of how to make that work (using SuSEFirewall 2 on the firewall machine).
You may have to set up your own set of iptables rules. There are already some mails listing alternatives to ftp. I don't want to mention it again. -- Stefan Tichy <listuser@pi4tel.de>
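As an added illustration of Stefan's point (not code from the thread or from vsftpd): a small POSIX shell script that reads the pasv_min_port/pasv_max_port values from vsftpd.conf text and prints the matching iptables rules for a DMZ firewall, so that the passive data range opened toward the ftp host is exactly the range vsftpd will hand out and nothing wider. The sample config, the interface names eth0/eth1 and the 40000-40100 range are constructed assumptions; the script prints the rules instead of applying them so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original thread: derive the firewall rules a
# DMZ vsftpd host needs for passive-mode FTP from its vsftpd.conf settings.
# Interface names (eth0 = Internet side, eth1 = DMZ side) are assumptions.

# Constructed sample of the relevant vsftpd.conf lines (not a real file).
SAMPLE_CONF='listen=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
port_enable=NO
'

# conf_value KEY CONF -> prints the (last) value assigned to KEY in CONF
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" | tail -n 1
}

# pasv_rules CONF -> prints iptables rules for the control port and the
# passive data range. Refuses a missing or inverted range: falling back to
# an open port range is exactly the hole the DMZ firewall should avoid.
pasv_rules() {
    conf="$1"
    min=$(conf_value pasv_min_port "$conf")
    max=$(conf_value pasv_max_port "$conf")
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "pasv_min_port/pasv_max_port missing or inverted; refusing" >&2
        return 1
    fi
    # Control channel from the Internet into the DMZ
    echo "iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Passive data connections: only the range vsftpd advertises
    echo "iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport $min:$max -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Replies from the DMZ host back out; no new connections from the DMZ
    echo "iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT"
}

pasv_rules "$SAMPLE_CONF"
```

The same rules also need an equivalent in the SuSEFirewall2 configuration if that is what manages the chains; the point is that the passive range in vsftpd.conf and the range opened on the firewall must be kept identical.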