Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] ftp server "best practice"
  • From: DDepue@xxxxxxxxxxx
  • Date: Thu, 24 Jul 2003 09:52:55 -0400
  • Message-id: <904D0CA3F6F98441BB3D77031898599410B09C@xxxxxxxxxxxxxxxxxx>

I would suggest using pure-ftpd instead of vsftp. Pure is a lot
easier to set up. It'll talk to LDAP if you need it to, but I think the
security gained by putting it in the DMZ is worth the loss of management
convenience. You should be able to set it up so that the ftp server in the
DMZ can talk to the LDAP server through the firewall if you really want it
to, but if your FTP service gets hacked the hacker then has access to your
directory and that's not good. If you have large numbers of users to manage,
use the password database feature. I'm sure you can find a way to export
user info from LDAP and import to the database. If you have good ftp client
software, it should automatically detect the need for passive mode. I have a
setup of this with pureftp running inside a DMZ that has a private address
and it runs very well. It's easy to set up with privilege separation or
chrooted, and it's as secure as vsftp. Make sure your server only supports
ssl-ftp and get clients that do as well.

SSH/SFTP is also a good solution, but requires local accounts on the
server, and a bit more tech savvy from your users. With pure or vsftp you
can do it without adding any real users to the box. It'll boil down to
whatever is the easiest to manage. You really should put it in the DMZ if
you can.

Don't run it on the firewall. Never run anything on the firewall.
Good luck.

-----Original Message-----
From: Daniel Nilsson [mailto:dnilsson@xxxxxxxxxx]
Sent: Thursday, July 24, 2003 8:44 AM
To: suse-security@xxxxxxxx
Subject: [suse-security] ftp server "best practice"


All,

I'm tasked to add an ftp server to our company's "internet presence"; the
ftp server will need to have accounts on it since the data is not for
the public. Currently our setup consists of a number of Linux firewalls
for our 4 office locations that then in turn connect these 4 office
locations using ipsec. In addition, at our main office location we have
a DMZ with a webserver.

The ftp server should be located at the main office, but I could use
some recommendations on where to place this server. From reading mailing
lists I understand the issue of active vs. passive ftp and placing the
ftp server in the DMZ. I don't think I can ask our customers to toggle
the active/passive flag of their ftp client since our customers are
usually not very computer savvy people. Putting an ftp server in the DMZ
that supports both active and passive ftp seems tricky; does anyone have
a recipe of how to make that work (using SuSEFirewall 2 on the firewall
machine)?

Other options include using the firewall machine itself as the ftp
server, but that makes me very nervous. I was leaning toward using
vsftpd, but regardless of how secure that is by design I'm still not too
comfortable using the firewall as the ftp server (what if the ftpd is
hacked ???).

The last option is to place the ftp server outside the company LAN and
make it a standalone machine with its own firewall. This would probably
be the best solution in terms of company LAN security, but the only
thing I don't like about this solution is that I will have to administer
accounts on this machine. I was hoping to be able to hook up to an LDAP
server that is available inside the firewall (not in the DMZ).

Any thoughts / recommendations are greatly appreciated.

Thanks
--
Daniel Nilsson
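The active/passive firewall problem both mails turn on, as an added Python example that is not code from either poster: it parses the in-band PORT command and 227 reply that carry the data-channel endpoint, and checks a DMZ server's passive reply against the public address and port range the perimeter actually forwards. The addresses, the public_ip value and the 50000-50100 range are constructed assumptions, not values from the thread.

```python
"""Active vs. passive FTP negotiation as a DMZ firewall sees it.

Active: client sends "PORT h1,h2,h3,h4,p1,p2", server connects back.
Passive: server replies "227 Entering Passive Mode (h1,...,p2)", client
connects there.  Port = p1*256 + p2.  The endpoint travels in-band, so the
perimeter must parse it (ftp conntrack helper) or pre-open a fixed range.
All addresses below are constructed sample values.
"""
import re

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or 227 reply; raise if malformed."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError(f"no address tuple in {line!r}")
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("octet out of range")
    a, b, c, d, p_hi, p_lo = octets
    port = p_hi * 256 + p_lo
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{a}.{b}.{c}.{d}", port

def data_channel(line):
    """Say who opens the data connection, which is what the firewall cares about."""
    ip, port = parse_endpoint(line)
    if line.upper().startswith("PORT "):
        return {"mode": "active", "opened_by": "server", "ip": ip, "port": port}
    if line.startswith("227 "):
        return {"mode": "passive", "opened_by": "client", "ip": ip, "port": port}
    raise ValueError("expected a PORT command or a 227 reply")

def check_passive_reply(line, public_ip, pasv_range):
    """Problems a 227 reply causes at the perimeter: a server on a private DMZ
    address must advertise the public IP (pure-ftpd -P or NAT helper rewrite)
    and a port the firewall forwards, else passive clients hang."""
    info = data_channel(line)
    if info["mode"] != "passive":
        return ["not a passive-mode reply"]
    lo, hi = pasv_range
    problems = []
    if info["ip"] != public_ip:
        problems.append(f"advertised {info['ip']} instead of public {public_ip}")
    if not lo <= info["port"] <= hi:
        problems.append(f"data port {info['port']} outside forwarded {lo}-{hi}")
    return problems
```

The same two checks are what the firewall's FTP connection-tracking helper has to get right for a server with a private DMZ address; a reply that fails either one is the classic "login works, directory listing hangs" symptom.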


