security risks on FTP server

jennetp (Member, joined Nov 30, 2005)
I have a few machines connected to a 4-port Ethernet router, operating as a mini network. I have set up one of the machines as a passive FTP server, but have discontinued that, as I was warned that opening port 21 for FTP presents a major security risk, even though I have extensive firewall software on all the machines. Can anyone confirm if this is true or not?
 
Well, it's both. Like ANY service, it can be secure or insecure. While scp and such would be a more secure and safer option, FTP, like httpd, is as secure as the admin who sets it up.

1) Install the latest build of the FTP daemon you wish to run
2) Make sure all patches and fixes are up to date, and follow the bugtraqs for the software you are using
3) DO NOT USE WEAK FTP USERNAMES AND PASSWORDS... this is what leads to most "hacks"

However, opening up port 21 will be fine. Tell the person you spoke to to give substantiation for his comments, as they sound alarmist and uneducated. His statement is like saying "don't use your browser, as it's a security risk and you may get infected with malware".
 
Best practices when opening port 21:

1. Good passwords.
2. Try to keep it read-only.
3. Try to run this server on a separate PC if possible.
4. If possible, set up and move this server to a DMZ.
5. Do read the FTP server documentation should you need or want to do customized modifications.
6. If you're really, really paranoid, then you can have a look at the log files on a daily basis... :D

I concur with the following:

W1z4rd said:
1) Install the latest build of the FTP daemon you wish to run
2) Make sure all patches and fixes are up to date, and follow the bugtraqs for the software you are using
3) DO NOT USE WEAK FTP USERNAMES AND PASSWORDS... this is what leads to most "hacks"

Good luck.
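An added example, not code from any poster in this thread, that turns items 3 and 6 of the list above (strong passwords, daily log review) into something you can actually run. It parses FTP server log lines in the style of vsftpd's default log file and flags clients with many failed logins, any anonymous logins, and any anonymous uploads. The thread does not name a daemon, so the log format, the treatment of the "ftp"/"anonymous" account as the anonymous user, and every sample line below are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in vsftpd's log style; none of these lines come from the thread.
SAMPLE_LOG = """\
Sat Dec 10 09:01:12 2005 [pid 2101] [jennet] OK LOGIN: Client "192.168.0.12"
Sat Dec 10 09:02:40 2005 [pid 2104] [jennet] OK DOWNLOAD: Client "192.168.0.12", "/pub/report.pdf", 90112 bytes, 210.55Kbyte/sec
Sat Dec 10 11:14:03 2005 [pid 2210] [admin] FAIL LOGIN: Client "203.0.113.45"
Sat Dec 10 11:14:05 2005 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.45"
Sat Dec 10 11:14:07 2005 [pid 2212] [root] FAIL LOGIN: Client "203.0.113.45"
Sat Dec 10 11:14:09 2005 [pid 2213] [ftp] FAIL LOGIN: Client "203.0.113.45"
Sat Dec 10 11:14:11 2005 [pid 2214] [test] FAIL LOGIN: Client "203.0.113.45"
Sat Dec 10 11:14:13 2005 [pid 2215] [guest] FAIL LOGIN: Client "203.0.113.45"
Sat Dec 10 13:30:00 2005 [pid 2300] [ftp] OK LOGIN: Client "198.51.100.7", anon password "mozilla@"
Sat Dec 10 13:31:10 2005 [pid 2301] [ftp] OK UPLOAD: Client "198.51.100.7", "/incoming/movie.part01.rar", 52428800 bytes, 1200.00Kbyte/sec
Sat Dec 10 14:00:00 2005 [pid 2310] [jennet] FAIL LOGIN: Client "192.168.0.12"
"""

# Field layout assumed from vsftpd's default vsftpd.log; adjust for another daemon.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)
# Transfer lines carry a quoted path and a byte count after the client address.
TRANSFER_RE = re.compile(r', "(?P<path>[^"]+)", (?P<size>\d+) bytes')

# Assumption: the anonymous account shows up in the log as "ftp" or "anonymous".
ANON_USERS = {"ftp", "anonymous"}


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a recognised event."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["anonymous"] = ev["user"] in ANON_USERS
    t = TRANSFER_RE.search(ev["rest"])
    ev["path"] = t.group("path") if t else None
    ev["bytes"] = int(t.group("size")) if t else 0
    return ev


def summarize(log_text, fail_threshold=5):
    """Aggregate one log file into the things worth looking at on a daily check."""
    failed = Counter()                 # failed logins per client address
    usernames = defaultdict(set)       # usernames each client tried and failed with
    anon_logins = set()                # clients that logged in anonymously
    anon_uploads = []                  # (client, path, bytes) for anonymous uploads
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "LOGIN" and ev["status"] == "FAIL":
            failed[ev["client"]] += 1
            usernames[ev["client"]].add(ev["user"])
        elif ev["action"] == "LOGIN" and ev["anonymous"]:
            anon_logins.add(ev["client"])
        elif ev["action"] == "UPLOAD" and ev["anonymous"]:
            anon_uploads.append((ev["client"], ev["path"], ev["bytes"]))
    return {
        "failed_logins": dict(failed),
        "usernames_tried": {c: sorted(u) for c, u in usernames.items()},
        # Many failures from one address, often across several usernames, is the
        # password-guessing pattern item 3 of the list warns about.
        "suspect_clients": sorted(c for c, n in failed.items() if n >= fail_threshold),
        "anonymous_logins": sorted(anon_logins),
        "anonymous_uploads": anon_uploads,
    }


def print_report(report):
    for client in report["suspect_clients"]:
        print(f"{client}: {report['failed_logins'][client]} failed logins, "
              f"usernames tried: {', '.join(report['usernames_tried'][client])}")
    for client in report["anonymous_logins"]:
        print(f"{client}: anonymous login accepted")
    for client, path, size in report["anonymous_uploads"]:
        print(f"{client}: anonymous upload of {path} ({size} bytes)")


if __name__ == "__main__":
    print_report(summarize(SAMPLE_LOG))
```

Run as a script it reports on the constructed sample; for a real server replace `SAMPLE_LOG` with the contents of the daemon's log file (for vsftpd, normally /var/log/vsftpd.log). An address that fails against five or six different usernames in a few seconds, or any anonymous upload at all when anonymous access is supposed to be off, is the kind of line worth acting on before the box becomes the warez host described later in the thread.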
 
Thanks for the advice guys (girls?). Got it working and all seems fine, and yes, I was initially paranoid, so I checked logs on a daily basis. I even do a daily check on my connection logs against the Telkom ADSL usage reports.
This has nothing to do with security, but the Telkom usage tracker is a bit weird. It correctly showed that I had downloaded 90MB one day, and then decided the next day that I hadn't downloaded anything. Anyway, not complaining.
 
The main "security issue" with FTP servers is buffer overflows. Make sure you're running the most recent version of your FTP server, and you should be fine.

It's NOT that much of a security risk, as long as you don't allow anonymous uploads / downloads, otherwise you may find that your bandwidth is gone, and you're suddenly hosting a crapload of warez. :p
 
thisgeek said:
It's NOT that much of a security risk, as long as you don't allow anonymous uploads / downloads, otherwise you may find that your bandwidth is gone, and you're suddenly hosting a crapload of warez. :p
Or pull your 64k Diginet line down solid... :D

I've tightened security on mine, disallowed anonymous ftp and so far, so good (touch wood). SME Server RC6.1 runs fine, however, as soon as RC7 comes out, I'll grab it and upgrade.

Regarding anonymous up/downloads, our previous firewall was a Win2k server with Sygate firewall on... and this was also our ftp and web server. The ftp server had anonymous access allowed, which I disabled, but before I did so, some yahoo ran several exploits on it, trying to gain r00t access. This server is now retired (mobo's packed up) and in its place is a Smoothwall and a SME server. There was also a c**pload of funny directories with weird characters which you could not delete. And a warezed DVD movie as well... :rolleyes: no, not pr0n, unfortunately. :)

Never had any problems with Smoothwall and SME server yet...

/me goes off to check SME server for problems...
 