FTP Security

Johnniep

I have just setup a network storage device which allows me to connect to the hard disk remotely via FTP. In order to access files and folders I need to input a username and password which is fine, but I am just wondering how secure this really is?

I know the disk doesn't contain the secret to immortality or anything like that, but I would like to know that it is as secure as possible

Any help would be appreciated.

Thanks, and Happy Crimbo......

Cake Fiend

How broad is the network access to this device? Local? Specific remote range? Internet? That would be one thing to look at.

But for a start, make sure you're using a long, complicated password (and even username!) that won't be easily cracked.

Is FTP the only option for this device? Does it have any other ports open that might be abused?

Johnniep

WOW! That was quick Cake Fiend!

The idea behind it is to be able to access files remotely over the internet. I have a dynamic IP address unfortunately so I am using DynDNS which my router supports to get access.

The Landisk will only support FTP or SMB for accessing the disk, so what I have done is set up a long user name and password like you suggested and mapped the ports (20 or 21 - can't remember off hand) to the disk. Works fine, just curious on the security.

Or is there a better way?

liamo

FTP is not secure and no encryption is used. Everything is transmitted in clear.

I would recommend against simply forwarding the ports and, instead, access this device remotely by connecting to your network with a VPN. That way you don't need to open up FTP ports unnecessarily and all communications are encrypted.

Regards,

Liam

layke

liamo wrote:

FTP is not secure and no encryption is used. Everything is transmitted in clear.

I would recommend against simply forwarding the ports and, instead, access this device remotely by connecting to your network with a VPN. That way you don't need to open up FTP ports unnecessarily and all communications are encrypted.

Regards,

Liam

FTP is actually quite secure pending on the softweare you use.

Johnniep

liamo wrote:

I would recommend against simply forwarding the ports and, instead, access this device remotely by connecting to your network with a VPN.

Is it possible to setup a VPN using a dynamic ip address? I have a Netgear DG834g router and am using DynDNS so have that bit sorted :rolleyes:

Thanks for the help!

liamo

layke wrote:

FTP is actually quite secure pending on the softweare you use.

Within the context of my last comment, FTP is not secure. Your comment is vague and lacking specificity so it's hard to respond to it other that to say that if you use FTP within an ssh tunnel or across a VPN then, yes, that's secure. SFTP is secure in that it encrypts commands and data, but that's an entirely new protocol - it's not FTP. Nothing in the foregoing changes that fact that FTP itself is not secure.

Having said that, I set up an FTP server in work. I used FTP for reasons of convenience for the many users. However, it's understood that this is not secure and files don't remain there for any longer than necessary.

Johnniep wrote:

Is it possible to setup a VPN using a dynamic ip address?

Absolutely. However, you might have trouble if your lease expires during a VPN session.


Regards,

Liam

matrim

For the vpn you could look up humanzi, which should allow you to connect.

I have an ftp server setup on my pc, what I do is connect remotely to my pc using ssh, then access the ftp server through this.

Johnniep

matrim wrote:

For the vpn you could look up humanzi, which should allow you to connect.

I have an ftp server setup on my pc, what I do is connect remotely to my pc using ssh, then access the ftp server through this.

Any more info on humanzi matrim? All I found was info on an Irish band

feylya

Try Himanshi...

Edit: http://www.hamachi.cc/ even...

zappb

I set up a FTP server at home as well through IIS (Internet Information Services) - through win xp -

I used to leave it open so anyone could log in - so its not secure, but i think there is an issue that if you use a username and password through IIS - you have to have an account login & Pword to use - as in you have to give people your user account and password or create a new account for them through win xp.

This is also not secure and i would rather leave it open tbh...

What is the best software for FTP?

liamo

zappb wrote:

I used to leave it open so anyone could log in - so its not secure

Not being secure is not the end of the world. As long as you know that it's not secure.....

i think there is an issue that if you use a username and password through IIS - you have to have an account login & Pword to use - as in you have to give people your user account and password or create a new account for them through win xp.

Again, not necessarily a problem if you set up an account that has very restricted permissions.

What is the best software for FTP?

The problem is that FTP, as a protocol, is insecure - in that everything is transmitted in clear. I use vsftp (Very Secure FTP) and I also implement some procedures to tighten up security, eg in my Upload directory, user can only upload, they can't read the contents and can't download. In my Download directory, users can only download files - they can't upload. However traffic is still transmitted in clear - that's where the major security problem with FTP lies. As long as that's understood, you can make informed decisions.

My preferred server software for transferring files is ssh. My preferred client is WinSCP or scp or Filezilla (which has an scp client). There are versions of ssh server for Windows so there's no reason why you can't have a secure file transfer system if you want.

Hope that information is of some help.

Regards,

Liam

Johnniep

Hey Liam,

You seem to be well up on this stuff......mind if I pick your brain. Basically, I want to access a Landisk (a networked drive attached to an internal network) Anywho, I want to be able to access this drive over the internet. I have it up and running over ftp. Just wondering if VPN is a better option. My setup is basically the Landisk attached to a Netgear DG834G router. I have broadband with a dynamic address with Dyndns linking the IP addy.

Should I keep running over ftp (with open ports in my firewall) or should I go down the VPN route. The problem I see with the VPN is getting over the dynamic IP issue.

Would really appreciate any ideas you have.

Thanks!!

John

zappb

thanks liam - good advice!

blorg

As stated FTP isn't secure in the sense that all commands, passwords, etc. are transmitted in plain text. However the actual likelihood that someone is going to intercept anything due to that is very very low (they would have to have control of a computer in the path your packets follow.) It would be a lot more likely that someone would crack a weak password or exploit a vunerability in the FTP server in question.

There are other things to consider that could help; for example if you just want to get at the files from a single location (e.g. "work") and said location has a static IP address (likely if its work) then you can lock down access to that IP addess. This is really quite effective.

Also if possible run the FTP server on a non-standard port (e.g. not 21) which will make it significantly more difficult to locate by port scanners, etc.

Cake Fiend

blorg wrote:

Also if possible run the FTP server on a non-standard port (e.g. not 21) which will make it significantly more difficult to locate by port scanners, etc.

If you can do this, it would be another improvement. Don't ever rely on security by obscurity on its own, but it can be useful as an additional layer of obfuscation.

liamo

Johnniep wrote:

I have it up and running over ftp. Just wondering if VPN is a better option.

I think blorg's comment were the most applicable to your situation. He's quite right that the biggest risk to you is a weakly passworded account or a vulnerability in the server software. That being the case, you're probably safe enough.

Being a bit of a purist, that wouldn't be my preference, but when you're on-line, everything is a matter of balancing risks and benefits.

It would do no harm to try to set up a VPN, even if only from the point of view of learning how to do it. Then you'll at least have the option to use it or not.

Regards,

Liam