Re: Secure FTP

From: MaddHatter <maddhatt+securitybasics@xxxxxxxxxxx>
Date: Sun, 25 Mar 2007 13:26:34 -0700

We have a public facing FTP server that we would like to secure.
... What is the best way to secure this FTP server? I've =
tried SFTP, but was just curious as to what else is out there.

There's nothing you can do to "fix" FTP. _If_ you really want FTP, SFTP
(a separate draft standard based on ssh) is the way to go. You could
direct customers to a popular and user-friendly client such an WinSCP
(http://winscp.net). For the server, you could use OpenSSH through Cygwin
or something similar (the price is right -- free). My favorite is WinSSHD
(http://www.bitvise.com/), which is reasonably priced. Or there's lots
of less-reasonably-priced commercial solutions.

For other ideas, there's also SSL-FTP (traditional FTP wrapped in SSL),
which seems to have fallen out of favor. You could use normal FTP but
require clients connect to an encrypted VPN before initiating the FTP
session (*ick*).

For your application, you probably don't need FTP at all. Here's what I'd
suggest. Make an SSL-protected web page to authenticate your clients and
allow them to upload files via a web form. You have complete control over
the interface, what happens to the files, who can put what where, and
all the security concerns. It's all your company's code, so nobody else
can decide to change/remove the one essential feature you need(ed). Your
customers certainly already have a web browser, so they don't need to
download and learn to use another foreign program. If you're a Windows
shop -- and it sounds like you are -- you can just add onto the IIS setup
you're already using, no need to install, configure, maintain, and secure
another service. I think the cheapest SSL certificate provider right now
is GoDaddy.

Follow-Ups:
- RE: Secure FTP
  - From: jbeauford

References:
- Secure FTP
  - From: aaronr

Prev by Date: RE: how to block web messenger services
Next by Date: Re: RE: The Value of GIAC/GSEC Certification
Previous by thread: RE: Secure FTP
Next by thread: RE: Secure FTP
Index(es):
- Date
- Thread

Relevant Pages

First time vsftp setup
... I am setting up my very first ftp server for my small company and I am wondering if someone with more experience than I could look at my configuration and give me some advice. ... The purpose of my ftp site is to enable our staff and a select group of our clients to exchange very large files back and forth, without the problems associated with emailing large files. ...
(RedHat)
Re: How 2 secure PC-PC data transfer
... The assumption that you are going to open your machine to attack is one of the worst ideas ... I have no idea what you mean by "not that secure". ... connecting a parallel port cable from PC to PC will work. ... If you have a front-end software that blocks all incoming FTP requests from the WAN (look ...
(microsoft.public.vc.mfc)
Re: IIS 6.0 FTP
... The reason for testing via ftp.exe is to see if your ftp server is working ... I understand your have the order entry program, but now - we need to check ... The ftp server connection msgs you posted, doesn't look like IIS FTP to me. ... clients are using an order entry program created in Microsoft access. ...
(microsoft.public.inetserver.iis.ftp)
Re: FTP
... >from a website to my computer VIA ftp. ... but who knows if your ftp server supports any of those ... service doesn't have any secure options, meaning the ftp session cannot be ... 1) have your designer fetch the database using ssl. ...
(comp.security.misc)
RE: Secure FTP
... alternativley having IIS generate a self signed cert using selfssl.exe ... Your clients would then access their directory as a 'web folder' within ... Subject: Secure FTP ... We have a public facing FTP server that we would like to secure. ...
(Security-Basics)