sFTP compared with FTP via VPN

From: ITguy_uk (itguy_uk_at_hotmail.com)
Date: 04/22/04 

Date: 22 Apr 2004 06:49:56 -0700

I am trying to setup a server to allow third party users to place
files on a Solaris filesystem within a specific directory through the
internet securely. Initially I was thinking of having VPN connection
to the server from the host through a firewall/VPN appliance and only
allowing the external host FTP access to the server using port
filtering. I have since found the cost of the VPN functionality to be
fairly high (cannot use open source solution for this although I would
like too - long story!!!!!).

I then found the sFTP software which allows FTP functionality through
SSH which seemed to be the solution. I have since found with testing
that in order for sFTP to work the third party has to have SSH access
to the server. I can limit where the user can get into using Unix
file permissions but I am concerned that giving the third party SSH
shell access is creating vulnerabilites that I am not aware of. I
have searched on Google for this and the newsgroups but there doesn't
seem to be anything specific. It basically seems a bad idea to give
users shell access when they only need to transfer files.

Can anyone suggest what vulnerabilities are exposed by using SSH
instead of FTP via VPN and how this can be reduced. Or should I just
use the VPN solution as sFTP opens up to many vulnerbilities due to
the shell access. Also if anyone can suggest another solution to this
problem I would be interested to hear of it.

Thanks in advance

Relevant Pages

  • Re: Apache Software Foundation Server compromised, resecured. (fwd)
    ... this was one "result" of the comromised ssh binary at sourceforge. ... a public server of the Apache Software Foundation ... > (ASF) was illegally accessed by unknown crackers. ... > exhaustive audit of all Apache source code and binary distributions ...
    (FreeBSD-Security)
  • Re: FreeBSD Crash without Errors, Warnings, or Panics
    ... I suppose I could run on stable until the driver is fixed in a release branch, but I need this box up and online, and I've always read that the stable branch is not the place for production servers. ... I'm running 6.0-RELEASE-p5 on a Toshiba built server: dual Xeon Intel motherboard with a LSILogic MegaRAID controller. ... Also, some network ports still respond, like a telnet to port 22 to test SSH will yield an SSH banner, but trying to connect with SSH just hangs. ... The box runs a web-based app and connects to a local Postgres DB which seemed to be unable to start new connections being requested by the PHP scripts. ...
    (freebsd-hackers)
  • Re: restrict ssh access
    ... > We have one ssh server which receives about 6000 failed attempts to ... > unsuccessful login attempts per client IP address? ... the remote server is also running OpenSSH. ...
    (comp.security.ssh)
  • Re: SSH as root
    ... Subject: SSH as root ... but it doesn't require having a key on the server that could be ... If they compromise a server, and the passphrase, etc. is there, they only ... private key to anyone. ...
    (SSH)
  • Re: Explanation of SSH
    ... I am still unclear on how SSH works exactly. ... Client issues SSH command and names server ... "Shopper" says "server sends back its public host and server keys ... Surely there is only one public key it sends ...
    (comp.security.ssh)