Topic: Allow SFTP access but not insecure FTP from internet.

[ZL3DON]

Greetings All,

I have a windows machine at a remote client site that needs to automatically send a few log files back to me at the mothership each day.  These are standard text files produced by some industrial hardware.

I'm not the admin for the remote site, and have limited access to their server.  Reasonable requests would be granted, but I'm trying to do this as simply as possible.

I've looked at setting up a VPN between sites, but frankly think that'd be overkill.
I could use a shared cloud provider (Google drive/Dropbox) I suppose, although I'm trying to do this as simply as possible to avoid maintenance issues.

I'm thinking a timed job in the wee small hours on the remote Windows machine that runs a script to use Putty Secure FTP to transfer the files to a user account on my server running SME 9.2 would be the best solution.  And I'm more than capable of arranging this.

Although if someone has a better idea, I'm all ears. 

The part I'm struggling with is opening FTP on my server.  I'm running Fail2Ban, and every time I've opened the FTP ports in the past, the number of people trying the doorhandle has kept me awake at night!

What I'd like to do is lock it down as much as possible, by:
1) Allowing SFTP, but not insecure cleartext password FTP.
2) It'd be nice to whitelist a dozen IP addresses.
3) Changing the port to something non-standard would be nice.  You know.  Just to make life hell for the bad guys.

I have only allowed secure access to email from outside, but there's no option to do the same for FTP.
Maybe I can firewall insecure FTP port after enabling FTP in the UI?

Any suggestions?

Thanks,
Don.

[ReetP]

Use SCP, or a VPN, and save yourself some hassle ?

Putty SCP

https://success.tanaza.com/s/article/How-to-use-SCP-command-on-Windows

[mmccarn]

SFTP uses ssh - to use SFTP without giving people your root password you'd need to enable ssh for a user, which can be done using Remoteuseraccess.  If you look into that you may also be interested in UserManager

FTPS (FTP over SSL) uses SSL/TLS, and is not enabled in SME 9.  There is work in bugzilla to enable it for SME 10 (Bug 6804).  I applied the template fragment from the bug to my SME 9.2 server and was then able to connect using FTPS, however, the version of ProFTP in SME9.2 only supports the deprecated SSLv3 and TLSv1 protocols, so this may be insecure / inadvisable:

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/proftpd.conf
curl https://bugs.contribs.org/attachment.cgi?id=3393 > /etc/e-smith/templates-custom/etc/proftpd.conf/06ModTLS
config setprop ftp TLSEnabled yes
config setprop ftp TLSRequired yes
signal-event remote-access update

These commands should create a firewall rule that allows FTP access only from the allowed public IPs:

Code: [Select]

config setprop ftp AllowHosts 'a.b.c.d'
signal-event remote-access update

This recent forum post lists various options that could be used to allow encrypted file uploads to your SME server:
https://forums.contribs.org/index.php?topic=53420.0


UNDO information:

These commands will un-do the FTP custom changes created using the above commands:

Code: [Select]

'rm' -f /etc/e-smith/templates-custom/etc/proftpd.conf/06ModTLS
config delprop ftp TLSEnabled
config delprop ftp TLSRequired
signal-event remote-access update

These commands will remove the firewall rule:

Code: [Select]

config delprop ftp AllowHosts
signal-event remote-access update


[Jean-Philippe Pialasse]

the best approach would bet using sftp everywhere an totally disable ftp as pointed MMccarn the tls protocol available on SME9 is not considered secure.

Whether you are on the lan or over the internet, with FTP your password is sent in clear, so could be taken.

Using SFTP /SCP which is a protocol using SSH you are pretty secure. And why having two procedures whether you are local or remote? Why would you accept the risk someone sniffing on your LAN could get a password? It seems less probable, but more targeted, somaybe not that less probable. Just use it everywhere and disable FTP.
As pointed by Mmccarn install remoteuseraccess and usermanager so each user could enable and set its own rsa ssh key.

In term of software, filezilla could be used for scp /sftp but I would prefer winscp on windows.


If you are in need to make a chroot, some extra work need to be done, but this would be to make it more convenient than more secure. If your user has not right to access an ibay or any folder, being able to list it will change nothing.

[ZL3DON]

Use SCP, or a VPN, and save yourself some hassle ?

Putty SCP

https://success.tanaza.com/s/article/How-to-use-SCP-command-on-Windows

Hi Reet,

Yes.  I was trying to avoid the VPN, but may have to revist the idea.

SCP sounds promising.  I'll do some reading over the weekend.

Thanks for your help!
Don.

[ZL3DON]

These commands should create a firewall rule that allows FTP access only from the allowed public IPs:

Code: [Select]

config setprop ftp AllowHosts 'a.b.c.d'
signal-event remote-access update

This recent forum post lists various options that could be used to allow encrypted file uploads to your SME server:
https://forums.contribs.org/index.php?topic=53420.0

Hi mmccarn,

Thanks for that.  That's given me some more info, and the specifics of how to setup things under the hood so to speak.

You may not be the person to ask, but I think things like FTP whitelists would be useful to have in the UI of a future release?

I've taken a quick look at the post you've mentioned too.  I'll read it a little more in depth and see if something there might do the job.

I'm probably being a little paranoid, but better that than being hacked in my book.

Thanks,
Don.

[ZL3DON]

the best approach would bet using sftp everywhere an totally disable ftp as pointed MMccarn the tls protocol available on SME9 is not considered secure.

Whether you are on the lan or over the internet, with FTP your password is sent in clear, so could be taken.

Hi Jean-Philippe,

Yes.  I couldn't agree more.  I'm more than happy to disable insecure FTP entirely inside & outside. 
I think I was just comparing it to the existing mail "server access" settings in the configuration/email GUI in SME 9.2
It specifies secure for external, but makes no mention of it for internal.  I'd be happy with secure both sides.
I'm not actually using FTP internally (to this server), so it never crossed my mind.

I'm so paranoid I run secure SSL IMAP down a 6 foot cable I can see both ends of across my office!

As pointed by Mmccarn install remoteuseraccess and usermanager so each user could enable and set its own rsa ssh key.

In term of software, filezilla could be used for scp /sftp but I would prefer winscp on windows.

Yes.  This is something I'm going to have to research a little more now that I've confirmed the direction I need to take.

If you are in need to make a chroot, some extra work need to be done, but this would be to make it more convenient than more secure. If your user has not right to access an ibay or any folder, being able to list it will change nothing.

Understood.  At the moment I'm happy for them to upload to a useraccount, and I can then write some scripts to move things around from there, rather than (potentially) exposing more of the filesystem to the world, so that if it was hacked, the damage would at least be limited.

Thanks for all the help.  Time to digest and come up with a plan.

I appreciate the help from you all.  It's been top-notch and helpful.  It makes a refreshing change from some of the "assistance" I've seen elsewhere lately.