Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: boringgit on February 15, 2004, 04:08:12 PM
-
One of our major suppliers requires FTP access to one of our servers in order to deposit various despatch confirmations etc...
The SME box seems the obvious choice, as I don't trust a Win2K server to be particularly secure.
My question is, is there a way within SME for me to allow FTP access, but tie it to a particular external IP address? I don't really want to add their IP as a local network, as it is entirely beyond my control.
The only other way I can consider would be to buy one of the commercial FTP packages for the Windows box and forward the FTP port (but then we are back to the security problem :cry: )
Thanks In Advance!
Rob
-
You don't want to open FTP to the outside - bad thing. Open your SSH port and use "sftp", which is secure ftp running over ssh.
Search on net and download "FileZilla". It is an excellent free Windows FTP that supports 'sftp'.
-
Thanks for the reply Bob,
Unfortunately it has to be FTP - we are a real small customer when it comes to this supplier, so we are having to "fit in" with their existing systems.
Surely, if tied to one IP only, and with very restricted access to a server which in itself contains no business critical data, FTP is not such a risk? They are running the FTP which I will deposit files onto on one of their main IBM mainframes.
-
OK, here's a thought...
Could I use IPtables?
Something such as
iptables -I INPUT -p tcp --dport 21 -s ! 10.0.0.1 -j DROP
OK, so 10.0.0.1 is not the IP addy :-D
Does this look effective however?
Thanks in advance again :-D
-
Another solution might be to give the vendor the ftp account and use one of the ftp chroot contribs to lock them into that directory.
All the vendor needs to know is his login / password and the rest is transparent and "relatively" safe.
-jeff
-
On your SME server type command "man hosts.allow". Basically you deny all ftp in /etc/hosts.deny, then in /etc/hosts.allow you list IP addresses that are permitted to use FTP. Take care not to lock yourself out when you test this.
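As an added illustration of the hosts.allow/hosts.deny approach described above (not code from the thread or from SME Server): a small evaluator that applies libwrap's lookup order to a pair of constructed files, so the rules can be checked against a few client addresses before they go live and lock the admin out. The daemon name "in.ftpd", the supplier address 203.0.113.10 and the 192.168.1. LAN are assumptions for the example; the real daemon name is whatever process name tcpd/libwrap sees on the box.

```python
import ipaddress

# Constructed sample files for this example. "in.ftpd" is an assumed daemon name;
# 203.0.113.10 is a documentation address standing in for the supplier's fixed IP.
HOSTS_DENY = """
# deny FTP from everyone not listed in hosts.allow
in.ftpd : ALL
"""
HOSTS_ALLOW = """
# the single supplier address allowed to reach FTP
in.ftpd : 203.0.113.10
# anything local may use any wrapped service (prefix form: trailing dot)
ALL : 127.0.0.1 192.168.1.
"""

def parse(text):
    """Return (daemon_list, client_list) pairs from a hosts.allow/hosts.deny body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = (field.split() for field in line.split(":")[:2])
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    """Subset of libwrap client patterns: ALL, exact IP, 'a.b.c.' prefix, net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # e.g. "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    if "/" in pattern:                         # "10.0.0.0/255.0.0.0" or CIDR form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, ip) for p in clients))

def access_allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow is consulted first, then hosts.deny, else permit."""
    if any(rule_matches(r, daemon, ip) for r in parse(allow)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse(deny)):
        return False
    return True

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "192.168.1.77"):
        print(f"in.ftpd from {ip}: {'allowed' if access_allowed('in.ftpd', ip) else 'denied'}")
```

Running it before editing the real files shows which addresses (including your own) would be refused under the proposed rules.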
-
Thanks Guys,
I think I will probably use both of your suggestions :-D
Thanks again!
-
Could I use IPtables?
Just wondering whether you found a solution to your problem... 'cause I've got the same problem - so temporarily I've got FTP wide open... though would like to restrict it to just one external IP address. But so far nothing I have tried seems to work.
By the way, does it make a difference whether you've got SME setup as a Server & Gateway OR a Private Server & Gateway? Can it be done with both set ups? or will it only work with one of them? I don't need any other port open externally, just FTP to one external server with a fixed IP (they have a PHP script that transfers files).
If I had a second box (which I don't :-( ) I'd have set up Smoothwall and not used SME for the firewall - probably would have saved a lot of hassle, but it must be possible to restrict it without having to add yet another PC to the equation, right?
Any help would be greatly appreciated - I've been searching for info for nearly a week now...
Cheers,
Ingo.
-
So is the only option to use Smoothwall instead of SME's firewall?
-
Thanks! The mails were from people on my http://geteducation.topcities.com/ allow list...
-
Sorry - I have to admit I actually left my old job (the one where I had to set up the FTP) without completing that project...
Ahemm..
By the way, does it make a difference whether you've got SME setup as a Server & Gateway OR a Private Server & Gateway? Can it be done with both set ups? or will it only work with one of them? I don't need any other port open externally, just FTP to one external server with a fixed IP (they have a PHP script that transfers files).
Kind of an uneducated answer, but in my years of using SME I have found that whatever it does to lock itself down when you put it into private server and gateway is tough to circumvent.
All I wanted externally was webmail, but I just couldn't "break" SME into giving it to me in private mode, so I had to go back to public.
If I had a second box (which I don't :-( ) I'd have set up Smoothwall and not used SME for the firewall - probably would have saved a lot of hassle, but it must be possible to restrict it without having to add yet another PC to the equation, right?
Never tried Smoothwall, but I have tried Mandrake Security and Clarkconnect. Neither of them was a patch on SME (Although they do appear to offer more options, they don't seem as reliable).
Did you try the methods suggested above? I was doing fairly well before my departure.