ftp set up

Bill Moran wmoran at potentialtech.com
Tue Mar 6 13:24:18 UTC 2007 

Please wrap your lines around 72 characters.

In response to Vizion <vizion at vizion.occoxmail.com>:
> 
> I wonder if someone could point me to a reliable detailed resource for
> configuring an ftp server on freebsd 6.1 for both incoming and outgoing
> files (including anonymous ftp).
> 
> I do not want anonymous uploaders to view existing file names in
> ftp/incoming or be able to download from incoming. I want the server as
> secure as is reasonably practicable. The notes in the freebsd handbook are
> not really comprehensive enough for me. 

Please don't do this.  Please don't even try.

Never try to use the word "secure" in the same sentence as "ftp".  They don't
fit in the same sentence.

Set up ssh, then have Windows users use WinSCP.

Let me tell a little story.  A few years back I was asked to set up "secure
ftp" for a client.  I argued, but he insisted, and "the customer is always
right", so I set it up for him.

The plan, to keep it secure, was to enable the FTP server when it was needed,
and disable it when the transfer was complete.

Well, one day he forgot to turn it off.  A few weeks later he went to enable
it for another transfer and noticed a bunch of files on the server he didn't
recognize.

Someone had guessed the password and was using his FTP server to transfer files
of a most unsavory nature.

After we destroyed the files, changed the passwords, etc -- he decided to keep
using the FTP (in spite of the incident).  The only problem, he argued, was
that we'd forgot to turn it off.

But the crook now had our address.  The next time he enabled that server, it
wasn't more than a few hours before the crook was using it to move around
his files again.  The guy must have set up some monitoring to alert him when
the FTP site came up, then he either had a sniffer to get the password or
he was able to brute-force it really fast.

I tell that story when people tell me that the data their transferring isn't
sensitive, and therefore using FTP isn't a security risk.  It still is.  The
only time it's OK to use FTP is when it's download only and the files are
publicly available.  Any other time, FTP is a liability.

-- 
Bill Moran
http://www.potentialtech.com

More information about the freebsd-questions mailing list