I own an FTP server, and need port 21 open, how do I keep it secure?


Solution 1

FTP is a security risk because it transmits login information (including passwords) in plaintext, so you'll need to wrap it up in encryption. If you need to use FTP specifically, then OpenVPN can wrap it up very nicely for you in a fully encrypted stream:

  OpenVPN (free and open source)
  http://www.openvpn.net/index.php/open-source.html

Your server and all clients that need to use your FTP server will then have to have OpenVPN installed.

Of course, you might find it easier to just use one of the more secure versions of FTP known as SFTP or FTPS, since many FTP clients have built-in support for this. One really good one is FileZilla, which supplies complete and independent client and server applications and complies with the relevant RFCs:

  FileZilla (free and open source)
  http://www.filezilla-project.org/

Solution 2

There are numerous solutions to this problem, with various levels of complexity and convenience.

  1. Secure passwords on the accessible accounts. If you use good passwords, odds are people won't get in unless there is some other vulnerability.
  2. Allow FTP access only from certain IP addresses. If you know you're going to be accessing your machine from specific places only, just allow those to connect and block all others.
  3. Linux systems have something called DenyHosts which will block IPs that seem to be acting maliciously towards your machine.
  4. Port Knocking will enable access to a port only after a series of connection attempts have been made to a predetermined set of ports. For example, try to connect on port 20, 35, 16, and 1, then port 21 would be opened. I'm not sure if there is an implementation of this for Windows though...

Best of luck!
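Item 4 above is easier to reason about as code. The following is an added example (mine, not code from either answer or from any port-knocking project): a Python model of the gate's decision logic, not a firewall hook, using the knock ports named in item 4. It also implements the single-use sequence idea raised in the comments, so that an observer who replays a knock sequence later is refused. The IP addresses and timings are constructed.

```python
from collections import deque

PROTECTED_PORT = 21  # the FTP control port being guarded


class PortKnockGate:
    """Port-knocking decision logic: a source IP gets access to port 21 only
    after it hits a whole knock sequence, in order, within `window` seconds.
    With single_use=True each sequence is consumed the first time it is
    completed, so replaying the same knocks later is refused."""

    def __init__(self, sequences, window=10.0, single_use=True):
        self.unused = [tuple(s) for s in sequences]  # sequences still valid
        self.window = window
        self.single_use = single_use
        self.maxlen = max(len(s) for s in self.unused)
        self.recent = {}      # src_ip -> deque of (timestamp, port) knocks
        self.allowed = set()  # src_ips that completed a valid sequence

    def observe(self, src_ip, dst_port, ts):
        """Feed one connection attempt; return True if it completes a sequence."""
        if dst_port == PROTECTED_PORT:
            return False  # hitting the guarded port itself is never a knock
        buf = self.recent.setdefault(src_ip, deque(maxlen=self.maxlen))
        buf.append((ts, dst_port))
        for seq in list(self.unused):
            tail = list(buf)[-len(seq):]  # most recent knocks, oldest first
            if tuple(p for _, p in tail) == seq and ts - tail[0][0] <= self.window:
                self.allowed.add(src_ip)
                if self.single_use:
                    self.unused.remove(seq)  # burn it: one use only
                buf.clear()
                return True
        return False

    def permits(self, src_ip, dst_port):
        """Would the firewall let this connection through?"""
        return dst_port != PROTECTED_PORT or src_ip in self.allowed


def run_sample():
    """Constructed scenario: a legitimate client knocks 20, 35, 16, 1 (the
    ports named in item 4); an observer replays the same knocks a minute later."""
    gate = PortKnockGate([(20, 35, 16, 1)])
    client, observer = "203.0.113.5", "198.51.100.9"  # constructed addresses
    for t, port in enumerate((20, 35, 16, 1)):
        gate.observe(client, port, float(t))
    for t, port in enumerate((20, 35, 16, 1)):
        gate.observe(observer, port, 60.0 + t)
    return gate.permits(client, 21), gate.permits(observer, 21)
```

Knocks that arrive out of order or too slowly never match, and a gate built with `single_use=False` behaves like classic port knocking, where the same sequence works for anyone who has seen it.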

Author: Nathaniel Hirschler

Updated on September 18, 2022

Comments

  • Nathaniel Hirschler (over 1 year)

    I was wondering, because I need both my port 21 open on my router and my firewall for it to work, but then it seems as though it's wide open for attack. Is there any way I can keep it secure? Luckily, on my router I have port 21 open for only the computer that has the ftp server, so it's not compromising my entire network, just the ftp server. I have Windows XP, so it worries me even more because more attacks are made for XP, I'm sure.

    • user1686 (about 13 years)
      There indeed are attacks for Windows XP. But they cannot reach your computer; if you only forwarded port 21, then the only thing reachable from outside is the FTP server, not the often-exploited SMB or NetBIOS components (which, by the way, are blocked by default in XP firewall).
  • Randolf Richardson (about 13 years)
    Regarding item 2: Limiting access to a certain IP address is a good step, but it doesn't prevent third parties from observing data transfers, which is why encryption is so important. Since FTP isn't encrypted, a third party observer can get a copy of data as it is transferred. Also, if a third party gains control of a router between client and server, then they have the option to re-route packets for the permitted client IP to access your server from anywhere (with control of the router, they can also easily sniff packets to see login information as well as data on unencrypted data streams).
  • Randolf Richardson (about 13 years)
    Regarding item 4: This is security by obscurity, although it can help a little bit (and it is an interesting technique). Of course, a third party observer can observe the "Port Knocking" technique and repeat the steps later. Where "Port Knocking" is used, OTP (One-Time-Password) type techniques are highly recommended, such that a given knocking sequence would be limited to only a single use.
  • UNK (about 13 years)
    I'd argue that "Port Knocking" is no more security through obscurity than passwords themselves are. It's still a password, it's just made of connection attempts rather than characters.