Security Basics mailing list archives
Re: Secure FTP
From: Michael Louie Loria <mlloria () lorztech com>
Date: Tue, 27 Mar 2007 16:04:34 -0700
FileZilla Server supports SFTP jbeauford () EightInOnePet com wrote:
SSL-Explorer MaddHatter wrote:We have a public facing FTP server that we would like to secure. ... What is the best way to secure this FTP server? I've = tried SFTP, but was just curious as to what else is out there.There's nothing you can do to "fix" FTP. _If_ you really want FTP, SFTP (a separate draft standard based on ssh) is the way to go. You could direct customers to a popular and user-friendly client such an WinSCP (http://winscp.net). For the server, you could use OpenSSH through Cygwin or something similar (the price is right -- free). My favorite is WinSSHD (http://www.bitvise.com/), which is reasonably priced. Or there's lots of less-reasonably-priced commercial solutions. For other ideas, there's also SSL-FTP (traditional FTP wrapped in SSL), which seems to have fallen out of favor. You could use normal FTP but require clients connect to an encrypted VPN before initiating the FTP session (*ick*). For your application, you probably don't need FTP at all. Here's what I'd suggest. Make an SSL-protected web page to authenticate your clients and allow them to upload files via a web form. You have complete control over the interface, what happens to the files, who can put what where, and all the security concerns. It's all your company's code, so nobody else can decide to change/remove the one essential feature you need(ed). Your customers certainly already have a web browser, so they don't need to download and learn to use another foreign program. If you're a Windows shop -- and it sounds like you are -- you can just add onto the IIS setup you're already using, no need to install, configure, maintain, and secure another service. I think the cheapest SSL certificate provider right now is GoDaddy.
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Secure FTP aaronr (Mar 23)
- Re: Secure FTP Ali, Saqib (Mar 26)
- Re: Secure FTP Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Secure FTP Scott Ramsdell (Mar 26)
- Re: Secure FTP MaddHatter (Mar 26)
- RE: Secure FTP jbeauford (Mar 27)
- Re: Secure FTP Michael Louie Loria (Mar 28)
- RE: Secure FTP jbeauford (Mar 27)
- <Possible follow-ups>
- Re: Secure FTP Krymson (Mar 26)