Security Basics mailing list archives

Re: Secure FTP


From: Michael Louie Loria <mlloria () lorztech com>
Date: Tue, 27 Mar 2007 16:04:34 -0700

FileZilla Server supports SFTP

jbeauford () EightInOnePet com wrote:
SSL-Explorer

MaddHatter wrote:
We have a public facing FTP server that we would like to secure.
... What is the best way to secure this FTP server?  I've tried SFTP,
but was just curious as to what else is out there.
There's nothing you can do to "fix" FTP. _If_ you really want FTP,
SFTP (a separate draft standard based on ssh) is the way to go. You
could direct customers to a popular and user-friendly client such as
WinSCP (http://winscp.net). For the server, you could use OpenSSH
through Cygwin or something similar (the price is right -- free). My
favorite is WinSSHD (http://www.bitvise.com/), which is reasonably
priced. Or there's lots of less-reasonably-priced commercial
solutions.       

For other ideas, there's also SSL-FTP (traditional FTP wrapped in
SSL), which seems to have fallen out of favor. You could use normal
FTP but require clients connect to an encrypted VPN before initiating
the FTP session (*ick*).   

For your application, you probably don't need FTP at all. Here's what
I'd suggest. Make an SSL-protected web page to authenticate your
clients and allow them to upload files via a web form. You have
complete control over the interface, what happens to the files, who
can put what where, and all the security concerns. It's all your
company's code, so nobody else can decide to change/remove the one
essential feature you need(ed). Your customers certainly already have
a web browser, so they don't need to download and learn to use
another foreign program. If you're a Windows shop -- and it sounds
like you are -- you can just add onto the IIS setup you're already
using, no need to install, configure, maintain, and secure another
service. I think the cheapest SSL certificate provider right now is
GoDaddy.            


