We need to open an SFTP to allow some of our clients to upload files to our server. As I see it right now, there are two options:

  1. Open SFTP on our main server with restrictions (directory, user, size, etc).
  2. Create a micro server that will only respond to SFTP and upload the files to an S3 that our main server can read from.

Option 1 is faster and easier to maintain. Question is, how can I make sure it's safe?

The security measurements I want to take are the following:

  1. Run the SFTP with a restricted user.
  2. Limit SFTP to a single folder.
  3. The folder from 2 will be on a secondary volume and not our main volume, just to make sure it doesn't get full.

I found these instructions: https://passingcuriosity.com/2014/openssh-restrict-to-sftp-chroot/ which seem to cover pretty much what I plan. Only difference is the dir I'm locking the user inside would be on a different volume.

Now here's the question: do you think the plan above is safe enough? Are there any security hazards I'm missing here or maybe you think opening an SFTP on the main server is completely insane and should be avoided at all cost?

S.L. Barth
Ronen Ness
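The three measures in the question (restricted user, a single chroot folder, that folder on its own volume) as a shell example. This is added here and is not code from the question or the linked article; the group name sftponly, the path /srv/sftp and GNU stat (Linux) are assumptions. It writes the sshd_config stanza and checks the two things that most often break a chroot SFTP setup: the ownership and mode rules sshd enforces on the chroot path, and whether the folder is really on a separate mount.

```shell
#!/bin/sh
# Added example, not code from the question or the linked article. Group name
# "sftponly", the path /srv/sftp and GNU stat (Linux) are assumptions.

# sshd_config stanza for the restricted group: chroot per user, SFTP only, and
# all forwarding disabled so the account cannot be used as a tunnel. The file
# path is a parameter so the function runs anywhere; validate with `sshd -t`.
write_sftp_stanza() {
    cat > "$1" <<'EOF'
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Returns 0 only when the chroot root and every parent directory are owned by
# root and not writable by group or others. sshd enforces exactly this and
# otherwise rejects the login with "bad ownership or modes for chroot
# directory", so the check catches a broken layout before a client does.
check_chroot_dir() {
    dir=$1
    while :; do
        [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
        set -- $(stat -c '%u %a' "$dir")     # owner uid, octal mode
        [ "$1" = 0 ] || { echo "not root-owned: $dir"; return 1; }
        case $2 in                           # write bit in group or other digit
            *[2367]|*[2367]?) echo "group/other writable: $dir"; return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Returns 0 when the directory is the top of its own mount, i.e. it really sits
# on the secondary volume from step 3 rather than on the root filesystem.
is_separate_volume() {
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$(dirname "$1")")" ]
}

# Typical use on the server (needs root for the real paths):
#   write_sftp_stanza /etc/ssh/sshd_config.d/sftponly.conf && sshd -t
#   check_chroot_dir /srv/sftp/alice && is_separate_volume /srv/sftp
```

Because the chroot root must be root-owned and read-only to the user, the writable upload directory goes one level below it (e.g. /srv/sftp/alice/upload owned by alice), which is also what the linked article does.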
You could possibly run a second server which accesses the main server's upload folder over NFS - that way even if it does get pwned all the attacker can alter would be the uploaded files. – André Borie Feb 09 '17 at 12:28

1 Answer

I think each service should be separated. IDK if you have the possibility of creating different virtual machines or setting up different servers for each service, which is more secure. As simple as: if you are hacked, only that machine is hacked. Mixing services in the same machine is usually not a good idea. Of course it depends on the environment, the target and the structure.

Anyway, if it is something you know is not the best but is going to be done, try to secure it:

  • Change the standard port. <- this practice is not a very good protection... you know if scanned the service is going to be shown anyway, but maybe you can avoid some bots' scanning.
  • Restrict (whitelist) the IPs. Try to allow only certain IP addresses. <- this can't always be done, it depends on whether your clients are always going to be the same or if you have itinerant clients.
  • If your hardware or firewall supports it, use port knocking. <- this is nice for this kind of situation.

Summary of what port knocking is:

It is a method of communication between two computers/devices. At first sight, when the client asks the server for a service, the port is shown as closed, but if you ask for certain ports (a combination of them in a specific order), then the port is opened. This process of knocking is what gives port knocking its name.

Good luck!

OscarAkaElvis