In general, is SFTP insecure?

4

1

I've seen several comments on the internet in which people say something like:

"I've uninstalled the SFTP server, it is much better, it removes security vulnerabilities"

What are these vulnerabilities, if there are any?

aneuryzm

Posted 2010-11-09T14:27:05.887

Reputation: 1 765

Answers

7

SFTP runs over SSH, although some servers use a separate executable for it. Whatever vulnerabilities that executable may have are what you're being protected from (although I've not heard of any myself). The protocol itself is as secure as your SSH server.

Ignacio Vazquez-Abrams

Posted 2010-11-09T14:27:05.887

Reputation: 100 516

I think it is important to not give someone access to SFTP that you would not want to have an account on the SFTP server. – Slartibartfast – 2010-11-09T23:59:52.267

1 – @Slartibartfast: Considering that you need to have a system account in order to have SSH access in order to have SFTP access... – Ignacio Vazquez-Abrams – 2010-11-10T00:08:06.120

1 – I think the importance of my comment is substantiated by the 480,000 search results for 'sftp only account' in google. – Slartibartfast – 2010-11-11T04:40:16.520
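The "sftp only account" that the comments above argue about is normally built in sshd_config with a `Match Group` block that chroots the user and forces the internal SFTP subsystem. The following is an added example, not code from the thread: it parses the `Match` blocks of an sshd_config and reports which restrictions are missing for a given group. The group names, the chroot path and the sample configuration are constructed for illustration.

```python
"""Check whether an sshd_config confines a group to SFTP only.

Added example (not from the original thread).  It parses sshd_config Match
blocks and reports whether a given group is locked to the internal SFTP
subsystem with shell, forwarding and tunnelling disabled.  The group names
and paths in SAMPLE_CONFIG are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: 'sftponly' is fully restricted, 'partners' only chrooted.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
PasswordAuthentication no

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no

Match Group partners
    ChrootDirectory /srv/sftp/%u
"""

# Directives a restricted account should carry, with the expected value.
REQUIRED = {
    "ForceCommand": "internal-sftp",
    "AllowTcpForwarding": "no",
    "X11Forwarding": "no",
    "PermitTunnel": "no",
    "PermitTTY": "no",
}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Return (global directives, [(match criteria, directives), ...]).

    Keywords are case-insensitive and are stored lower-cased; values keep
    their case.  Lines after a 'Match' line belong to that block until the
    next 'Match' line.  Comments and blank lines are skipped.
    """
    global_opts: Dict[str, str] = {}
    blocks: List[Tuple[str, Dict[str, str]]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config separates keyword and argument by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            current[key] = value
    return global_opts, blocks


def sftp_only_findings(text: str, group: str) -> List[str]:
    """List what is missing for `group` to be SFTP-only; empty when complete."""
    _, blocks = parse_sshd_config(text)
    wanted = f"group {group}".lower()
    block = next((opts for crit, opts in blocks if crit.lower() == wanted), None)
    if block is None:
        return [f"no 'Match Group {group}' block"]
    findings: List[str] = []
    if "chrootdirectory" not in block:
        findings.append("ChrootDirectory not set")
    for key, expected in REQUIRED.items():
        actual = block.get(key.lower())
        if actual is None:
            findings.append(f"{key} not set (want {expected})")
        elif actual.lower() != expected:
            findings.append(f"{key} is {actual} (want {expected})")
    return findings


if __name__ == "__main__":
    for name in ("sftponly", "partners", "nobody"):
        problems = sftp_only_findings(SAMPLE_CONFIG, name)
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against a real file with `sftp_only_findings(open("/etc/ssh/sshd_config").read(), "sftponly")`. The check reads only the static file; it does not account for `Include` directives or for options sshd applies from the command line, so treat an empty finding list as a necessary condition, not proof.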

4

SFTP has two meanings.

The old meaning of SFTP is old Secure FTP, which only secured the control channel and left the data channel unencrypted.

New SFTP is SSH FTP which secures all traffic with SSH.

New SFTP good, old SFTP bad.

Another alternative is SCP, which is usually faster than sftp.

Posipiet

Posted 2010-11-09T14:27:05.887

Reputation: 429

2 – I've never heard the first called SFTP. Or come across any implementations of it, ever. – Ignacio Vazquez-Abrams – 2010-11-09T15:54:50.933

Yes, it is ancient. Just as ancient as many comments on deleting it. – Posipiet – 2010-11-09T15:57:47.997

First I've heard of it and I thought I knew a lot of obscure old school options. Was it, perhaps, not very common even back in the day? OTOH, such comments about the ssh tool would seem to be nonsensical, so this seems like a reasonable explanation and "sftp" is a fairly obvious thing to call your "more secure" file transfer tool... – dmckee --- ex-moderator kitten – 2010-11-09T16:24:09.137

I've actually seen a third "sftp", which stood for "slow FTP". It was designed to not saturate network connections. It never took off and I never actually ran into a server that supported it, but it was being actively talked about for a while. – CarlF – 2010-11-09T17:28:05.077

I have to agree with @Ignacio - never heard the first called SFTP. AFAIAA, that's FTPS. Have seen implementations of it, though it is rather rare. – Zayne S Halsall – 2010-11-09T17:32:45.007

3 – @Zayne: FTPS is FTP-over-SSL, which is sane if rare (and something somewhat different). – Ignacio Vazquez-Abrams – 2010-11-09T18:52:54.163

@Ignacio: I know what FTPS is, thanks (though I may disagree about the sane bit :P). My point was I believed Posipiet to be talking about FTP over SSH (tunneling), whereas Secure FTP AFAIR referred to SSH FTP (the sftp client from OpenSSH). And not to muddy the waters further but I think everyone is confusing Secure FTP (sftp client) with Simple FTP (RFC 913). – Zayne S Halsall – 2010-11-10T15:48:02.433

0

One other item that is related. I notice that when you open up SFTP my network starts to get a huge number of attacks (mostly from China). My guess is that they are just trying to hit SSH, which also needs to be open. However, if I set up FTP with TLS/SSL I don't get any such attacks. That might imply that FTP with TLS/SSL is more secure. I mean, not that it is actually more secure, but in a practical way because it is getting fewer attacks.

Now, what I did do is to change my SSH port to some other number and that definitely reduced the number of attacks getting through my router to my server, but I still get more attacks using SFTP than I do using FTP with TLS/SSL. Just an observation that might interest someone viewing this thread.

Still, if you are setting up a server or a network share or something, I would recommend using a different port for SSH than the default.

Enlade

Posted 2010-11-09T14:27:05.887

Reputation: 1
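The observation above is about brute-force noise against the SSH port, which sshd records in the auth log. As an added example that is not part of the thread, the script below runs over a few constructed auth.log-style lines, counts failed logins per source address and lists the addresses above a threshold; the hostnames, addresses, usernames and timestamps are made up.

```python
"""Count failed SSH logins per source address from sshd auth log lines.

Added example (not part of the original thread).  It parses constructed
/var/log/auth.log-style lines written by sshd via syslog, counts failures
per source address, and reports the noisiest sources.  Every address,
user name and timestamp below is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in the format sshd logs through syslog.
SAMPLE_LOG = """\
Nov  9 14:27:05 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51432 ssh2
Nov  9 14:27:08 host sshd[2103]: Failed password for root from 198.51.100.7 port 51440 ssh2
Nov  9 14:27:11 host sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 51451 ssh2
Nov  9 14:27:15 host sshd[2107]: Invalid user test from 203.0.113.9 port 40022
Nov  9 14:27:16 host sshd[2107]: Failed password for invalid user test from 203.0.113.9 port 40022 ssh2
Nov  9 14:28:01 host sshd[2110]: Accepted publickey for alice from 192.0.2.20 port 55002 ssh2: ED25519 SHA256:constructed
Nov  9 14:28:30 host sshd[2112]: Connection closed by authenticating user root 198.51.100.7 port 51460 [preauth]
"""

# Failed authentication of any method; 'invalid user' marks unknown accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none|keyboard-interactive/pam) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def failed_logins_by_source(log: str) -> Dict[str, int]:
    """Map source address -> number of failed authentication attempts."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def targeted_users(log: str) -> Dict[str, List[str]]:
    """Map source address -> user names it tried, in order of first appearance."""
    users: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = FAILED.search(line)
        if m and m.group("user") not in users.setdefault(m.group("ip"), []):
            users[m.group("ip")].append(m.group("user"))
    return users


def noisy_sources(log: str, threshold: int = 3) -> List[str]:
    """Addresses with at least `threshold` failures, most active first."""
    counts = failed_logins_by_source(log)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))


def accepted_logins(log: str) -> List[Tuple[str, str]]:
    """(user, source address) pairs for successful logins, for comparison."""
    return [(m.group("user"), m.group("ip"))
            for m in (ACCEPTED.search(l) for l in log.splitlines()) if m]


if __name__ == "__main__":
    print("failures per source:", failed_logins_by_source(SAMPLE_LOG))
    print("users tried:", targeted_users(SAMPLE_LOG))
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
    print("accepted:", accepted_logins(SAMPLE_LOG))
```

Feed it a real log with `noisy_sources(open("/var/log/auth.log").read())`. The same counting works on whatever port sshd listens on, since the log line format does not change; moving the port only changes how many lines you have to count.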