I own an FTP server, and need port 21 open, how do I keep it secure?

I was wondering, because I need both my port 21 open on my router and my firewall for it to work, but then it seems as though it's wide open for attack. Is there any way I can keep it secure? Luckily, on my router I have port 21 open for only the computer that has the ftp server, so it's not compromising my entire network, just the ftp server. I have Windows XP, so it worries me even more because more attacks are made for XP, I'm sure.

Nathaniel Hirschler

Posted 2011-05-25T20:52:36.270

Reputation: 113

There indeed are attacks for Windows XP. But they cannot reach your computer; if you only forwarded port 21, then the only thing reachable from outside is the FTP server, not the often-exploited SMB or NetBIOS components (which, by the way, are blocked by default in XP firewall). – user1686 – 2011-05-25T21:22:22.620

Answers

4

FTP is a security risk because it transmits login information (including passwords) in plain text, so you'll need to wrap it up in encryption. If you need to use FTP specifically, then OpenVPN can wrap it up very nicely for you in a fully encrypted stream:

  OpenVPN (free and open source)
  http://www.openvpn.net/index.php/open-source.html

Your server and all clients that need to use your FTP server will then have to have OpenVPN installed.

Of course, you might find it easier to just use one of the more secure versions of FTP known as SFTP or FTPS since many FTP clients have built-in support for this. One really good one is FileZilla which supplies complete and independent client and server applications, and complies with the relevant RFCs:

  FileZilla (free and open source)
  http://www.filezilla-project.org/

Randolf Richardson

Posted 2011-05-25T20:52:36.270

Reputation: 14 002
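To make the point above concrete, here is an added Python example (not code from this answer, and not from OpenVPN or FileZilla) that audits a captured FTP control channel for credentials an observer could read. The transcript format ("C:" for client-to-server, "S:" for server-to-client), the sessions and the user name are all constructed for the demo; the only protocol facts it relies on are that plain FTP sends USER and PASS as ASCII commands, and that explicit FTPS (AUTH TLS, RFC 4217) moves the rest of the exchange inside TLS once the server answers 234.

```python
"""Audit a captured FTP control channel for credentials sent in the clear.

Added example (not from the answer, OpenVPN or FileZilla). Input lines are
"C: ..." (client to server) or "S: ..." (server to client); anything else
is ignored. Once the server accepts AUTH TLS with a 234 reply, later
commands travel inside TLS and are not readable by an observer, so they
are not counted as cleartext.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<dir>[CS]): (?P<text>.*)$")

# Constructed capture: plain FTP login. The password is visible on the wire.
PLAIN_FTP_SESSION = [
    "S: 220 example-ftpd ready",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS hunter2",
    "S: 230 User alice logged in",
]

# Constructed capture: explicit FTPS. After "234" the exchange is encrypted;
# the login lines below stand for what an observer could NOT read.
FTPS_SESSION = [
    "S: 220 example-ftpd ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS hunter2",
    "S: 230 User alice logged in",
]


@dataclass
class Finding:
    session: str
    cleartext_user: Optional[str] = None
    cleartext_password_seen: bool = False  # the value itself is never stored
    tls_negotiated: bool = False

    def verdict(self) -> str:
        if self.cleartext_password_seen:
            return "CLEARTEXT CREDENTIALS"
        if self.tls_negotiated:
            return "protected by TLS"
        return "no login observed"


def audit_session(name: str, lines: List[str]) -> Finding:
    """Walk the transcript and report whether USER/PASS were readable."""
    finding = Finding(session=name)
    awaiting_auth_reply = False
    for raw in lines:
        match = LINE_RE.match(raw)
        if not match:
            continue
        direction, text = match.group("dir"), match.group("text")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                awaiting_auth_reply = True
            elif verb == "USER" and not finding.tls_negotiated:
                finding.cleartext_user = arg.strip()
            elif verb == "PASS" and not finding.tls_negotiated:
                finding.cleartext_password_seen = True
        elif awaiting_auth_reply:
            awaiting_auth_reply = False
            # 234 means the server accepted AUTH TLS; the TLS handshake follows.
            finding.tls_negotiated = text.startswith("234")
    return finding


if __name__ == "__main__":
    for name, session in (("plain-ftp", PLAIN_FTP_SESSION), ("ftps", FTPS_SESSION)):
        f = audit_session(name, session)
        print(f"{f.session}: user={f.cleartext_user!r} verdict={f.verdict()}")
```

Run it as a script to print a verdict for both sessions. The password value is deliberately never recorded: a detector that logs captured passwords just creates a second copy of the secret.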

3

There are numerous solutions to this problem, with various levels of complexity and convenience.

  1. Secure passwords on the accessible accounts. If you use good passwords, odds are people won't get in unless there is some other vulnerability.
  2. Allow FTP access only from certain IP addresses. If you know you're going to be accessing your machine from specific places only, just allow those to connect and block all others.
  3. Linux systems have something called DenyHosts which will block IPs that seem to be acting maliciously towards your machine.
  4. Port Knocking will enable access to a port only after a series of connection attempts have been made to a predetermined set of ports. For example, try to connect on port 20, 35, 16, and 1, then port 21 would be opened. I'm not sure if there is an implementation of this for Windows though...

Best of luck!

Ryan

Posted 2011-05-25T20:52:36.270

Reputation: 416

Regarding item 2: Limiting access to a certain IP address is a good step, but it doesn't prevent third parties from observing data transfers, which is why encryption is so important. Since FTP isn't encrypted, a third party observer can get a copy of data as it is transferred. Also, if a third party gains control of a router between client and server, then they have the option to re-route packets for the permitted client IP to access your server from anywhere (with control of the router, they can also easily sniff packets to see login information as well as data on unencrypted data streams). – Randolf Richardson – 2011-05-25T21:42:56.243

Regarding item 4: This is security by obscurity, although it can help a little bit (and it is an interesting technique). Of course, a third party observer can observe the "Port Knocking" technique and repeat the steps later. Where "Port Knocking" is used, OTP (One-Time-Password) type techniques are highly recommended such that a given knocking sequence would be limited to only a single use. – Randolf Richardson – 2011-05-25T21:47:10.233

@ Randolf: It's not strictly security by obscurity. Yes, the service doesn't advertise itself, but it should also not be open to a machine that has not performed the knock. It's obviously not as safe as a good password and public-private keypair, but it's hardly the same as just setting up your FTP port on port 21000 either. – Lukasa – 2011-05-25T21:53:47.353

I'd argue that "Port Knocking" is no more security by obscurity than passwords themselves are. It's still a password, it's just made of connection attempts rather than characters. – Phoshi – 2011-05-25T21:59:49.150
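The knock logic from item 4, with the single-use sequences that Randolf's comment recommends, as an added Python example (not code from this answer, and not the knockd program or any other real implementation). The sequence 20, 35, 16, 1 is the illustration from the answer; the 10-second knock window, the 30-second open period and the source addresses are constructed. A firewall hook would ask is_allowed() before admitting a connection to port 21; the knocked ports themselves stay closed, the tracker only observes the attempts.

```python
"""Server-side port-knock decision logic: knock window, access expiry and
optional single-use sequences.

Added example, not from the answer and not a real knock daemon. The
sequence values come from the answer; timing constants and addresses are
constructed for the demo.
"""
from typing import Dict, Iterable, List, Sequence, Tuple


class KnockTracker:
    def __init__(self, sequences: Iterable[Sequence[int]],
                 knock_window: float = 10.0, open_for: float = 30.0,
                 single_use: bool = False) -> None:
        self.sequences: List[Tuple[int, ...]] = [tuple(s) for s in sequences]
        self.knock_window = knock_window  # whole sequence must arrive within this
        self.open_for = open_for          # how long the port stays open after a hit
        self.single_use = single_use      # consume a sequence once it succeeds
        # src -> (timestamp of first knock, ports knocked so far)
        self._progress: Dict[str, Tuple[float, List[int]]] = {}
        self._open_until: Dict[str, float] = {}

    def knock(self, src: str, port: int, ts: float) -> bool:
        """Record one connection attempt from src; True if access was just granted."""
        first_ts, ports = self._progress.get(src, (ts, []))
        if ts - first_ts > self.knock_window:   # too slow: start over
            first_ts, ports = ts, []
        ports = ports + [port]
        # Keep only the allowed sequences this prefix could still complete.
        candidates = [s for s in self.sequences if s[:len(ports)] == tuple(ports)]
        if not candidates:                       # a wrong port anywhere resets
            self._progress.pop(src, None)
            return False
        for seq in candidates:
            if len(seq) == len(ports):           # full sequence completed
                self._progress.pop(src, None)
                self._open_until[src] = ts + self.open_for
                if self.single_use:
                    self.sequences.remove(seq)   # OTP-style: never valid again
                return True
        self._progress[src] = (first_ts, ports)
        return False

    def is_allowed(self, src: str, ts: float) -> bool:
        """Should a connection from src to the protected port be admitted now?"""
        return ts < self._open_until.get(src, 0.0)


if __name__ == "__main__":
    tracker = KnockTracker([(20, 35, 16, 1)], single_use=True)
    client = "198.51.100.7"                      # constructed source address
    for t, p in enumerate((20, 35, 16, 1)):
        print(f"t={t} knock on {p}: granted={tracker.knock(client, p, float(t))}")
    print("port 21 open for client at t=4:", tracker.is_allowed(client, 4.0))
    print("same client at t=60 (expired):", tracker.is_allowed(client, 60.0))
    replay = [tracker.knock(client, p, 100.0 + i) for i, p in enumerate((20, 35, 16, 1))]
    print("replay of the consumed sequence granted:", any(replay))
```

With single_use=True an observer who records the sequence and replays it later gains nothing, which is exactly the weakness Randolf's comment describes. A wrong port, or a pause longer than the knock window, resets that client's progress, so random connection attempts cannot accidentally build up a valid prefix.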

0

FTP actually requires two ports: 21 is the main control port, and 20 is for data.

FTP is a weird protocol; it was created really early in the Internet days, before firewalls and security were thought of. As such, as designed, it sucks for firewalling.

The ftp server listens on port 21 for connections from a client. But data goes over another port. In 'classic' ftp, the server would open a connection from port 20 on the server to some ephemeral port on the client. Nowadays you can't do that, a connection from the server to a client would be blocked by a firewall, or be unavailable because of a client NAT.

In passive FTP, the server creates a new listening socket on some port for the client to connect to. Now you're trying to firewall some dynamically changing port.

That, and as others have mentioned, the password is in plaintext, so I'd strongly suggest http/https. It's much cleaner, unless you really need ftp. In that case, I'd only put there things I'd be comfortable serving over anonymous ftp.

Rich Homolka

Posted 2011-05-25T20:52:36.270

Reputation: 27 121
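The two data-channel mechanisms described in this answer, as an added Python example (not code from the answer or from any FTP server): it parses the server's PASV reply and the client's PORT command, recovers the data port with the RFC 959 arithmetic (p1 * 256 + p2), and applies the check a firewall helper would make before admitting a passive data connection. The sample lines, the addresses and the passive range 50000-50100 are constructed; pinning the server to a small passive range and opening only that block is the usual way around the "dynamically changing port" problem the answer describes.

```python
"""Parse FTP PASV replies and PORT commands and decide whether a passive
data connection should be admitted.

Added example, not from the answer or any FTP implementation. Port
arithmetic follows RFC 959; sample lines, hosts and the passive range are
constructed.
"""
import re
from typing import Tuple

# h1,h2,h3,h4,p1,p2 as it appears in both "227 ... (...)" and "PORT ..."
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(match: "re.Match[str]") -> Tuple[str, int]:
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {match.group(0)!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port).

    Passive mode: the server opens this listening port and the client connects.
    """
    if not line.startswith("227"):
        raise ValueError(f"not a PASV reply: {line!r}")
    m = HOSTPORT_RE.search(line)
    if not m:
        raise ValueError(f"no host/port tuple in {line!r}")
    return _decode_hostport(m)


def parse_port_command(line: str) -> Tuple[str, int]:
    """'PORT h1,h2,h3,h4,p1,p2' -> (host, port).

    Active ('classic') mode: the server connects out from port 20 to this
    client address and port, which NAT and client firewalls usually block.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    m = HOSTPORT_RE.fullmatch(arg.strip())
    if not m:
        raise ValueError(f"malformed PORT argument in {line!r}")
    return _decode_hostport(m)


def passive_data_ok(control_peer: str, pasv_reply: str,
                    pasv_range: Tuple[int, int]) -> bool:
    """Admit the data connection only if the advertised host is the server we
    are already talking to on port 21 and the port is inside the pinned range."""
    host, port = parse_pasv_reply(pasv_reply)
    low, high = pasv_range
    return host == control_peer and low <= port <= high


if __name__ == "__main__":
    server = "192.168.1.10"                                   # constructed
    reply = "227 Entering Passive Mode (192,168,1,10,195,81)"  # constructed
    print("PASV data endpoint:", parse_pasv_reply(reply))
    print("PORT data endpoint:", parse_port_command("PORT 192,168,1,20,4,1"))
    print("admit with range 50000-50100:", passive_data_ok(server, reply, (50000, 50100)))
    print("admit with range 49152-49999:", passive_data_ok(server, reply, (49152, 49999)))
```

The host comparison matters as much as the range check: a PASV reply that points at a different address than the control connection should not be followed, otherwise the helper would open a hole towards whatever host the reply names.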