More security for FTP

[manarak]

Many sites are nowadays getting hacked after a trojan spied on the webmaster's passwords for ftp and sends them out to the bad guys.

So I have the following idea for feature requests:

- please provide a "deactivate" button on the ftp accounts list. the effect of the button would be the same as the current delete button, but ISPC would retain the settings and account name, so that the account could be reinstated with one click.

- please provide a "reactivate for duration X" function for FTP accounts.
For example, FTP accounts could be reactivated for 1, 2, 24 hours and then ISPC would automatically deactivate the account again.

- please provide the possibility to specify *PER FTP ACCOUNT* IP addresses and IP ranges that are allowed to access the FTP account.

This is something I would definitely use on my servers!

[falko]

I've added this feature request to our bugtracker.

[manarak]

thank you Falko, I reckon the IP restriction alone would already add a lot to security.

[Ben]

But isn't it more security by obscurity, as by limiting the activity time the time window for any trojan to spy the password is smaller.
Also if not enforcing this by default, I assume nobody will really take care of this option.
If the user / admin would know about the problem he would more than that make use of:
fail2ban against bruteforce on the server,
forced (or at least configured) ftps (!= sftp),
forced password policy (complexity)
forced password renewal (aging), optionally with time based deactivation.

To assist the admin, ISPConfig could alert on the ftp tab, if some of the above mentioned mitgation options are not in place.

Just as an additional idea on how to assist solving this issue.

[manarak]

Quote:

Originally Posted by Ben

But isn't it more security by obscurity, as by limiting the activity time the time window for any trojan to spy the password is smaller.
Also if not enforcing this by default, I assume nobody will really take care of this option.
If the user / admin would know about the problem he would more than that make use of:
fail2ban against bruteforce on the server,
forced (or at least configured) ftps (!= sftp),
forced password policy (complexity)
forced password renewal (aging), optionally with time based deactivation.

To assist the admin, ISPConfig could alert on the ftp tab, if some of the above mentioned mitgation options are not in place.

Just as an additional idea on how to assist solving this issue.

Actually it is not, because all the cases I saw so far have been caused by the webmaster getting a trojan on his computer which did then mail out the ftp passwords the webmaster had stored in his system.

fail2ban is not going to help, because the bots already have the password.

But I can imagine that reducing the time window will inscrease security, because the bots are very likely to give up after some time if some passwords don't work.

In the meanwhile, virus sweeps will likely detect a problem on the webmaster's computer.

And restricting ftp access to certain IPs and IP ranges (from where the webmaster connects) will help a lot by simply not letting the bots in.

[manarak]

in fact I think the restriction to IPs and IP ranges is the best protection.