Comments on Setting Up ProFTPd + TLS On Ubuntu 11.10 (Oneiric Ocelot)

Setting Up ProFTPd + TLS On Ubuntu 11.10 (Oneiric Ocelot)

FTP is an insecure protocol because passwords and all transferred data travel in clear text. By wrapping the session in TLS, the whole communication can be encrypted, making FTP considerably more secure. This article explains how to set up ProFTPd with TLS on an Ubuntu 11.10 server.

1 Comment(s)


Comments

By: JonTheNiceGuy

So, I've worked on a few projects which mandate the use of FTP/S rather than SFTP, and I'd just like to say, it's a fricking nightmare from the security side of things.

Sure, you get to say "We're secure, because we're using TLS", but the downside to using FTP/S is that the firewall has to open up EVERY SINGLE HIGH PORT WITH A SOURCE OF YOUR FTP/S SERVER.

Here's why. With some protocols, notably FTP, but there are others too, firewalls can read the plain text packets saying where to point the transfer to. It looks (something, offhand) like this: PORT A,B,C,D,E,F, where A.B.C.D is the IP address of your machine, and E,F is a way of calculating the port to use (see http://www.securitypronews.com/it/networksystems/spn-21-20030917UnderstandingtheFTPPORTCommand.html for details).

FTP/S just wraps the whole conversation up in TLS, so we go from having a way of the firewall looking at the conversation and saying "Oh, you're going to use port 12345 for the data connection" and then opening up that port on the firewall to the firewall not being able to read any of the data, and then blocking whatever port it's going to instead.

Also, if you planned to have your FTP/S server on a NAT address? That's not going to work either. Remember the PORT statement before: the firewall will normally re-write the whole string. Let's say you have a private IP address of 192.168.1.1 and a public IP address of 12.34.56.78, and the server wants you to use port 12345. The PORT statement will show 192,168,1,1,48,57. The firewall can't re-write your 192,168,1,1 part to 12,34,56,78, let alone work out what port it will re-write to. Some clients will ignore the IP part of the PORT statement, but you're still stuck on the actual port number.

I would recommend using SFTP (SSH's native file transfer system) using something like the SFTP-only wrappers which are publicly available.
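The comment above describes the RFC 959 PORT command and the matching passive-mode 227 reply, and why a firewall or NAT helper can act on them only when the control channel is in clear text. The following is an added example written for this page, not code from the article or from the commenter: it decodes and encodes the h1,h2,h3,h4,p1,p2 form (port = p1*256 + p2), shows the NAT rewrite a helper performs in clear text, and runs a toy stand-in for a firewall's FTP helper (`firewall_inspect`, an assumption, not any real product) over a constructed clear-text session and over a constructed TLS record. The session bytes and the TLS record are made up for the example.

```python
import re
from ipaddress import IPv4Address

# RFC 959 "PORT h1,h2,h3,h4,p1,p2" is sent by the client (active mode);
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is sent by the server
# (passive mode). Both carry the data-connection endpoint in clear text.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")


def decode_hostport(fields):
    """h1..h4 are the IPv4 octets; the port is p1 * 256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("h/p field out of range: %r" % (fields,))
    ip = str(IPv4Address(".".join(str(n) for n in nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: 12.34.56.78:12345 -> '12,34,56,78,48,57'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = str(IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_command(line):
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.groups())


def parse_pasv_reply(line):
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return decode_hostport(m.groups())


def rewrite_port_for_nat(line, private_ip, public_ip):
    """What a NAT helper can do on a clear-text control channel: replace the
    private address in PORT with the public one and keep the port number."""
    ip, port = parse_port_command(line)
    if ip != private_ip:
        return line
    return "PORT " + encode_hostport(public_ip, port)


def looks_like_tls_record(data):
    """TLS record header: content type 0x14..0x17, protocol major version 0x03."""
    return len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03


def firewall_inspect(control_bytes):
    """Toy stateful-firewall FTP helper (assumption, not a real product):
    returns the (ip, port) pinholes it would open after reading the control
    channel. After AUTH TLS it sees only ciphertext, so it opens nothing."""
    if looks_like_tls_record(control_bytes):
        return []
    pinholes = []
    for raw in control_bytes.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if PORT_RE.match(line):
            pinholes.append(parse_port_command(line))
        elif PASV_RE.match(line):
            pinholes.append(parse_pasv_reply(line))
    return pinholes


# Constructed clear-text control-channel traffic (not a real capture). Note
# that the password is visible alongside the data-connection endpoints.
CLEARTEXT_SESSION = (
    b"220 ProFTPD Server ready.\r\n"
    b"USER alice\r\n"
    b"331 Password required for alice\r\n"
    b"PASS hunter2\r\n"
    b"230 User alice logged in\r\n"
    b"PORT 192,168,1,1,48,57\r\n"
    b"200 PORT command successful\r\n"
    b"PASV\r\n"
    b"227 Entering Passive Mode (12,34,56,78,195,80).\r\n"
)
# Constructed stand-in for a TLS 1.2 application-data record on the control
# channel: header 0x17 0x03 0x03 + 2-byte length, then opaque payload.
TLS_SESSION = b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))

if __name__ == "__main__":
    print(firewall_inspect(CLEARTEXT_SESSION))
    print(firewall_inspect(TLS_SESSION))
    print(rewrite_port_for_nat("PORT 192,168,1,1,48,57", "192.168.1.1", "12.34.56.78"))
```

Running the block prints the two pinholes recovered from the clear-text session (192.168.1.1:12345 from PORT and 12.34.56.78:50000 from the 227 reply), an empty list for the TLS record, and the PORT line rewritten to the public address; the port field 48,57 is unchanged because 48*256 + 57 = 12345 either way.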