proftp server question

[craptakular]

I followed this guide to get proftp working:

http://www.debian-administration.org/article/Setting_up_an_FTP_server_on_Debian

It told me to add this to proftp.conf:

<IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/proftpd-tls.log
   TLSProtocol TLSv1

   # Are clients required to use FTP over TLS when talking to this server?
   TLSRequired off

   TLSRSACertificateFile    /etc/proftpd/ftpd-rsa.pem
   TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
    
   # Authenticate clients that want to use FTP over TLS?
   TLSVerifyClient off
</IfModule>

I added that and started the daemon back up, now in filezilla I can successfully connect to the FTP server via ftp, SFTP & FTPES over explicit TLS/SSL.

Have I successfully setup ssl encryption, if I use the SFTP or FTPES option in filezilla?

I'm a little confused as to what I have done, if I had linked my LAN ip to my ISP IP people could still try to guess my password and login?

My windows PC just imported the key with my user/pass, how do I limit access to my internal PC's only?

Is ssl/TLS only there to stop people "tapping into" my ftp when I am connected to it?

 

[tntcoder]

Have I successfully setup ssl encryption, if I use the SFTP or FTPES option in filezilla?

Yep. Although remember you can just use SFTP as part of SSH without requiring any 3rd party FTP daemons.

I'm a little confused as to what I have done, if I had linked my LAN ip to my ISP IP people could still try to guess my password and login?

Yes, this is still possible. Turning TLSRequired = on would enforce a secure channel, but wont block brute force attempts. If you use SFTP instead you could disable username/password authentication and just use public/private keys which is significantly more secure (stopping brute force guessing logins). As far as i know this isnt possible with FTPS though So the best solution is an IP connection whitelist, so that only trusted hosts can authenticate.

My windows PC just imported the key with my user/pass, how do I limit access to my internal PC's only?

You need an IP whitelist, and can configure it as follows (I think) in proftpd.conf. Alternatively, don't forward the ports on your router, or you could firewall it.

<Limit LOGIN>
Order deny,allow
Deny from all
Allow from 192.168.1.*
</Limit>

Is ssl/TLS only there to stop people "tapping into" my ftp when I am connected to it?

Correct, it does just provide transport layer security using a secure channel, i.e while the packets are in transit. If the host endpoints are compromised or someone steals your private SSL certificate key, you can still get pwned.

 

[craptakular]

I haven't forwarded any ports, except to get static ip's on my home lan.

All my server does is run the following:

NFS, SAMBA, mediatomb (upnp), proftp, transmission-cli and sabnzbd (usenet)

They don't need me to set my lan ip to my ISP one so in theory no one can get at it? Unless they rape my wireless connection?

 

[tntcoder]

I haven't forwarded any ports, except to get static ip's on my home lan.

All my server does is run the following:

NFS, SAMBA, mediatomb (upnp), proftp, transmission-cli and sabnzbd (usenet)

They don't need me to set my lan ip to my ISP one so in theory no one can get at it? Unless they rape my wireless connection?

So basically all your services are internally running behind NAT? In that case yer you should be fine

Assuming as you say someone doesn't hack your wireless or break into your house and plant some bugs

EDIT: if you mean some boxes in your LAN have an external static IP from your ISP, then that could be a problem and you would need to control access to services running on that box with a firewall for example.

 

[craptakular]

None of my internal lan ip's are linked to my internet IP.

So should I be ok with TLS? I may need to create a stronger user and root password. How would I go about changing them?

I have setup sudo while I install my new server, then I'mm take off sudo once it's all installed.

Additionally I will stop the ftp daemon from launching when server starts up. I will not need to use it often, mostly when Samba goes wrong.



That sound sensible?

 

[tntcoder]

To be honest, using TLS on your internal network is a bit on the overkill side. It's much more suited to untrusted public networks like the Internet. But it's good for practice and learning if that's your aim

Set strong root passwords though, that is sensible and can be done by running 'passwd' as root. Also you might as well keep sudo, there is no point in getting rid of it post-installation as it's designed as a safe way of using root as and when you need it (safer than the alternative 'su' command).

Also as you mentioned, it's a good choice to disable the FTP (and any other unused server daemons) when isnt in use as it really reduces the number of ways a potential attacker can access your network.

 

[craptakular]

ok, I'll stick with TLS and shut down FTP when I don't need it.

I am using debian Lenny with the testing repo activated, maybe it's me but it seems to setup the init.d scripts better than when I setup my old server 2 years ago. Mediatomb and transmission daemon scripts work perfectly on this one without having to trawl through google!

 

[matja]

For extra paranoia points ... check if your data connections are encrypted too; just because the control connection is encrypted, there is no guarentee that data connections are.

You should see a resonse of "200 PROT now private" or somesuch in response to the "PROT P" command. if you get "534 fallback to C" or something, then it's not using encrypted data connections.