[NTLUG:Discuss] FTP/Samba security issues

Thomas Cameron thomas.cameron at camerontech.com
Wed Aug 13 15:05:38 CDT 2003


On Tue, 2003-08-12 at 17:11, Richard Wolfe wrote:
> Hello all-
> 
> My company is constantly exchanging files via FTP with
> vendors/customers. Currently, we are using the FTP capabilities of our
> web host to do this. Unfortunately, this means that every time a file
> needs to be retrieved or sent, a member of the IT staff (i.e., me) has
> to take care of it. I think I have a solution, but I'd like to run it by
> the gurus here and get some feedback:
> 
> What I'd like to do is set up another (this will be three!) Linux box on
> our LAN, and open port 21 through the router to it. This box would be
> running vsftpd, and I'd plan on setting up ftp accounts for all our
> vendors/customers that need to share files with us. Then, I plan on
> mapping a samba share onto these users' home directories, so that the
> non-techie people in the office can easily access it using Windows
> Explorer.
> 
> OK, sounds simple enough, right? So I guess my question is: are there
> any security issues that I'm not thinking about? I know that both FTP
> and samba are considered to be insecure by some people, but I don't
> really know enough about it to know why this is. This machine would be
> doing nothing else besides this particular task, if that makes a
> difference. Any insight or "gotchas" to keep in mind would be greatly
> appreciated.


I have exactly the same setup at several client sites.  As long as you
keep your ftp server software up to date, you ought to be fine. 
Remember that you need to open up port 20/udp and 20/tcp as well as
21/udp and 21/tcp for active ftp to work.  Since you are not allowing
any of the NetBIOS over TCP ports (137-139 and others), the Samba
service should not be accessible from the outside and therefore not a
security risk...  In theory.

Thomas Cameron, RHCE, CNE, MCSE, MCT
Cameron Technical Services, Inc.
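
The "in theory" caveat in the reply above can be checked on the server itself. The following is an added example, not part of the original post: it reads `ss -H -tln` output and reports any smbd listener (TCP 139/445) that is not bound to the LAN address. The function name, the 192.168.1. prefix and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag smbd listeners (TCP 139/445) not pinned to the LAN side.
# Input format assumed: `ss -H -tln` from iproute2 (local endpoint = field NF-1).

samba_exposed() {
    # $1 = address prefix treated as the LAN side, e.g. "192.168.1." (assumption)
    awk -v lan="$1" '
    {
        ep = $(NF - 1)                    # local address:port
        p = match(ep, /:[0-9]+$/)         # position of the final ":port"
        if (p == 0) next
        addr = substr(ep, 1, p - 1)
        port = substr(ep, p + 1) + 0
        if (port != 139 && port != 445) next              # only smbd session ports
        if (addr == "127.0.0.1" || addr == "[::1]") next  # loopback only
        if (index(addr, lan) == 1) next                   # bound to the LAN address
        printf "%s:%d\n", addr, port                      # wildcard or other interface
        bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample: smbd listening on every interface (default bind).
sample_wildcard() {
    cat <<'EOF'
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 [::]:445 [::]:*
EOF
}

# Constructed sample: smbd pinned to the LAN address 192.168.1.10.
sample_pinned() {
    cat <<'EOF'
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 50 192.168.1.10:139 0.0.0.0:*
LISTEN 0 50 192.168.1.10:445 0.0.0.0:*
LISTEN 0 50 127.0.0.1:445 0.0.0.0:*
EOF
}

if sample_wildcard | samba_exposed "192.168.1." >/dev/null; then
    echo "smbd is LAN-only"
else
    echo "smbd is reachable on a non-LAN address; only the router filter protects it"
fi
```

On a real host the call is `ss -H -tln | samba_exposed 192.168.1.`; smbd is pinned to one interface with the `interfaces` and `bind interfaces only` settings in smb.conf.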



