[NTLUG:Discuss] FTP/Samba security issues
Stuart Johnston
saj at thecommune.net
Wed Aug 13 19:37:48 CDT 2003
Richard Wolfe wrote:
> Hello all-
>
> My company is constantly exchanging files via FTP with
> vendors/customers. Currently, we are using the FTP capabilities of our
> web host to do this. Unfortunately, this means that every time a file
> needs to be retrieved or sent, a member of the IT staff (i.e., me) has
> to take care of it. I think I have a solution, but I'd like to run it by
> the gurus here and get some feedback:
>
> What I'd like to do is set up another (this will be three!) Linux box on
> our LAN, and open port 21 through the router to it. This box would be
> running vsftpd, and I'd plan on setting up ftp accounts for all our
> vendors/customers that need to share files with us. Then, I plan on
> mapping a samba share onto these users' home directories, so that the
> non-techie people in the office can easily access it using Windows
> Explorer.
>
> OK, sounds simple enough, right? So I guess my question is: are there
> any security issues that I'm not thinking about? I know that both FTP
> and samba are considered to be insecure by some people, but I don't
> really know enough about it to know why this is. This machine would be
> doing nothing else besides this particular task, if that makes a
> difference. Any insight or "gotchas" to keep in mind would be greatly
> appreciated.

FTP is mostly bad because usernames and passwords are sent in plain text.
This may or may not be a problem depending on your perspective and
situation.

You may want to consider a secure, web-based document management system.
For an extremely biased recommendation, contact me off list.

If you do go the FTP route, make sure that anonymous connections are not
enabled. I regularly see random anonymous attempts in server log files.

Stuart Johnston
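
Added example, not part of the original message: a small Python audit of a vsftpd.conf for the two points raised in the reply above (anonymous logins and plain-text credentials). The option names and defaults are taken from the vsftpd.conf(5) man page; the sample configurations and the function names are constructed for illustration.

```python
# Added example (not from the original thread): audit vsftpd.conf text for
# anonymous logins and plain-text logins. Defaults per vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": True,        # anonymous logins are ON unless disabled
    "ssl_enable": False,             # TLS is OFF unless enabled
    "force_local_logins_ssl": True,  # only has an effect when ssl_enable=YES
}
TRUE_VALUES = {"YES", "TRUE", "1"}


def parse_conf(text):
    """Return the effective boolean settings from vsftpd.conf text."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        # vsftpd.conf lines are option=value with no spaces; '#' starts a comment
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in settings:
            settings[key] = value.strip().upper() in TRUE_VALUES  # last one wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    s = parse_conf(text)
    findings = []
    if s["anonymous_enable"]:
        findings.append("anonymous logins enabled: set anonymous_enable=NO")
    if not (s["ssl_enable"] and s["force_local_logins_ssl"]):
        findings.append("passwords can cross the wire in plain text: "
                        "set ssl_enable=YES and force_local_logins_ssl=YES")
    return findings


# Constructed sample configs for illustration.
WEAK = "listen=YES\nlocal_enable=YES\nwrite_enable=YES\n"  # anonymous_enable unset
HARDENED = ("# vendor drop box\nanonymous_enable=NO\nlocal_enable=YES\n"
            "ssl_enable=YES\nforce_local_logins_ssl=YES\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "OK")
```

The weak sample never mentions anonymous_enable and is still flagged, because the option defaults to YES when it is left out of the file.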