Hello.

I think in this case, as he is using proftpd, that what he is using is
FTP over TLS, not SSH-based SFTP.

To answer the original question: FTP over TLS is safe as long as:
- you enforce it for everyone (i.e. do not allow fallback to
unencrypted connections); the configuration for that is
daemon-dependent;
- you use valid certificates, preferably signed by a CA you trust,
either your private CA or a well-known public trusted CA, avoiding
self-signed ones;
- everyone accessing it validates the certificate (which may not be
easy to enforce, since it's very easy for users to just tick an option
on their client to ignore the certificate...).
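
The first two points can be checked against the daemon's own configuration. Below is an added example (not from this thread or from the proftpd project) that audits proftpd mod_tls directives for the plaintext-fallback and deprecated-protocol problems, with the TLS lines posted later in this thread as the sample input beside a corrected version. The third point, clients actually validating the certificate, cannot be verified from the server side and is not covered. The check for client-initiated renegotiation is this example's own addition; TLSv1/TLSv1.1 are treated as deprecated per RFC 8996.

```python
"""Audit proftpd mod_tls directives for plaintext fallback and weak TLS.

Added example, not code from the thread or from proftpd. The directive
names are proftpd's; the checks and the severity judgements are ours.
"""
import shlex

# Constructed sample: the TLS directives from the config posted in the
# thread, trimmed to the TLS-relevant lines.
POSTED_CONFIG = """\
TLSEngine on
TLSLog /var/log/proftpd_tls.log
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSRequired on
TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
TLSRSACertificateKeyFile /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
TLSVerifyClient off
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
"""

# Constructed sample: the same block with the weak settings corrected.
# TLSv1.3 needs proftpd 1.3.6 or later built against OpenSSL 1.1.1+.
HARDENED_CONFIG = """\
TLSEngine on
TLSLog /var/log/proftpd_tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRequired on
TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
TLSRSACertificateKeyFile /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
"""

# Versions deprecated by RFC 8996 (plus SSLv3, which proftpd also accepts).
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# TLSOptions flags we consider unsafe to leave on without a reason.
WEAK_OPTIONS = {"AllowClientRenegotiations"}


def parse_directives(text):
    """Return [(directive, [args])] for flat key/value lines.

    Section markers such as <Global> are skipped; comments are honoured
    and quoted arguments are kept together.
    """
    out = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts or parts[0].startswith("<"):
            continue
        out.append((parts[0], parts[1:]))
    return out


def audit_tls(text):
    """Return a list of findings; an empty list means no problem found."""
    directives = {}
    for name, args in parse_directives(text):
        directives.setdefault(name, []).append(args)
    findings = []

    if directives.get("TLSEngine", [["off"]])[-1] != ["on"]:
        findings.append("TLSEngine is not on: sessions are not protected by TLS")
        return findings

    # 1. No plaintext fallback: 'TLSRequired on' makes TLS mandatory on
    #    both the control and the data channel. 'off', 'ctrl' or 'data'
    #    leave one of them in the clear.
    required = directives.get("TLSRequired", [["off"]])[-1]
    if required != ["on"]:
        findings.append(
            f"TLSRequired {' '.join(required)}: plaintext fallback is "
            "possible; set 'TLSRequired on'")

    # 2. Protocol versions: drop anything older than TLSv1.2.
    protos = set(directives.get("TLSProtocol", [[]])[-1])
    weak = sorted(DEPRECATED_PROTOCOLS & protos)
    if weak:
        findings.append(
            f"TLSProtocol allows deprecated {', '.join(weak)}; "
            "use 'TLSProtocol TLSv1.2 TLSv1.3'")

    # 3. Client-initiated renegotiation: the plaintext-injection flaw of
    #    CVE-2009-3555 and renegotiation-based CPU exhaustion both start
    #    here; leave it off unless a specific client needs it.
    for args in directives.get("TLSOptions", []):
        for opt in sorted(WEAK_OPTIONS & set(args)):
            findings.append(
                f"TLSOptions {opt}: remove it unless a specific client needs it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_tls(cfg) or ['OK']}")
```

Run it against a real proftpd.conf by passing the file's contents to `audit_tls`; the parser deliberately ignores `<VirtualHost>` boundaries, so a per-vhost override of `TLSRequired` will be folded into a single verdict and should be reviewed by hand.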

Additionally, if you are setting up a public FTP server, be it SSH SFTP
or FTP over TLS, I always recommend you complement its security with
something like fail2ban to put off brute-force attacks (it follows the
access log and tells shorewall, or whatever other local firewall you
may be using, to block offenders for a certain time, and they'll stop
hammering).

Hope this helps.
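
The lockout logic the previous paragraph describes, as an added example that is neither fail2ban's nor proftpd's code: replay proftpd-style failed-login lines, keep a sliding window of failures per source address (fail2ban's `maxretry` within `findtime`), and emit the `shorewall drop <ip>` dynamic-blacklist command that fail2ban's shorewall action issues on a ban. The log lines are constructed to match the shape of proftpd's SystemLog "Login failed" messages, with documentation-range addresses, and the year is assumed since syslog timestamps carry none; the regex is this example's own and should be checked against your actual log before relying on it.

```python
"""Sliding-window brute-force lockout in the style of a fail2ban jail.

Added example, not fail2ban's or proftpd's code. The sample log is
constructed to resemble proftpd SystemLog failed-login lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (proftpd SystemLog style, syslog timestamps, no year).
SAMPLE_LOG = """\
Mar 18 10:38:01 ftp1 proftpd[4101] ftp1 (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password
Mar 18 10:38:02 ftp1 proftpd[4102] ftp1 (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password
Mar 18 10:38:03 ftp1 proftpd[4103] ftp1 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
Mar 18 10:38:05 ftp1 proftpd[4104] ftp1 (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
Mar 18 10:38:09 ftp1 proftpd[4105] ftp1 (198.51.100.20[198.51.100.20]): USER bob: Login successful.
Mar 18 10:55:00 ftp1 proftpd[4106] ftp1 (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
Mar 18 11:20:00 ftp1 proftpd[4107] ftp1 (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
"""

# Our own pattern: timestamp, then the "(host[ip])" client tag proftpd
# prints, then a failed USER login. Successful logins do not match.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\(\S+\[(?P<ip>[^\]]+)\]\): USER \S+ \(Login failed\)"
)

# Jail parameters, named as fail2ban names them.
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=1)
ASSUMED_YEAR = 2022  # syslog timestamps carry no year


def parse_ts(stamp, year=ASSUMED_YEAR):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log and return [(ip, banned_at, banned_until)].

    A source is banned once it accumulates `maxretry` failures inside a
    `findtime` window; while banned, further lines from it are ignored,
    which mirrors the firewall dropping its packets.
    """
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        ip, now = m["ip"], parse_ts(m["ts"])
        if ip in banned_until and now < banned_until[ip]:
            continue
        window = attempts[ip]
        window.append(now)
        while window and now - window[0] > findtime:
            window.popleft()  # expire failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = now + bantime
            bans.append((ip, now, banned_until[ip]))
            window.clear()
    return bans


def shorewall_commands(bans):
    """Render the dynamic-blacklist commands a ban action would run."""
    return [f"shorewall drop {ip}" for ip, _, _ in bans]


if __name__ == "__main__":
    for ip, at, until in scan(SAMPLE_LOG):
        print(f"{ip} banned at {at:%H:%M:%S} until {until:%H:%M:%S}")
    print("\n".join(shorewall_commands(scan(SAMPLE_LOG))))
```

With the defaults, 203.0.113.7 is banned after its third failure at 10:38:03 while 198.51.100.20, whose three failures are spread over forty minutes, is never banned; raising `findtime` to an hour with `maxretry` 2 catches it too, which is the usual trade-off when tuning a jail against slow, distributed guessing. The ban is lifted by `shorewall allow <ip>` once `bantime` has elapsed; that side is omitted here.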


On Fri, 2022-03-18 at 10:38 -0400, William Papolis wrote:
> Remember … FTPS or SFTP, whatever you want to call it, is just SSH
> providing a “secure tunnel” for your unencrypted FTP traffic.
> 
> So … when trying to figure out “if SSH is secure” or any other
> encrypted traffic like HTTPS or whatever, you need to look closely at
> the encryption protocols you’re supporting. 
> 
> So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it
> secure, right?
> 
> For each of these, when you’re configuring it on your server, you
> need to choose a “cipher” to support. Some are “more secure” than
> others.
> 
> For context … TLSv1 was released in 1999 and deprecated in 2020 … so,
> NOT SECURE!
> 
> TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE!
> 
> For TLSv1 and TLSv1.1, I would disable support for those protocols on
> my server. Not even accept attempts to connect!
> 
> TLSv1.2 was released in 2008 and I would ONLY use it with a few
> cipher suites (like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other
> “secure suites”), so, YES, SECURE!
> 
> TLSv1.3 … it’s the latest and I would still be “picky” about which
> cipher suite I choose; ChaCha20-Poly1305 is kinda my current
> favorite.
> 
> So why do we continue to support older TLS versions? Well, for
> “compatibility”. We are always making a trade-off between “security”
> and “compatibility”.
> 
> If the level of “security” you choose, “blocks” many users from
> “getting access”, then it’s “not really working”, is it?
> 
> You need to make sure the client software that’s installed will work
> with the server software decisions you’re making.
> 
> I hope this helps. 
> 
> Bill
> 
> Sent from my iPhone
> 
> > On Mar 18, 2022, at 9:21 AM, Vieri Di Paola
> > <vieridipa...@gmail.com> wrote:
> > 
> > Is FTPS considered insecure?
> > 
> > proftpd example:
> > 
> > ServerName "MH FTP server"
> > ServerType standalone
> > DefaultServer on
> > AccessGrantMsg "User %u has successfully logged into MH FTP server."
> > RequireValidShell off
> > UseReverseDNS off
> > IdentLookups off
> > Port 0
> > UseIPv6 off
> > MaxInstances 30
> > <Global>
> > Umask 022
> > PassivePorts 2990 3000
> > MultilineRFC2228 on
> > ShowSymlinks off
> > DefaultTransferMode binary
> > MaxClients 30 "ERROR: reached maximum user limit (%m)."
> > MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit (%m)."
> > MaxLoginAttempts 3
> > DefaultRoot ~
> > AllowOverwrite on
> > AllowOverride off
> > AllowRetrieveRestart on
> > AllowStoreRestart on
> > DelayEngine on
> > TLSEngine on
> > TLSLog /var/log/proftpd_tls.log
> > TLSProtocol TLSv1 TLSv1.1 TLSv1.2
> > TLSRequired on
> > TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
> > TLSRSACertificateKeyFile /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
> > TLSVerifyClient off
> > TLSOptions AllowClientRenegotiations NoSessionReuseRequired
> > ClamAV on
> > ClamServer 127.0.0.1
> > ClamPort 3310
> > <Limit SITE_CHMOD>
> >  DenyAll
> > </Limit>
> > Include /etc/proftpd/user_list
> > </Global>
> > <VirtualHost 10.1.2.1>
> >  ServerName "MHSC FTP server"
> >  Port 21
> >  MasqueradeAddress mhsc.domain.org
> >  TransferLog /var/log/proftpd_xfer_mhsc.log
> > </VirtualHost>
> > <VirtualHost 10.1.3.1>
> >  ServerName "MHSI FTP server"
> >  Port 21
> >  MasqueradeAddress mhsi.domain.org
> >  TransferLog /var/log/proftpd_xfer_mhsi.log
> > </VirtualHost>
> > User ftp
> > Group ftp
> > DebugLevel 0
> > SystemLog /var/log/proftpd.log
> > WtmpLog off
> > 
> > 
> > _______________________________________________
> > Shorewall-users mailing list
> > Shorewall-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> 
