Security of SFTP

We run a public FTP server, which lives in a DMZ.  The entire Internet is allowed to FTP to it.  It also runs SSH.  The firewall only lets admins connect to the SSH port (port 22).

We've had a request from some partners to switch from FTP to SFTP.  Of course in concept that makes sense (encryption and strong authentication).  But the problem I see with SFTP through OpenSSH is that it runs over port 22, just as a part of SSH.

So in order to enable SFTP, I have to open port 22 up to the world.  I don't like that.  I realize there are ways to not allow an FTP user interactive SSH login, but I still don't like it.  

Is it possible to run SFTP on another port using a special server process?  Or some other way to solve this problem?
shanepresley asked:
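An added example, not part of the original thread or any answer in it, for the two things the question asks about: running SFTP on a port other than 22 and keeping SFTP users out of an interactive shell. It assumes a stock OpenSSH server, and the port (2222), group name (sftponly), chroot base (/srv/sftp), host key path and config path are all assumptions you would adjust. The second sshd instance is started with its own config file, so the admin sshd on port 22 and its firewall rule are left untouched; only the SFTP port is opened to the world.

```shell
#!/bin/sh
# Added example (not from the original thread): run a second OpenSSH daemon on
# its own port that offers only chrooted, non-interactive SFTP to one group.
# Admin SSH on port 22 stays firewalled as before. Port, group and paths are
# assumptions chosen for illustration.
set -eu

SFTP_PORT=2222                       # assumed; any free port works
SFTP_GROUP=sftponly                  # assumed group for partner accounts
SFTP_ROOT=/srv/sftp                  # assumed chroot base (root-owned, mode 0755)
SFTP_CONF=/etc/ssh/sshd_config-sftp  # assumed path for the second instance's config

# Print the config for the SFTP-only instance. Every feature an SFTP user
# could abuse to reach a shell or pivot through the host is switched off.
render_sftp_sshd_config() {
    cat <<EOF
Port ${SFTP_PORT}
ListenAddress 0.0.0.0
PidFile /run/sshd-sftp.pid
HostKey /etc/ssh/ssh_host_ed25519_key

# Only members of the SFTP group may authenticate on this port at all
AllowGroups ${SFTP_GROUP}
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no

# In-process SFTP server, so the chroot needs no binaries or libraries inside it
Subsystem sftp internal-sftp

Match Group ${SFTP_GROUP}
    ChrootDirectory ${SFTP_ROOT}/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
EOF
}

# Sanity check a rendered config: the directives that deny a shell, a TTY and
# port forwarding must all be present, otherwise "SFTP-only" is not SFTP-only.
check_sftp_only() {
    conf="$1"
    for directive in 'ForceCommand internal-sftp' 'AllowTcpForwarding no' \
                     'PermitTTY no' 'ChrootDirectory'; do
        grep -q "^[[:space:]]*${directive}" "$conf" || {
            echo "missing directive: $directive" >&2
            return 1
        }
    done
    return 0
}

# Usage: sh sftp-instance.sh install   (as root, on the DMZ host)
if [ "${1:-}" = "install" ]; then
    render_sftp_sshd_config > "$SFTP_CONF"
    check_sftp_only "$SFTP_CONF"
    sshd -t -f "$SFTP_CONF"   # syntax check before anything listens
    sshd -f "$SFTP_CONF"      # start the second daemon; the admin sshd on 22 is untouched
fi
```

Each partner account is created with its shell set to something like /usr/sbin/nologin and its home under /srv/sftp/<user>, which must be owned by root and not group- or world-writable or sshd will refuse the chroot; a root-owned parent with a user-writable subdirectory (for example /srv/sftp/<user>/upload) is the usual layout. Because ForceCommand and the forwarding restrictions live in the Match block, they apply even if a user's shell were later changed by mistake.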
chris_calabrese commented:
No, this is not possible. It is the client that makes SFTP SFTP instead of SSH. The server is the same.

If you don't want to open SSH up to the world, I suggest looking at FTPS (FTP/SSL, an IETF standards-track revision to the FTP protocol). There are many client and server implementations available for both *nix and Windows, some free and some $$$.

See http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html for additional information.
Nemesis-Services commented:
So let me get this right! You already allow FTP in from the entire Internet, which is NOT secure, but you do not want to allow SSH from the entire Internet! Well, obviously you need to go away and think about it.

The solution is simply to get the partners' public IP addresses and only allow their IP addresses to SSH in through the firewall. Also, you can use FTP over SSH2 with a program like SecureFX, which will allow SFTP (SSH2) and then use the FTP protocol after doing an SFTP into the server; that way the user doesn't get SSH into the server. Also, you can set the shell to be e.g. /bin/nologin.

chris_calabrese commented:
Nemesis-Services,

Just because shanepresley cares about the security of his server doesn't mean he cares about the security of the data in the FTP archive. These are not the same thing.

For example, many sites allow anonymous FTP for grabbing public software. But the admins still want the systems to be secure.

In this case, it sounds like FTP was originally considered "good enough" but that situation is changing. Thus, shanepresley is asking a reasonable question, IMO.
shanepresley (Author) commented:
Thanks chris_calabrese, that was a helpful alternative. And yes, you are correct, the FTP data was public. The need for SFTP came because we are going to start publishing data that is not classified as public.

Nemesis-Services, while I see your point that FTP is "insecure", I also don't like the idea of opening up port 22 to the entire Internet (I can't lock it down, dynamic clients).  