Security of SFTP

Posted on 2004-11-29
Medium Priority
Last Modified: 2010-04-11
We run a public FTP server, which lives in a DMZ.  The entire Internet is allowed to FTP to it.  It also runs SSH.  The firewall only lets admins connect to the SSH port (port 22).

We've had a request from some partners to switch from FTP to SFTP.  Of course in concept that makes sense (encryption and strong authentication).  But the problem I see with SFTP through OpenSSH is that it runs over port 22, just as a part of SSH.

So in order to enable SFTP, I have to open port 22 up to the world.  I don't like that.  I realize there are ways to not allow an FTP user interactive SSH login, but I still don't like it.  

Is it possible to run SFTP on another port using a special server process?  Or some other way to solve this problem?
Question by:shanepresley

Accepted Solution

chris_calabrese earned 2000 total points
ID: 12700798
No, this is not possible. It is the client that makes SFTP SFTP instead of SSH. The server is the same.

If you don't want to open SSH up to the world, I suggest looking at FTPS (FTP/SSL, an IETF standards-track revision to the FTP protocol). There are many client and server implementations available for both *nix and Windows, some free and some $$$.

See http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html for additional information.

Expert Comment

ID: 12700874
So let me get this right! You already allow FTP in from the entire Internet, which is NOT secure, but you do not want to allow SSH from the entire Internet! Well, obviously you need to go away and think about it.

The solution is simple: just get the partners' public IP addresses and only allow their IP addresses to SSH in through the firewall. Also, you can use FTP over SSH2 with a program like SecureFX, which will allow SFTP (SSH2), then use the FTP protocol after doing an SFTP into the server; that way the user doesn't get SSH into the server. You can also set the shell env to be e.g. /bin/nologin.

Expert Comment

ID: 12700941

Just because shanepresley cares about the security of his server doesn't mean he cares about the security of the data in the FTP archive. These are not the same thing.

For example, many sites allow anonymous FTP for grabbing public software. But the admins still want the systems to be secure.

In this case, it sounds like FTP was originally considered "good enough" but that situation is changing. Thus, shanepresley is asking a reasonable question, IMO.

Author Comment

ID: 12701164
Thanks chris_calabrese, that was a helpful alternative. And yes, you are correct, the FTP data was public. The need for SFTP came because we are going to start publishing data that is not classified as public.

Nemesis-Services, while I see your point that FTP is "insecure", I also don't like the idea of opening up port 22 to the entire Internet (I can't lock it down, dynamic clients).  
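Editor's added example, not part of the thread or from any of its posters: both the asker (restricting SFTP users from interactive login) and Nemesis-Services (a /bin/nologin shell) touch on keeping partner accounts out of a shell. In OpenSSH the clean way to express that is a Match block with ForceCommand internal-sftp and ChrootDirectory; these directives arrived in OpenSSH 4.4 and 4.9, both after this 2004 thread, so they were not an option for the original poster. The script below embeds a constructed hardened config beside a constructed weak one and audits a config for the restriction. The group name sftponly and the /srv/sftp path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Shows an sshd_config that confines
# partner accounts to the SFTP subsystem and a small audit for that restriction.
# Match / ForceCommand internal-sftp / ChrootDirectory postdate the 2004 thread
# (OpenSSH 4.4 and 4.9). Group name "sftponly" and /srv/sftp are assumed.

# Constructed sample: the hardened form.
SFTP_ONLY_CONFIG='
Port 22
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp internal-sftp

# Partner accounts: no shell, no forwarding, chrooted to a per-user directory
# owned by root. sshd also accepts -f <file> -p <port>, so a separately
# configured instance can listen on its own port (not covered in the thread).
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
'

# Constructed sample: the weak form. The group is chrooted but nothing forces
# the subsystem, so an account with a real shell in /etc/passwd still gets an
# interactive login, and port forwarding stays available.
WEAK_CONFIG='
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
'

# audit_sftp_only CONFIG_TEXT GROUP
# Returns 0 when the "Match Group GROUP" block forces internal-sftp and
# disables TCP forwarding; returns 1 (with a reason on stdout) otherwise.
audit_sftp_only() {
    config="$1"; group="$2"
    # Collect the lines belonging to the Match block for this group. A Match
    # line starts a new block, so membership is re-evaluated at each one.
    block=$(printf '%s\n' "$config" | awk -v g="$group" '
        /^[[:space:]]*Match[[:space:]]/ {
            inblock = ($0 ~ ("Group[[:space:]]+" g "([[:space:]]|$)")); next
        }
        inblock { print }
    ')
    [ -n "$block" ] || { echo "no Match Group $group block"; return 1; }
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' \
        || { echo "$group: ForceCommand internal-sftp missing"; return 1; }
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' \
        || { echo "$group: AllowTcpForwarding not disabled"; return 1; }
    echo "$group: SFTP-only"
    return 0
}

audit_sftp_only "$SFTP_ONLY_CONFIG" sftponly
audit_sftp_only "$WEAK_CONFIG" sftponly || true
```

Run it against a real file with `audit_sftp_only "$(cat /etc/ssh/sshd_config)" sftponly`; the ChrootDirectory target must be root-owned and not group- or world-writable or sshd refuses the login, and a nologin shell alone does not stop port forwarding, which is why the audit insists on AllowTcpForwarding no rather than only checking the shell.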
