Securing FTP Servers

Hello!

There's a Python script called Hostsdeny which blocks unauthorized login attempts to the SSH server. It allows a certain number of login attempts and then permanently blocks the person's IP or hostname after too many login attempts...

I'm wondering if there's something similar for ProFTP?
Julian Matz (Joint Chairperson) Asked:
 
xDamox Commented:
Hi,

I think you can use a tool called pam_abl. You can enable it on Proftpd if you compiled proftpd with PAM support:

http://www.hexten.net/pam_abl/
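The question above asks for blocking after too many failed FTP logins. As an added example (not part of the thread, and not code from pam_abl or the SSH script mentioned), here is that detection logic run over constructed log lines; the log layout, the threshold, the window and the name `hosts_to_block` are assumptions to adapt to your server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed ProFTPD-style layout (not captured from a real server).
SAMPLE_LOG = """\
2024-03-10 09:00:00 ftp1 proftpd[2001] ftp1 (192.0.2.55[192.0.2.55]): USER carol (Login failed): Incorrect password
2024-03-10 10:00:00 ftp1 proftpd[2002] ftp1 (192.0.2.55[192.0.2.55]): USER carol (Login failed): Incorrect password
2024-03-10 11:00:00 ftp1 proftpd[2003] ftp1 (192.0.2.55[192.0.2.55]): USER carol (Login failed): Incorrect password
2024-03-10 12:00:01 ftp1 proftpd[2101] ftp1 (203.0.113.7[203.0.113.7]): USER alice (Login failed): Incorrect password
2024-03-10 12:00:09 ftp1 proftpd[2101] ftp1 (203.0.113.7[203.0.113.7]): USER admin: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
2024-03-10 12:00:15 ftp1 proftpd[2102] ftp1 (203.0.113.7[203.0.113.7]): USER alice (Login failed): Incorrect password
2024-03-10 12:00:21 ftp1 proftpd[2103] ftp1 (203.0.113.7[203.0.113.7]): USER alice (Login failed): Incorrect password
2024-03-10 12:01:00 ftp1 proftpd[2110] ftp1 (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
2024-03-10 12:01:30 ftp1 proftpd[2110] ftp1 (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
2024-03-10 12:02:00 ftp1 proftpd[2110] ftp1 (198.51.100.20[198.51.100.20]): USER bob: Login successful.
2024-03-10 13:00:00 ftp1 proftpd[2200] ftp1 (192.0.2.55[192.0.2.55]): USER carol (Login failed): Incorrect password
"""

# Assumed layout: timestamp, server, proftpd[pid], server, (client-host[client-ip]): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\] \S+ "
    r"\((?P<host>[^\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]\): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"\(Login failed\)|no such user found")


def hosts_to_block(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return sorted client IPs with more than max_failures failed logins inside one window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not FAILED_RE.search(m["msg"]):
            continue  # skip successful logins and lines that do not parse
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) > max_failures:
            blocked.add(m["ip"])
    return sorted(blocked)


if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_LOG))
```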
 
PsiCop Commented:
I don't have an answer to your Question, but I do have to wonder why you'd use plain ol' FTP when the SSH suite supports Secure FTP (SFTP).

Julian Matz (Joint Chairperson, Author) Commented:
Yes, I have been planning on looking into SFTP. Can you recommend any good SFTP servers?

PsiCop Commented:
Open Source/Freeware --> http://www.openssh.org

Commercial Implementation --> http://www.tectia.com

Closed Source/Commercial --> http://www.ssh.com

Julian Matz (Joint Chairperson, Author) Commented:
Ok, I may have misunderstood... I know about SSH, using it as sftp and all that but the problem is I cannot hand out SSH logins to every virtual host on my server. I don't know exactly how it would work, but it would probably need to run on a separate port... Is it possible to simply replace the proftpd server with an sftp server??

PsiCop Commented:
Yes. SSH/SFTP will use the same authentication that ProFTPd would have. I'm not sure I understand the difference between handing out ProFTPd logins and SFTP logins.

If you're worried that by giving users SFTP you also give them shell access via SSH, then you can address that quite reasonable concern with rssh (http://www.pizzashack.org/rssh).

Julian Matz (Joint Chairperson, Author) Commented:
Well, on my server it's not possible for FTP users to log in to SSH/SFTP. Basically, an FTP user can only edit or upload files that are located within their home directory or sub-directories and if the FTP user has ownership of these files. It runs chroot-ed.

As far as I know SSH uses /etc/passwd/ for authentication?? but none of the FTP users are listed there...

PsiCop Commented:
Ah. The OpenSSH sshd server can use PAM. But yes, lacking that, it uses /etc/passwd

Julian Matz (Joint Chairperson, Author) Commented:
Well, actually I do have PAM, and the SSH config file has 'usePAM yes', so maybe it does use PAM, but I'm not really sure of how PAM actually works...

PsiCop Commented:
SFTP is merely an additional service of SSH. It transfers files instead of providing an interactive shell session.

Julian Matz (Joint Chairperson, Author) Commented:
Ya, I know, but I don't know enough about it to be able to offer it to my clients...
For example, I have used sFTP myself, not as root user, just a regular user without privileges, but I was able to skip around all sorts of files and folders. I wasn't able to edit them, but was able to download them. Whereas with FTP, a user cannot leave their home directory... Does this make sense??

I use server admin software similar to Plesk which creates all virtual hosts. On this I can enable SSH access for certain users, but the default is that they have no access to port 22. Just FTP on 21.

PsiCop Commented:
Ah, then you need the chroot "helper" in rssh to impose chroot-like functionality on SFTP clients.

Julian Matz (Joint Chairperson, Author) Commented:
Thanks for all your help!
-Julian.
Question has a verified solution.