Secure FTP server
Question: am I safe to give out FTP access from an FTP server I run on the Linode to people who could be running exec commands at will? Could they ever access the filesystem root with a nefarious command? Is my FTP server secure?
1 Reply
Just to clarify, are you using FTP or SFTP when you attempt to make these connections? In general, FTP alone is something I can't recommend since it has a number of security flaws, the most severe being that it sends packets unencrypted in plaintext which can easily be read by passive tools like packet sniffers. I can strongly recommend using SFTP instead as a different option. You should always be able to make an SFTP connection by using syntax similar to the following:
sftp username@yourIPaddress
Additionally, to further secure your connection, you should be able to create sftp jails. For a little more information regarding how to do this, I'm including some of our documentation below which should help:
If your FTP server is more publicly facing, it would absolutely benefit from a number of proper security controls as well, such as strong file-level encryption, permissions, robust logging, firewalls, and whitelists or blacklists. Though I don't think that remote code execution will be a major threat if you follow good security practices, it's worth putting the time and effort into this security, and making sure that you have a number of strong controls in place for a defense-in-depth approach. For a little more information regarding how you might do this, I'm including some additional documentation on a few of these topics below which I hope might help:
https://www.linode.com/docs/security/securing-your-server/
https://www.linode.com/docs/tools-reference/linux-users-and-groups/
https://www.linode.com/docs/security/using-fail2ban-for-security/
https://www.linode.com/docs/uptime/logs/use-logrotate-to-manage-log-files/
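As an added example of the "sftp jail" the reply mentions (this is not code from the thread or from Linode's documentation), the shell functions below print an OpenSSH `Match` stanza that confines a group to SFTP only inside a chroot, and check a directory against sshd's requirement that a `ChrootDirectory` be root-owned and not writable by anyone else. The group name `sftpjail`, the path `/srv/sftp`, and GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or Linode docs): emit an
# sshd_config "Match" stanza for an SFTP-only, chrooted group and check
# a chroot directory against sshd's ownership/permission rule.
# Group "sftpjail" and path "/srv/sftp" are assumed names for illustration.

# Print the sshd_config stanza that jails members of GROUP under
# CHROOT_DIR/<username> and forbids shells, forwarding and tunnels.
# Usage: sftp_jail_stanza GROUP CHROOT_DIR
sftp_jail_stanza() {
    group="$1"
    chroot_dir="$2"
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $group
    ChrootDirectory $chroot_dir/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# sshd refuses to chroot unless the directory (and every parent) is owned
# by root and has no group/other write bit; users get a writable subdir
# inside it instead. Returns 0 when DIR satisfies the rule.
# OWNER_UID defaults to 0 (root); another uid is only useful for testing.
# Requires GNU stat (-c). Usage: check_chroot_dir DIR [OWNER_UID]
check_chroot_dir() {
    dir="$1"
    owner="${2:-0}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")            # e.g. 755 or 1777
    [ "$uid" = "$owner" ] || { echo "$dir: owned by uid $uid, expected $owner" >&2; return 1; }
    perm=${mode#"${mode%???}"}           # last three octal digits: user group other
    others=${perm#??}
    grp=${perm%?}; grp=${grp#?}
    case "$grp$others" in
        *[2367]*) echo "$dir: mode $mode is group/other writable" >&2; return 1 ;;
    esac
    return 0
}
```

Paste the stanza at the end of `sshd_config` (after any other `Match` blocks), create `/srv/sftp/<user>` as root with mode 755 and a user-owned `upload` subdirectory inside it, then reload sshd.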