WebProWorld, IT Discussion Forum
#1, 01-05-2009, 06:37 PM
netman4ttm (WebProWorld Veteran; Join Date: Aug 2003; Location: Virginia; Posts: 331)
FTP Server with TLS

I just recently set up a ftp site on FreeBSD 7.0 using pureftp.
The site is set up to use FTPES; FTP over explicit TLS/SSL.

The problem is that most of our clients can use FileZilla, which supports the transport security layer, BUT we have one client that uses an automated system that only recognizes FTP.

So we now have a system that will use both ftp and ftpes.

We are pushing them to get into the 21st century (not likely) so the issue facing us is does their use of ftp put the entire site at risk. They are the only client using ftp and privilege separation is strictly enforced.
#2, 01-05-2009, 07:00 PM
wige (Moderator; Join Date: Jun 2006; Location: United States; Posts: 2,648)
Re: FTP Server with TLS

I guess it really depends what is being FTP'd, and in what ways that person's credentials can be abused. In most schemes, SSL is only used to encrypt the username and password, not the data being transmitted. This is typically sufficient, as the important part is to secure the login credentials and the data does not need to be secured. Other schemes will encrypt the payload as well as the authentication.

Assuming the data itself is not sensitive, there are a few considerations I can think of...

1. Account Compromise. The user's upload account could be compromised. From your post, I assume the user is using FTP to upload some type of file to you. Depending on the server settings, an attacker might be able to gain read/write permission to that folder. Mitigation for this (assuming the user does not need to download anything) would be to make sure that the FTP user has write-only access to the specific dedicated folder, and that the folder is set so that no files can be executed in that folder, by anyone, ever. You may also want to turn off read capabilities except for whatever process uses the uploaded file. This can help protect against certain directory traversal attacks (the user uploads a script with the compromised login information, then passes a specially crafted URL to an HTTP server on the same computer that accesses the file, triggering an exploit).

2. Abuse of services. Typically, all FTP accounts correspond to a recognized user of the system. Even if that username has been locked down, it is possible that some services on the system will still accept those credentials when they shouldn't, and it could open an attack vector. (for example, are you sure that those credentials won't work for CPANEL? What about the /~username/ path in Apache? etc.) For that reason, I would suggest checking with the FTP server maker about creating an Alias account, which lets you create a username and password that can be set as aliases for another real user. That way if the logon credentials do fall into the wrong hands, they won't be recognized by the server's user authentication system as a valid account.
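As an added example (not from the thread, and not pure-ftpd's own documentation), a FreeBSD-style sh script that lays out and audits the write-only, no-execute drop box wige describes in point 1, and lists the pure-ftpd commands for a virtual login that maps to no real system account, which is the "alias account" idea in point 2; the account names "ingest", "ftpuser" and "clientA" and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build and audit a write-only drop box
# for the one plain-FTP client, following the layout wige describes.
# Assumptions (hypothetical names): the processing job runs as "ingest" and
# owns the tree; pure-ftpd maps the virtual login "clientA" to the unprivileged
# system account "ftpuser", whose group owns the drop box.
set -eu

# Create the drop box under $1: the FTP client (group) may enter and write,
# but cannot list or read; only the owner (the ingest job) can read files.
setup_dropbox() {
    dir=$1
    mkdir -p "$dir/incoming"
    chmod 0710 "$dir"             # owner rwx, group may only traverse
    chmod 0730 "$dir/incoming"    # group may write and traverse, not list
    echo "$dir/incoming"
}

# Permission string as ls prints it; portable where stat(1) flags differ
# between FreeBSD and GNU userland.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Audit: return 1 if any file in the tree is executable by anyone, or
# readable or writable by "others". Uploaded files must never be runnable.
audit_dropbox() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -0004 -o -perm -0002 \) -print | grep -q . && return 1
    return 0
}

# Server side, run as root on the FreeBSD host (not executed here):
# a pure-ftpd virtual user keeps the FTP login out of the system password
# database, -A chroots every user into its directory, -E refuses anonymous
# logins, and -Y 1 accepts both plain FTP and explicit TLS only because this
# one client cannot negotiate TLS. Paths are assumed.
#   chown -R ingest:ftpuser /srv/ftp/clientA
#   pure-pw useradd clientA -u ftpuser -g ftpuser -d /srv/ftp/clientA
#   pure-pw mkdb
#   pure-ftpd -A -E -Y 1 -l puredb:/usr/local/etc/pureftpd.pdb
```

Run audit_dropbox from cron against the drop box so a stray executable or world-readable upload is caught before the ingest job touches it.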
#3, 01-05-2009, 07:27 PM
netman4ttm (WebProWorld Veteran; Join Date: Aug 2003; Location: Virginia; Posts: 331)
Re: FTP Server with TLS

Unfortunately the data is sensitive and while it is encrypted I am not feeling comfortable with ftp.
The server itself is hardened with only ports 21 and 53 open. I thought about using sftp but the idea of opening traffic on port 22 seemed to be asking for more trouble.
The server does use DNS to check the source of the uploads/downloads; they do both so permissions need to allow for read/write.

We are changing their passwords frequently which does not make for a happy client.

I guess what has me up in arms is that TLS is not that new and is clearly the way to go with a protocol such as FTP, so you would think large companies would adopt it quickly.
All times are GMT -4.