Update: Make FTP server slightly more secure

John shared a great idea in his comment on my “FTP: a trip down the memory lane” post: some FTP servers let you specify the range of passive-mode data ports. In passive mode the server listens on a high port and the client opens the data connection to it, so a firewall in front of the server would otherwise have to allow inbound connections to all TCP ports above 1024; with a fixed range you can tighten the router ACL to just those ports.

If you’re using wu-ftpd, the port range is specified with the passive ports directive in the ftpaccess configuration file. ProFTPD uses the PassivePorts directive (PassivePorts min max) and its documentation recommends using the IANA-specified ephemeral port range, 49152 through 65534. Pure-FTPd takes a more cryptic approach: the range is passed on the command line with the -p first:last option. Whichever server you use, the router ACL still has to permit TCP port 21 for the control connection; the passive range only covers the data connections.
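
Once the range is configured it is worth checking that the server really announces data ports inside it, because an ACL built for the range will silently break transfers on any port outside it. The following Python script is an added example and is not part of the original post or of any FTP server's own code: it parses the 227 reply a server sends to the PASV command, checks the announced port against the configured range (the IANA range 49152-65534 is assumed), and prints the matching IOS extended ACL lines. The sample replies and the server address 192.0.2.10 are constructed; the live_check function, which talks to a real server, only runs when a host name is given on the command line.

```python
"""Verify that FTP PASV replies stay inside the configured passive port range.

Added example, not from the original post. The configured range is assumed to
be the IANA dynamic range 49152-65534; the sample replies below are constructed.
"""
import ftplib
import re
import sys

PASV_LO, PASV_HI = 49152, 65534  # assumed configured range (ProFTPD's recommendation)
CONTROL_PORT = 21

# RFC 959: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)', data port = p1*256 + p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) announced in a 227 PASV reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def in_range(port, lo=PASV_LO, hi=PASV_HI):
    """True if an ACL permitting lo..hi would let this data connection through."""
    return lo <= port <= hi


def audit_replies(replies, lo=PASV_LO, hi=PASV_HI):
    """Return the announced ports that fall outside lo..hi (empty list = all good)."""
    bad = []
    for reply in replies:
        _, port = parse_pasv(reply)
        if not in_range(port, lo, hi):
            bad.append(port)
    return bad


def acl_lines(acl_number, server_ip, lo=PASV_LO, hi=PASV_HI):
    """IOS extended ACL entries: the control port plus the passive data range."""
    return [
        "access-list %d permit tcp any host %s eq %d" % (acl_number, server_ip, CONTROL_PORT),
        "access-list %d permit tcp any host %s range %d %d" % (acl_number, server_ip, lo, hi),
    ]


def live_check(host, user="anonymous", password="guest@", samples=5, lo=PASV_LO, hi=PASV_HI):
    """Ask a real server for PASV several times; return announced ports outside lo..hi.

    Needs network access, so it is only called from the command line below.
    """
    replies = []
    ftp = ftplib.FTP(host, timeout=10)
    try:
        ftp.login(user, password)
        for _ in range(samples):
            replies.append(ftp.sendcmd("PASV"))
        ftp.quit()
    finally:
        ftp.close()
    return audit_replies(replies, lo, hi)


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,88)",   # 195*256+88 = 50008, inside the range
    "227 Entering Passive Mode (192,0,2,10,255,254)",  # 65534, last port of the range
    "227 Entering Passive Mode (192,0,2,10,4,1)",      # 1025: server ignored the range setting
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("out-of-range ports announced by %s:" % sys.argv[1], live_check(sys.argv[1]))
    else:
        print("out-of-range ports in samples:", audit_replies(SAMPLE_REPLIES))
        print("\n".join(acl_lines(101, "192.0.2.10")))
```

Run it without arguments to see the parser and the ACL lines on the constructed samples, or with a host name to query a real server; any port in the returned list means the server is not honouring the configured range and the ACL will drop that transfer.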

3 comments:

  1. vsftpd has pasv_min_port and pasv_max_port to limit the range of the passive ports used.

  2. As I pointed out in the previous post - if you want security then you don't want FTP - switch to SSH and all will be well in the world.

  3. Ivan Pepelnjak, 21 May, 2010 09:46

    Can't agree more ... the problem is usually in client or server availability. For example, no SSH/SFTP from Microsoft (they push WebDAV), only FP extensions or FTP for FrontPage (until MS Expression Web 3).



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.