On 11/17/19 21:43, Trent W. Buck wrote:
I see you're matching vsftpd. I very very strongly recommend you... encourage your end users to switch from FTP to SFTP. :-) (Many (most?) Windows FTP clients can do SFTP these days.)
It's always fun to see the systems people and the network people argue over this.
Everybody should obviously discontinue using plaintext FTP, but FTPS (i.e. FTP over TLS) is a thing that exists, and is generally a much smaller configuration change for an existing FTP service than switching to SFTP (i.e. the SFTP subsystem of the SSH protocol).
Using SFTP also admits a lot of protocol features that you Do Not Want if all you're after is file transfers. Configure it a bit wrong and your users get a shell, the ability to forward ports from the public address of your SFTP server to their client, the ability to forward ports from their client to whatever internal hosts they want on the same internal network as your SFTP server, a VPN, X11 forwarding etc.
By contrast, the disadvantage of FTPS is that it uses separate control and data connections, and because it's encrypted, the firewall can't snoop the control connection to see which ports it will use for the data connection. So the only way to really make it work is to allow clients to make outgoing connections to arbitrary unprivileged ports. Then you have to convince the client's network administrator to allow that.
But the alternative is to allow outgoing connections to the SSH port. Which, because it's opaque and supports port forwarding and VPN and so on, effectively allows the same thing anyway.
