On December 22, 2003 08:37 pm, Bob Smith wrote:
> Pete,
>
> I heard back from my upstream ISP. Apparently they are blocking some of
> the standard abuse ports, FTP being one of them. Most of their
> downstream systems are Windows systems, so I don't really blame them for
> taking the extra precautions.
>
> He has two suggestions for me. One is use a non-standard port for FTP,
> which I can test and try with vsftpd. The other is that he can open the
> firewall for my IP address and ports, which from the sound of the email
> is not his desired answer.
>
> Since I will have some inexperienced users on the system, I'm sure
> there are reasons for having standard ports, not the least of which is
> that Windows 2K FTP does not support setting its port. However, other
> Windows-based FTP packages do, such as Globescape. So the question is,
> as a practice, is using non-standard FTP ports acceptable?
>
> Thanks
>
> -Bob

Hi Bob,

There are a few things to consider. There is certainly nothing wrong with using a service on a non-standard port; however, it may interfere in the future if you add a service that uses the non-standard port. As far as security, although it hides the port, it may also invite curiosity trying to figure out what you are listening for.

The last thing you mention is likely the most important and will cause you the most pain. Anyone who needs to connect to your server must set their client up right, and avoid using the provided client which they may be used to. If they were all behind a Linux box at one or two sites, you could port forward outbound from those sites and the clients would never know.

If you have a static IP and your ISP is willing, then having a hole opened up is the simplest, from your point of view.

Regardless of all that, the best solution, if you know who the clients are, instead of installing a new FTP client, would be to set them all up with ssh clients (putty or ?) and use sftp via ssh ports which are almost always open.
You have all the security of ssh and you can stay off your ISP's bad list :)

--
Pete Nesbitt, rhce