Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Configuring a firewall to accept SFTP incoming 2

Status
Not open for further replies.
bazil2

bazil2

Technical User
Feb 15, 2010
148
DE
(Elementary user)

Someone would like to send files to our server using SFTP

After researching this, it would appear that SFTP 'belongs' to or rather is a subset of SSH

Would the following approach be correct:

1) Open the SSH port on the firewall
2) Ascertain the incoming users static IP address and restrict incoming SSH requests to this user
3) Create a new user on the target server with password and home directory

Best regards


 
Sort by date Sort by votes
Open the SSH port on the firewall
Click to expand...

Actually changing the SSH port would be more secure.

Open sshd_config and change port 22 to some number higher than 49152, open open that port in the firewall and restart the ssh daemon. That reduces the risk of having SSH attacked should the user NOT have a fixed IP.
"crackers and hackers" will then be just banging heads with a closed port at your firewall rather than the SSH server daemon.

But don't forget to change your SSH client to use the new port.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Upvote 0 Downvote
@ChrisHirst,

I don't mean to be offensive, but I am surprised that someone with your level of activity on this forum would advocate changing the SSH port as a means of security. Changing the port may work against a simple script kiddie, but anybody can find the new port in seconds with a simple scan. Security through obscurity is dubious at best. It would be far more effective to secure the SSH server directly than to try to obfuscate it. Use key based authentication, disable direct root logins, and discourage scripting by using fail2ban.

 
Upvote 0 Downvote
Changing ports is an ADDITION to your server security NOT the be all and all of your security.

Sure "dedicated crackers" will often find a way in regardless. It IS the annoying "script kiddy cracker" that are, for most server admins, the ones to stop. They know enough to be a ********* nuisance, but not quite enough to be a serious threat, and your server probably isn't well known enough to be attracting the attention from the "advanced" hackers/crackers.

Your firewall should be stopping port scans, so changing the SSH port removes your server from the script kiddies target practice range. Personally I'd rather bounce them off the firewall than let them get a potential foothold.



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

SamBones
  • Locked
  • Question
How Do I Start/Stop Systemd Services as a non-root User?
Replies
2
Views
421
gbaughma
gbaughma
donald lepariku
  • Locked
  • Question
Error: 694, Severity: 24, State: 10 An attempt was made to read logical page '153', virtpage '616' f 1
Replies
3
Views
194
spamjim
spamjim
malpa
  • Locked
  • Question
block incoming snmp traps from ip
Replies
1
Views
154
malpa
malpa
Steve Bowman
  • Locked
  • Question
I have a Debian server (buster) I h
Replies
0
Views
73
Steve Bowman
Steve Bowman
kasperelectronics
  • Locked
  • Question
Desktop streaming from a server to low power front end device e.g. RasPi
Replies
0
Views
84
kasperelectronics
kasperelectronics

Part and Inventory Search

Sponsor

Back
Top