
Configuring a firewall to accept SFTP incoming 2

Status
Not open for further replies.

bazil2

Technical User
Feb 15, 2010
148
DE
(Elementary user)

Someone would like to send files to our server using SFTP

After researching this, it would appear that SFTP 'belongs' to or rather is a subset of SSH

Would the following approach be correct:

1) Open the SSH port on the firewall
2) Ascertain the incoming user's static IP address and restrict incoming SSH requests to this user
3) Create a new user on the target server with password and home directory

Best regards


 
Open the SSH port on the firewall

Actually changing the SSH port would be more secure.

Open sshd_config and change port 22 to some number higher than 49152, open that port in the firewall and restart the ssh daemon. That reduces the risk of having SSH attacked should the user NOT have a fixed IP.
"crackers and hackers" will then be just banging heads with a closed port at your firewall rather than the SSH server daemon.

But don't forget to change your SSH client to use the new port.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
@ChrisHirst,

I don't mean to be offensive, but I am surprised that someone with your level of activity on this forum would advocate changing the SSH port as a means of security. Changing the port may work against a simple script kiddie, but anybody can find the new port in seconds with a simple scan. Security through obscurity is dubious at best. It would be far more effective to secure the SSH server directly than to try to obfuscate it. Use key based authentication, disable direct root logins, and discourage scripting by using fail2ban.

 
Changing ports is an ADDITION to your server security NOT the be all and all of your security.

Sure "dedicated crackers" will often find a way in regardless. It IS the annoying "script kiddy crackers" that are, for most server admins, the ones to stop. They know enough to be a ********* nuisance, but not quite enough to be a serious threat, and your server probably isn't well known enough to be attracting the attention of the "advanced" hackers/crackers.

Your firewall should be stopping port scans, so changing the SSH port removes your server from the script kiddies target practice range. Personally I'd rather bounce them off the firewall than let them get a potential foothold.



Chris.

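The two replies above disagree about what counts as hardening, so here is an added example (not from any poster in this thread) that audits the global section of an sshd_config for the three settings they argue over: a non-default Port, PermitRootLogin, and key-based rather than password authentication. It prints each weak value beside the recommended one; the directive names are real sshd_config keywords, the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the global section of an sshd_config for the
# three settings the replies argue over (non-default Port, root login, key-based auth)
# and print each weak value beside the recommended one.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (no argument runs the constructed sample)

# Effective value of a directive. sshd honours the FIRST occurrence of a keyword, so a
# hardened line appended below an earlier weak one changes nothing; Match blocks are ignored.
sshd_get() { # $1=config file  $2=directive  $3=value assumed when the directive is absent
    awk -v k="$2" -v d="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(k) && !found { print $2; found = 1 }
        END { if (!found) print d }' "$1"
}

# One line per finding, "Directive: current -> recommended". Nothing printed means all clear.
audit_sshd() {
    cfg=$1
    port=$(sshd_get "$cfg" Port 22)
    [ "$port" -gt 49152 ] ||
        echo "Port: $port -> a port above 49152, and open only that port on the firewall"
    root=$(sshd_get "$cfg" PermitRootLogin yes)   # assume the permissive value if unset
    [ "$root" = no ] ||
        echo "PermitRootLogin: $root -> no (log in as the SFTP user, never as root)"
    pw=$(sshd_get "$cfg" PasswordAuthentication yes)
    [ "$pw" = no ] ||
        echo "PasswordAuthentication: $pw -> no (key-based authentication only)"
    pk=$(sshd_get "$cfg" PubkeyAuthentication yes)
    [ "$pk" = yes ] ||
        echo "PubkeyAuthentication: $pk -> yes"
}

# Constructed sample: a stock-looking config with a hardened Port line added too late to count.
write_sample_config() { # $1=destination file
    cat > "$1" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Port 50022
EOF
}

if [ -n "$1" ]; then
    audit_sshd "$1"
else
    tmp=$(mktemp); write_sample_config "$tmp"; audit_sshd "$tmp"; rm -f "$tmp"
fi
```

Note that the trailing `Port 50022` in the sample is reported as ineffective: sshd keeps the first `Port 22`, which is exactly the mistake an audit like this catches before the firewall rule is changed.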
 