Best way to secure FTP Server for authenticated users only !

Post by zaib » Mon May 23, 2011 11:00 am

Assalam Alaekum, Dear LP Members,

I need a suggestion.

Network IP setup is:

Users LAN = 10.10.0.0/8

SQUID PROXY+GW = 192.168.1.1
MT WAN IP = 192.168.1.2 , GW=192.168.1.1 [Squid]
MT LAN IP = 10.10.0.1
DMASoftlab RADIUS = 10.10.0.2



(When a user connects via the VPN dialer in order to use the internet service, he gets an IP from the 172.16.0.0/16 series & then all user/MT data is NATed/forwarded to Squid)

FTP Server ips = 10.10.0.5 (WIN2003, Main http WEB site for sharing Media)
FTP Server ips = 10.10.0.6 (WIN2003, FTP1 for VIDEOS,MP3 etc)
FTP Server ips = 10.10.0.7 (WIN2003, FTP2 for VIDEOS,MP3 etc)


The setup shown in the attached picture also has 3 FTP servers to serve around 1000-1500 users (5 TB sharing media).
What is the best way to secure the FTP server? That is, only authenticated users should be able to access the FTP server.

What can be done so that only VPN-connected users are able to connect to the FTP server?

One idea was to add another LAN card in the MT with the 172.16.0.0 series or 10.10.0.x and put all FTP servers behind the Mikrotik (in a DMZ environment), but this would create a lot of load on the Mikrotik (5TB sharing access). Any better solution?


Regards,
ZAIB :)
Regards,

SYED JAHANZAiB

web: http://aacable.wordpress.com
msn: aacable@hotmail.com
zaib
Naik
 
Posts: 97
Joined: Thu Jan 10, 2008 3:11 pm
Website: http://aacable.wordpress.com
WLM: aacable@hotmail.com
Yahoo Messenger: johny_reico@yahoo.com
Location: Karachi

Post by mudasir » Tue May 24, 2011 2:52 pm

Salam Zaib bhai,

Normally at this level using local IPs for VPN is not a very good idea... and if you do so, then securing the FTP site can be a bit of a headache.

At this level live IPs are normally used for VPN users for many different purposes. Also, if live IPs are used then you can simply install a simple firewall at the FTP server and only allow live IPs, not local IPs, and by doing this you can secure your server. But this will create another issue for you related to bandwidth from the FTP server.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Post by zaib » Fri Jun 17, 2011 3:37 pm

mudasir wrote:
Salam Zaib bhai,

Normally at this level using local IPs for VPN is not a very good idea... and if you do so, then securing the FTP site can be a bit of a headache. At this level live IPs are normally used for VPN users for many different purposes. Also, if live IPs are used then you can simply install a simple firewall at the FTP server and only allow live IPs, not local IPs, and by doing this you can secure your server. But this will create another issue for you related to bandwidth from the FTP server.


Dear Mudasir,

You are absolutely right, this was the first thing that came to my mind when designing the network; usually at this level, using local IPs is not a good choice. Using live IPs saves you from many hurdles like Web Logging, Sharing Security etc. But as the 'Operator' is not willing to use live IPs at the moment, I guess I have to stick with the 'FTP behind MT DMZ' option.

The operator's demand is to set up FTP on Windows Server. I guess I have to do some googling to see if IIS FTP authentication can be done via FREERADIUS. Any idea on this? :oops:


I have to search if there is a way that IIS can authenticate with FREERADIUS. Any idea?

Re: Best way to secure FTP Server for authenticated users on

Post by zaib » Thu Sep 29, 2011 7:49 pm

I moved on to a Linux-based sharing server, using Apache with FREE-RADIUS as the authentication method.

Maybe this will help someone . . .

http://aacable.wordpress.com/2011/09/29 ... -optional/

