FTP server in the Cloud: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
No edit summary
No edit summary
Line 4: Line 4:
''Parent page: [[CC-Cloud]]''
''Parent page: [[CC-Cloud]]''


There are two main ways that an FTP server can be configured, anonymous access, or authenticated access. In both case there are better alternatives. If you require anonymous FTP you really should only allow read access to the files, otherwise anyone could upload malicious files to your server which is a very big security vulnerability. A better alternative to anonymous FTP with read access is HTTP which can allow the public to download files from your server (see for example [[Creating a Webserver on CC-Cloud]]). If on the other hand you wish to have authenticated FTP, a much better option is to use SFTP (see [[Transferring files#From your personal computer]]), which uses the SSH protocol and can easily work with [[Ssh keys|ssh key]] authentication and is already configured to work on Linux VMs. There is also an encrypted version of FTP, FTPS (different from SFTP) which uses [[Configuring Apache to use SSL | SSL certificates]] for encryption rather than ssh keys.  Another issue with using authenticated FTP on Compute Canada cloud is that in most cases the FTP daemon maps authentication credentials to system accounts. This requires the associated system account to have a password which is against the cloud Acceptable Usage Policy which states that users may only access VMs with key-pair authentication. If there is still a good reason to use FTP over one of the alternatives given above see the linked to guides below on how to setup FTP on a VM. One issue to keep in mind is the ports that FTP uses, FTP uses port 21 to initiate file transfer requests, but the actual transfer can take place on a randomly chosen port above port 1025, though the details of this can vary depending on the mode with which FTP operates in. This means that to allow FTP access on your VM you must open port 21 and very likely also ports 1025 and above (see [[OpenStack#Security Groups]] for information about opening these ports into your VM). This large range of open ports is part of the reason other protocols are preferred to FTP.
There are two main ways that an FTP server can be configured, anonymous access, or authenticated access. In both case there are better alternatives. If you require anonymous FTP you really should only allow read access to the files, otherwise anyone could upload malicious files to your server which is a very big security vulnerability. A better alternative to anonymous FTP with read access is HTTP which can allow the public to download files from your server (see for example [[Creating a Webserver on CC-Cloud]]). If on the other hand you wish to have authenticated FTP, a much better option is to use SFTP (see [[Transferring files#From your personal computer]]), which uses the SSH protocol and can easily work with [[Ssh keys|ssh key]] authentication and is already configured to work on Linux VMs. There is also an encrypted version of FTP, FTPS (different from SFTP) which uses [[Configuring Apache to use SSL | SSL certificates]] for encryption rather than ssh keys.  Another issue with using authenticated FTP on Compute Canada cloud is that in most cases the FTP daemon maps authentication credentials to system accounts. This requires the associated system account to have a password which is against the cloud Acceptable Usage Policy which states that users may only access VMs with key-pair authentication. If there is still a good reason to use FTP over one of the alternatives given above see the linked to guides below on how to setup FTP on a VM.
 
This [https://help.ubuntu.com/lts/serverguide/ftp-server.html guide] describes how to setup an FTP server in Ubuntu.
 


=Better alternatives to FTP=
If you have the freedom to choose an alternative to FTP consider the follow options if you need:
If you have the freedom to choose an alternative to FTP consider the follow options if you need:


Line 14: Line 12:
:; Read Only: Use HTTP, see [[Creating a Webserver on CC-Cloud]]
:; Read Only: Use HTTP, see [[Creating a Webserver on CC-Cloud]]
:; Read/write: Providing anonymous write access to your server is a very bad idea. Anyone could upload a file, with the potential for it to be a malicious script or executable.
:; Read/write: Providing anonymous write access to your server is a very bad idea. Anyone could upload a file, with the potential for it to be a malicious script or executable.
; Authenticated FTP: If you are authenticating FTP users, a better and easier alternative is [[SFTP]].<br/>Another alternative is [https://en.wikipedia.org/wiki/FTPS FTPS], which is an extension of FTP which uses [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] to encrypt data sent and received. When authenticating users via passwords the transmitted data should be encrypted or else there is a possibility that an eavesdropper could discover the password. In addition it is generally a bad idea to allow password logins on your VM as there are many automated brute-force password attempts made on any machine connected to the internet. Instead use ssh-key authentication (see [Ssh keys]). [[SFTP]] can be configured to use ssh-key authentication (if form windows see [Connecting with MobaXTerm], if connecting from Linux see .
; Authenticated FTP: If you are authenticating FTP users, a better and easier alternative is [[SFTP]].<br/>Another alternative is [https://en.wikipedia.org/wiki/FTPS FTPS], which is an extension of FTP which uses [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] to encrypt data sent and received. When authenticating users via passwords the transmitted data should be encrypted or else there is a possibility that an eavesdropper could discover the password. In addition it is generally a bad idea to allow password logins on your VM as there are often many automated brute-force password attempts made on any machine connected to the internet. Instead use ssh-key authentication (see [SSH Keys]). [[SFTP]] can be configured to use ssh-key authentication.


=Setting up FTP=
If you do not have freedom to choose an alternative see one of the below guides which best matches your operating system
*[https://help.ubuntu.com/lts/serverguide/ftp-server.html Ubuntu guide]
*[https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-centos-6--2 CentOS 6 guide]
The ports that FTP uses must be open on your VM (see [[OpenStack#Security Groups]] for information about opening these ports into your VM). FTP uses port 21 to initiate file transfer requests, but the actual transfer can take place on a randomly chosen port above port 1025, though the details of this can vary depending on the mode with which FTP operates in, for example Port 20 can also be involved (see this [http://www.techrepublic.com/article/how-ftp-port-requests-challenge-firewall-security/5031026/ article] for more details on ports used by FTP). This means that to allow FTP access on your VM you must open port 21 and very likely also ports 1025 and above. This large range of open ports is part of the reason other protocols are preferred to FTP.


[[Category:CC-Cloud]]
[[Category:CC-Cloud]]
</translate>
</translate>

Revision as of 21:10, 21 December 2016


This article is a draft

This is not a complete article: This is a draft, a work in progress that is intended to be published into an article, which may or may not be ready for inclusion in the main wiki. It should not necessarily be considered factual or authoritative.



Other languages:

Parent page: CC-Cloud

There are two main ways that an FTP server can be configured, anonymous access, or authenticated access. In both case there are better alternatives. If you require anonymous FTP you really should only allow read access to the files, otherwise anyone could upload malicious files to your server which is a very big security vulnerability. A better alternative to anonymous FTP with read access is HTTP which can allow the public to download files from your server (see for example Creating a Webserver on CC-Cloud). If on the other hand you wish to have authenticated FTP, a much better option is to use SFTP (see Transferring files#From your personal computer), which uses the SSH protocol and can easily work with ssh key authentication and is already configured to work on Linux VMs. There is also an encrypted version of FTP, FTPS (different from SFTP) which uses SSL certificates for encryption rather than ssh keys. Another issue with using authenticated FTP on Compute Canada cloud is that in most cases the FTP daemon maps authentication credentials to system accounts. This requires the associated system account to have a password which is against the cloud Acceptable Usage Policy which states that users may only access VMs with key-pair authentication. If there is still a good reason to use FTP over one of the alternatives given above see the linked to guides below on how to setup FTP on a VM.

Better alternatives to FTP[edit]

If you have the freedom to choose an alternative to FTP consider the follow options if you need:

Anonymous FTP
Read Only
Use HTTP, see Creating a Webserver on CC-Cloud
Read/write
Providing anonymous write access to your server is a very bad idea. Anyone could upload a file, with the potential for it to be a malicious script or executable.
Authenticated FTP
If you are authenticating FTP users, a better and easier alternative is SFTP.
Another alternative is FTPS, which is an extension of FTP which uses TLS to encrypt data sent and received. When authenticating users via passwords the transmitted data should be encrypted or else there is a possibility that an eavesdropper could discover the password. In addition it is generally a bad idea to allow password logins on your VM as there are often many automated brute-force password attempts made on any machine connected to the internet. Instead use ssh-key authentication (see [SSH Keys]). SFTP can be configured to use ssh-key authentication.

Setting up FTP[edit]

If you do not have freedom to choose an alternative see one of the below guides which best matches your operating system

The ports that FTP uses must be open on your VM (see OpenStack#Security Groups for information about opening these ports into your VM). FTP uses port 21 to initiate file transfer requests, but the actual transfer can take place on a randomly chosen port above port 1025, though the details of this can vary depending on the mode with which FTP operates in, for example Port 20 can also be involved (see this article for more details on ports used by FTP). This means that to allow FTP access on your VM you must open port 21 and very likely also ports 1025 and above. This large range of open ports is part of the reason other protocols are preferred to FTP.