SSH or IPSec for FTP Server

Anonymous
February 10, 2005 3:01:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin

How do I enable SSH or IPSec for an FTP server which is running on Windows 2000?
What are the procedures to follow if I need to secure the FTP authentication
over the network/Internet?

Regards
San


Anonymous
February 11, 2005 4:16:35 PM

There's no SSH in Windows, so IPsec would be your choice if you don't want
to add third-party SSH.


On the server, create an IPsec policy with this rule:

filter list: from any-ip:any-port to my-ip:21/tcp
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn


On the clients, create an IPsec policy with this rule:

filter list: from my-ip:any-port to server-ip:21/tcp
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn


This will protect the authentication, but it won't protect data transfer.
If you do want to protect data transfer, add this rule to the server:

filter list: from my-ip:20/tcp to any-ip:any-port
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn


And add this rule to the clients:

filter list: from server-ip:20/tcp to my-ip:any-port
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn


Note that this will encrypt only port mode file transfers. If the client
requests passive mode, the transfer will be cleartext (but the authentication
is still encrypted). Passive mode is difficult to encrypt; the server can
choose any random high port it wants to for the data transfer. That means
you'd need this additional filter list on the server:

filter list: from any-ip:any-port to my-ip:any-port (PASV mode)

But see what that does? It requires *any* connection from *anywhere* to use
IPsec!


Steve Riley
steriley@microsoft.com



> How do I enable SSH or IPSec for an FTP server which is running on
> Windows 2000? What are the procedures to follow if I need to secure
> the FTP authentication over the network/Internet?
>
> Regards
> San
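
The coverage described in the answer above can be checked with a small model. This is an added example, not part of the original post and not the Windows IPsec implementation; the addresses and client port numbers are constructed, and filters are assumed to be mirrored (they also match the reverse direction of a packet).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed documentation addresses, not taken from the thread.
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"

@dataclass(frozen=True)
class Filter:
    """One filter-list entry; None stands for any-ip / any-port."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def _one_way(self, pkt):
        want = (self.src_ip, self.src_port, self.dst_ip, self.dst_port)
        return all(w is None or w == g for w, g in zip(want, pkt))

    def matches(self, pkt):
        # Assumption: mirrored filter, so the reversed packet matches too.
        s_ip, s_port, d_ip, d_port = pkt
        return self._one_way(pkt) or self._one_way((d_ip, d_port, s_ip, s_port))

# Server-side filter lists as written in the answer.
CONTROL = Filter(None, None, SERVER, 21)           # any-ip:any-port -> my-ip:21/tcp
PORT_DATA = Filter(SERVER, 20, None, None)         # my-ip:20/tcp -> any-ip:any-port
PASV_CATCH_ALL = Filter(None, None, SERVER, None)  # any-ip:any-port -> my-ip:any-port

# Constructed sample traffic: first packet of each connection.
TRAFFIC = {
    "control": (CLIENT, 50000, SERVER, 21),
    "port-mode data": (SERVER, 20, CLIENT, 50001),  # server connects out from port 20
    "passive data": (CLIENT, 50002, SERVER, 49731), # server-chosen random high port
    "unrelated HTTP": (CLIENT, 50003, SERVER, 80),
}

def coverage(policy):
    """Map each sample connection to True if some filter makes it negotiate IPsec."""
    return {name: any(f.matches(pkt) for f in policy)
            for name, pkt in TRAFFIC.items()}

if __name__ == "__main__":
    for label, policy in (("control only", [CONTROL]),
                          ("control + port data", [CONTROL, PORT_DATA]),
                          ("with PASV catch-all", [CONTROL, PORT_DATA, PASV_CATCH_ALL])):
        print(f"{label}: {coverage(policy)}")
```

With the first two filter lists, the passive-mode data connection stays outside IPsec; adding the catch-all covers it only by also pulling in the unrelated HTTP connection.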