Hello, I'm new to servers and the like - I've been using SFTP for my file transfers from my server, but it's been getting too slow for my taste, and the data doesn't need to be encrypted.
1. Hence, I want to change to flat FTP, but am concerned about opening the port to the Internet - What is the best practice for running an FTP server and protecting the open FTP port? I've read several solutions online which don't seem to be that effective, such as 'port-knocking.' Given that FTP file servers are so common, I have to imagine there are more robust security protocols?
2. Somewhat unrelated - I also use a VPN, which, similarly, while faster than SFTP, is too slow for me. I've been a bit confused as to the differences in encryption technique between SFTP and VPN (I understand the latter is a tunneled connection, but I don't understand where the encryption layer is).
The problem w/ not using encryption w/ FTP is that your username/password is passed in the clear too. So presumably you'd still want/need that protected. And once you do that, you're back into encryption mode again. IOW, it's all or nothing.
Yes, leaving ports open does pose somewhat of a risk. While it’s not a complete solution, a little “security through obscurity” wouldn’t hurt; change your external port to something else, something that would require a search (e.g., 34990). Most hackers are only going to check the well-known ports and move on. Many ISPs block many of the well-known ports too.
Personally, I only use port forwarding on very rare occasions, basically when I have no other choice. What I will do is use a VPN so that I’m always local to my home network. This also solves any potential firewall issues, which are all too common w/ FTP. I’ll use either a PPTP VPN (although OpenVPN would be better), or LogMeIn Hamachi (very powerful product, and easy to use). In the case of Hamachi, you don’t need to open ports because it’s service-based and opens ports from behind your router.
Secure protocols like SFTP differ from a VPN in that the SFTP protocol encrypts the data portion (i.e., payload) of its packets. A VPN is similar in that it too encrypts its data portion of the packets, only in that case the data is your protocol, headers and all! So in theory you could send SFTP over a VPN resulting in double encryption (wouldn’t make sense, but you could do it). A VPN is more of a multi-purpose encryption tool, and is particularly useful for those things that would otherwise have no protection (HTTP, FTP, SMB, telnet, etc.), whereas protocols like SFTP, HTTPS, SCP, etc., take responsibility for their own encryption. Notice too, because the VPN hides the entire protocol of its payload (header and all), it hides what you’re doing. It becomes impossible, for example, for the ISP to block access to protocols they might consider dangerous, an annoyance, sources of malware or illegal activities, etc.
There’s also SSH tunneling. It has many of the characteristics of a VPN. I find it can be a bit of hassle because it’s applications based and requires a proxy. And your application has to support being proxied. That alone limits its usefulness. But I do still use it from time to time.
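To make the "all or nothing" point above concrete, here is an added example (not part of the thread, and not the poster's code) that reads a constructed transcript of a plain-FTP control channel, the way a monitoring tool on the path would see it, and reports that a username and password went over the wire in the clear (the password value is redacted, only its presence and length are recorded). It also decodes the 227 passive-mode reply, which shows the second, dynamically chosen data port that causes the firewall trouble mentioned earlier. The capture text, the reply wording and the host address are all made up for the illustration.

```python
"""Flag cleartext FTP authentication in a captured control-channel transcript.

Added illustration, not code from the original thread. SAMPLE_CAPTURE is a
constructed example of what an on-path observer sees when plain FTP is used.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript. "C:" = client -> server, "S:" = server -> client.
SAMPLE_CAPTURE = """\
S: 220 FTP server ready.
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80).
C: RETR report.pdf
S: 150 Opening BINARY mode data connection for report.pdf.
S: 226 Transfer complete.
"""

# FTP reply codes used below (RFC 959).
REPLY_LOGGED_IN = "230"
REPLY_PASSIVE = "227"


def parse_capture(text: str) -> List[Tuple[str, str]]:
    """Split the transcript into (direction, line) pairs, skipping blank lines."""
    pairs = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or ":" not in raw:
            continue
        direction, _, payload = raw.partition(":")
        pairs.append((direction.strip(), payload.strip()))
    return pairs


def parse_passive_endpoint(reply: str) -> Optional[Tuple[str, int]]:
    """Decode a 227 reply '(h1,h2,h3,h4,p1,p2)' into (host, port); port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def find_cleartext_logins(text: str) -> List[Dict]:
    """Return one record per USER command: who logged in, whether a password
    crossed the wire, whether the server accepted it, which data endpoints were
    announced, and which files were requested. Password values are never stored."""
    findings: List[Dict] = []
    current: Optional[Dict] = None
    for direction, line in parse_capture(text):
        verb, _, arg = line.partition(" ")
        if direction == "C":
            cmd = verb.upper()
            if cmd == "USER":
                current = {"user": arg, "password_seen": False, "password_length": 0,
                           "authenticated": False, "data_endpoints": [], "files": []}
                findings.append(current)
            elif cmd == "PASS" and current is not None:
                current["password_seen"] = True          # redacted: only the fact is kept
                current["password_length"] = len(arg)
            elif cmd in ("RETR", "STOR") and current is not None:
                current["files"].append((cmd, arg))
        elif current is not None:
            if verb == REPLY_LOGGED_IN:
                current["authenticated"] = True
            elif verb == REPLY_PASSIVE:
                endpoint = parse_passive_endpoint(line)
                if endpoint:
                    current["data_endpoints"].append(endpoint)
    return findings


def summarize(findings: List[Dict]) -> str:
    """Human-readable report for the stand-alone run."""
    lines = []
    for f in findings:
        status = "accepted" if f["authenticated"] else "not accepted"
        lines.append(f"user '{f['user']}': password sent in clear "
                     f"({f['password_length']} chars), login {status}")
        for host, port in f["data_endpoints"]:
            lines.append(f"  data connection announced on {host}:{port}")
        for cmd, name in f["files"]:
            lines.append(f"  {cmd} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(find_cleartext_logins(SAMPLE_CAPTURE)))
```

The same parser fed an SFTP session would find nothing, because after the SSH handshake every byte on the wire is ciphertext; that is the practical difference the reply above describes, and why moving to plain FTP means the login itself is exposed, not just the file contents.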
1. What I am wondering though still is: how do web FTP servers work? If a website allows a download - isn't that transmitted via FTP? If so... how are such file servers protected?
2. This may stray from the original question - but I already have Hamachi set up as a VPN - I share a folder on the VPN with files in it so I can access them from various remote machines.
Is there functionality that I could use with VPN beyond this? I use WinSCP to access files, and UltraVNC to do remote desktop... I have a feeling I've fragmented the functions across different programs here...
FTP is FTP. No matter who's providing the service, it's the same commands, using the same internet, pumping the same unencrypted data over the internet. So it only makes sense that FTP servers be used for non-sensitive data. I’m sure in some cases FTP providers will provide a secure option (SFTP, a VPN, etc.), perhaps at additional cost (e.g., web hosting site).
As I said, VPNs are more of a generic tool, and as such could be used in numerous ways to solve different problems. In contrast, secure protocols like SFTP or WinSCP are providing protection on a per app/protocol basis. One of the beauties of Hamachi is that you can run just about any protocol over it, including all unsecured protocols (http, ftp, vnc (free version is not encrypted), smb, etc.). So you can just go about your business as if you were behind the safety of your local firewall.
Here’s an example of how having Hamachi in your bag of tricks opens the door to other useful purposes.
Can all this become “fragmented” to some degree over time? Sure, because most of the time there are several ways to solve the same problem, and some are better than others depending upon circumstances. You just have to experiment a bit and learn for yourself what the differences are. Frankly, it’s good to have several options available, just in case one is not working, blocked by the ISP, down for maintenance, etc.