FTP vs VPN

CaptainSTX

For most home users what are the advantages of running a local VPN server for inbound connections to access files vs. FTP?

Other than the data being transmitted being encrypted I don't see many assuming that you properly secure your FTP server.

VPN puts a heavy load on your router and slows down your connection.

While you can easily connect using PCs running an OpenVPN client, many mobile devices can't so you need to use PPTP which isn't that secure.

I use an FTP server to make all my personal photos available on line if I want to show them to someone using a phone, tablet, PC etc. They quickly download using even a slow connection and/or a slow device.

The files are all on USB thumb drives attached to a router double NATed behind my primary router.

Port 21 is only forwarded from my primary to secondary router during the hours 8 AM - 6 PM local time. The USB drives are connected to my N66U ASUS router.

I use a secure fifteen character password. The Tomato software is set to only allow three connection attempts every ninety seconds.

All files and folders are set to be read only. One of the thumb drives has a mechanical switch that makes the drive read only.

All the photos are backed up elsewhere and off line.

The FTP server is set to only allow a single connection at any one time.

In looking at the router's logs for the past several months I don't show a single attempt to hack into my FTP connected drives.

In summary I am able to quickly download files using readily available FTP clients on all types of devices. What's the downside other than the files are not encrypted? I would be concerned if I was downloading the formula for Coke or McDonald's secret sauce recipe but I use it to show photos and on occasion an article I have clipped.
 
it's not so much that the files aren't encrypted as that credentials are all transferred in the clear. it would be a simple matter to use something like wireshark while you were accessing the ftp server if you were on a public hotspot. there are people out there that apparently will leave a device near such a hotspot to sniff out cleartext credentials.

so basically, even though you may have a complex password, if somebody happens to be sniffing on a network between you and the server, they'll have your information.
 
Good point? I do however, when using my PCs or smartphones at public hot spots connect using a VPN client. Even when using VPN if you have to connect using PPTP your attack method could work as PPTP isn't very secure.
 
well, pptp is considerably more secure than using ftp by itself. people are really only beginning to learn to exploit the weaknesses of pptp, but it won't be long before people will just have to use premade software at the right location due to flaws with how it handles the initial exchange that's supposed to secure the transfer of credentials, and there's the weak cipher used; the same one used by WEP. the reason it took so much longer to break pptp is that the initial exchanges were significantly more secure than with WEP, iirc, but not secure enough.
 
At the remote end if you connect to an unknown gateway to the internet there will always be some risk.

What I am more concerned about is preventing access to my home LAN. And then even if someone gets access, limiting it only to the files on the USB, which for the most part are only photos taken from my travels. If all someone can do is look at my pictures of the Grand Canyon do I really care?

I am still not convinced that using FTP puts me at that much of a risk as long as it is set up correctly and you monitor it. If you see a problem you can change passwords or disable the FTP server. Connect from known safe APs or use a VPN client on a PC to avoid man in the middle attacks.
 
yea, i think ftp is fine when locked down appropriately. i'd do things like make sure to rename the administrative user to something non default, lock down anonymous access to prevent it from traversing up to parent directories, etc. i used to use an ftp server that only had an anonymous user and would use sftp to drop stuff in. also, you should make sure anonymous users aren't able to do things like create directories, etc. i remember one time i had like everything locked down except the ability to create directories and i opened it up to find like a million different folders lol. also make sure that the ftp server doesn't have the ability to execute programs, some can do that.

pretty much, with some common sense ftp can be made safe enough. plenty of businesses and such prefer to distribute files this way rather than via http due to less overhead or whatever.
 
Disable anonymous user login.

A year+ of running an FTP server.. some observations
several times a month, an automated process from one host out there will loop doing login attempts that all fail due to guessing the wrong username/password. I avoided having admin or root or any such user names. If it persists, I notice and put that IP address in the FTP server's banned list.

Most of my logins are for read-only; no uploads. Most legitimate logins are from M2M devices - no human in the loop.
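
The routine described in the post above (notice one host looping through failed logins, then ban its address), as an added example that is not part of the original thread. The log format, the sample lines and the 4-failures-in-90-seconds threshold are constructed assumptions, not any particular FTP server's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (documentation IP ranges).
SAMPLE_LOG = """\
2024-03-01 09:00:01 203.0.113.7 LOGIN FAIL user=admin
2024-03-01 09:00:03 203.0.113.7 LOGIN FAIL user=root
2024-03-01 09:00:05 198.51.100.20 LOGIN OK user=photoview
2024-03-01 09:00:06 203.0.113.7 LOGIN FAIL user=ftp
2024-03-01 09:00:09 203.0.113.7 LOGIN FAIL user=test
2024-03-01 09:05:00 198.51.100.20 LOGIN FAIL user=photoview
2024-03-01 11:30:00 192.0.2.44 LOGIN FAIL user=admin
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) LOGIN (OK|FAIL) user=(\S+)$")


def ban_candidates(log_text, threshold=4, window=timedelta(seconds=90)):
    """Return {ip: usernames tried} for hosts with at least `threshold`
    failed logins inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> every username that failed from it
    flagged = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue              # skip lines that are not login records
        stamp, ip, result, user = match.groups()
        if result != "FAIL":
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        tried[ip].add(user)
        failures = recent[ip]
        failures.append(when)
        # Drop failures that have aged out of the sliding window.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            flagged[ip] = sorted(tried[ip])
    return flagged


if __name__ == "__main__":
    for ip, users in ban_candidates(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: tried {', '.join(users)}")
```

A single mistyped password from a legitimate client stays below the threshold, so only the looping host is listed for the ban list.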
 
I only have a single named account with an eight character name.

Anonymous access is blocked as well as administrative account access. Tomato has a nice set of controls and security features.

The only wrinkle I have run into is some FTP client applications do not allow passwords longer than fifteen characters. I had been using a twenty one character sentence which I had to truncate to work with all clients. With a three tries every ninety seconds limitation on log in attempts a brute force attack just isn't going to be practical especially when my FTP server is only available for ten hours daily.

FTP is working fine for my application and if it is set up correctly I just don't see enough of a security risk to justify the complications and throughput drop to make VPN worthwhile.
 
yes, same for me.
I should add that I have the FTP server arranged to require passive-mode FTP sessions. That gets rid of a lot of eastern European crud.
 
i do have to admit, last time i ran a public ftp server was over a decade ago; the internet was a bit safer then. at least, i was able to get away with a restricted ftp anonymous account. y'all are definitely right in that you should at minimum only use a heavily restricted user for 'public' access.

i also would manually block the bruteforce attempts. 100% of the bruteforce attempts were against default admin account names lol. otherwise, they'd be running every available command to test anon access.
 
