Remember … FTPS or SFTP, whatever you want to call it, is just SSH providing a 
“secure tunnel” for your unencrypted FTP traffic.

So … when trying to figure out “if SSH is secure” or any other encrypted 
traffic like HTTPS or whatever, you need to look closely at the encryption 
protocols you’re supporting. 

So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it secure, 
right?

For each of these, when you’re configuring it on your server, you need to 
choose a “cipher” to support. Some are “more secure” than others.

For context … TLSv1 was released in 1999 and deprecated in 2020 … so, NOT 
SECURE!

TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE!

For TLSv1 and TLSv1.1, I would disable support for those protocols on my 
server. Not even accept attempts to connect!

TLSv1.2 was released in 2008 and I would ONLY use it with a few cipher suites 
(like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other “secure suites”) so, YES, 
SECURE!

TLSv1.3 … it’s the latest and I would still be “picky” on which cipher suite I 
choose (ChaCha20-Poly1305 is kinda my current favorite).

So why do we continue to support older TLS versions? Well, for “compatibility”. 
We are always making a trade-off between “security” and “compatibility”.

If the level of “security” you choose, “blocks” many users from “getting 
access”, then it’s “not really working”, is it?

You need to make sure the client software that’s installed will work with the 
server software decisions you’re making.

I hope this helps. 

Bill

Sent from my iPhone

> On Mar 18, 2022, at 9:21 AM, Vieri Di Paola <vieridipa...@gmail.com> wrote:
> 
> Is FTPS considered insecure?
> 
> proftpd example:
> 
> ServerName "MH FTP server"
> ServerType standalone
> DefaultServer on
> AccessGrantMsg "User %u has successfully logged into MH FTP server."
> RequireValidShell off
> UseReverseDNS off
> IdentLookups off
> Port 0
> UseIPv6 off
> MaxInstances 30
> <Global>
> Umask 022
> PassivePorts 2990 3000
> MultilineRFC2228 on
> ShowSymlinks off
> DefaultTransferMode binary
> MaxClients 30 "ERROR: reached maximum user limit (%m)."
> MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit (%m)."
> MaxLoginAttempts 3
> DefaultRoot ~
> AllowOverwrite on
> AllowOverride off
> AllowRetrieveRestart on
> AllowStoreRestart on
> DelayEngine on
> TLSEngine on
> TLSLog /var/log/proftpd_tls.log
> TLSProtocol TLSv1 TLSv1.1 TLSv1.2
> TLSRequired on
> TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
> TLSRSACertificateKeyFile /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
> TLSVerifyClient off
> TLSOptions AllowClientRenegotiations NoSessionReuseRequired
> ClamAV on
> ClamServer 127.0.0.1
> ClamPort 3310
> <Limit SITE_CHMOD>
>  DenyAll
> </Limit>
> Include /etc/proftpd/user_list
> </Global>
> <VirtualHost 10.1.2.1>
>  ServerName "MHSC FTP server"
>  Port 21
>  MasqueradeAddress mhsc.domain.org
>  TransferLog /var/log/proftpd_xfer_mhsc.log
> </VirtualHost>
> <VirtualHost 10.1.3.1>
>  ServerName "MHSI FTP server"
>  Port 21
>  MasqueradeAddress mhsi.domain.org
>  TransferLog /var/log/proftpd_xfer_mhsi.log
> </VirtualHost>
> User ftp
> Group ftp
> DebugLevel 0
> SystemLog /var/log/proftpd.log
> WtmpLog off
> 
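The practical question in this thread is whether a given `TLSProtocol` line (and the cipher choice that goes with it) is acceptable. As an added example, not part of the thread and not proftpd project code, the following Python script parses proftpd mod_tls directives offline and flags the two points raised above: deprecated protocol versions that should be refused entirely, and a cipher list that has not been pinned to AEAD suites. The `WEAK_CONFIG` sample is constructed to mirror the posted configuration; `HARDENED_CONFIG` is a hypothetical corrected version. `TLSCipherSuite` is a real mod_tls directive, but the particular OpenSSL cipher string used in the hardened sample is an assumption about what “secure suites” means here (ECDHE key exchange with AES-GCM or ChaCha20-Poly1305).

```python
"""Offline audit of the TLS directives in a proftpd mod_tls configuration.

Added example, not proftpd code.  It needs no running server: it parses
directive lines and reports findings about protocol versions and cipher
suite pinning.  Both sample configurations below are constructed.
"""

# Protocol versions the thread recommends refusing outright, and the set
# considered acceptable (TLSv1.2 only with restricted suites, or TLSv1.3).
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample mirroring the posted config's TLS lines.
WEAK_CONFIG = """\
TLSEngine on
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSRequired on
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
"""

# Hypothetical hardened variant: TLSv1.2/1.3 only and an explicit AEAD-only
# OpenSSL cipher string (assumed; adjust to your client population).  TLSv1.3
# suites are all AEAD by design, so the list mainly constrains TLSv1.2.
HARDENED_CONFIG = """\
TLSEngine on
TLSProtocol TLSv1.2 TLSv1.3
TLSRequired on
TLSCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
"""


def parse_directives(config_text):
    """Map directive name -> list of its arguments.

    Lines are `Name arg arg ...`; container tags such as <Global> and
    comments are skipped.  Arguments are split on whitespace, which is
    enough for the TLS directives this checker looks at.
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).extend(parts[1:])
    return directives


def is_aead(cipher_name):
    """Heuristic: AEAD suites carry GCM, CCM or CHACHA20 in their name."""
    upper = cipher_name.upper()
    return any(tag in upper for tag in ("GCM", "CCM", "CHACHA20"))


def audit_tls(config_text):
    """Return a list of (severity, message) findings for the TLS setup."""
    d = parse_directives(config_text)
    findings = []

    # mod_tls is off unless TLSEngine is explicitly on.
    if d.get("TLSEngine", ["off"])[0].lower() != "on":
        findings.append(("high", "TLSEngine is off: control and data channels are cleartext"))
        return findings

    protocols = set(d.get("TLSProtocol", []))
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(("high", f"TLSProtocol enables deprecated {proto}; remove it"))
    if "TLSProtocol" not in d:
        findings.append(("info", "TLSProtocol not set: the server default applies"))
    elif not protocols & ACCEPTABLE_PROTOCOLS:
        findings.append(("high", "no TLSv1.2 or TLSv1.3 enabled"))

    if "TLSCipherSuite" not in d:
        findings.append(("medium", "TLSCipherSuite not set: the default cipher list is accepted"))
    else:
        weak = [c for c in d["TLSCipherSuite"][0].split(":") if not is_aead(c)]
        if weak:
            findings.append(("medium", "TLSCipherSuite lists non-AEAD suites: " + ", ".join(weak)))

    if d.get("TLSRequired", ["off"])[0].lower() == "off":
        findings.append(("medium", "TLSRequired is off: clients may log in without TLS"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_tls(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run against the posted lines it reports the two deprecated versions and the unpinned cipher list; against the hardened variant it reports nothing. The `TLSRequired` check only looks for a plain `off`, since mod_tls also accepts per-channel values such as `ctrl` and `data` that need a policy decision rather than an automatic verdict.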


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users