Filezilla has FTP access even though Proftpd server is stopped

Webmin version: 1.973
Virtualmin version: 6.15
Usermin version: 1.823
OS: Ubuntu 20.04

I have a fresh installation with 2 virtual servers active. Proftpd is installed but currently stopped. However, I am still able to use Filezilla with the SFTP - SSH protocol and access files on the site. The chroot and file directory restrictions seem to be ignored.

How is it possible to have FTP service when Proftpd is stopped? Is there a 2nd FTP server that is also enabled by the initial Virtualmin installation?

You said it yourself: it’s SSH. Some FTP clients also speak SSH, and it is possible to interact with SSH in an FTP-like manner. If you don’t want a user to have SSH, you need to set their shell to something that can’t log in.

If you want chroot, you need to enable Jails (but jails are not really a security feature: filesystem permissions provide security, Jails are just an aesthetic thing).
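One way to audit which accounts still have a login shell, following the reply above (an added example, not from the thread; the sample passwd entries, the `min_uid` cutoff of 1000 and the list of non-login shells are assumptions to adjust for your system):

```python
# Added example: flag accounts whose login shell still allows an SSH login.
# The sample data below is constructed, not taken from a real server.

# Assumption: shells commonly used to deny logins on Debian/Ubuntu-style systems.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
example:x:1001:1001:Example owner:/home/example:/bin/bash
uploads:x:1002:1001::/home/example/homes/uploads:/bin/false
legacy:x:1003:1003::/home/legacy:
broken-line-without-enough-fields
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Yield (user, uid, home, shell) tuples from passwd(5)-format text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry: skip rather than guess
        user, _pw, uid, _gid, _gecos, home, shell = fields
        # passwd(5): an empty shell field means /bin/sh, which is a login shell.
        yield user, int(uid), home, shell or "/bin/sh"


def ssh_capable_accounts(text, min_uid=1000):
    """Return [(user, shell)] for root and regular accounts with a login shell.

    Any shell not in NON_LOGIN_SHELLS is reported, so unknown shells are
    flagged for review instead of being assumed safe.
    """
    return [
        (user, shell)
        for user, uid, _home, shell in parse_passwd(text)
        if (uid == 0 or uid >= min_uid) and shell not in NON_LOGIN_SHELLS
    ]


if __name__ == "__main__":
    with open("/etc/passwd", encoding="utf-8") as fh:
        for user, shell in ssh_capable_accounts(fh.read()):
            print(f"{user}: login shell {shell}")
```

This looks only at the login shell field; sshd_config restrictions are not evaluated.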

This makes sense.
I have enabled chroot in “Owner Limits”. Is there another setting or procedure to enable Jails?

Why are you running SSH on the default port anyway?

It doesn’t matter much what port ssh runs on. A determined attacker won’t be put off by using different ports, at which point the only security you have is the strength of your passwords (and the excellent security record of OpenSSH). Port knocking is probably an effective deterrent, but too complicated to ask less technical users to use (so is changing service ports, for that matter).

Not by itself, no. But if you also use CSF’s “Port Scan Tracking” feature on all the commonly-abused default ports (including those for other operating systems, like 3389 for Windows RDP), you at least stop the bots and script kiddies. (It may also be doable in fail2ban. I’m not familiar with fail2ban other than knowing that it exists.)

Agreed. But a lot of attackers (probably most) are dumb bots and random miscreants.

Another reason why CSF is a good tool. All you have to do is fill in the ports and protocols (in a GUI, mind you) to enable it. It’s configured, but not enabled, by default. There are reasons why @Ilia and I love CSF.

Maybe these and other SSH-hardening strategies (keys, authorized users, etc.) can be built into Virtualmin so they can be done from the GUI by less-sophisticated users. They’re really not all that hard to do from the terminal, but they carry the risk of users locking themselves and other authorized users out due to syntax errors and other dumb admin tricks.

Then again, if Virtualmin can modify those settings, then Virtualmin itself becomes a potential security risk. So maybe not.

EDIT: The other benefit to changing the service port is that it gives the SSH daemon a break. The failed logins reported by SSH are typically zero when it’s running on a non-standard port. They’ve all been swatted away by the firewall like so many flies.

Richard

Personally, I like changing default ports for SSH and other services (when possible), and blocking all attempts to perform port scanning, because it helps to keep the server logs much cleaner from “garbage” generated by the ridiculous number of attempts by bots trying to connect/authenticate. It is a waste of drive I/O.


Default fail2ban install does the job:

tsdo 'fail2ban-client status sshd'|grep "Total banned"
|- Total banned: 9168
|- Total banned: 1292
|- Total banned: 126
|- Total banned: 78
|- Total banned: 195
|- Total banned: 61
|- Total banned: 505
|- Total banned: 13810

Running on port 22, never bothered changing.

Yeah, I figured it could. I use CSF because I like it, out of habit, and because it populates some blocklists I maintain.

Richard

I don’t mean the system administrator of the server. I mean regular users: the web developers uploading content, the clients uploading images, etc. Sure, if you just run your servers for your own use and don’t have any less technical users, go nuts. Make it as hard to use as you like! :wink:
