Unsure FTP protocol

  • Hansoon
    Field Supervisor

    Site Contributor
    2,500+ Posts
    • Sep 2007
    • 3340

    #1

    Unsure FTP protocol

    Guys, it is well known that the FTP protocol is insecure since the data is not encrypted and can be peeped at, at any time. So one should wisely not have sensitive, or perhaps any, data sitting on an FTP server accessible from outside his in-house network. But would there be an IT risk in having an FTP server active only for the purpose of receiving scans with non-sensitive data from an MFP when that data is anyway later on transferred elsewhere? I mean, is only the fact that there is an FTP server actively listening in a network itself posing an IT risk? In other words, can the FTP protocol/server itself be a risk in opening a hole in the security of a network, giving access to other regions of that network?

    Hans
    " Sent from my Intel 80286 using MS-DOS 2.0 "
  • allan
    RTFM!!

    5,000+ Posts
    • Apr 2010
    • 5460

    #2
    Re: Unsure FTP protocol

    Hope someone can chip in on your question. Changing the port numbers and setting a password already helps a bit. There are ways to set up a gateway firewall that could help with security, like allowing only a very specific machine (PC) to access it from outside.

    It would be interesting to know whether the FTP server by itself, with no items in the directory it points to, could be a risk.
    Whatever


    • slimslob
      Retired

      Site Contributor
      25,000+ Posts
      • May 2013
      • 36271

      #3
      Re: Unsure FTP protocol

      It will open an unsecured backdoor into the local network through which a hacker can install bots that can obtain all passwords, etc.


      • allan
        RTFM!!

        5,000+ Posts
        • Apr 2010
        • 5460

        #4
        Re: Unsure FTP protocol

        Hans could you explain the workflow needed in this case?

        Is the FTP transfer from the MFP to the PC on the LAN then transferred over WAN or from the MFP over WAN?

        As far as I can gather, if the file has been received and the FTP service is configured to use a strong password, the transferred file is real hard to get to. But if the packets have been captured, that password is easy to get to. So if someone is actively trying to get to that metadata, like the password and file description, they can, and then download the file in question from that server. If the local network is properly secured the risk of that is reduced a lot, except if your hacker can gain access to the network physically or via wireless and so start sniffing around. If it's over WAN there are ways the hacker can direct the FTP traffic to themselves. Where the FTP server itself can be dangerous is if someone sends malware that you then somehow execute by mistake.

        If the router is set up with good security like IP filtering, MAC filtering and administrator access, then the local network would pose much less of a risk, but FTP was not designed with security in mind at all.
        Whatever


        • allan
          RTFM!!

          5,000+ Posts
          • Apr 2010
          • 5460

          #5
          Re: Unsure FTP protocol

          The answer could lie with FTP over SSL, or FTPS, involving setting up certificates all round, including on the MFP that supports it. Not my expertise. SFTP using SSH is one, FTPS the other; not sure if KM works with either.

          Why not the hated SMB in this case?
          Whatever


          • Hansoon
            Field Supervisor

            Site Contributor
            2,500+ Posts
            • Sep 2007
            • 3340

            #6
            Re: Unsure FTP protocol

            Allan, the reason for asking was that an IT guy from a customer was bragging loudly in the presence of the customer that the Scan>FTP I installed was a very irresponsible act from my side and I never EVER should have done that.

            In this case the MFP scans directly to a NAS, nothing else, and the data does not even stay in the NAS.

            He claimed that I should have known that and that I had put the customer's network at a very high risk...

            You can imagine how I felt after this.

            Hans
            " Sent from my Intel 80286 using MS-DOS 2.0 "


            • BillyCarpenter
              Field Supervisor

              Site Contributor
              VIP Subscriber
              10,000+ Posts
              • Aug 2020
              • 16129

              #7
              Re: Unsure FTP protocol

              FTP is considered an insecure protocol because it doesn't encrypt things like usernames and passwords.

              FTPS is a secure file transfer protocol that uses client certs: FTP over TLS (FTPS).
              Adversity temporarily visits a strong man but stays with the weak for a lifetime.


              • Gift
                Service Manager

                1,000+ Posts
                • Mar 2011
                • 2439

                #8
                Re: Unsure FTP protocol

                I think running a local FTP server for the purpose of scan-to-folder can't be a major security risk/breach. If someone is able to access it from the outside/WAN you'll probably have some more pressing issues to address.


                • rthonpm
                  Field Supervisor

                  2,500+ Posts
                  • Aug 2007
                  • 2857

                  #9
                  Re: Unsure FTP protocol

                  Originally posted by Gift
                  I think running a local FTP server for the purpose of scan-to-folder can't be a major security risk/breach. If someone is able to access it from the outside/WAN you'll probably have some more pressing issues to address.
                  It depends on the client. Almost all compliance standards now require as a minimum encryption in transit for data, if not encryption at rest as well. FTP is going to fail that requirement. Even for smaller customers, the risk is likely high because they likely are using consumer grade equipment which is likely out of support, or unmanaged.

                  If you're setting up an FTP server with no credentials (anonymous authentication) then you also have no control over who can access files sent to it. If configured with passwords, those are sent to the server in the clear so any traffic sniffer can pull them. Even if it's working as a middleman before the file is moved somewhere else, you have a period of time where the files are in the clear.

                  It's 2022: FTP is a protocol from a very different era. It should be considered as dead as SMB1 in any modern network. Its time has passed.

                  Sent from my Pixel 6 Pro using Tapatalk
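A defender-side check for the weaknesses rthonpm lists (passwords sent in the clear, anonymous logins, files transferred without TLS), written as an added example that is not part of the thread. It audits a constructed transcript of an FTP control channel, the kind of text a capture tool or the server's own session log would give you; the session text, user name and file name are all made up.

```python
import re
from dataclasses import dataclass

# Constructed sample: one FTP control-channel session (C: client, S: server).
SAMPLE_SESSION = """\
S: 220 FTP server ready
C: USER scanner
S: 331 Password required for scanner
C: PASS correct-horse-battery
S: 230 User logged in
C: STOR scan_0001.pdf
S: 226 Transfer complete
"""

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str

def audit_ftp_session(transcript: str) -> list:
    """Flag plaintext credentials, anonymous logins and transfers without
    data-channel protection; the password value itself is never recorded."""
    findings = []
    control_tls = False     # server accepted AUTH TLS (reply 234)
    data_protected = False  # server accepted PROT P (reply 200)
    last_cmd, user = None, None
    for line in transcript.splitlines():
        m = re.match(r"^(C|S):\s*(.*)$", line.strip())
        if not m:
            continue
        side, text = m.groups()
        if side == "S":  # server reply: only the TLS negotiation matters here
            code = text[:3]
            if last_cmd == ("AUTH", "TLS") and code == "234":
                control_tls = True
            elif last_cmd == ("PROT", "P") and code == "200":
                data_protected = True
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        last_cmd = (verb, arg.upper())
        if verb == "USER":
            user = arg
            if arg.lower() in ("anonymous", "ftp"):
                findings.append(Finding("high", "anonymous login: no control over who reads uploaded scans"))
        elif verb == "PASS" and not control_tls:
            findings.append(Finding("high", f"password for user '{user}' sent unencrypted"))
        elif verb in ("STOR", "RETR") and not data_protected:
            findings.append(Finding("medium", f"{verb} {arg} transferred without TLS (no PROT P)"))
    return findings
```

A session that negotiates AUTH TLS and PROT P before logging in and storing a file produces no findings, which is the configuration the FTPS suggestions in this thread describe.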


                  • Brianneoe
                    Trusted Tech

                    250+ Posts
                    • May 2015
                    • 318

                    #10
                    Re: Unsure FTP protocol

                    "He claimed that I should have known that and that I had put the customer's network at a very high risk...."

                    The IT guy was right, but he is also a jerk. Shake it off and get on with your day. Some IT guys need to build themselves up to justify their existence and their overpriced charges. Karma is a bitch.


                    • allan
                      RTFM!!

                      5,000+ Posts
                      • Apr 2010
                      • 5460

                      #11
                      Re: Unsure FTP protocol

                      Originally posted by Hansoon
                      Allan, the reason for asking was that an IT guy from a customer was bragging loudly in the presence of the customer that the Scan>FTP I installed was a very irresponsible act from my side and I never EVER should have done that.

                      In this case the MFP scans directly to a NAS, nothing else, and the data does not even stay in the NAS.

                      He claimed that I should have known that and that I had put the customer's network at a very high risk...

                      You can imagine how I felt after this.

                      Hans
                      Yeah, I can imagine. It's rough. You have integrity and then this ass-hole comes and does that. It hurts.
                      Go back and tell them that if this is a security risk, the network is not secure to begin with.

                      Originally posted by Gift
                      I think running a local FTP server for the purpose of scan-to-folder can't be a major security risk/breach. If someone is able to access it from the outside/WAN you'll probably have some more pressing issues to address.
                      Exactly my reasoning. If the security on your LAN is good and you have both a front-end firewall, a DMZ and a back-end firewall, then FTP in my opinion is just fine to use. If your threat is your staff, then there is not much you can do.

                      Originally posted by Brianneoe
                      "He claimed that I should have known that and that I had put the customer's network at a very high risk...."

                      The IT guy was right, but he is also a jerk. Shake it off and get on with your day. Some IT guys need to build themselves up to justify their existence and their overpriced charges. Karma is a bitch.
                      Yeah, it will. His competence will come into question with an attitude like that.
                      Whatever


                      • Gift
                        Service Manager

                        1,000+ Posts
                        • Mar 2011
                        • 2439

                        #12
                        Re: Unsure FTP protocol

                        Originally posted by rthonpm
                        It depends on the client. Almost all compliance standards now require as a minimum encryption in transit for data, if not encryption at rest as well. FTP is going to fail that requirement. Even for smaller customers, the risk is likely high because they likely are using consumer grade equipment which is likely out of support, or unmanaged.

                        If you're setting up an FTP server with no credentials (anonymous authentication) then you also have no control over who can access files sent to it. If configured with passwords, those are sent to the server in the clear so any traffic sniffer can pull them. Even if it's working as a middleman before the file is moved somewhere else, you have a period of time where the files are in the clear.

                        It's 2022: FTP is a protocol from a very different era. It should be considered as dead as SMB1 in any modern network. Its time has passed.

                        Sent from my Pixel 6 Pro using Tapatalk

                        It's true that FTP is something from the past and generally I wouldn't set it up, of course. I also recommend replacing equipment that is heavily outdated.

                        On the other hand there are certain kinds of customers that stick to hardware and software as long as it "works". Typical signs: old computers with old OS, no IT support partner/admin, old MFPs (bought, not rented), sometimes even crappy furniture LOL... Fortunately our maintenance contracts state clearly that the customer (as being the operator) is in charge of installing and maintaining "his end" of the IT set-up on his own responsibility. We just offer "assistance" for the initial set-up, adding drivers to new computers and stuff like that, all of which has nothing to do with the maintenance contract.

                        If scan to FTP is the only way of keeping that kind of customer, I'd check if the maintenance contract is worth enough to talk about these kinds of "workarounds" and explain that this is what it is and of course not a method according to modern standards, like I explain that I'm not able to get all spare parts for his MFP. At the end of the day the responsibility for keeping up the IT security isn't mine as long as there isn't any agreement for maintaining the IT security.


                        • techsxge
                          Senior Tech

                          Site Contributor
                          500+ Posts
                          • Jan 2022
                          • 661

                          #13
                          Re: Unsure FTP protocol

                          My Solution for this "Problem":

                          Install a local FTP server. Then let that FTP server save whatever you need to a directory in a different subnet. From that subnet you can open an HTTPS server that allows you to securely transfer your data.

                          Or you transfer them via SSH and VPN.


                          • techsxge
                            Senior Tech

                            Site Contributor
                            500+ Posts
                            • Jan 2022
                            • 661

                            #14
                            Re: Unsure FTP protocol

                            Another idea I have is: why not just use email? Almost every MFP can send emails by now. It would open far fewer security holes in your system.


                            • Hansoon
                              Field Supervisor

                              Site Contributor
                              2,500+ Posts
                              • Sep 2007
                              • 3340

                              #15
                              Re: Unsure FTP protocol

                              Originally posted by techsxge
                              Another idea I have is: why not just use email? Almost every MFP can send emails by now. It would open far fewer security holes in your system.
                              Well, I don't know for my customers, but for me in my office this is too clunky. I have that nice "Quick 'n Easy FTP Server" running on my workstation with a dedicated folder for receiving scans, and I will be happy with it until I get hacked, and then perhaps reconsider.

                              Hans
                              " Sent from my Intel 80286 using MS-DOS 2.0 "
