2

Im able to connect to my managed Linux Ubuntu Server only through

FTP using explicit SSL (Auth TLS) with IP restriction

and

SFT over SSH without IP restriction

Question: which method is more secure to upload and download files?

Update:

Secure against what? Sniffing, spoofing, brute force attacks and other basic attack methods.

eva last
  • 23
  • 4
  • 1
    Welcome to the community. IP restriction in my opinion is not that great when you have Dynamic IPs on the client... If you in theory have a static IP, which you wouldn't even change if you get DDoSed then you should be fine. – Sir Muffington Nov 13 '22 at 15:54
  • Just to clarify, with `SFT over SSH` you mean SFTP, right? – Spyros Nov 13 '22 at 17:40
  • Why exactly this choice, i.e. why not apply IP restriction to SSH too? What about the authentication - password or keys? – Steffen Ullrich Nov 13 '22 at 17:42
  • Secure against *what*? Using what software? – vidarlo Nov 13 '22 at 18:22
  • @SirMuffington thx a lot. Yes i have a static IP. – eva last Nov 14 '22 at 04:30
  • @Spyros im not sure, as far as i know its called FTPS – eva last Nov 14 '22 at 04:30
  • @SteffenUllrich it is a managed server and i have no option for SSH with IP restriction only without – eva last Nov 14 '22 at 04:30
  • @vidarlo updated my question - see "sniffing, spoofing, brute force attacks and other basic attack methods" – eva last Nov 14 '22 at 04:30
  • @evalast: *"it is a managed server and i have no option for SSH with IP restriction only without"* - so the question is only about using the server, these services are enabled anyway (i.e. the attack surface is there no matter if you use the service)? And again, do you need to use passwords or do you have the choice of key based authentication? – Steffen Ullrich Nov 14 '22 at 05:34

1 Answers1

1

This question has beed discussed in stackexchange and online already (e.g. see this article) but I'll try to address your specific points.

As a clarification:

Assuming that you have the first and second options available, both are encrypted so sniffing does not have any significant effect (unless you can somehow find the decryption key, of course).

Spoofing is a quite broad subject, but I assume that you mean either server impersonation (where your computer is tricked into thinking that an attacker's computer is the legit FTPS/SFTP server) or a man-in-the-middle attack. In this case, it all depends on the setup; the FTPS clients and server should use valid CA certificates (that they can use to verify each other's keys); the SSH server should have its public key transfered to clients through a secure channel before any client connects to it. If you take all the security measures that are required for each type of server, then spoofing becomes very difficult to succeed.

Brute force attacks are dealt with differently, depending on the type of the server and the type of authentication you're using (password or key based). In general, key based authentication is immune against password brute force attacks (because it does not use passwords). Aside from that, if the server or system has some sort of protection against brute force attacks (e.g. account disabling after a number of failed attempts) then you can mitigate its impact (although, locking an account essentially transforms a brute force to a denial of service).

So, in general, with good security practices, both can be seen as equally secure. Having said that, I personally prefer SFTP, the OpenSSH implementation in particular, for the following reasons:

  • it has stood the test of time, security wise (also see here). This makes me feel comfortable using it
  • you can configure key based authentication which makes brute force attacks useless
  • it's easier to use with firewalls - FTP can be active or passive and requires two ports (one for control, one for data) which makes configuring a firewall a bit more complicated compared to SFTP
Spyros
  • 1,451
  • 1
  • 14
  • thx for the detailed answer. How does the restricted IP adress play into this? – eva last Nov 17 '22 at 09:29
  • 1
    @evalast by restricting the IPs that can connect to the server, you restrict where an attacker can attack from. This is beneficial against active attacks (i.e. brute force attacks in the context of your question) and will produce more value if it is used in combination with all the other recommended protection measures – Spyros Nov 17 '22 at 10:33