Rework Recommended Action for SFTP

[vpetersson]

We need to rework the recommend action for SFTP, as well as adding additional info.

Here's the existing Recommended Action:

Title: Consider moving to SFTP. Body: There appears to be an FTP server running on {devices}. FTP is generally considered insecure as the credentials are sent unencrypted over the internet. Consider switching to an encrypted service, such as SFTP.

Please rework this as per these instructions.

[Menmarin]

tl;dr version

---

We have detected an FTP server running on {devices}. FTP is an unsecure method of transferring files as unencrypted and on unsecure protocols. Consider switching to a more secure service such as SFTP. Other examples include FTPS, AS2 and HTTPS.

---

Gthub Version

---

FTP relies on clear-text usernames and passwords for authentication. The data transferred using this protocol is unencrypted. This means the data is vulnerable to sniffing, spoofing and brute force attacks. These are just some of the many vulnerabilities of FTP.

Alternatives to FTP that are more secure are:

• SFTP
  • Uses encryption during data transmission. This makes the data incredibly difficult/near impossible to decipher.
  • Uses Public key authentication. Impervious to brute force attacks and is a secure way of idenitfying users of the network.
  • Uses data integrity and authenticity checks. This verifies that the contents of the original file are unchanged and that they came from a legit source.
  • Host Authentication. This enables clients to verify whether or not the server they are connecting to is the one they intended.
• FTPS
• AS2
• HTTPS

We do recommend SFTP as that is the easiest to setup and has a decent level of security.

[vpetersson]

• This is missing the 'FAQ version'
• AS2 and HTTPS are not suitable replacements
• "FTP is an unsecure method of transferring files as unencrypted and on unsecure protocols." doesn't read well
• "[...] and brute force attacks" - being unencrypted has nothing to do with being brute force'able
• "Uses Public key authentication." -> It doesn't have to. It supports it.

[Menmarin]

tl;dr version

---

We have detected an FTP server running on {devices}. FTP is an unsecure method of transferring files as they are unencrypted and run on unsecure protocols. Consider switching to a more secure service such as SFTP or FTPS.

Gthub Version

---

FTP relies on clear-text usernames and passwords for authentication. The data transferred using this protocol is unencrypted and unsecure. This means the data is vulnerable to sniffing, spoofing and brute force attacks. These are just some of the many vulnerabilities of FTP.

Alternatives to FTP that are more secure are:

• SFTP
  • Uses encryption during data transmission. This makes the data incredibly difficult/near impossible to decipher.
  • Supports public key authentication. Impervious to brute force attacks and is a secure way of idenitfying users of the network.
  • Uses data integrity and authenticity checks. This verifies that the contents of the original file are unchanged and that they came from a legit source.
  • Host Authentication. This enables clients to verify whether or not the server they are connecting to is the one they intended.
  • Connecting to SFTP can be done either by user ID/password that are encrypted, or through the generation and supplying of SSH keys. The possibilty of using both to decrease risk of an attack is also there.
• FTPS
  • FTPS works similarly to SFTP, except it adds an extra layer of security through validation through certificates. When an individual tries to use FTPS to transfer data without the valid certificate, FTPS will deny access to the server.
  • This added layer is similar to a double edged sword, in that the organisation either needs to use a general certificate, or create their own.

We do recommend SFTP as that is the easiest to setup and has a decent level of security. Depending on the size of your organisation and resources it can offer, FTPS can be a formidable line of defense to protect your data.

I'm not sure if the github version here is the right amount of info for the FAQ version and you would like me to expand on that I have for a github version

[vpetersson]

• 'unsecure' -> 'insecure'
• "This verifies that the contents of the original file are unchanged and that they came from a legit source." - what do you mean by this? FTP verifies too. Source?
• "user ID" -> "username"
• "or through the generation and supplying of SSH keys." - how is this different than "Supports public key authentication"?
• "FTPS works similarly to SFTP, except it adds an extra layer of security through validation through certificates. When an individual tries to use FTPS to transfer data without the valid certificate, FTPS will deny access to the server." - this is incorrect. Certificates are used for encrypting the communication. Sure, you can use this for host validation too.

We do recommend SFTP as that is the easiest to setup and has a decent level of security. Depending on the size of your organisation and resources it can offer, FTPS can be a formidable line of defense to protect your data.

I would probably recommend SFTP instead, as it has a very solid security track record through as it's provided by OpenSSH.

I'm not sure if the github version here is the right amount of info for the FAQ version and you would like me to expand on that I have for a github version

Yeah, i think this length is reasonable. What it's missing is actionability. What are some SFTP/FTPS servers? Where can I learn more?

[vpetersson]

@fshmcallister Are you taking over this one?

[Menmarin]

tl;dr version

---

We have detected an FTP server running on {devices}. FTP is an insecure method of transferring files, as they are unencrypted and run on insecure protocols. Consider switching to a more secure service such as SFTP or FTPS.

Gthub Version

---

FTP relies on clear-text usernames and passwords for authentication. The data transferred using this protocol is unencrypted and insecure. This means the data is vulnerable to sniffing, spoofing and brute force attacks. These are just some of the many vulnerabilities of FTP.

Alternatives to FTP that are more secure are:

• SFTP
  • Uses encryption during data transmission. This makes the data incredibly difficult/near impossible to decipher.
  • Supports public key authentication. Impervious to brute force attacks and is a secure way of idenitfying users of the network.
  • Uses data integrity and authenticity checks. This verifies that the contents of the original file are unchanged and that they came from a legit source.
  • Host Authentication. This enables clients to verify whether or not the server they are connecting to is the one they intended.
• FTPS
  • FTPS uses certificates to encrypt communication (similar to public key authentication). Certain tools allow certificates to be requested and created.
  • When a trusted certificate authority signs these certificates, it acts as an ensurer that the client is being connected to a trusted and secure server. This can prevent a Man-in-the-Middle attack.
  • Learn more about FTPS here.

Here is a list of some of the best free ftps and sftp servers on the market as of now.

We do recommend SFTP as that is the easiest to setup and has a decent level of security. Depending on the size of your organisation and resources it can offer, FTPS can be a formidable line of defense to protect your data.

 

FAQ Version

---

[vpetersson]

@Menmarin

Here is a list of some of the best free ftps and sftp servers on the market as of now.

...except that the entire list is for Windows

[Menmarin]

There's a list there for linux FTPS and SFTP servers, would you like me to just reference them manually or link to tutorials on how to use them?

[vpetersson]

Let's just use two examples: proftpd and vsftpd. Both of those have been around for ages and are probably as good as an FTP(S) server gets.

[a-martynovich]

@fshmcallister ?

[Menmarin]

tl;dr version

---

We have detected an FTP server running on {devices}. FTP is an insecure method of transferring files, as they are unencrypted and run on insecure protocols. Consider switching to a more secure service such as SFTP or FTPS.

---

Gthub Version

---

FTP relies on clear-text usernames and passwords for authentication. The data transferred using this protocol is unencrypted and insecure. This means the data is vulnerable to sniffing, spoofing and brute force attacks. These are just some of the many vulnerabilities of FTP.

Alternatives to FTP that are more secure are:

• SFTP
  • Uses encryption during data transmission. This makes the data incredibly difficult/near impossible to decipher.
  • Supports public key authentication. Impervious to brute force attacks and is a secure way of idenitfying users of the network.
  • Uses data integrity and authenticity checks. This verifies that the contents of the original file are unchanged and that they came from a legit source.
  • Host Authentication. This enables clients to verify whether or not the server they are connecting to is the one they intended.
• FTPS
  • FTPS uses certificates to encrypt communication (similar to public key authentication). Certain tools allow certificates to be requested and created.
  • When a trusted certificate authority signs these certificates, it acts as an ensurer that the client is being connected to a trusted and secure server. This can prevent a Man-in-the-Middle attack.
  • Learn more about FTPS here.

We do recommend SFTP as that is the easiest to setup and has a decent level of security. Depending on the size of your organisation and resources it can offer, FTPS can be a formidable line of defense to protect your data.

Two of the tried and tested services that we recommend are:

• proftpd
• vsftpd

  ---

[a-martynovich]

@Menmarin this is in the wrong format. @fshmcallister please provide the right format.

[fshmcallister]

TITLE An FTP service has been detected

TL;DR We have detected an FTP service. FTP is an insecure method of transferring files, as they are unencrypted and run on insecure protocols. Consider switching to a more secure service such as SFTP or FTPS.

FAQ

FTP relies on clear-text usernames and passwords for authentication. The data transferred using this protocol is unencrypted and insecure. This means the data is vulnerable to sniffing. These are just some of the many vulnerabilities of FTP.

Alternatives to FTP that are more secure are:

SFTP

• Uses encryption during data transmission. This makes the data incredibly difficult/near impossible to decipher.
• Supports public key authentication. Impervious to brute force attacks and is a secure way of identifying users of the network.
• Uses data integrity and authenticity checks. This verifies that the contents of the original file are unchanged and that they came from a legit source.
• Host Authentication. This enables clients to verify whether or not the server they are connecting to is the one they intended.

FTPS

• FTPS uses certificates to encrypt communication (similar to public key authentication). Certain tools allow certificates to be requested and created.
• When a trusted certificate authority signs these certificates, it acts as an ensurer that the client is being connected to a trusted and secure server. This can prevent a Man-in-the-Middle attack.
• Learn more about FTPS [here](https://www.serv-u.com/solutions/what-is-file-transfer-protocol-secure).

We do recommend SFTP as that is the easiest to setup and has a decent level of security. Depending on the size of your organisation and resources it can offer, FTPS can be a formidable line of defense to protect your data.

Two of the tried and tested services that we recommend are:

* [proftpd](http://proftpd.org) * [vsftpd](https://help.ubuntu.com/community/vsftpd)

Code Snippet

To uninstall your FTP server, run the following command:

$ sudo apt-get purge ${FTP-PACKAGE}

[a-martynovich]

@vpetersson I don't know what you meant by ${FTP-PACKAGE} in your code snippet, but at the moment we don't detect which ftp services are installed, we only detect that port 21 is open, as we were told to. In order to do this we need to have a list of ftp services, and even then it will contradict the RA text: first we are recommending proftpd and vsftpd, then we are recommending to uninstall one them (because this is pretty much the choice you get on Ubuntu for example).

That is why I left ${FTP-PACKAGE} as is, without substitution. This is what's going to be displayed in the terminal block. Should I leave it or should I remove it all together?

[vpetersson]

@vpetersson I don't know what you meant by ${FTP-PACKAGE} in your code snippet, but at the moment we don't detect which ftp services are installed, we only detect that port 21 is open, as we were told to. In order to do this we need to have a list of ftp services, and even then it will contradict the RA text: first we are recommending proftpd and vsftpd, then we are recommending to uninstall one them (because this is pretty much the choice you get on Ubuntu for example).

That is why I left ${FTP-PACKAGE} as is, without substitution. This is what's going to be displayed in the terminal block. Should I leave it or should I remove it all together?

Good point. Yeah let's just remove the code snippet for this one.