Hmm … I used the word “secure” and now, “upon reflection”, I think it’s the 
wrong word.

Instead of thinking about it as … “is it secure”? Maybe we should think about 
it as … “has anybody broken the encryption yet?”

Then … for the choices that aren’t “broken” yet, maybe we think about those as 
… “harder to break?”

Because, in time, sooner or later, everything becomes “insecure” or “broken”. 
Our job, managing and maintaining servers, is … to stay in the “safe zone” 
where stuff isn’t “insecure yet”.

Bill

Sent from my iPhone

> On Mar 18, 2022, at 10:38 AM, William Papolis <wpapo...@gmail.com> wrote:
> 
> Remember … FTPS or SFTP, whatever you want to call it, is just SSH providing a 
> “secure tunnel” for your unencrypted FTP traffic.
> 
> So … when trying to figure out “if SSH is secure” or any other encrypted 
> traffic like HTTPS or whatever, you need to look closely at the encryption 
> protocols you’re supporting. 
> 
> So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it secure, 
> right?
> 
> For each of these, when you’re configuring it on your server, you need to 
> choose a “cipher” to support. Some are “more secure” than others.
> 
> For context … TLSv1 was released in 1999 and deprecated in 2020 … so, NOT 
> SECURE!
> 
> TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE!
> 
> For TLSv1 and TLSv1.1, I would disable support for those protocols on my 
> server. Not even accept attempts to connect!
> 
> TLSv1.2 was released in 2008 and I would ONLY use it with a few cipher suites 
> (like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other “secure suites”), so, 
> YES, SECURE!
> 
> TLSv1.3 … it’s the latest and I would still be “picky” about which cipher 
> suite I choose; ChaCha20-Poly1305 is kinda my current favorite.
> 
> So why do we continue to support older TLS versions? Well, for 
> “compatibility”. We are always making a trade-off between “security” and 
> “compatibility”.
> 
> If the level of “security” you choose, “blocks” many users from “getting 
> access”, then it’s “not really working”, is it?
> 
> You need to make sure the client software that’s installed will work with the 
> server software decisions you’re making.
> 
> I hope this helps. 
> 
> Bill
> 
> Sent from my iPhone
> 
>> On Mar 18, 2022, at 9:21 AM, Vieri Di Paola <vieridipa...@gmail.com> wrote:
>> 
>> Is FTPS considered insecure?
>> 
>> proftpd example:
>> 
>> ServerName "MH FTP server"
>> ServerType standalone
>> DefaultServer on
>> AccessGrantMsg "User %u has successfully logged into MH FTP server."
>> RequireValidShell off
>> UseReverseDNS off
>> IdentLookups off
>> Port 0
>> UseIPv6 off
>> MaxInstances 30
>> <Global>
>> Umask 022
>> PassivePorts 2990 3000
>> MultilineRFC2228 on
>> ShowSymlinks off
>> DefaultTransferMode binary
>> MaxClients 30 "ERROR: reached maximum user limit (%m)."
>> MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit (%m)."
>> MaxLoginAttempts 3
>> DefaultRoot ~
>> AllowOverwrite on
>> AllowOverride off
>> AllowRetrieveRestart on
>> AllowStoreRestart on
>> DelayEngine on
>> TLSEngine on
>> TLSLog /var/log/proftpd_tls.log
>> TLSProtocol TLSv1 TLSv1.1 TLSv1.2
>> TLSRequired on
>> TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
>> TLSRSACertificateKeyFile /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
>> TLSVerifyClient off
>> TLSOptions AllowClientRenegotiations NoSessionReuseRequired
>> ClamAV on
>> ClamServer 127.0.0.1
>> ClamPort 3310
>> <Limit SITE_CHMOD>
>> DenyAll
>> </Limit>
>> Include /etc/proftpd/user_list
>> </Global>
>> <VirtualHost 10.1.2.1>
>> ServerName "MHSC FTP server"
>> Port 21
>> MasqueradeAddress mhsc.domain.org
>> TransferLog /var/log/proftpd_xfer_mhsc.log
>> </VirtualHost>
>> <VirtualHost 10.1.3.1>
>> ServerName "MHSI FTP server"
>> Port 21
>> MasqueradeAddress mhsi.domain.org
>> TransferLog /var/log/proftpd_xfer_mhsi.log
>> </VirtualHost>
>> User ftp
>> Group ftp
>> DebugLevel 0
>> SystemLog /var/log/proftpd.log
>> WtmpLog off
>> 
>> 
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users


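The thread turns on two things in the posted proftpd config: the `TLSProtocol TLSv1 TLSv1.1 TLSv1.2` line, which still admits the two protocol versions deprecated in 2020 (RFC 8996), and `TLSOptions AllowClientRenegotiations NoSessionReuseRequired`, which switches off two mod_tls default protections. The script below is an added example, not code from this thread or from the proftpd project: it parses the TLS* directives, reports the weak settings, and emits a hardened version of those lines. SAMPLE_CONFIG is constructed from the directives Vieri posted (the rest of the file is omitted). The replacement values (TLSv1.2 plus TLSv1.3, and the ECDHE-only AEAD cipher string) are assumptions, and TLSv1.3 needs a proftpd built against OpenSSL 1.1.1 or newer.

```python
"""Audit and harden the mod_tls directives of a proftpd.conf.

Added example; not code from the thread or from the proftpd project.
SAMPLE_CONFIG is constructed from the TLS directives in the posted config;
the hardened values are assumptions (see the comments next to them).
"""

SAMPLE_CONFIG = """\
TLSEngine on
TLSLog /var/log/proftpd_tls.log
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSRequired on
TLSVerifyClient off
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
"""

# Versions deprecated by RFC 8996 (TLS 1.0 and 1.1) and RFC 7568 (SSLv3).
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# TLSOptions flags that switch off a mod_tls default protection.
RISKY_OPTIONS = {
    "AllowClientRenegotiations":
        "client-initiated renegotiation costs the server a handshake per "
        "request, which is a CPU-exhaustion vector",
    "NoSessionReuseRequired":
        "data connections no longer have to reuse the control connection's "
        "TLS session, so a third party can attach to an open passive port",
}

# Assumed replacements. TLSv1.3 needs proftpd built against OpenSSL 1.1.1 or
# newer; the cipher string keeps only ECDHE AEAD suites (OpenSSL keywords).
HARDENED_PROTOCOLS = ["TLSv1.2", "TLSv1.3"]
HARDENED_CIPHERSUITE = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def parse_tls_directives(text):
    """Map each TLS* directive to its argument list. A repeated directive
    keeps the last value, which is what proftpd does within one scope."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        name, *args = line.split()
        if name.startswith("TLS"):
            found[name] = args
    return found


def audit(text):
    """Return a list of findings; an empty list means nothing weak was seen."""
    d = parse_tls_directives(text)
    if (d.get("TLSEngine") or ["off"])[0].lower() != "on":
        return ["TLSEngine is off: FTP runs in cleartext"]
    findings = []
    if (d.get("TLSRequired") or ["off"])[0].lower() != "on":
        findings.append("TLSRequired is not on: logins without TLS are accepted")
    for proto in sorted(set(d.get("TLSProtocol", [])) & DEPRECATED_PROTOCOLS):
        findings.append(f"TLSProtocol enables deprecated {proto}")
    for opt in d.get("TLSOptions", []):
        if opt in RISKY_OPTIONS:
            findings.append(f"TLSOptions {opt}: {RISKY_OPTIONS[opt]}")
    if "TLSCipherSuite" not in d:
        findings.append("TLSCipherSuite unset: the OpenSSL default list applies")
    return findings


def harden(text):
    """Return the config with the deprecated protocols and risky options
    removed and a cipher suite pinned; every other line passes through."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        name = parts[0] if parts else ""
        if name == "TLSProtocol":
            out.append("TLSProtocol " + " ".join(HARDENED_PROTOCOLS))
        elif name == "TLSOptions":
            keep = [o for o in parts[1:] if o not in RISKY_OPTIONS]
            if keep:  # drop the line entirely if nothing safe remains
                out.append("TLSOptions " + " ".join(keep))
        else:
            out.append(raw)
    if "TLSCipherSuite" not in parse_tls_directives(text):
        out.append("TLSCipherSuite " + HARDENED_CIPHERSUITE)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
    print("\n# hardened directives\n" + harden(SAMPLE_CONFIG))
```

After changing the directives and reloading proftpd, confirm the result from outside rather than trusting the file: `openssl s_client -connect host:21 -starttls ftp -tls1_1` should now fail the handshake, while the same command with `-tls1_2` should succeed and show one of the ECDHE AEAD suites. This is the "has anybody broken it yet" check in practice: the versions that are broken are no longer offered at all, and the clients Bill mentions still need to be tested against what is left.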