Hmm … I used the word “secure” and now, “upon reflection”, I think it’s the wrong word.
Instead of thinking about it as … “is it secure”? Maybe we should think about it as … “has anybody broken the encryption yet?” Then … for the choices that aren’t “broken“ yet, maybe we think about those as … “harder to break?” Because, in time, sooner or later, everything becomes “insecure” or “broken”. Our job, managing and maintaining servers is … to stay in the “safe zone” where stuff isn’t “insecure yet”, Bill Sent from my iPhone > On Mar 18, 2022, at 10:38 AM, William Papolis <wpapo...@gmail.com> wrote: > > Remember … FTPS or SFTP, whatever u want to call it, is just SSH providing a > “secure tunnel” for your unencrypted FTP traffic. > > So … when trying to figure out “if SSH is secure” or any other encrypted > traffic like HTTPS or whatever, you need to look closely at the encryption > protocols you’re supporting. > > So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it secure, > right? > > For each of these, when you’re configuring it on your server, you need to > choose a “cipher” to support. Some are “more secure” than others. > > For context … TLSv1 was released in 1999 and deprecated in 2020 … so, NOT > SECURE! > > TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE! > > For TLSv1 and TLSv1.1, I would disable support for those protocols on my > server. Not even accept attempts to connect! > > TLSv1.2 was released in 2008 and I would ONLY use it with a few cipher suites > (like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other “secure suites” so, > YES, SECURE! > > TLSv1.3 … it’s the latest and I would still be “picky” on which cipher suite > I choose, (like ChaCha20-Poly1305) is kinda my current favorite. > > So why do we continue to support older TLS versions? Well, for > “compatibility”. We are always making a trade-off between “security” and > “compatibility”. > > If the level of “security” you choose, “blocks” many users from “getting > access”, then it’s “not really working”, is it? > > You need to make sure the client software that’s installed will work with the > server software decisions you’re making. > > I hope this helps. > > Bill > > Sent from my iPhone > >> On Mar 18, 2022, at 9:21 AM, Vieri Di Paola <vieridipa...@gmail.com> wrote: >> >> Is FTPS considered insecure? >> >> proftpd example: >> >> ServerName "MH FTP server" >> ServerType standalone >> DefaultServer on >> AccessGrantMsg "User %u has successfully logged into MH FTP server." >> RequireValidShell off >> UseReverseDNS off >> IdentLookups off >> Port 0 >> UseIPv6 off >> MaxInstances 30 >> <Global> >> Umask 022 >> PassivePorts 2990 3000 >> MultilineRFC2228 on >> ShowSymlinks off >> DefaultTransferMode binary >> MaxClients 30 "ERROR: reached maximum user limit (%m)." >> MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit >> (%m)." >> MaxLoginAttempts 3 >> DefaultRoot ~ >> AllowOverwrite on >> AllowOverride off >> AllowRetrieveRestart on >> AllowStoreRestart on >> DelayEngine on >> TLSEngine on >> TLSLog /var/log/proftpd_tls.log >> TLSProtocol TLSv1 TLSv1.1 TLSv1.2 >> TLSRequired on >> TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem >> TLSRSACertificateKeyFile >> /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem >> TLSVerifyClient off >> TLSOptions AllowClientRenegotiations NoSessionReuseRequired >> ClamAV on >> ClamServer 127.0.0.1 >> ClamPort 3310 >> <Limit SITE_CHMOD> >> DenyAll >> </Limit> >> Include /etc/proftpd/user_list >> </Global> >> <VirtualHost 10.1.2.1> >> ServerName "MHSC FTP server" >> Port 21 >> MasqueradeAddress mhsc.domain.org >> TransferLog /var/log/proftpd_xfer_mhsc.log >> </VirtualHost> >> <VirtualHost 10.1.3.1> >> ServerName "MHSI FTP server" >> Port 21 >> MasqueradeAddress mhsi.domain.org >> TransferLog /var/log/proftpd_xfer_mhsi.log >> </VirtualHost> >> User ftp >> Group ftp >> DebugLevel 0 >> SystemLog /var/log/proftpd.log >> WtmpLog off >> >> >> _______________________________________________ >> Shorewall-users mailing list >> Shorewall-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/shorewall-users _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
