Ticket #2600 (new security issue)
Opened 2 years ago
Enforce SSL for FTP
|Reported by:|BenBE|Owned by:||
|Component:|Config Files|Version:|ispCP ω 1.0.7|
Since plain FTP is an unencrypted protocol, ispCP should aim to enforce a minimum set of security over such protocols. A quite easy way with proFTPd is to reject any logins which are made without active encryption via TLS.
While this change to the configuration of proFTPd is only a few lines, it's not much work for ispCP and the GUI tools either:
- in ispCP you have to change ftp_connect to ftp_ssl_connect in the directory selection code
- in the File Manager you have to switch $connect_func (gui/tools/filemanager/includes/filesystem.inc.php around line 60 and in the function below) from ftp_connect to ftp_ssl_connect
With only those two minor changes you win a great deal of security as this reduces the risk of MITM attacks on the FTP connection.
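
One way to check the proFTPd side of this proposal, as an added example (not part of the ticket or of ispCP's code): a small Python audit that reports whether a proftpd.conf rejects cleartext logins through mod_tls. The two sample configurations and the certificate paths are constructed, and the file is treated as flat (per-VirtualHost overrides are not modelled).

```python
# Added example: audit proftpd.conf text for enforced FTP over TLS (mod_tls).
# Assumption: the config is treated as flat; the last occurrence of a
# directive wins and per-<VirtualHost> overrides are not modelled.

# TLSRequired values that force TLS before credentials / on data transfers.
CREDS_PROTECTED = {"on", "ctrl", "auth", "auth+data", "auth+!data"}
DATA_PROTECTED = {"on", "data", "auth+data"}

# Constructed sample configs; certificate paths are placeholders.
WEAK_CONF = """\
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
  TLSRSACertificateFile /etc/ssl/certs/ftp.example.crt
  TLSRSACertificateKeyFile /etc/ssl/private/ftp.example.key
</IfModule>
"""
HARDENED_CONF = WEAK_CONF.replace("TLSRequired off", "TLSRequired on")


def parse_directives(conf_text):
    """Return {directive_lowercase: value}, skipping comments and <Section> tags."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found


def audit_tls(conf_text):
    """Return a list of findings; an empty list means TLS is enforced."""
    d = parse_directives(conf_text)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":
        findings.append("TLSEngine is not on: mod_tls is inactive")
    required = d.get("tlsrequired", "off").lower()
    if required not in CREDS_PROTECTED:
        findings.append(f"TLSRequired {required}: logins accepted in cleartext")
    elif required not in DATA_PROTECTED:
        findings.append(f"TLSRequired {required}: data transfers may be cleartext")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(conf) or "OK: TLS enforced")
```

Once the server passes this check, any client still calling ftp_connect is refused at login, which is why the two GUI changes listed in the ticket have to ship together with the configuration change.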