Setting up an FTP to host art

[the_randomizer]

So, I joined an artwork site where the user can create a gallery. The problem is, after speaking to the admin (who has to add people manually) is that it's only done by setting up FTP server. I do in a program called FileZilla, well need to back up a bit. I followed this tutorial here https://revision3.com/oneoff/hak5gtae5/ and did so accordingly. But now, I admit that I'm wary, wary that some nut will you know, cause malicious files and or malware to be installed via the FTP, despite the fact that the admin of this site has to add users manually and not just anyone can have one. He set up the username and password, which I told the FTP program not to remember.

Should I be wary/paranoid about having the FTP I set up sync at set intervals? Are there things I can do to make sure I reduce the likelihood of being compromised?

 

[Foxi4]

No, you should not be paranoid. People use FTP all the time. Use the usual security measures you use and you should be fine. Worrying about FTP is a lot like worrying about HTML.

 

[the_randomizer]

No, you should not be paranoid. People use FTP all the time. Use the usual security measures you use and you should be fine. Worrying about FTP is a lot like worrying about HTML.

What are the usual settings that you'd recommend? And I'm kind of in a pickle. See, before I used FileZilla (as per the admin's suggestion) I used the tools in Windows 7 to set one up, and it's already synced once so far, however, I can use FileZilla as well, and it shows the FTP I made prior to installing it (if that makes any sense). With FileZilla, it prompts me for a password each time and I set it so it doesn't remember it. Anyways, what I want to know is, now that the network drive (as Win 7 calls it), is already in place. What do I do to make that more secure?

Again, I installed the network drive via the FTP wizard in Win 7, but afterwords installed FileZilla, which sees the network drive. Navigating to the drive in explorer does not prompt a password but FileZilla does.

 

[Foxi4]

My experience with FTP'ing stuff is rather limited, in the sense that I mostly use it to transfer files within my local network, not across the world wide web. I think that if you're using a good password and you're behind a ye olde Firewall (which opens the FTP port only when you want to communicate through it), you should be fine.

 

[the_randomizer]

My experience with FTP'ing stuff is rather limited, in the sense that I mostly use it to transfer files within my local network, not across the world wide web. I think that if you're using a good password and you're behind a ye olde Firewall (which opens the FTP port only when you want to communicate through it), you should be fine.

I don't know about how the firewall is handling the FTP, how could I find out? The port, I don't know what port it uses, FileZilla left it blank in the entry in the settings. Hell, I don't even know how to configure the firewall in Windows 7 to further protect me when I do use the FTP. Some assistance with configuring the firewall for the FTP would be most welcome. I have the firewall that comes with the OS, but nothing fancy, I just want to make sure I do it right.

 

[Foxi4]

I don't know about how the firewall is handling the FTP, how could I find out? The port, I don't know what port it uses, FileZilla left it blank in the entry in the settings. Hell, I don't even know how to configure the firewall in Windows 7 to further protect me when I do use the FTP. Some assistance with configuring the firewall for the FTP would be most welcome. I have the firewall that comes with the OS, but nothing fancy, I just want to make sure I do it right.

You're probably using SFTP (Secure FTP), so the default port for that is 22. As for hints on making that more secure, I'm not your man, sorry.

 

[the_randomizer]

You're probably using SFTP (Secure FTP), so the default port for that is 22. As for hints on making that more secure, I'm not your man, sorry.

Damn, well, either way, I don't see any settings for that, or know for sure if it is port 22..... Now I'm really unsure.

 

[FireEmblemGuy]

A) If you didn't put a port into Filezilla and it connected anyways, then either it's the default port (21 for FTP, 22 for SFTP) or it was appended to the address of the server (for example, sftp://myftp.net:5017 or sftp://192.168.0.1:5017, where the port is the number after the colon; ftp:// in place of sftp:// if it's not a Secure FTP server). Either way, if you don't feel the password the admin gave you is secure, ask them to change it to something you feel is more secure if there's not a tool to change it yourself. Giving the admin a specific password to use means opening up anything that uses that password to abuse by the admin, though - if you can't change it yourself, don't ask the admin to change it to something you're uncomfortable giving out to other people.

B) In a lot of ways, an FTP server login is pretty much the same as any other website login - unless the site is hacked, you're likely safe if the password's not saved locally (and if the bad guy gets access because you saved it locally, then you've probably already got much bigger security issues anyways). Even then, unless you're syncing by default, you'll probably notice most malicious files on the remote server before you choose to download them.

 

[the_randomizer]

A) If you didn't put a port into Filezilla and it connected anyways, then either it's the default port (21 for FTP, 22 for SFTP) or it was appended to the address of the server (for example, sftp://myftp.net:5017 or sftp://192.168.0.1:5017, where the port is the number after the colon; ftp:// in place of sftp:// if it's not a Secure FTP server). Either way, if you don't feel the password the admin gave you is secure, ask them to change it to something you feel is more secure if there's not a tool to change it yourself. Giving the admin a specific password to use means opening up anything that uses that password to abuse by the admin, though - if you can't change it yourself, don't ask the admin to change it to something you're uncomfortable giving out to other people.

B) In a lot of ways, an FTP server login is pretty much the same as any other website login - unless the site is hacked, you're likely safe if the password's not saved locally (and if the bad guy gets access because you saved it locally, then you've probably already got much bigger security issues anyways). Even then, unless you're syncing by default, you'll probably notice most malicious files on the remote server before you choose to download them.

The sever has a script to sync every few hours or so, I don't get to choose when to do that, and I trust the admin, so that won't be an issue AFAIK. But again, I can't change how often it syncs, I just get a little worried is all. I don't know what port it uses on my end, and FileZilla only connects if I know the password. But normally, I can access the FTP folder in Explorer, but there is no settings or way for Windows 7 to change those AFAIK.

It only connects if I enter a password, FileZilla won't connect when I open it, I have to hit "reconnect" and enter the credentials.


To sum up:


Created FTP folder using art site's FTP URL, make folder in Windows 7 using its already available tools, but after I made that network drive (as the OS calls it), the admin suggested FileZilla. I do so, using the FTP and it shows the director/FTP folder I made earlier. Now, what I need to find out is, I can make accessing the folder in FileZilla secure, but, given the fact I can use Windows Explorer to access it directly, without FileZilla, can I change the settings in the OS itself to prompt a password every time?

 

[FireEmblemGuy]

When you were setting it up in Windows, there should've been a box to check about remembering the password. If you selected it, I don't know how to make it forget the password, short of removing it from your network drives and re-adding it.

 

[the_randomizer]

When you were setting it up in Windows, there should've been a box to check about remembering the password. If you selected it, I don't know how to make it forget the password, short of removing it from your network drives and re-adding it.

Damn, I must have done that. What will this do to that art already synced to the site's server? I suppose I can just copy it over to the new drive and then delete the old one.

 

[FireEmblemGuy]

Unless I'm seriously misunderstanding the setup, the 'drive' in Windows Explorer is basically just a shortcut to the FTP server - it's the same as bookmarking GBATemp or Facebook in your browser. Deleting it from the network in Windows ought to just delete the link to the server, not the contents of the server itself.

 

[the_randomizer]

Unless I'm seriously misunderstanding the setup, the 'drive' in Windows Explorer is basically just a shortcut to the FTP server - it's the same as bookmarking GBATemp or Facebook in your browser. Deleting it from the network in Windows ought to just delete the link to the server, not the contents of the server itself.

No, it didn't, and I made sure to not save the password this time, and it seems to be prompting me with a password for the shortcut as well as in FileZilla, so, it looks like I'm headed in the right direction. Though, it doesn't prompt me for the password each time I go back and forth but possibly prompting me after X amount of minutes, (maybe 10 to 15). One thing is certain, I feel better about that. What can I do to further secure myself, using settings in the firewall?

 

[FireEmblemGuy]

On that front, I have no idea. I've never bothered setting one up, honestly. I'd think a firewall would let anything from a trusted connection through anyways, regardless of if it was viewed as malicious or not, and I'd like to think Windows would keep the port closed if there wasn't something on your side requesting to open it.

It might be worth noting that, from what I can tell, any FTP that you can connect to through Windows' networking tool isn't a Secure FTP server - I just tried adding my own SFTP server in the Windows 10 preview and it only recognized standard FTP. Still, under most circumstances that's more a a privacy issue than a security issue - unless you're worried about your ISP watching what you're uploading or downloading I can't see it mattering for the majority of people.

 

[the_randomizer]

On that front, I have no idea. I've never bothered setting one up, honestly. I'd think a firewall would let anything from a trusted connection through anyways, regardless of if it was viewed as malicious or not, and I'd like to think Windows would keep the port closed if there wasn't something on your side requesting to open it.

It might be worth noting that, from what I can tell, any FTP that you can connect to through Windows' networking tool isn't a Secure FTP server - I just tried adding my own SFTP server in the Windows 10 preview and it only recognized standard FTP. Still, under most circumstances that's more a a privacy issue than a security issue - unless you're worried about your ISP watching what you're uploading or downloading I can't see it mattering for the majority of people.

I don't think they monitor that crap at all, and I trust the admin with the password I gave him. But I have Windows 7's firewall and MSE for antivirus along with MalwareBytes so, for security, I should be fine. It seems to prompt the password after a set interval, that's good. Anyways, thanks for your guys' help

 

[jurassicplayer]

Rather trivial thing to note:

SFTP =/= SFTP =/= FTPS =/= FTP over SSH

SSH/Secure file transfer protocol = Using ssh to move files
Simple file transfer protocol = Definitely not what you want for security
File Transfer Protocol Secure = Uses TLS and SSL to magic your stuff into mumbo jumbo during transfer, but it's still FTP at heart
File Transfer Protocol over SSH = Shoves normal FTP through an SSH tunnel