FTP backups or something more secure

We have been using ftp based backups, in addition to full VM backups in the datacenter, as our “offsite”, break glass, backup strategy. We are changing our ftp provider, and in doing some research it seems that some people are suggesting not using ftp, over concerns of security. The ftp backup would be from the datacenter instance running FreePBX to another datacenter hosting the ftp server, with firewall rules only allowing known IPs access to the ftp server receiving the backups. Is this secure enough, or do I need another backup technology?

It is true that ftp is not a secure option, mainly because there is no encryption between the client and server. Also, if the ftp site is secured with a username and password, those are also sent over the internet in plain text without encryption. This opens the door for a bad actor to steal your files or account credentials if they have access to the network between your servers and can spy on the traffic.

If it were me, I would prefer to use the SSH option to send my files over the internet. SSH adds a layer of encryption and can prevent bad actors from gaining access to your files or account information.

If you have an AWS account, S3 is another pretty secure option that relies on HTTPS encryption to transport your files, however, it’s unknown if anyone at Amazon would have access to your files.
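As an added illustration of the cleartext point in this answer (this is example code, not from the forum post or the FreePBX project): a passive audit over captured client-to-server traffic that reports any FTP control session whose USER/PASS exchange was readable on the wire, and counts sessions by transport so you can confirm a migration to SSH actually happened. The record format ("src:port -> dst:port payload") and the sample flows are constructed assumptions; a real deployment would feed it from a capture tool. The password value is deliberately never returned, only the fact that it was visible.

```python
import re
from dataclasses import dataclass

# One record per client->server segment: "src:port -> dst:port payload".
# Constructed for this example; a real pipeline would feed it from a capture tool.
FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (.*)$")

SAMPLE_FLOWS = [
    "203.0.113.10:51234 -> 198.51.100.7:21 USER backup",
    "203.0.113.10:51234 -> 198.51.100.7:21 PASS example-not-a-real-secret",
    "203.0.113.10:51234 -> 198.51.100.7:21 STOR pbx-backup-2024-01-12.tgz",
    "203.0.113.10:51300 -> 198.51.100.8:22 SSH-2.0-OpenSSH_9.6",
    "203.0.113.10:51300 -> 198.51.100.8:22 <opaque ciphertext after key exchange>",
]


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    user: str
    password_in_clear: bool


def audit_flows(records):
    """Return one Finding per FTP control session that sent USER in the clear.

    The password itself is never returned, only whether a PASS command was observed.
    """
    sessions = {}
    for rec in records:
        m = FLOW_RE.match(rec)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        if dport != "21":
            continue  # port 22 payload is ciphertext once key exchange completes
        key = (src, sport, dst)
        verb, _, arg = payload.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            sessions[key] = {"user": arg.strip(), "pass": False}
        elif verb == "PASS" and key in sessions:
            sessions[key]["pass"] = True
    return [Finding(c, d, s["user"], s["pass"]) for (c, _, d), s in sessions.items()]


def transport_summary(records):
    """Count distinct client sessions per transport so a move away from FTP can be verified."""
    seen = {"ftp": set(), "ssh": set()}
    for rec in records:
        m = FLOW_RE.match(rec)
        if not m:
            continue
        src, sport, dst, dport, _ = m.groups()
        name = {"21": "ftp", "22": "ssh"}.get(dport)
        if name:
            seen[name].add((src, sport, dst))
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"cleartext FTP login {f.client} -> {f.server} user={f.user} "
              f"password_seen={f.password_in_clear}")
    print(transport_summary(SAMPLE_FLOWS))
```

Run it against the constructed sample and the FTP session is reported with its username while the SSH session yields nothing to parse, which is the whole argument for SFTP/SCP in one line of output. Pair the check with the firewall allowlist mentioned in the question; the allowlist limits who can reach the server, but only the encrypted transport protects the credentials and archive in transit.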


If in any way there is a concern that your network is open to a “man in the middle” leak then theoretically there is a possibility that your data is compromised.

I’m pretty sure that that should be the least of your concerns.

After many years of doing this (and occasionally not getting it right) I find that 99.99% of all leaks will be through using UDP:5000-5999 for SIP signalling, having tcp:5038 open to the interwebs, or unprotected http:80 access.


@dicko I actually find a majority of hacks are actually from tftp. They will request on every MAC until they get a password. Since there is no password, there is no fail2ban. Then once they get the password they are able to connect. Same probably for non-password-protected http provisioning.

I won’t disagree with that but I don’t use tftp nor http for provisioning. So udp/69 is closed and thus never seen.
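The two posts above describe the detection gap: a provisioning TFTP server has no login, so there is no failed-auth line for fail2ban to key on. Below is an added example (not from the forum or from FreePBX) of the filter logic you would have to write instead: it parses syslog lines in the style tftpd-hpa writes ("RRQ from <ip> filename <name>") and flags any source that requests many distinct MAC-named config files in a short window, which is what a sweep over "every MAC" looks like from the server side. The log lines, the log format, the 60-second window and the threshold of 5 are all constructed assumptions; a legitimate phone fetches its own file (and perhaps firmware) and never trips it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tftpd-hpa style syslog line; the exact format is an assumption for this example.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ in\.tftpd\[\d+\]: RRQ from (\S+) filename (\S+)"
)
# Phone provisioning files are usually named after the handset MAC, e.g. 0004f2aabb01.cfg
MAC_FILE_RE = re.compile(r"^[0-9a-f]{12}\.(cfg|xml)$", re.IGNORECASE)

# Constructed sample: one real phone fetching its own config twice and a
# firmware image, plus one source sweeping six different MAC-named files.
SAMPLE_LOG = [
    "Jan 12 03:14:15 pbx in.tftpd[2231]: RRQ from 192.0.2.20 filename 0004F2AABB01.cfg",
    "Jan 12 03:14:16 pbx in.tftpd[2231]: RRQ from 192.0.2.20 filename 0004F2AABB01.cfg",
    "Jan 12 03:14:17 pbx in.tftpd[2231]: RRQ from 192.0.2.20 filename firmware.bin",
    "Jan 12 03:14:20 pbx in.tftpd[2231]: RRQ from 203.0.113.9 filename 000000000000.cfg",
    "Jan 12 03:14:22 pbx in.tftpd[2231]: RRQ from 203.0.113.9 filename 000000000001.cfg",
    "Jan 12 03:14:24 pbx in.tftpd[2231]: RRQ from 203.0.113.9 filename 000000000002.cfg",
    "Jan 12 03:14:26 pbx in.tftpd[2231]: RRQ from 203.0.113.9 filename 000000000003.cfg",
    "Jan 12 03:14:28 pbx in.tftpd[2231]: RRQ from 203.0.113.9 filename 000000000004.cfg",
    "Jan 12 03:14:30 pbx in.tftpd[2231]: RRQ from 203.0.113.9 filename 000000000005.cfg",
    "Jan 12 03:14:31 pbx kernel: unrelated line that must be ignored",
]


def parse(lines, year=2024):
    """Yield (timestamp, source_ip, filename) for each RRQ line; syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_sweeps(lines, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: distinct_mac_files} for sources that look like a MAC sweep.

    Only MAC-named requests count; a handset re-fetching its own file or a
    firmware download is not enumeration. A sliding window over each source's
    sorted requests catches the burst wherever it starts in the log.
    """
    per_src = defaultdict(list)
    for ts, src, fname in parse(lines):
        if MAC_FILE_RE.match(fname):
            per_src[src].append((ts, fname.lower()))
    offenders = {}
    for src, reqs in per_src.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            distinct = {f for t, f in reqs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                offenders[src] = len(distinct)
                break
    return offenders


if __name__ == "__main__":
    for ip, n in find_sweeps(SAMPLE_LOG).items():
        # In practice this is where you would hand the IP to fail2ban or a firewall rule.
        print(f"ban candidate {ip}: {n} distinct MAC-named files requested within 60s")
```

The same idea fits a fail2ban filter with a `failregex` matching the RRQ line, but fail2ban counts matches rather than distinct filenames, so a busy legitimate phone can trip it; keying on distinct MAC-named files, as above, is the discriminator. The cleaner fix, as the reply notes, is simply not exposing udp/69 (or unauthenticated http provisioning) to the internet at all.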
