Secure Management of Port 22
Overview
Opening TCP port 22 globally poses significant security concerns due to its association with Linux OpenSSH service, which enables SSH protocol for command-line access. To address this concern, SFTP Gateway v3 implements several key security practices.
Port Management
OpenSSH Port Reassignment:
Default SSH service port moved from TCP 22 to TCP 2222.
Port TCP 2222 should always be restricted exclusively to sysadmin IP address ranges.
Ports TCP 80 and 443 should also be locked down to sysadmin IP ranges.
Custom Java Application
- Dedicated SFTP Service:
SFTP Gateway v3 employs a custom Java application to provide the SFTP protocol over TCP port 22.
This Java-based service explicitly denies SSH attempts, effectively eliminating the SSH remote command-line attack vector.
Security Mitigations
Brute Force Attack Protection:
Built-in protection against brute force attacks.
After a defined number of failed authentication attempts, the attacker's IP address is temporarily blocked (held in memory).
Authentication Recommendations:
- Strongly recommend key-based authentication to prevent credential theft, weak passwords, and password reuse attacks.
Per-user IP Allow-list:
Supports per-user IP allow-listing for enhanced security.
IP allow-lists can be progressively expanded based on logs indicating specific SFTP user access patterns.
Recommended Security Best Practices
Always restrict critical management ports (2222, 80, 443) to trusted IP ranges.
Enable key-based authentication for all SFTP users.
Regularly review SFTP logs and update per-user IP allow-lists for improved access control.
Utilize built-in brute force protection to mitigate dictionary-based authentication attacks.