220.127.116.11 FTP Servers
The third most common service, after web and email that a company may provide to Internet users is FTP, the File Transfer Protocol.
FTP servers make available files for download over the Internet (or your intranet). They can also be used to accept uploads from business partners, customers, employees, etc.
FTP needs ports TCP 20 and 21 open in a firewall to function across the firewall. Port 20 is used for the data connection, which transfers the actual file contents from one system to the other. Port 21 is used for the control connection, over which FTP commands and responses are sent.
There are two primary aspects of an FTP server to consider when hardening it (other than various features of the FTP protocol which are interesting to hackers): user authentication and file access permissions.
FTP servers accept connections in either authenticated mode or unauthenticated mode. Authenticated mode connections send the user and password across the network, and assume no ones running a sniffer on your network. Because sending authentication information across the network like this is a bad idea, newer FTP servers feature a Secure/FTP protocol that handles authentication in a more secure manner, using techniques like challenge/response.
Unauthenticated FTP connections, commonly referred to as anonymous FTP, are another barrel of laughs. Presumably youve heard of the concept of Warez pirated software. Well, Warez traders need lots of disk space and bandwidth to store and distribute their software and they often find it on random anonymous FTP sites around the net that have at least one directory writeable by the anonymous FTP user. If all of a sudden, your Internet connection seems very slow, and your FTP logs very large, you might have accumulated some Warez on your FTP server.
If you have to allow anonymous FTP access for one reason or another, OK but make sure that you dont offer anonymous users a writeable directory if possible.
File access permissions refer to which FTP users have access (and what type of access read, write, delete, etc.) to which resources on the server. Some FTP servers rely strictly on OS security to set up these permissions. If the OS would allow that user to have access to that file/directory normally, the FTP server lets them have it. Other FTP servers start with that level of security and then add onto it an additional file access control configuration file that further restricts those permissions when files are accessed in the context of an FTP server.
A potential issue you can face on an FTP server is that of a denial of service, caused by uploaded files filling up the FTP file system or disk. Once this has happened, no other users can upload files, until the disk full condition is remedied. This problem is exacerbated if the file system or disk used for FTP uploads is the same one that contains the OS and the logs, since it may cause the FTP server to stop logging transfers (when it is still allowing downloads) or crash altogether. To help guard against this, set disk quotas on users who access the system via FTP (including whichever user ID is used for anonymous logins).372
Also, FTP is susceptible to man-in-the-middle attacks, because of the unencrypted nature of the FTP protocol.
The details of securing your FTP server are of course application-specific. For information on the version of FTP supplied with Windows .NET Server, check the Windows .NET Server Security Handbook373. For information on FTP in Linux, see Hacking Linux Exposed374 by Hatch et. al.
In addition to making sure that your FTP server software is up to date, we recommend that only those users requiring FTP be given access to it (avoid anonymous FTP if possible), and that you carefully monitor the directories available through FTP. Also, make sure that you log FTP logins and file uploads and downloads. Due to the potential for the FTP server being compromised, it is best if the logs are kept on a separate system (so that an attacker cant easily delete evidence).
372. Crothers, Tim, Internet Lockdown, Hungry Minds, October, 2001, http://www.nerdbooks.com/item.html?id=0764548611
373. Peikari, Cyrus, and Seth Fogie, Windows .NET Server Security Handbook, Prentice-Hall, April, 2002, http://www.nerdbooks.com/item.html?id=0130477265
374. Hatch, Brian, James Lee and George Kurtz, Hacking Linux Exposed, Osborne, April, 2001, http://www.nerdbooks.com/item.html?id=0072127732
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.