3.5.3.4  FTP Servers

The third most common service, after web and email, that a company may provide to Internet users is FTP, the File Transfer Protocol.

FTP servers make available files for download over the Internet (or your intranet). They can also be used to accept uploads from business partners, customers, employees, etc.

FTP needs ports TCP 20 and 21 open in a firewall to function across the firewall. Port 20 is used for the “data” connection, which transfers the actual file contents from one system to the other. Port 21 is used for the “control” connection, over which FTP commands and responses are sent.

FTP

FTP is the File Transfer Protocol, used to upload and download files across the network.

FTP uses TCP port 20 for its data connection and port 21 for its control connection.


Security-Related Aspects of FTP

There are two primary aspects of an FTP server to consider when hardening it (other than various “features” of the FTP protocol which are interesting to hackers): user authentication and file access permissions.

FTP servers accept connections in either authenticated mode or unauthenticated mode. Authenticated mode connections send the user name and password across the network in clear text, and assume no one is running a sniffer on your network. Because sending authentication information across the network like this is a bad idea, newer FTP servers feature a Secure/FTP protocol that handles authentication in a more secure manner, using techniques like challenge/response.

Unauthenticated FTP connections, commonly referred to as “anonymous FTP,” are another barrel of laughs. Presumably you’ve heard of the concept of “Warez” – pirated software. Well, Warez “traders” need lots of disk space and bandwidth to store and distribute their software… and they often find it on random anonymous FTP sites around the net that have at least one directory writeable by the anonymous FTP user. If, all of a sudden, your Internet connection seems very slow and your FTP logs very large, you might have accumulated some Warez on your FTP server.

If you have to allow anonymous FTP access for one reason or another, OK – but make sure that you don’t offer anonymous users a writeable directory if possible.

Of Course You Know, This Means WAR!

Note that if a Warez geek does find and use your server, and then you shut off his/her access, you’ve just dramatically upped your network’s chances of being attacked by a group of software “traders” annoyed at losing “their” site and trying to re-own it. (Author Helen has experienced this phenomenon first-hand, and oh boy, they can have you on their “preferred target” list for years!)


File access permissions refer to which FTP users have access (and what type of access – read, write, delete, etc.) to which resources on the server. Some FTP servers rely strictly on OS security to set up these permissions. If the OS would allow that user to have access to that file/directory normally, the FTP server lets them have it. Other FTP servers start with that level of security and then add onto it an additional file access control configuration file that further restricts those permissions when files are accessed in the context of an FTP server.
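The two hardening points above (don’t give anonymous users a writeable directory; know what file-access controls the FTP server layers on top of the OS) are easiest to verify against the server’s own configuration file. The following audit script is an added example for this section, not code from the CertiGuide text or from any FTP server. It checks a vsftpd-style configuration: the directive names (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, write_enable, local_enable, chroot_local_user, xferlog_enable) are real vsftpd options, the defaults assumed for missing directives (anonymous_enable=YES, the rest NO) are taken from the vsftpd.conf manual page, and both sample configurations are constructed for the example.

```python
"""Audit a vsftpd-style configuration for settings that give anonymous
users a writeable directory or loosen file-access control.

Added example for this section; not code from the CertiGuide text.
The directive names are real vsftpd options; the defaults assumed for
missing directives follow the vsftpd.conf manual page (assumption), and
the two sample configurations are constructed.
"""

# Constructed: a configuration that gives anonymous users a writeable
# directory and keeps no transfer log.
WEAK_CONFIG = """
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
xferlog_enable=NO
"""

# Constructed: the same server with anonymous access off, local users
# confined to their home directories, and transfers logged.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
"""

# Values vsftpd applies when a directive is absent (assumption, see above).
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "xferlog_enable": "NO",
}


def parse_config(text):
    """Parse vsftpd's key=value format into a dict of upper-cased values,
    skipping blank lines and '#' comments; unknown keys are kept as-is."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_config(text):
    """Return a list of (severity, message) findings; an empty list means
    none of the checks below fired."""
    cfg = parse_config(text)
    findings = []
    anon = cfg["anonymous_enable"] == "YES"
    writes = cfg["write_enable"] == "YES"

    # write_enable is the master switch: anonymous writes need it plus
    # one of the anon_* write options, so only that combination is 'high'.
    if anon and writes and cfg["anon_upload_enable"] == "YES":
        findings.append(("high", "anonymous users may upload files"))
    if anon and writes and cfg["anon_mkdir_write_enable"] == "YES":
        findings.append(("high", "anonymous users may create directories"))
    if anon:
        findings.append(("medium", "anonymous FTP is enabled; allow it only if required"))
    if cfg["local_enable"] == "YES" and cfg["chroot_local_user"] != "YES":
        findings.append(("medium", "local users are not confined to their home directories"))
    if cfg["xferlog_enable"] != "YES":
        findings.append(("medium", "transfer logging is disabled"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(text) or "no findings")
```

Note that an empty configuration file is not safe by default under the assumed defaults: anonymous access is on and transfer logging is off, so the audit reports two medium findings for it. Servers that add their own access-control file on top of OS permissions (the second design described above) would need a second parser for that file; this script covers only the main configuration.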

A potential issue you can face on an FTP server is that of a denial of service, caused by uploaded files filling up the FTP file system or disk. Once this has happened, no other users can upload files until the disk-full condition is remedied. This problem is exacerbated if the file system or disk used for FTP uploads is the same one that contains the OS and the logs, since it may cause the FTP server to stop logging transfers (while it is still allowing downloads) or crash altogether. To help guard against this, set disk quotas on users who access the system via FTP (including whichever user ID is used for anonymous logins). [372]

Also, FTP is susceptible to man-in-the-middle attacks, because of the unencrypted nature of the FTP protocol.

Securing Your FTP Server

The details of securing your FTP server are of course application-specific. For information on the version of FTP supplied with Windows .NET Server, check the Windows .NET Server Security Handbook [373]. For information on FTP in Linux, see Hacking Linux Exposed [374] by Hatch et al.

In addition to making sure that your FTP server software is up to date, we recommend that only those users requiring FTP be given access to it (avoid anonymous FTP if possible), and that you carefully monitor the directories available through FTP. Also, make sure that you log FTP logins and file uploads and downloads. Because the FTP server itself may be compromised, it is best to keep the logs on a separate system (so that an attacker can’t easily delete evidence).
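The three symptoms this section tells you to watch for all show up in the transfer log: anonymous uploads (the Warez scenario), a single account pushing more data than the disk can absorb (the disk-fill denial of service), and login activity. The script below is an added example, not code from the CertiGuide text or from any FTP server; it parses log lines in the vsftpd-style format (the format itself is an assumption) and turns them into alerts. The log lines, the IP addresses and the 100 MB upload budget are constructed for the example. It is written to run on a copy of the log, which fits the advice above to keep logs on a separate system.

```python
"""Summarise an FTP transfer log and raise the alerts this section
cares about: anonymous uploads and accounts exceeding an upload budget.

Added example; not code from the CertiGuide text.  The line format is an
assumption modelled on vsftpd's log, and every line below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: one anonymous upload of a large archive, a
# download of it by a different client, a normal user download and a
# failed login.
SAMPLE_LOG = """\
Mon Nov 15 10:01:02 2004 [pid 2101] [anonymous] OK LOGIN: Client "203.0.113.7"
Mon Nov 15 10:01:05 2004 [pid 2101] [anonymous] OK UPLOAD: Client "203.0.113.7", "/pub/incoming/movie.rar", 734003200 bytes, 512.00Kbyte/sec
Mon Nov 15 10:03:11 2004 [pid 2140] [alice] OK DOWNLOAD: Client "198.51.100.4", "/pub/report.pdf", 102400 bytes, 200.00Kbyte/sec
Mon Nov 15 10:05:40 2004 [pid 2155] [anonymous] OK DOWNLOAD: Client "192.0.2.9", "/pub/incoming/movie.rar", 734003200 bytes, 900.00Kbyte/sec
Mon Nov 15 10:06:00 2004 [pid 2160] [bob] FAIL LOGIN: Client "198.51.100.20"
"""

# Timestamp, pid, user, OK/FAIL, action, client and (for transfers) the
# path and byte count.  The trailing transfer-rate field is ignored.
LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) '
    r'(?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?'
)


def parse_log(text):
    """Return one dict per recognised line; lines that do not match the
    expected format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["size"] = int(event["size"]) if event["size"] else 0
            events.append(event)
    return events


def summarize(events):
    """Aggregate uploads per user, list anonymous uploads and count
    failed logins per client address."""
    upload_bytes = defaultdict(int)
    anon_uploads = []
    failed_logins = defaultdict(int)
    for e in events:
        if e["status"] == "OK" and e["action"] == "UPLOAD":
            upload_bytes[e["user"]] += e["size"]
            if e["user"] == "anonymous":
                anon_uploads.append((e["path"], e["size"]))
        elif e["status"] == "FAIL" and e["action"] == "LOGIN":
            failed_logins[e["client"]] += 1
    return {
        "upload_bytes": dict(upload_bytes),
        "anon_uploads": anon_uploads,
        "failed_logins": dict(failed_logins),
    }


def alerts(events, upload_budget=100 * 1024 * 1024):
    """Return human-readable alerts.  upload_budget (constructed default,
    100 MB) plays the role of the per-user disk quota the text recommends."""
    s = summarize(events)
    out = []
    for path, size in s["anon_uploads"]:
        out.append(f"anonymous upload to {path} ({size} bytes): "
                   "check for a directory writeable by the anonymous user")
    for user, total in s["upload_bytes"].items():
        if total > upload_budget:
            out.append(f"user {user} uploaded {total} bytes, over the "
                       f"{upload_budget}-byte budget: possible disk-fill")
    return out


if __name__ == "__main__":
    for line in alerts(parse_log(SAMPLE_LOG)):
        print(line)
```

The upload budget is a detection threshold, not a substitute for the OS-level disk quota the text recommends: the quota stops the disk filling, the alert tells you that somebody tried. Running this against a log copy on another host also means the parser keeps working after the FTP server itself has stopped logging.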


 __________________

[372] Crothers, Tim. Internet Lockdown. Hungry Minds, October 2001. http://www.nerdbooks.com/item.html?id=0764548611

[373] Peikari, Cyrus, and Seth Fogie. Windows .NET Server Security Handbook. Prentice-Hall, April 2002. http://www.nerdbooks.com/item.html?id=0130477265

[374] Hatch, Brian, James Lee and George Kurtz. Hacking Linux Exposed. Osborne, April 2001. http://www.nerdbooks.com/item.html?id=0072127732


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.