|Get this Security+ CertiGuide for your own computer.|
Use coupon code "certiguide" to save 20%!
|Also available: 300-question Security+ practice test!|
|Get It Here!|
(Page 8 of 10)
Hardening FTP Servers
FTP servers are used to exchange
data internally and between internal and external sources. FTP uses
ports 20 and 21 for its data and control connections, so those ports
must be open in your firewall to allow transmission of data between
external and internal sites. As with other application servers, keep
up to date with patches and consult vendor-specific and user community
documents describing secure configuration of your particular software.
When securing an FTP server, consider:
Hardening DNS Servers
- User authentication (limit access to only those
users who really need it; avoid Anonymous access if you
can, and use a secure FTP variant such as S/FTP to avoid transmitting
passwords across the network in cleartext; when the original FTP protocol
is used, you are susceptible to password and data sniffing and man-in-the-middle
- File permissions (carefully set file permissions
on your server to ensure that users have access to only those files
you wish them to have access to).
- Restricting uploads (restrict upload permission
to only those users who need it; this reduces the number of accounts
which if compromised can upload unauthorized files to your server).
- Disk quotas (setting a disk quota for users allowed
to upload reduces the likelihood that they can DoS your FTP server by
filling up its disk space).
- If you run your FTP server and web server on
the same machine (bad idea), do not allow the FTP server access to web-server-related
directories (scripts, HTML pages, etc.
DNS servers provide domain name service
information to clients who need to map hostnames to IP addresses. DNS
uses TCP and UDP port 53 for communication with clients and other nameservers
on internal and external networks. The most widely used UNIX DNS software,
BIND, has historically had many security issues (as have most other
DNS servers), so keep up with software updates to your DNS server.
Some actions to consider taking when hardening a DNS server, in addition
to the obvious actions of securing the underlying OS, include:
- Follow vendor and community-provided guidelines
for secure configuration; this can help guard against spoofing and DNS
cache poisoning (the insertion of invalid information in the DNS cache,
which can be used to redirect traffic to non-legitimate sites).
- Run the DNS server as an unprivileged user, so
that if it is compromised via a buffer overflow, the attacker cannot
run code with administrative privileges.
- Restrict zone transfers (batched DNS info updates)
from your primary name server to your secondary name servers, to minimize
DoS vulnerability and risks of other exploits.
- Configure redundant DNS servers, so that an outage
on one machine doesnt remove access to DNS information for your
- Locate a secondary DNS server in a distant area
(both in terms of wire topology, and in terms of geography) for fault
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.