[ydl-gen] Attempted hack of FTP server
Geert Janssens
janssens-geert at telenet.be
Tue Aug 29 07:14:44 MDT 2006
On Tuesday 29 August 2006 14:37, Eric Dunbar wrote:
>
> I think I've got the basics down (allow/deny ports/protocol/single IP
> address), but, frankly, I don't think my server is any more secure
> than it was before (at the moment, that is).
>
> I already had a router in front of the server and until recently it
> only redirected requests (a few ports, including 80 and 443) to apache
> on the server (now also port 21).
>
You may need to redirect more ports for ftp, depending on the type of ftp you
will allow (active or passive). Port 21 is the control channel for ftp. It is
used (among others) to negotiate which port to use for the data channel. This
is usually a random, unused port above 1024. Your firewall will have to open
this port somehow as well.
I believe with passive ftp, this data port should be open on the server as the
client will try to connect to that port, while with active ftp, it's the
server trying to connect to the data port on the client.
Some firewalls are 'ftp-aware' meaning they monitor ftp connections to the
control port (21), in order to sniff out the future data port, and open it
dynamically. I could be wrong, but I don't think iptables is that smart. You
can google for it.
If not, you can check whether active ftp suits your needs (this means your client
hosts and their firewalls are capable of it). In the worst case, you will
have to figure out if vsftpd has a way to configure which ports can be set
for passive ftp, so you can open a limited range via iptables. I don't know
if vsftpd can do this. I'm using proftpd here (on fedora), and that one has
this option.
> I guess now I've blocked access to one IP (though, it's easy to change
> IPs if you're not static) but I couldn't figure out how to specify a
> range for the IP "source address or network" using trial and error in
> WebMin (it didn't like "192.1.1.*" or "192.1.1.1-192.1.1.5" or
> "192.1.1."). The man page for iptables didn't help me figure out the
> formatting either (I'm not sure whether this is indeed the option that
> will allow me to specify a range of IPs or my own little network
> (192.168.0.*):
A range would be specified as 192.1.1.0/24 or 192.1.1.0/255.255.255.0 (instead
of 192.1.1.*). Similarly your own little network would become 192.168.0.0/24
or 192.168.0.0/255.255.255.0.
The /xx indicates the number of 1 bits in your network mask. So a network mask
of 255.255.255.0 translates into 24, 255.255.0.0 would be 16, 255.255.255.255
would be 32 and so on.
Hopefully this helps you along with the network range specifications for
iptables.
Regards,
Geert
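The two points in Geert's reply, the /xx prefix-length notation for an iptables source range and the need to open a bounded passive-mode port range next to port 21, as an added example that is not part of the original thread. The script counts the 1 bits of a dotted-quad mask by hand and cross-checks the result against Python's ipaddress module, rejects the "192.1.1.*" style forms that WebMin refused, and renders (rather than applies) the iptables rules so it runs without root. The 192.168.0.0/24 network and the 50000-50100 passive range are constructed values, not taken from the thread.

```python
"""Added example: netmask/CIDR arithmetic for iptables source ranges, plus
rendering INPUT rules for FTP control (21) and a bounded passive data range.
The network and port numbers below are constructed for illustration."""
import ipaddress


def prefix_len(mask: str) -> int:
    """Return the /xx prefix length for a dotted-quad mask by counting 1 bits.

    A valid mask is a run of 1 bits followed by a run of 0 bits; anything else
    (e.g. 255.0.255.0) is rejected, since iptables would not accept it either.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    ones = bin(bits).count("1")
    # Contiguity check: the mask must be exactly the top `ones` bits set.
    if bits != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def to_cidr(network: str, mask: str) -> str:
    """Convert '192.1.1.0' + '255.255.255.0' into '192.1.1.0/24'."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    # Cross-check the manual bit count against the library's answer.
    if net.prefixlen != prefix_len(mask):
        raise RuntimeError("prefix length mismatch")
    return str(net)


def valid_source(spec: str) -> bool:
    """True only for forms an iptables -s match accepts: a single address,
    addr/prefix or addr/mask. Globs and dash ranges are rejected."""
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def in_range(addr: str, cidr: str) -> bool:
    """True if addr would match a -s cidr rule."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def ftp_rules(source_cidr: str, pasv_min: int, pasv_max: int) -> list:
    """Render iptables INPUT rules allowing the FTP control port and a bounded
    passive data range from one source network. Returned as strings so the
    script needs no root; the passive range must match what the FTP daemon
    is configured to hand out."""
    ipaddress.ip_network(source_cidr, strict=False)  # validate early
    if not 1024 <= pasv_min <= pasv_max <= 65535:
        raise ValueError("passive range must lie within 1024-65535")
    return [
        f"iptables -A INPUT -p tcp -s {source_cidr} --dport 21 -j ACCEPT",
        f"iptables -A INPUT -p tcp -s {source_cidr} "
        f"--dport {pasv_min}:{pasv_max} -j ACCEPT",
    ]


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.255.255.255"):
        print(f"{mask} -> /{prefix_len(mask)}")
    print(to_cidr("192.168.0.0", "255.255.255.0"))
    for spec in ("192.1.1.*", "192.1.1.1-192.1.1.5", "192.1.1.0/24"):
        print(f"{spec!r} accepted: {valid_source(spec)}")
    for rule in ftp_rules("192.168.0.0/24", 50000, 50100):
        print(rule)
```

The passive range given to `ftp_rules` only helps if the FTP daemon is restricted to the same range; otherwise the server will still announce data ports the firewall drops, and the client will hang after the PASV command.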