[ydl-gen] Attempted hack of FTP server

Peter-Paul peter-paul at multiweb.nl
Tue Aug 29 07:31:11 MDT 2006


One humble remark (as reply to Geert):
IPTables is in fact 'that smart' to recognize passive ftp initiations.
IPTables is able to do stateful packet inspection.
(I quote): "This means that the firewall keeps track of each connection 
passing through it and in certain cases will view the contents of data 
flows in an attempt to anticipate the next action of certain protocols. 
This is an important feature in the support of active FTP and DNS, as 
well as many other network services."

--

Geert Janssens wrote:

>On Tuesday 29 August 2006 14:37, Eric Dunbar wrote:
>
>>I think I've got the basics down (allow/deny ports/protocol/single IP
>>address), but, frankly, I don't think my server is any more secure
>>than it was before (at the moment, that is).
>>
>>I already had a router in front of the server and until recently it
>>only redirected requests (a few ports, including 80 and 443) to apache
>>on the server (now also port 21).
>>
>>
>You may need to redirect more ports for ftp, depending on the type of ftp you 
>will allow (active or passive). Port 21 is the control channel for ftp. It is 
>used (among others) to negotiate which port to use for the data channel. This 
>is usually a random, unused port above 1024. Your firewall will have to open 
>this port somehow as well.
>I believe with passive ftp, this data port should be open on the server as the 
>client will try to connect to that port, while with active ftp, it's the 
>server trying to connect to the data port on the client.
>Some firewalls are 'ftp-aware', meaning they monitor ftp connections to the 
>control port (21) in order to sniff out the future data port and open it 
>dynamically. I could be wrong, but I don't think iptables is that smart. You 
>can google for it.
>If not, you can try if active ftp suits your needs (this means your client 
>hosts and their firewalls are capable of it). In the worst case, you will 
>have to figure out if vsftpd has a way to configure which ports can be set 
>for passive ftp, so you can open a limited range via iptables. I don't know 
>if vsftpd can do this. I'm using proftpd here (on fedora), and that one has 
>this option.
>
>>I guess now I've blocked access to one IP (though, it's easy to change
>>IPs if you're not static) but I couldn't figure out how to specify a
>>range for the IP "source address or network" using trial and error in
>>WebMin (it didn't like "192.1.1.*" or "192.1.1.1-192.1.1.5" or
>>"192.1.1."). The man page for iptables didn't help me figure out the
>>formatting either (I'm not sure whether this is indeed the option that
>>will allow me to specify a range of IPs or my own little network
>>(192.168.0.*):
>>
>
>A range would be specified as 192.1.1.0/24 or 192.1.1.0/255.255.255.0 (instead 
>of 192.1.1.*). Similarly, your own little network would become 192.168.0.0/24 
>or 192.168.0.0/255.255.255.0.
>The /xx indicates the number of 1 bits in your network mask. So a network mask 
>of 255.255.255.0 translates into 24, 255.255.0.0 would be 16, 255.255.255.255 
>would be 32, and so on. 
>
>Hopefully this helps you along with the network range specifications for 
>iptables.
>
>Regards,
>
>Geert
>_______________________________________________
>yellowdog-general mailing list
>yellowdog-general at lists.terrasoftsolutions.com
>http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
>
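Added example, not part of the thread (neither Eric's, Geert's nor Peter-Paul's): a small POSIX shell script that works through both points discussed above. `mask_to_prefix` and `prefix_to_mask` do the netmask/prefix conversion Geert describes (255.255.255.0 is /24) and reject non-contiguous masks, and `ftp_rules` prints (does not apply) an iptables rule set for a vsftpd server restricted to one source network. Two facts the script relies on that are not on the page: vsftpd's `pasv_min_port`/`pasv_max_port` options pin the passive data ports to a known range, and the netfilter `nf_conntrack_ftp` helper (called `ip_conntrack_ftp` on the 2.6-era kernels of this thread) watches the port-21 control channel and marks the resulting data connection RELATED, which is the stateful behaviour Peter-Paul refers to. The network, port range and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for writing an iptables source
# network in prefix notation and for a vsftpd rule set that relies on the
# netfilter FTP helper rather than a wide open port range. All addresses and
# port numbers used below are constructed placeholders.

# Convert a dotted netmask (255.255.255.0) to its prefix length (24).
# Rejects malformed or non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    prefix=0
    seen_partial=0
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "mask_to_prefix: expected four octets" >&2
        return 1
    fi
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;;
            *) echo "mask_to_prefix: invalid octet $octet" >&2; return 1 ;;
        esac
        # once an octet is partial, every later octet must be 0
        if [ "$seen_partial" -eq 1 ] && [ "$bits" -ne 0 ]; then
            echo "mask_to_prefix: non-contiguous mask" >&2
            return 1
        fi
        if [ "$bits" -lt 8 ]; then
            seen_partial=1
        fi
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# Convert a prefix length (0..32) back to a dotted netmask.
prefix_to_mask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    mask=""
    i=0
    while [ $i -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255
            p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 ))
            p=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    echo "$mask"
}

# Build the value for iptables' -s option from an address and a dotted mask.
to_cidr() {
    p=$(mask_to_prefix "$2") || return 1
    echo "$1/$p"
}

# Print the rules for a vsftpd server that accepts FTP from one network only.
# The ftp conntrack helper marks the passive data connection RELATED, so the
# explicit pasv range rule is only a fallback for when the helper cannot read
# the control channel. Output is text; nothing is applied to the kernel.
ftp_rules() {
    net=$1
    pasv_min=$2
    pasv_max=$3
    cat <<EOF
# vsftpd.conf: pasv_enable=YES pasv_min_port=$pasv_min pasv_max_port=$pasv_max
modprobe nf_conntrack_ftp
# kernels that no longer auto-assign helpers need it attached explicitly
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $net --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $net --dport $pasv_min:$pasv_max -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
EOF
}

# Demonstration with constructed values (the "192.168.0.*" network from above).
ftp_rules "$(to_cidr 192.168.0.0 255.255.255.0)" 50000 50100
```

The generated rules accept new control connections only from the given network, let connection tracking admit the data channel, and drop everything else aimed at port 21; review the printed output before pasting it into a firewall script.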