[ydl-gen] Attempted hack of FTP server

Geert Janssens janssens-geert at telenet.be
Tue Aug 29 07:42:43 MDT 2006


Peter-Paul,

Thank you for the update. As I said, I didn't know.

In our specific case, it doesn't matter whether or not iptables is capable of 
it. Our ftp server negotiates TLS before any data connection is set up. By 
definition, the secured TLS connection can't be tracked, so the firewall has 
no idea which port to open. As a result we implemented a solution that opens 
a limited range of harmless ports in order to get ftps working.

I am curious in general though, does iptables perform this stateful packet 
inspection by default, or is there some configuration required for it?

Regards,

Geert

On Tuesday 29 August 2006 15:31, Peter-Paul wrote:
> One humble remark: (as reply to Geert),
> IPTables, is in fact 'that smart' to recognize passive ftp initiations.
> IPTables is able to do Stateful packet inspection.
> (I quote): "This means that the firewall keeps track of each connection
> passing through it and in certain cases will view the contents of data
> flows in an attempt to anticipate the next action of certain protocols.
> This is an important feature in the support of active FTP and DNS, as
> well as many other network services."
>
> --
>
> Geert Janssens wrote:
> >On Tuesday 29 August 2006 14:37, Eric Dunbar wrote:
> >>I think I've got the basics down (allow/deny ports/protocol/single IP
> >>address), but, frankly, I don't think my server is any more secure
> >>than it was before (at the moment, that is).
> >>
> >>I already had a router in front of the server and until recently it
> >>only redirected requests (a few ports, including 80 and 443) to apache
> >>on the server (now also port 21).
> >
> >You may need to redirect more ports for ftp, depending on the type of ftp
> > you will allow (active or passive). Port 21 is the control channel for
> > ftp. It is used (among others) to negotiate which port to use for the
> > data channel. This is usually a random, unused port above 1024. Your
> > firewall will have to open this port somehow as well.
> >I believe with passive ftp, this data port should be open on the server as
> > the client will try to connect to that port, while with active ftp, it's
> > the server trying to connect to the data port on the client.
> >Some firewalls are 'ftp-aware' meaning they monitor ftp connections to the
> >control port (21), in order to sniff out the future data port, and open it
> >dynamically. I could be wrong, but I don't think iptables is that smart.
> > You can google for it.
> >If not, you can try if active ftp suits your needs (this means, your
> > client hosts and their firewalls are capable of it). In the worst case,
> > you will have to figure out if vsftpd has a way to configure which ports
> > can be set for passive ftp, so you can open a limited range via iptables.
> > I don't know if vsftpd can do this. I'm using proftpd here (on fedora),
> > and that one has this option.
> >
> >>I guess now I've blocked access to one IP (though, it's easy to change
> >>IPs if you're not static) but I couldn't figure out how to specify a
> >>range for the IP "source address or network" using trial and error in
> >>WebMin (it didn't like "192.1.1.*" or "192.1.1.1-192.1.1.5" or
> >>"192.1.1."). The man page for iptables didn't help me figure out the
> >>formatting either (I'm not sure whether this is indeed the option that
> >>will allow me to specify a range of IPs or my own little network
> >>(192.168.0.*):
> >
> >A range would be specified as 192.1.1.0/24 or 192.1.1.0/255.255.255.0
> > (instead of 192.1.1.*). Similarly your own little network would become
> > 192.168.0.0/24 or 192.168.0.0/255.255.255.0.
> >The /xx indicates the number of 1 bits in your network mask. So a
> > network mask of 255.255.255.0 translates into 24, 255.255.0.0 would be 16,
> > 255.255.255.255 would be 32 and so on.
> >
> >Hopefully this helps you along with the network range specifications for
> >iptables.
> >
> >Regards,
> >
> >Geert
> >_______________________________________________
> >yellowdog-general mailing list
> >yellowdog-general at lists.terrasoftsolutions.com
> >http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
> >HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
>
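As an added example (not code from the thread or from vsftpd/iptables), here is the netmask-to-prefix rule quoted above turned into a checked conversion, plus a generator for the "limited passive port range" rules that the top of the message describes. The source network 192.168.0.0/24 and the range 50000-50100 are constructed values; vsftpd's pasv_min_port/pasv_max_port options are real and answer the open question in the quoted text.

```python
import ipaddress


def netmask_to_prefix(mask: str) -> int:
    """Return the /xx prefix length of a dotted netmask: the count of its 1 bits.
    Rejects masks whose ones are not contiguous (e.g. 255.0.255.0), which
    iptables would otherwise silently accept as a strange network."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad netmask: {mask}")
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    prefix = bin(bits).count("1")
    # A valid mask is exactly `prefix` ones followed by zeros.
    if bits != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def cidr(network: str, mask: str) -> str:
    """'192.1.1.0' + '255.255.255.0' -> '192.1.1.0/24', the form iptables -s takes."""
    return str(ipaddress.ip_network(f"{network}/{netmask_to_prefix(mask)}", strict=False))


def in_range(addr: str, net: str) -> bool:
    """Would a packet from `addr` match a rule written with -s `net`?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def vsftpd_pasv_config(pasv_min: int, pasv_max: int) -> list[str]:
    """vsftpd.conf lines that pin passive data ports to a known range."""
    return [f"pasv_min_port={pasv_min}", f"pasv_max_port={pasv_max}"]


def ftp_rules(source: str, pasv_min: int, pasv_max: int) -> list[str]:
    """INPUT rules for a passive-mode (or FTPS) server whose data ports cannot be
    learned by connection tracking: control port 21 plus the pinned passive
    range, both limited to `source`. Constructed example rules."""
    if not (1024 <= pasv_min <= pasv_max <= 65535):
        raise ValueError("passive range must be ordered and lie within 1024-65535")
    base = f"iptables -A INPUT -s {source} -p tcp"
    return [
        f"{base} --dport 21 -j ACCEPT",
        f"{base} --dport {pasv_min}:{pasv_max} -j ACCEPT",
    ]


if __name__ == "__main__":
    lan = cidr("192.168.0.0", "255.255.255.0")  # constructed LAN
    print("\n".join(vsftpd_pasv_config(50000, 50100) + ftp_rules(lan, 50000, 50100)))
```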
