Re: ftp



Hi

On Thu, Mar 01, 2001 at 11:35:21AM +0100, Giacomo Mulas wrote:
> On Thu, 1 Mar 2001, Konrad Mader wrote:
> 
> > what is to do to enable ftp through the Firewall (debian2.2,
> > Kernel2.2). www and Mail works fine so I think
> 
> There are two separate problems:
> 
> 1) allowing ftp from the outside world to some host in your protected LAN
> 2) allowing ftp from your protected LAN to the outside world
> 
> which one do you want? They are different and somewhat tricky
> problems, due to the way in which ftp works by default
> ("active" ftp). This kind of problem is (very!) much simpler
> with the stateful and "intelligent" firewalling capabilities
> of the new stable Linux kernel branch (2.4.x) than with
> (stateless) firewalling of the 2.2.x kernels (unless you run
> a user space stateful firewall utility such as spf, packaged
> for Debian unstable but easily compilable from sources on
> potato).

You might want to consider using an ftp proxy instead of
NAT/IP_MASQ/port forwarding etc.

The TIS Firewall Toolkit has a simple FTP proxy you could use.
There's also the SuSE proxy suite, which the last time I looked
at it consisted only of an FTP proxy (although they were
planning on adding other proxies.)

SuSE's proxy allows for incoming connections to be forwarded to
an internal machine transparently.  (You just tell people your
firewall is your FTP server and when they connect to the
firewall the proxy relays the commands/data to your real FTP
server.)  For internal users connecting to external FTP servers,
they just need to use "user@host" for the username.  Some FTP
clients support FTP proxies and you can tell them to use the
"user@host" method.  For others, you can just type in the
"user@host" wherever you would normally have the username.

e.g.:

$ ftp firewall.example.org
Connected to firewall.example.org.
220 firewall.example.org FTP server (Version 1.7 - 1999/10/22 09:22:47) ready.
Name (lion:michael): anonymous@ftp.example.com
331 Anonymous login ok, send your complete e-mail address as password.
Password:
230-Welcome to example.com's FTP server!
230-
230-All transfers are logged.  Please report problems to ftp-admin@example.com.
230-
230-There are currently 144 ftp users logged in.
230-
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

> I would not recommend allowing the outside world authorized
> ftp to a host in your protected LAN: username and passwords
> are sent unencrypted, and a sniffing "bad guy" could easily
> steal access to an (unprivileged) user account to your ftp
> server. The bad guy avoids doing anything suspicious, and
> patiently waits. Then, as soon as a local exploit is found to
> which that computer is vulnerable, the bad guy becomes root...

True, so maybe FTP over SSL or FTP over SSH would be a better
idea if this sort of functionality is required:

ftp://ftp.internic.net/internet-drafts/draft-murray-auth-ftp-ssl-00.txt

http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1
http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8

> Allowing only anonymous access is somewhat less risky (but
> still risky), since you do not need to set up a full shell
> account for it and the only way for an intruder to break in
> through it is through a security flaw in the ftp daemon
> itself.

An FTP proxy can protect against this to some extent... as long
as the proxy is itself not vulnerable to any security flaws.
The proxy is normally much simpler than an FTP server, and is
therefore easier to audit, so, theoretically, there is less
chance of a flaw in the proxy than in the server.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
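As an added illustration of two points in this thread (not code from the original post, nor from the TIS fwtk or SuSE proxy suite): how a proxy can split the "user@host" name typed at the login prompt into the real username and target server, and why active-mode PORT commands and passive-mode 227 replies are what a firewall has to understand before it can allow the data connection. All names and sample inputs are constructed.

```python
import re

# Constructed regexes for the two control-channel lines that name a data
# connection: the client's PORT command (active) and the server's 227
# reply to PASV (passive). Both carry h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def split_proxy_user(username, default_port=21):
    """Interpret 'user@host[:port]' as typed at the Name: prompt.
    Returns (user, host, port), or None when no target host is given
    (the proxy has nowhere to relay to and should refuse the login).
    rpartition keeps e-mail style usernames such as joe@example.org intact."""
    if "@" not in username:
        return None
    user, _, target = username.rpartition("@")
    host, _, port = target.partition(":")
    if not user or not host:
        return None
    return user, host, int(port) if port else default_port


def _hostport(groups):
    """Decode the six decimal fields into an IPv4 address and a port."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in host-port string")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line, client_ip):
    """Describe the data connection a firewall or proxy must permit.
    Active mode: the *server* connects back in to the address in PORT,
    which is why stateless packet filtering struggles with it; the
    proxy should only accept a PORT naming the client it is talking to
    and a non-privileged port. Passive mode: the client connects out to
    the address in the 227 reply."""
    m = PORT_RE.match(line)
    if m:
        host, port = _hostport(m.groups())
        if host != client_ip or port < 1024:
            return ("reject", host, port)
        return ("inbound-to-client", host, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _hostport(m.groups())
        return ("outbound-to-server", host, port)
    return None  # any other control line needs no data-channel rule
```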
