IIS FTP Server - ftp security


Author ftp security
DOUG

2004-08-10, 5:56 pm

Quick question. Will allowing ftp connections only from specific IPs make
it any more "secure"? I have done this but port 21 is still showing up on a
port scan. In my mind, this is still leaving it vulnerable.

Thanks


Paul Lynch

2004-08-10, 5:56 pm

On Tue, 10 Aug 2004 17:17:44 -0400, "DOUG" <none@nospam.com> wrote:

>Quick question. Will allowing ftp connections only from specific IPs make
>it any more "secure"? I have done this but port 21 is still showing up on a
>port scan. In my mind, this is still leaving it vulnerable.
>
>Thanks


Doug,

The port will still be open as seen in your port scan but the IP
address restriction you have configured will prevent any other IP
addresses than those you specified from connecting.

It is also worth pointing out that if you are really concerned about
security then you should consider another method of file transfer
since FTP was never designed with security in mind.

Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679


Regards,

Paul Lynch
MCSE


DOUG

2004-08-10, 5:56 pm

Thanks - but I guess what I need defined is "connecting". I understand that
this will limit the ability to establish an FTP connection. What I am not
clear about I guess is what happens when an FTP server is exploited. Will
this limit a hacker from hacking this box if his/her IP is not specified on
the firewall to allow ftp to this server?


"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:62iih05iu17hqtvrtj9phqdr4i9tqtmopc@4ax.com...
> On Tue, 10 Aug 2004 17:17:44 -0400, "DOUG" <none@nospam.com> wrote:
>
>
> Doug,
>
> The port will still be open as seen in your port scan but the IP
> address restriction you have configured will prevent any other IP
> addresses than those you specified from connecting.
>
> It is also worth pointing out that if you are really concerned about
> security then you should consider another method of file transfer
> since FTP was never designed with security in mind.
>
> Information About the IIS File Transmission Protocol (FTP) Service
> http://support.microsoft.com/?id=283679
>
>
> Regards,
>
> Paul Lynch
> MCSE



Alun Jones [MSFT]

2004-08-11, 5:56 pm

"DOUG" <none@nospam.com> wrote in message
news:eQQ$KFzfEHA.704@TK2MSFTNGP09.phx.gbl...
> Thanks - but I guess what I need defined is "connecting". I understand that
> this will limit the ability to establish an FTP connection. What I am not
> clear about I guess is what happens when an FTP server is exploited. Will
> this limit a hacker from hacking this box if his/her IP is not specified on
> the firewall to allow ftp to this server?


It depends on the particular exploit that your putative attacker is using.

If it's something that occurs in TCP, and can be abused before the
connection is announced to the FTP server (for instance, if you can send a
SYN packet that somehow causes the system to break), then no, an
application-level filter will not help. But, as long as the filter is
functioning correctly, it will protect you against attacks that are targeted
against the FTP server application itself.

Note that I'm talking in general terms here - there are no such attacks that
I am aware of.

As you note, though, you'll get protection earlier in the packet exchange if
you restrict the hacker's IP address at the firewall (either an edge
firewall unit, or the firewall on your OS), or using IPSec filters.

Alun.
~~~~
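
The ordering described in the reply above, where the TCP connection exists before an application-level filter ever sees the peer, shown as an added example that is not part of the original thread. It uses a toy one-shot listener (not IIS) on a loopback port with a constructed allowlist; `start_filtered_server`, `probe`, `demo` and the banner text are hypothetical names chosen for illustration.

```python
import socket
import threading

def start_filtered_server(allowed_ips):
    """One-shot toy listener (not IIS) that checks an IP allowlist in the app.

    The OS completes the TCP handshake before accept() returns, so the
    allowlist is consulted only after the connection already exists.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral loopback port stands in for 21
    srv.listen(1)

    def serve_one():
        conn, (peer_ip, _peer_port) = srv.accept()
        with conn, srv:
            if peer_ip in allowed_ips:
                conn.sendall(b"220 constructed demo banner\r\n")
            # A denied peer is closed without receiving any application data.

    worker = threading.Thread(target=serve_one, daemon=True)
    worker.start()
    return worker, srv.getsockname()[1]

def probe(port, timeout=2.0):
    """Plain TCP connect, as a port scan does; returns (port_open, banner)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            try:
                banner = s.recv(128)
            except OSError:         # timeout or reset: no banner was served
                banner = b""
            return True, banner
    except OSError:
        return False, b""

def demo():
    """Probe the listener once as an allowed peer and once as a denied peer."""
    results = {}
    # 192.0.2.10 is a constructed documentation address; loopback is the prober.
    for label, allowed in (("allowed", {"127.0.0.1"}), ("denied", {"192.0.2.10"})):
        worker, port = start_filtered_server(allowed)
        results[label] = probe(port)
        worker.join(timeout=2.0)
    return results

if __name__ == "__main__":
    for label, (port_open, banner) in demo().items():
        print(f"{label}: port_open={port_open} banner={banner!r}")
```

Both runs report the port as open; only the allowed peer receives a banner. A filter applied at the firewall or with IPSec, as the reply suggests, acts before the handshake completes instead.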


Alun Jones [MSFT]

2004-08-11, 5:56 pm

"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:62iih05iu17hqtvrtj9phqdr4i9tqtmopc@4ax.com...
> It is also worth pointing out that if you are really concerned about
> security then you should consider another method of file transfer
> since FTP was never designed with security in mind.


Nor was HTTP, or a number of other protocols.

But the beautiful thing about standards is that they get extended. There
are several third-party proxies you can add to an FTP server, or an FTP
client, to protect traffic between them using the FTPS protocol extension.

Alun.
~~~~



Copyright 2003 - 2008 webservertalk.com