Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
From: Lars.Troen@MERKANTILDATA.NO
Date: Fri Mar 17 2000 - 10:44:17 CST
- Next message: Vanja Hrustic: "[SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags"
- Previous message: David LeBlanc: "Re: con\con is a old thing (anyway is cool)"
- Next in thread: David Grimes: "Re: Update: Extending the FTP "ALG" vulnerability to any FTP clie"
- Reply: David Grimes: "Re: Update: Extending the FTP "ALG" vulnerability to any FTP clie"
- Reply: Paul Cardon: "Re: Update: Extending the FTP "ALG" vulnerability to any FTP client"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
With Firewall-1 all ports defined in the /etc/services file will be denied
connections to during an ftp session. This is defined in the file base.def
as follows:
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
(not
(
( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
set sr12 p, set sr1 0, log bad_conn)
.....
Firewall-1 does not differentiate between file transfers initiated from your
internal network and a public ftp server of yours serving the
internet. This often causes problems with large file transfers, or when
transferring lots of files. Firewall administrators might for this reason
disable this function as described here:
http://www.phoneboy.com/fw1/faq/0106.html
Also Raptor Firewall has a similar setting in config.cf:
# This restricts ports rather less that allow_low_ports. Raptor strongly
# recommends that you do NOT enable this option.
ftpd.allow_named_ports=NO
I'm not sure about other firewalls, but they're likely to have similar
functionality.
The basic line is: If you're having a public ftp server, you should put all
of its listening ports >1023 in the /etc/services file of the firewall.
This might be difficult to check with many client PCs, and the ftp security
server might be a solution to protect them. Users will complain that some
ftp commands (quote) will not work anymore, but it's always security vs
functionality vs obscurity.
Lars
-----Original Message-----
From: Darren Reed [mailto:avalon@COOMBS.ANU.EDU.AU]
Sent: 15 March 2000 12:43
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
[SNIP]
So the upshot of this is with FW-1, you're screwed until you
get the relevant fixes in place for ftp. With any proxy
based solution, you should only allow passive FTP.
Darren
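As an added illustration, not part of the original thread, here is a Python sketch of the FW-1-style check Lars describes: a data port named in a client PORT command or a server 227 (PASV) reply is refused when it is below 1024 or appears as a TCP service in /etc/services. The services excerpt is constructed inline, and the function names and the extra 8080 listener on the public ftp host are assumptions.

```python
import re

# Constructed /etc/services excerpt (not read from disk). The public ftp host's
# extra high listener (8080, assumed) has been added as the message recommends.
SERVICES_TEXT = """\
ftp-data    20/tcp
ftp         21/tcp
domain      53/udp
http        80/tcp
x11         6000/tcp
webadmin    8080/tcp    # assumed extra listener on the public ftp host
"""

def tcp_services(text):
    """Return the set of TCP ports listed in /etc/services-style text."""
    ports = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        port, proto = line.split()[1].split("/")
        if proto == "tcp":
            ports.add(int(port))
    return ports

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_port(ftp_line):
    """(host, port) from a client PORT command or a server 227 reply, else None."""
    s = ftp_line.strip()
    if not (s.upper().startswith("PORT ") or s.startswith("227 ")):
        return None
    m = _HOSTPORT.search(s)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:           # malformed h,h,h,h,p,p tuple
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def allow_data_connection(ftp_line, services):
    """FW-1-style NOTSERVER_TCP_PORT check: refuse privileged and listed TCP ports."""
    parsed = data_port(ftp_line)
    if parsed is None:
        return False, "not a PORT command or 227 reply"
    host, port = parsed
    if port < 1024:
        return False, f"port {port} is privileged"
    if port in services:
        return False, f"port {port} is a listed tcp service"
    return True, f"port {port} on {host} is an ephemeral data port"
```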