# securing ftp server



## alcopup (Nov 10, 2006)

Hacker attempted to brute force/dictionary attack my ftp server last night.

I am using Serv-U on Win XP SP2 with Windows Firewall disabled.

I use spyware blaster (fully updated and immunised)
antivir xp with avguard (fully updated)
mcAfee personal firewall (tight security, with ftp service enabled)

I also use Adaware SE and Spybot S & D for periodic scanning.

I use a standard cable modem to connect to the internet.

Serv-U is configured for 3 usernames only and they are all restricted to read only access (downloading) and limited to the destination folder only.

I noticed that a user was logging on last night and was intending to send a message to whichever of my friends it was, but when I checked the log to identify the user I noticed that the user was labelled as "user [126]" and that three attempts had been made to log in using ADMINISTRATOR as a user name. The connection was lost due to maximum login attempts, only to be replaced by "user [127]" and three more attempts.

I noted the IP address which dns resolved to a taiwanese website.

nmap noted that ftp, telnet, smtp, http and mysql were open and unfiltered on the target server but could not fingerprint the OS.

on connecting to the server by telnet to port 25 for banner grabbing and to check if smtp relay was enabled, I discovered that the server was not giving away more information than was necessary and that relay was disabled.

on connecting to the open ftp port using Firefox through privoxy and tor node, I discovered that the server accepts anonymous ftp connections but directs to an empty share folder with read only rights.

Connecting by http, again with Firefox and Tor, I am redirected to the website's homepage but it is in Chinese!!!!

I am getting the impression that the incoming ip was spoofed or that I was seeing an ftp bounce attack and so withdrew.

So I guess my question is, how do I make my ftp server available to friends (it is offline now) without running the risk of compromise?

I have blocked the entire ip range that the attack came from, can I do anything else to harden my security stance??

Thanks ever so much for any help you guys can give.

Regards,

Pup


----------



## Cellus (Aug 31, 2006)

First of all, just to let you know, this is not unexpected. It is in fact commonplace for pretty much any server with exposure to the outside world. The Internet is very much the Wild Wild West and you just got a small taster. Welcome to the real world. :grin:

A few things to note:

* Spoofing and Bouncing is common. Any attacker with half a brain wants to be able to get away without being caught, so they'll take measures to hide themselves.
* Malicious folks like FTP servers. Mmm mmm good. If they can break into it they can break other things and use your FTP server to help distribute everything from cracks to pornography, all without your knowledge.
* The FTP standard wasn't designed with real security in mind.
* Nothing is impregnable.

Overall you want to secure yourself enough to not make yourself an easy target against script kiddies, which you seem to have done not that bad so far. There are some things you can do to better secure yourself, but keep in mind that as a home user a real professional can blow you out of the water, though chances of that aren't that high as when they go hunting after home users, they're after the real insecure computers to use as bots, zombies, servers, and whatever.

So, what can you do?

* McAfee Personal Firewall is... well... not the best Personal Firewall on the market. There are many better ones out there, including free ones. Personal recommendation for oak-solid free Personal Firewalls would be COMODO Firewall Pro. There are other good ones out there, like Sunbelt Kerio Personal Firewall as well.
* Make sure everything from Windows XP to your various pieces of software is fully updated and patched, and keep a regular eye out for updated versions of your FTP software product as they commonly contain fixes for security vulnerabilities.
* Disable Anonymous FTP Access. Period.
* Configure the ACL (Access Control List) of the NTFS folders the FTP server is serving. Even if it may seem you don't really "need" to, do it anyways.
* Serv-U is capable of implementing a few things to potentially improve security, such as implementing FTP over SSL. Take a look into it and consider using it if you wish.

There are more advanced measures available, such as implementing an IDS/IPS to act as a watchdog, but that's up to you. Keep in mind that the more you implement, the more you hinder accessibility and availability. You also must keep in mind that whatever you intend to setup is _properly configured_, or it will just provide a false sense of security. It is good to see you already have things such as logging enabled.

If you want a "project", one thing I would recommend would be to take some old beige box, any old beige box, stick two network adapters in it and set up your own DIY hardware firewall. My personal favourite of the DIY hardware firewalls is SmoothWall Express, which dedicates any ye' olde machine into a robust firewall and IDS solution. It is, not to mention, also free (open source) under the GNU General Public License, and runs on top of its own preconfigured hardened copy of Linux, which 9 times out of 10 beats the pants off of any Windows machine in security. It also comes with Snort, which is without a doubt one of the absolute best IDS products (free and open-source as well) out there. Snort can be a heck of a challenge to set up, but SmoothWall pretty much has it all handled. You just need to update the rules regularly. It's quite easy to install (it is pretty much pre-configured), and configuring and monitoring it is done through a web interface. Considering your apparent technical level, you shouldn't be really overloaded over installing and setting one up. But again, it's up to you whether you want to or not. This is just _icing_ and is not considered essential.


----------



## alcopup (Nov 10, 2006)

excellent advice, I have a spare box here that is well on its way to becoming a hardware firewall!

Have also implemented a rule in Serv-U that bans any IP address that makes more than 3 login attempts in 3 hours.

I am going with smoothwall on the "firewall" machine and am investigating an IDS for the local host.

Have you any experience of Snort for Windows?

Anonymous access is disabled.

How do I go about configuring the ACL?

If I configure Serv-U to accept only FTP over SSL, other than typing ftps to access it, are there any other conditions my friends would have to meet in order to connect?

Once again, any help or advice you can offer is hugely appreciated.

Regards,

Pup
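As an added illustration (not part of this thread, and not Serv-U's own code or log format), the following Python script implements the kind of rule alcopup describes above: it counts failed logins per source IP across sessions in a sliding 3-hour window and reports which addresses crossed the threshold. The log lines and their format are constructed for the example. It also shows, using the pattern from the first post, why the per-session limit alone (three attempts, then "connection lost") is not enough on its own: the same address simply reconnects as the next session number and gets three more tries, so the counter has to be keyed on the IP rather than the session.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (NOT real Serv-U output). Assumed line format:
#   <date> <time> session=<n> ip=<addr> <EVENT> [user=<name>] [reason=<text>]
# Session 126 is cut off after three failures, then the same IP comes back
# as session 127 and tries three more names, exactly as described in the thread.
SAMPLE_LOG = """\
2006-11-10 02:14:03 session=126 ip=203.0.113.45 CONNECT
2006-11-10 02:14:05 session=126 ip=203.0.113.45 LOGIN_FAIL user=ADMINISTRATOR
2006-11-10 02:14:07 session=126 ip=203.0.113.45 LOGIN_FAIL user=ADMINISTRATOR
2006-11-10 02:14:09 session=126 ip=203.0.113.45 LOGIN_FAIL user=ADMINISTRATOR
2006-11-10 02:14:09 session=126 ip=203.0.113.45 DISCONNECT reason=max_login_attempts
2006-11-10 02:14:12 session=127 ip=203.0.113.45 CONNECT
2006-11-10 02:14:14 session=127 ip=203.0.113.45 LOGIN_FAIL user=ADMINISTRATOR
2006-11-10 02:14:16 session=127 ip=203.0.113.45 LOGIN_FAIL user=administrator
2006-11-10 02:14:18 session=127 ip=203.0.113.45 LOGIN_FAIL user=root
2006-11-10 02:14:18 session=127 ip=203.0.113.45 DISCONNECT reason=max_login_attempts
2006-11-10 03:01:10 session=128 ip=198.51.100.7 CONNECT
2006-11-10 03:01:12 session=128 ip=198.51.100.7 LOGIN_FAIL user=friend1
2006-11-10 03:01:20 session=128 ip=198.51.100.7 LOGIN_OK user=friend1
2006-11-10 09:30:00 session=129 ip=198.51.100.7 CONNECT
2006-11-10 09:30:02 session=129 ip=198.51.100.7 LOGIN_FAIL user=friend1
2006-11-10 09:30:05 session=129 ip=198.51.100.7 LOGIN_FAIL user=friend1
2006-11-10 09:30:09 session=129 ip=198.51.100.7 LOGIN_OK user=friend1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) session=(?P<session>\d+) "
    r"ip=(?P<ip>\S+) (?P<event>[A-Z_]+)(?: user=(?P<user>\S+))?"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "session": int(m.group("session")),
            "ip": m.group("ip"),
            "event": m.group("event"),
            "user": m.group("user"),
        })
    return events


def find_offenders(events, max_failures=3, window_hours=3):
    """Return {ip: timestamp of the failure that crossed the threshold}.

    Mirrors the 'more than N attempts in M hours' rule from the thread. Failed
    logins are counted per source IP across all sessions (assumption: only
    LOGIN_FAIL counts, so friends who eventually log in are not penalised).
    A deque per IP holds the timestamps inside the sliding window.
    """
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)
    banned = {}
    for ev in events:
        if ev["event"] != "LOGIN_FAIL" or ev["ip"] in banned:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > max_failures:
            banned[ev["ip"]] = ev["ts"]
    return banned


def usernames_tried(events, ip):
    """Sorted list of user names a given IP attempted, for the log review."""
    return sorted({ev["user"] for ev in events
                   if ev["ip"] == ip and ev["event"] == "LOGIN_FAIL"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, when in find_offenders(evs).items():
        print(f"ban {ip} at {when}; names tried: {usernames_tried(evs, ip)}")
```

With the sample above, only the address behind sessions 126 and 127 is reported, at the fourth failure in the window (02:14:14), even though each individual session never exceeded the per-session limit of three; the friend with two typos in session 129 is left alone because the earlier failure at 03:01 has aged out of the 3-hour window. Lowering the threshold or widening the window trades fewer attacker attempts against more false bans of legitimate users, which is the same accessibility-versus-security balance Cellus points out.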


----------

