* ftp configuration clarification
From: Chuck Hallenbeck @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Hi people,
I hope someone can help clarify something for me. I have two Linux
systems, each behind a firewall that permits anything to go out, but
accepts connections from only specified ports. I have ports 20 and 21
open on both machines. One machine runs an ftp server, vsftpd, and the
other uses the standard ftp client. Everything works great: logging in,
uploading, downloading, the works.
Except I want to implement passive mode on the server. My concern is
about my firewalls. Should I open other ports to support passive mode?
Should they be server side ports or client side ports? None of the
documentation I have discusses firewall issues, except to say passive
mode is useful when the client is behind a firewall. But what about
when the server is also behind a similar firewall?
Anybody have vsftpd working with passive mode? How in heck did you do
it?
Thanks,
Chuck
--
The Moon is Full
My home page with some downloads is at http://www.mhcable.com/~chuckh
The early bird may get the worm, but the second mouse gets the cheese.
* Re: ftp configuration clarification
From: Chuck Hallenbeck @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Doug,
You make a strong case for caution. Any simple way to detect the
possible compromise? I presently examine my daily log of incoming and
outgoing emails for anomalies, check for rootkits, etc., and have so
far been fortunate (I think).
BTW, the answer to my original question seems to be that I ought to
open ports on the server side to support passive mode. The only
possible benefit seems to be I could close port 20. Not much of a
benefit, and way too much risk.
Chuck
--
The Moon is Full
My home page with some downloads is at http://www.mhcable.com/~chuckh
The early bird may get the worm, but the second mouse gets the cheese.
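The conclusion reached above (the passive data ports are opened on the server side, in addition to port 21) can be made mechanical. The following is an added example, not code from the thread or from the vsftpd project: a small shell checker that reads the passive range out of vsftpd's own configuration and prints the matching iptables rules, refusing to emit anything when passive mode is on but no bounded range is set. The vsftpd keys (`pasv_enable`, `pasv_min_port`, `pasv_max_port`) and the iptables options are real; the configuration contents, the port range 50000-50100 and the temp-file paths are constructed for the example. It prints the rules rather than applying them, so they can be reviewed first.

```shell
# Added example (not from the thread): derive the server-side firewall rules a
# passive-mode vsftpd needs from vsftpd's own configuration, so the rule set and
# pasv_min_port/pasv_max_port cannot drift apart. The vsftpd keys and iptables
# options are real; the config contents and port range are constructed.

# Read the value of one key from a vsftpd-style "key=value" file, skipping
# comment lines; the last definition in the file wins.
vsftpd_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print the iptables commands (to stdout, not executed) for a server that takes
# FTP control connections on 21 and passive data connections on the configured
# range, and logs and drops every other new inbound TCP connection. Returns 1
# with a reason on stderr when the configuration is not safe to expose.
pasv_firewall_rules() {
    conf="$1"
    enable=$(vsftpd_get "$conf" pasv_enable)
    min=$(vsftpd_get "$conf" pasv_min_port)
    max=$(vsftpd_get "$conf" pasv_max_port)

    case "$enable" in
        YES|yes) ;;
        *) echo "pasv_enable is not YES: passive mode is off, open only port 21" >&2
           return 1 ;;
    esac
    # Both ports must be numeric. vsftpd's default of 0 means "use any free
    # port", which would force the firewall to open the whole ephemeral range.
    case "${min:-x}${max:-x}" in
        *[!0-9]*) echo "pasv_min_port and pasv_max_port must both be set to numbers" >&2
                  return 1 ;;
    esac
    if [ "$min" -eq 0 ] || [ "$max" -eq 0 ] || [ "$min" -gt "$max" ]; then
        echo "passive range must be bounded and ordered (got $min..$max)" >&2
        return 1
    fi

    echo "iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${min}:${max} -m conntrack --ctstate NEW -j ACCEPT"
    # Any other new inbound connection is logged before being dropped, so port
    # scans against the host show up in the kernel log.
    echo "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix 'FW-REJECT: '"
    echo "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP"
}

# Constructed vsftpd.conf for the demonstration (not a real server's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example config
listen=YES
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF

# Second constructed file: passive mode on but no range set (vsftpd default 0),
# which the checker must refuse rather than silently opening everything.
UNBOUNDED_CONF=$(mktemp)
printf 'pasv_enable=YES\n' > "$UNBOUNDED_CONF"

pasv_firewall_rules "$SAMPLE_CONF"
```

Running it prints four rules: accept new connections to 21 and to 50000:50100, then log and drop any other new inbound TCP. Pointing it at the unbounded config exits non-zero with an explanation instead, which is the case the thread is worried about: a passive server whose firewall is "right" only because the whole high range was opened.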
* Re: ftp configuration clarification
From: Doug Sutherland @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Chuck,
I would recommend creating an SSH tunnel between client and server
then doing ftp transfers over the secure tunnel, or some other similar
secure vpn method. I can't say I agree with recent comments stating
who worries about security on home machines. Home machines are
the primary target for hackers so they can be taken over and made
into zombies sending spam and other nasty things. A single infected
PC can send a million spam per day or more. People actually sell
access to compromised machines. Botnets have been created that
control tens of thousands of machines at once. The FBI recently
passed the one million mark in its recorded number of zombie victims.
Granted most of these are windows machines, but linux is popular
enough to become a target also. Do worry about security on home
machines. If you are controlling both of those machines, I would
recommend not opening ports at all until you need them then
closing them when you're done.
-- Doug
* Re: ftp configuration clarification
From: Doug Sutherland @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Chuck,
I once logged into one of my linux boxes and found a home directory
for someone called dave, who installed stuff that goes out on the net
and scans other machines. This is very serious business. That means
my machine is actually doing the scanning. Nobody with any brains
does hacking from their own machine, they log in five, ten or more
machines deep. The topic of detecting breaches is a very deep one,
and if I was to have any ports permanently open I'd look into
software that monitors changes to files like tripwire or similar. Also
set up firewall with logging rules.
I have been hacked more than once; trust me, it is not fun. Hackers
look for easy entry. It's just like home security: they say you should
have bars on your basement windows not because they are
unbreachable but because they are a deterrent; they make the
criminals go to someone else's home without bars. The same is true for
network security, don't make it easy for them. If you ask any security
guru they will say there is no such thing as guaranteed network security.
It is a trade off of risk versus cost, where cost is the effort expended in
securing your system. The only way to be truly secure is to be off the
net. Not viable for most, but having ports open when you don't need to is an
invitation. If you do that, get on security alert lists and follow the known
exploits, update your network software (dns, ftp, etc) as soon as new
versions are created to fix exploit bugs.
-- Doug
* Re: ftp configuration clarification
From: Doug Sutherland @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
I forgot to mention the more simple and more effective.
I used to run more than several machines at once, and
left them on the net all the time, with lax security because
I was unaware of vulnerability. I thought it was cool to
have all this connectivity, and all the grandeur of linux
and other nix with all their free network software.
Now I do this, when I go to sleep or am not actually on
my computer I press the button on my cable modem
that shuts off the network. No network means nothing
to scan and find. If I walk out the door I now actually
shutdown my computer. I have bios password. I have
bios set to not boot from anything but the hard drive.
I have restricted parm in lilo, which means you cannot
enter boot parms. Perhaps I am paranoid but after
being hacked one becomes jittery.
I used to proudly proclaim that I never get viruses
and such because I was smart, then I was humbled.
-- Doug
* Re: ftp configuration clarification
From: Chuck Hallenbeck @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Doug,
Many thanks. Your observations are very sobering. I do keep good logs
here, but do not scan them as often as I should.
Chuck
--
The Moon is Full
My home page with some downloads is at http://www.mhcable.com/~chuckh
The early bird may get the worm, but the second mouse gets the cheese.