10.7. FTP Server Security

Up to now, I have been explaining how to configure a Linux FTP server. Now I will take a look at some examples of using the server in ways other than as intended, and at ways of protecting against them.

The examples considered in this section shocked the Internet community and security specialists, because an FTP server can be used to carry out practically any type of attack: spread viruses, Trojans, and spam; break into servers; and even anonymously scan remote computer ports. In short, an FTP server can be used as a hacker tool.

10.7.1. Intercepting Connections

As you should remember, the process of connecting to the FTP server and the subsequent file transfer comprise the following steps:

  1. The client connects to the server.

  2. The server supplies authorization.

  3. The client requests a file transfer.

  4. The server opens a port and sends the pertinent information to the client.

  5. The client connects to the specified port number and downloads or uploads the file.

Although it is difficult, it is possible to redirect the data connection from the authorized client to another machine. You have to intercept the packet in which the server sends the port number, connect to this port before the authorized client does, and then upload your information to the server or download information from the server to your machine.

The more dangerous case is file uploading. Because the interception happens after authentication, any data can be uploaded without problems: the server does not check that the IP address from which the data connection is made matches the IP address from which the control connection was made.

Most FTP servers today have a built-in function to compare the IP addresses connected to port 21 and to the data port. This makes the attack more difficult to carry out because now the hacker must fake the IP address, which is not an easy task with TCP.

Using IP-address binding does not always solve the problem. If there is an anonymous proxy server or a firewall that masks IP addresses between the FTP client and the server, the FTP server will see not the address of the FTP client but the address of the proxy or the firewall.

You could disable the passive mode, which would dispense with this issue entirely. But this would not be a universal remedy for all security issues. As you will see in the next section, the active FTP mode is also far from secure.

But what did you expect? An active-mode connection can also be intercepted, although this is somewhat difficult to accomplish. When hackers obtain access to a computer connected to an FTP server, all they have to do is to wait until the user of the compromised machine requests a data transfer, and intercept the port.

10.7.2. Scanning Ports

As mentioned in Section 1.1, obtaining as much information as possible about the target machine is the initial break-in stage. Port scanning is one of the ways of collecting primary information. It is, however, dangerous to do this from your own computer, so hackers resort to all types of tricks to mask the scan source.

One of the tricks is placing a PHP or Perl port-scanning script on a server and scanning ports from there. This method has the following shortcomings:

  • You need a server that can execute scripts, which is not always easy to come by.

  • Free servers that can execute scripts require you to register, and keep detailed activity logs. While the registration requirement is no more than a formality that is easy to get around by supplying arbitrary information, the logging part presents a big problem. Most servers nowadays are configured to watch for scanning activities conducted using their resources, and will record any such attempts and call them to the administration's attention. After that, finding the person behind the scan is only a matter of technicalities.

Hackers have come up with an excellent way to make a server scan ports. All you do is connect to an FTP server operating in the active mode.

Refresh your knowledge of how active-mode file transfer is conducted. The FTP client sends the FTP server a request specifying the port on the client computer, to which the server should connect to conduct the file transfer. In addition to the port number, to which the server will send data, the client sends the IP address. But this address does not have to be the client's address! This means that a client whose address is 192.168.1.1 can request the FTP server to connect to any port on a computer with any IP address and the server will be none the wiser. Hackers figured out how to use this peculiarity and make the FTP server scan ports on other computers.

Once I carried out a successful DoS attack on my own server. I made the FTP server scan the computer with the proxy used to connect to the Internet. The proxy server had an attack-detection system installed, which automatically blocked any connection attempts upon detecting any port-scanning attempts. (Such systems are discussed in Chapter 12 ). The scanning was successful, and I went to lunch with the feeling of a job well done. But when I returned, I was swamped with complaints that the FTP server was not working. I checked it out and everything was all right. So I started scratching my head. As it turned out, the FTP server became inaccessible to outside users connecting via the proxy server, because the proxy server detected the scanning and put the FTP server on its black list.

You can use the nmap program to scan ports using the FTP server as follows:

 nmap -b user_name:password@ftp_server:port 

As you can see, this entry looks much like the string used to connect to the server from a Web browser. If an anonymous server is to be used to do the scanning, the user name and the password can be omitted:

 nmap -b ftpserver:port 

If the server uses port 21, the port parameter can also be omitted.

One way of protecting against FTP port scanning is to configure the firewall to disable the active mode, that is, to block port 20, which is most often used as the FTP data port. In this case, all connections are initiated by the client only.

10.7.3. Mailings

The FTP server can be used to send email messages. This is done by placing a text file with the following contents on the server:

 HELO mailserver.com
 MAIL FROM: name@server.com
 RCPT TO: recipient@server.com
 DATA
 The letter body
 .

The entries are SMTP server commands and mean the following:

  • HELO mailserver.com: the SMTP server greeting; the mailserver.com parameter has to be replaced with the real server name

  • MAIL FROM: name@server.com: the sender's address

  • RCPT TO: recipient@server.com: the recipient's address

  • DATA: the command indicating that the letter body is to follow

The last line in the file consists of only a period, because the SMTP server interprets the <CR> and <LF> characters followed by a lone period as the end of the letter. Windows generates this character combination when the <Enter> key is pressed, but Linux generates only a <CR> character. It is only important that the file has some sort of newline delimiter; which one does not matter, because the file will be sent in ASCII mode.

Load this file on the FTP server and execute the following two commands:

 PORT 192,168,1,1,25
 RETR filename

The first entry is the FTP PORT command, telling the server to connect to port 25 of the computer with IP address 192.168.1.1. The first four numbers are the computer's IP address, and the last is the port to connect to. This command can be used to scan server ports manually, but in this case we are after something else.

The second entry is the command that makes the FTP server send the file named filename, with the SMTP commands in it, to that port. The SMTP server sees this as if the FTP server were giving it directives to send the letter, and it executes them. The recipient of the letter will never be able to determine its source: the letter's headers will only point to the FTP server. In this way, malefactors can send anonymous letters without worrying that they will be found out.

The most diverse types of letters can be sent: viruses, Trojans, spam, and so on. Yet another way of using the FTP server to send email messages is to place a large file there and make the server send this file to the SMTP server endlessly. Launching several such processes can be used to pull off a successful DoS attack against a weak SMTP channel.

The only way to protect against such an attack on the SMTP server side is to require authentication to gain access. In this case, the hacker would have to possess a real account that is allowed access to the SMTP server. On the FTP server side, the protection is likewise to authenticate users who want to connect to it. No anonymous connections should be allowed, especially for file uploads.
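The defender-side check that closes both the port-scanning trick of Section 10.7.2 and the mail-relay trick of Section 10.7.3 is to refuse any PORT command whose target is not the client's own address or is a privileged service port. The following is an added example, not code from this book or from any real FTP server; the function names and the sample (client address, PORT argument) pairs are constructed, and the parser follows the six-field h1,h2,h3,h4,p1,p2 encoding that RFC 959 defines for PORT.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not the book's code): the check an FTP server should apply to every
# PORT command so it cannot become a port scanner or an anonymous SMTP relay.

def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Decode an RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"expected six comma-separated numbers, got {len(fields)}")
    nums = []
    for f in fields:
        if not (f.isascii() and f.isdigit()) or int(f) > 255:
            raise ValueError(f"field {f!r} is not a number in 0..255")
        nums.append(int(f))
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return ip, port

def port_command_verdict(control_peer_ip: str, arg: str) -> Optional[str]:
    """Return None if PORT may be honoured, otherwise the reason to refuse it."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return f"malformed PORT argument: {exc}"
    # Rule 1: the data address must be where the control connection came from.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return f"data address {ip} differs from control peer {control_peer_ip}"
    # Rule 2: never deliver a file to a privileged service port (SMTP is 25).
    if port < 1024:
        return f"data port {port} is a privileged service port"
    return None

# Constructed sample of (client address, PORT argument) pairs seen on control channels.
SAMPLE_PORT_COMMANDS = [
    ("10.0.0.5", "10,0,0,5,4,1"),         # ordinary active-mode transfer to port 1025
    ("10.0.0.5", "192,168,1,1,0,25"),     # bounce toward another host's SMTP port
    ("192.168.1.1", "192,168,1,1,0,25"),  # client's own host, but a privileged port
    ("10.0.0.5", "192,168,1,1,25"),       # five fields only: not a valid PORT argument
]

def audit(samples: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the verdict over a batch; return the refused entries with their reasons."""
    refused = []
    for client, arg in samples:
        reason = port_command_verdict(client, arg)
        if reason is not None:
            refused.append((client, arg, reason))
    return refused
```

Note that the address rule alone is defeated by the proxy or masquerading firewall case from Section 10.7.1, which is why the privileged-port rule is kept as a second, independent line of defence.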



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
