Solved

FTP Security

Posted on 2004-08-10
Last Modified: 2013-12-04
Question: Does limiting FTP connections to your site to specific IPs offer much security? I have configured my firewall to allow FTP connections to a single IP, and yet port 21 is still picked up by a scan as being open. My contention is that if port 21 is open, it is still susceptible to the vulnerabilities inherent in FTP. Is this a correct assumption?

Thanks
0
Question by:jstansley
7 Comments
 
LVL 12

Accepted Solution

by:
gidds99 earned 200 total points
ID: 11767988
It offers pretty good security, as limiting the connections to a single IP means that you are limiting the attack surface: if there are vulnerabilities in the FTP server software, they are not exposed, as it will not allow an FTP connection to be established from other IPs.

Other Experts mention IP spoofing which is easy for a determined attacker with tools which are freely available on the web.  The crucial question to ask in my opinion when considering the risks in this type of setup is, how likely is it an attacker will know the IP in the first place so he is in a position to spoof it?  Any danger from IP spoofing is very limited as I see it.

Hope this helps.
0
 

Author Comment

by:jstansley
ID: 11768058
Thanks... so you are saying that despite the fact that port 21 is listed as open on a port scan, an attacker cannot launch an attack unless he knows the specific IP for which the server is configured to accept connections?
0
 
LVL 7

Expert Comment

by:magus123
ID: 11770117
There are scans happening every day, everywhere. They are automated and they look for anything open.
I remember getting infected with a virus within seconds of going on the internet.

Keep these in mind:

1. NAT DSL router / port forwarding for FTP / MAC cloning
2. Firewall at the OS: "configure it to disable ICMP" ping attacks
3. Antivirus at the OS
4. http://www.blackviper.com/ - services either listening or not needed, consider removing
5. netstat, check your open ports
6. www.dslreports.com - check their forum and recommended sites; use certain sites
that do port scans on your computer and recommend what to block or shut down
7. Do level of FTP software and access versus user or anonymous
8. A dedicated hardware firewall
9. Logging, check who or what intrusion, if any
10. Peer Guardian from methlabs - check out their program and the blocklist you can download
for known bad intrusions; works at the OS level. Also consider ProtoWall.

That's all I can remember for now.
0
 
LVL 12

Expert Comment

by:gidds99
ID: 11770286
What I am saying is that I believe that although port 21 is open, the FTP software won't allow an FTP connection to be made unless it originates from that specific IP. Therefore, as no FTP connection can be completed, it is not possible for an attacker to try and exploit any holes which may exist in the FTP server software, as many holes will be exploited by an attacker sending corrupt data over a completed connection in order to exploit vulnerabilities in the FTP server software. By confining connections to a single IP, you are preventing connections from being accepted from other IPs.

Hope this helps.
0
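An added example, not part of the original thread or any poster's code: one way to check why an outside scan still reports port 21 open is to evaluate the firewall ruleset for the scanner's source address. It assumes an iptables-style, first-match ruleset; the rule text and the addresses 203.0.113.10 (permitted client) and 198.51.100.7 (scanner) are constructed.

```python
import ipaddress

# Constructed iptables-save style rulesets (assumption: the firewall is
# iptables-like and evaluates rules top to bottom, first match wins).
RULES_BROAD_FIRST = """\
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 21 -j DROP
"""
RULES_RESTRICTED = """\
-A INPUT -s 203.0.113.10/32 -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 21 -j DROP
"""

def parse_rules(text):
    """Parse '-A INPUT' lines made of simple option/value pairs (no negation)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        rules.append({
            "source": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
            "proto": opts.get("-p"),
            "dport": int(opts["--dport"]) if "--dport" in opts else None,
            "target": opts.get("-j"),
        })
    return rules

def verdict(rules, src_ip, dport=21, policy="DROP"):
    """Return the target of the first rule matching a TCP packet from src_ip.
    The default chain policy of DROP is an assumption of this example."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["proto"] not in (None, "tcp"):
            continue
        if r["dport"] not in (None, dport):
            continue
        if src in r["source"]:
            return r["target"]
    return policy

def exposed_to(rules, probe_ips, dport=21):
    """List the probe sources for which the port would be reachable."""
    return [ip for ip in probe_ips if verdict(rules, ip, dport) == "ACCEPT"]
```

If `exposed_to` returns anything other than the permitted address, an earlier, broader rule is matching before the restriction, and the FTP service is reachable from those sources.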

Question has a verified solution.
