How Do I Make sure my FTP site is Secure?

I have an FTP site set up on a Windows XP machine using IIS 5.1.  It works fine but the client has required that we make it an FTPS site.  How do I make sure this site is secure?
Dave Howe (Software and Hardware Engineer) commented:
No, IIS in xp (and indeed, in server 2008) doesn't do sftp.

SFTP isn't any form of ftp - it's a file transfer protocol based on the secure shell format (SSH) - however, for security you should not install a full ssh server (even though you can) but should use the sftp server here:

that will refuse "shell" connections and supports only file transfer connections.

on the bright side, sftp is much, much easier to work through firewalls - unlike ftp and ftps, there is only one connection, it is tcp inbound, and it is on port 22 (although I would change that or you will get 20-30 chinese kiddiez per hour hammering on the password interface trying to get in :)
NotVeryFat commented:
I'd recommend using different software.

Try either FileZilla ( or, simpler but very good, FreeFTPd ( which uses SFTP.
cpet11 (Author) commented:
My apologies, I meant SFTP; does that change anything?
Not much you can do with IIS 5.1, but you can harden your IIS to secure it from threats.

cpet11 (Author) commented:
So you're saying IIS in Windows XP does NOT provide SFTP and that I have to use a program like FileZilla or freeSSHd?
Better go for GlobalScape products - you have to pay for a license.
Dave Howe (Software and Hardware Engineer) commented:
erm, freesshd is, well, free....
cpet11 (Author) commented:
I have FreeFTPd set up and it works great internally.  I have SFTP set up using port 30; I just need to open that port in my Cisco PIX Firewall and point it towards the FTP server's static internal IP.

Unfortunately I'm not as experienced with ACLs as I want to be.  How do I get this through my firewall? Or should I open up another ticket for that?
Dave Howe (Software and Hardware Engineer) commented:
you should do a static nat in your pix firewall (if you don't already) then add to the ACL a "permit tcp any host <ip> eq 30"

but ooh, a pix - oldschool, haven't seen one of those for a long while....
cpet11 (Author) commented:
everything here is oldschool, a few are still running Windows 2000, I dare say one or 2 running 98 or NT. I'm going to see if I can get more info on the firewall.
cpet11 (Author) commented:
It's a Cisco PIX 520.    What command do I need to do the NAT and ACL exactly?

SFTP on TCP port 30

Internal static IP of FTP Server:   x.x.x.46
External Static IP of FTP server:  x.x.x.59

Internal static IP of PIX Firewall:     x.x.x.1
External Static IP of PIX Firewall:   x.x.x.61
Dave Howe (Software and Hardware Engineer) commented:
you should replace <ip> with the static external IP of the FTP server - so x.59

assuming you want to make it the fourth line of acl "outside_in" then the line would be:

access-list outside_in line 4 permit tcp any host x.x.x.59 eq 30
cpet11 (Author) commented:
I will try that tomorrow when I get into work.

am I correct in assuming it is standard practice in ACLs to list all "allow" statements first, "deny" statements next, and a deny all statement last?

I just want to make sure I put this rule in the right spot in my ACL. How can I view my full ACL config?

Will "PIX# show config" work?  I've worked with CLI in Cisco routers and switches but not in firewalls.
Dave Howe (Software and Hardware Engineer) commented:
usually an acl has an implicit deny all at the end - but adding an explicit one doesn't hurt.

you can do allow-then-deny, and there are arguments for that. sometimes you want to carve out a niche though - say you want to allow a port range for a given inbound, but NOT one or two specific ports. it is more efficient to block those ports, then allow the whole range, than to break up the allow into multiple smaller ranges. Sometimes also you want to put all the rules for one IP into a block, so you would allow (say) six ports on an ip, then block all others to that IP; then if someone allows blanket access to a port further down the acl, you know that won't include the ip you just denied.

normally to show the current acl (with line numbers) you use "show access-list <name>"
if you aren't sure which access list, then doing "show run | inc access-group" will usually show you which ACLs are applied to which interfaces.
I'm not an expert on firewalls, but in FreeFTPd you can also only allow explicit IP addresses to connect.
Dave Howe (Software and Hardware Engineer) commented:
Sure, but if you have an enterprise-class cisco firewall, you might as well block/allow from there :)
cpet11 (Author) commented:
"you should do a static nat in your pix firewall (if you don't already) then add to the ACL a "permit tcp any host <ip> eq 30""

You've helped me add to the ACL, but what about the NAT you mentioned earlier?
Dave Howe (Software and Hardware Engineer) commented:
if your ftp server already has an external IP I assumed you had one :)

you should have a line starting "static (inside,outside)" with the two IPs (real/lan and external) on it, and a /32 subnet mask.
cpet11 (Author) commented:
I thought a /30 was the smallest you could go?

Also, commands I know should be working aren't. The command you gave me, "show run | inc access-group", does not work; "show running-config" does not work either. I know that command is accepted by almost all Cisco OSes and is even listed in the command list for PIX firewalls on Cisco's website.

I keep getting "Type help or '?' for a list of available commands."

Is this a way of this firewall showing its age, or am I missing something?  I ran these commands in privileged "enable" mode.
Dave Howe (Software and Hardware Engineer) commented:
/32 means it only applies to ONE IP - which is what you want.
/30 is the smallest practical subnet - one network address (addr 0), one broadcast, two usable ips -
but for mapping it's fine. similarly, if you wanted to allow two IPs through an access list (and the IPs happened to be in the appropriate positions) you could do <ip> and have it match <ip> and <ip+1>

for show run to work you need to be in enable mode - try typing "en" and your password again.
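As an added illustration (not code from the thread, from Cisco, or from any of the participants) of the two points Dave makes above - the ACL line must name the external address of the static, and a PIX ACL is first-match with an implicit deny at the end, so carve-out denies belong before the broad permit - here is a small Python model of how a PIX 6.x evaluates an inbound connection. The addresses are constructed stand-ins for the thread's redacted x.x.x.46 and x.x.x.59, and the rule syntax is a simplified subset of the `permit tcp any host <ip> eq 30` form used above; it also models the `/32` versus `/30` netmask behaviour of a `static` that the later replies discuss.

```python
# Added example (not from the thread or Cisco): a model of PIX 6.x inbound
# processing -- undo the static NAT, then run a first-match ACL on the
# outside interface with the implicit deny-all at the end.
# Addresses are constructed stand-ins for the thread's redacted x.x.x.46
# (inside) and x.x.x.59 (outside).  Rule syntax handled:
#   permit|deny tcp|udp|ip <any|host A|A/len> <any|host B|B/len> [eq N | range A B]
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (any protocol)
    src: str                          # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    ports: Optional[Tuple[int, int]]  # inclusive destination-port range, or None


def _take_addr(tokens: List[str]) -> str:
    """Pop one address term ('any', 'host X' or 'X/len') off the token list."""
    first = tokens.pop(0)
    return "host " + tokens.pop(0) if first == "host" else first


def parse_rule(text: str) -> Rule:
    """Parse one entry such as 'permit tcp any host 203.0.113.59 eq 30'."""
    tokens = text.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + text)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    ports = None
    if tokens:
        op = tokens.pop(0)
        if op == "eq":
            port = int(tokens.pop(0))
            ports = (port, port)
        elif op == "range":
            ports = (int(tokens.pop(0)), int(tokens.pop(0)))
        else:
            raise ValueError("unknown port operator: " + op)
    return Rule(action, proto, src, dst, ports)


def _addr_matches(term: str, addr: str) -> bool:
    if term == "any":
        return True
    if term.startswith("host "):
        return ip_address(addr) == ip_address(term[5:])
    return ip_address(addr) in ip_network(term, strict=False)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int):
    """First match wins; no match means the implicit deny.
    Returns (decision, 1-based ACL line number or None)."""
    for lineno, rule in enumerate(acl, start=1):
        if rule.proto not in ("ip", proto):
            continue
        if not (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)):
            continue
        if rule.ports and not rule.ports[0] <= dport <= rule.ports[1]:
            continue
        return rule.action, lineno
    return "deny", None


def untranslate(statics, dst_global: str) -> Optional[str]:
    """statics: (global_net, real_net) pairs, one per
    'static (inside,outside) <global> <real> netmask <mask>' line.
    A /32 mask maps exactly one host; a wider mask maps the whole block
    offset-for-offset (Dave's '<ip> and <ip+1>' case)."""
    g = ip_address(dst_global)
    for gnet, rnet in statics:
        if g in gnet:
            return str(rnet.network_address + (int(g) - int(gnet.network_address)))
    return None


def inbound(statics, acl: List[Rule], src: str, dst_global: str, dport: int):
    """Inbound TCP on the outside interface.  On PIX 6.x the outside ACL is
    matched against the GLOBAL (external) address, before the static is
    undone, which is why the thread's rule names x.x.x.59 and not x.x.x.46.
    Returns (decision, matched_line, inside_ip or None)."""
    real = untranslate(statics, dst_global)
    if real is None:
        return "deny", None, None          # no static: nothing to deliver to
    decision, lineno = evaluate(acl, "tcp", src, dst_global, dport)
    return decision, lineno, (real if decision == "permit" else None)


# Constructed: static (inside,outside) 203.0.113.59 192.168.1.46 netmask 255.255.255.255
STATICS = [(ip_network("203.0.113.59/32"), ip_network("192.168.1.46/32"))]
# Constructed: a /30 static mapping four consecutive globals onto four reals
STATICS_BLOCK = [(ip_network("203.0.113.56/30"), ip_network("192.168.1.44/30"))]

ACL_OK = [parse_rule("permit tcp any host 203.0.113.59 eq 30")]     # the thread's rule
ACL_WRONG = [parse_rule("permit tcp any host 192.168.1.46 eq 30")]  # names the inside IP
# Dave's carve-out: deny two specific ports first, then permit the whole range...
ACL_CARVEOUT = [parse_rule("deny tcp any host 203.0.113.59 range 20 21"),
                parse_rule("permit tcp any host 203.0.113.59 range 20 30")]
# ...and the same two lines reversed, where the permit shadows the deny.
ACL_SHADOWED = list(reversed(ACL_CARVEOUT))

if __name__ == "__main__":
    for acl, port in ((ACL_OK, 30), (ACL_OK, 22), (ACL_WRONG, 30)):
        print(port, inbound(STATICS, acl, "198.51.100.7", "203.0.113.59", port))
    for acl in (ACL_CARVEOUT, ACL_SHADOWED):
        print([evaluate(acl, "tcp", "198.51.100.7", "203.0.113.59", p) for p in (21, 30)])
```

Running it shows the rule written against the inside address never matches, port 22 falls through to the implicit deny, and swapping the two carve-out lines lets ports 20 and 21 through. One caveat for anyone reading this thread on newer gear: from ASA 8.3 onward interface ACLs match the real (untranslated) address, so the same rule would name x.x.x.46 there; the model above is the PIX 6.x behaviour discussed here.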
cpet11 (Author) commented:
I was in enable mode, I had a # instead of a >

PIX passwd:

Welcome to the PIX firewall

Type help or '?' for a list of available commands.
MMAPIX> enable
Password: ************
MMAPIX# show run | inc access-group
Type help or '?' for a list of available commands.
MMAPIX# show run ?
Type help or '?' for a list of available commands.
Dave Howe (Software and Hardware Engineer) commented:
maybe inc isn't supported, but it would need to be a really really old copy.

try just "show run", or failing that "show ?"

with show run you can use putty or something to copy it to a text file and search for the line there. inc is easier though.
cpet11 (Author) commented:
MMAPIX# sho ?
aaa             Enable, disable, or view TACACS+ or RADIUS
                user authentication, authorization and accounting
aaa-server      Define AAA Server group
access-group    Bind an access-list to an interface to filter inbound traffic
access-list     Add an access list
age             This command is deprecated. See ipsec, isakmp, map, ca commands
alias           Administer overlapping addresses with dual NAT.
apply           Apply outbound lists to source or destination IP addresses
arp             Change or view the arp table, and set the arp timeout value
auth-prompt     Customize authentication challenge, reject or acceptance prompt
blocks          Show system buffer utilization
ca              CEP (Certificate Enrollment Protocol)
                Create and enroll RSA key pairs into a PKI (Public Key Infrastru
checksum        View configuration information cryptochecksum
chunkstat       Display chunk stats
clock           Show and set the date and time of PIX
conduit         Add conduit access to higher security level network or ICMP
configure       Configure from terminal, floppy, or memory, clear configure
conn            Display connection information
cpu             Display cpu usage
crypto          Configure IPsec, IKE, and CA
debug           Debug packets or ICMP tracings through the PIX Firewall.
dhcpd           Configure DHCP Server
domain-name     Change domain name
dynamic-map     Specify a dynamic crypto map template
eeprom          show or reprogram the 525 onboard i82559 devices
enable          Modify enable password
established     Allow inbound connections based on established connections
failover        Enable/disable PIX failover feature to a standby PIX
filter          Enable, disable, or view URL, Java, and ActiveX filtering
fixup           Add or delete PIX service and feature defaults
flashfs         Show, destroy, or preserve filesystem information
fragment        Configure the IP fragment database
global          Specify, delete or view global address pools,
                or designate a PAT(Port Address Translated) address
h225            Show the current h225 data stored for each connection.
h245            List the h245 connections.
h323-ras        Show the current h323 ras data stored for each connection.
history         Display the session command history
http            Configure HTTP server
icmp            Configure access for ICMP traffic that terminates at an interfac
interface       Identify network interface type, speed duplex, and if shutdown
ip              Set the ip address and mask for an interface
                Define a local address pool
                Configure Unicast RPF on an interface
                Configure the Intrusion Detection System
ipsec           Configure IPSEC policy
isakmp          Configure ISAKMP policy
local-host      Display or clear the local host network information
logging         Enable logging facility
map             Configure IPsec crypto map
memory          System memory utilization
mtu             Specify MTU(Maximum Transmission Unit) for an interface
name            Associate a name with an IP address
nameif          Assign a name to an interface
names           Enable, disable or display IP address to name conversion
nat             Associate a network with a pool of global IP addresses
outbound        Create an outbound access list
pager           Control page length for pagination
passwd          Change Telnet console access password
pdm             Configure Pix Device Manager
processes       Display processes
rip             Broadcast default route or passive RIP
route           Enter a static route for an interface
service         Enable system services
session         Access an internal AccessPro router console
shun            Manages the filtering of packets from undesired hosts
snmp-server     Provide SNMP and event information
ssh             Add SSH access to PIX console, set idle timeout, display
                list of active SSH sessions & terminate a SSH session
static          Map a higher security level host address to global address
sysopt          Set system functional option
tech-support    Tech support
telnet          Add telnet access to PIX console and set idle timeout
terminal        Set terminal line parameters
tftp-server     Specify default TFTP server address and directory
timeout         Set the maximum idle times
traffic         Counters for traffic statistics
uauth           Display or clear current user authorization information
url-cache       Enable URL caching
url-server      Specify a URL filter server
version         Display PIX system software version
virtual         Set address for authentication virtual servers
vpdn            Configure VPDN (PPTP, L2TP) Policy
vpngroup        Configure a policy group for VPN clients
who             Show active administration sessions on PIX
xlate           Display current translation and connection slot information
cpet11 (Author) commented:
MMAPIX# show version

Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)

Compiled on Thu 17-May-01 20:05 by morlee

MMAPIX up 299 days 23 hours

Hardware:   AL440LX, 32 MB RAM, CPU Pentium II 267 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0090.273a.6036, irq 11
1: ethernet1: address is 0090.273a.468c, irq 10
2: ethernet2: address is 0090.273a.1f43, irq 9

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Disabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

Serial Number: 18057972 (0x1138af4)
Activation Key: 0x1d41e45c 0x775edc5d 0xcdac3343 0xf8b0f3f5
Sorry to butt in chaps, but would the firewall stuff be better as a separate question? That way, this ensures that more points can then be allocated to the very helpful firewall gurus...

Just a thought!
cpet11 (Author) commented:
An outside consultant helped me finish this up.  I ended up having him configure the terminal using

 conduit no permit tcp host INSIDE_NOTICING eq 30 any
 conduit no permit tcp host OUTSIDE_NOTICING eq 30 any

wr m

Everything is working great now.

My original problem was solved here though, thank you for your help. Freeftpd is really easy to use.
cpet11 (Author) commented:
Ran into a secondary problem with the firewall, but my primary problem was getting an SFTP server up, which was answered and solved quickly.

I am very satisfied with the way this went.
Dave Howe (Software and Hardware Engineer) commented:
erm, wha?

Conduits were deprecated in pix v5 - no way should a consultant still be using them in a 6.0 config :(