Solved

How Do I Make sure my FTP site is Secure?

Posted on 2011-03-08
611 Views
Last Modified: 2012-05-11
I have an FTP site set up on a Windows XP machine using IIS 5.1.  It works fine but the client has required that we make it an FTPS site.  How do I make sure this site is secure?
Question by:cpet11
28 Comments
 
LVL 5

Assisted Solution

by:NotVeryFat
NotVeryFat earned 25 total points
ID: 35070597
I'd recommend using different software.

Try either FileZilla (http://filezilla-project.org/), or FreeFTPd (http://www.freesshd.com/), which is simple but very good and uses SFTP.
0
 

Author Comment

by:cpet11
ID: 35070628
My apologies, I meant SFTP. Does that change anything?
0
 
LVL 8

Expert Comment

by:dkumar82
ID: 35070697
Not much you can do with IIS 5.1, but you can harden your IIS to secure it from threats.

ref:
http://sos.its.psu.edu/guides/IIS5.pdf
0
 

Author Comment

by:cpet11
ID: 35070858
So you're saying IIS in Windows XP does NOT provide SFTP and that I have to use a program like FileZilla or freeSSHd?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 100 total points
ID: 35072528
No, IIS in XP (and indeed, in Server 2008) doesn't do SFTP.

SFTP isn't any form of FTP - it's a file transfer protocol based on the secure shell format (SSH) - however, for security you should not install a full SSH server (even though you can) but should use the SFTP server here:

http://www.freesshd.com/

which will refuse "shell" connections and supports only file transfer connections.

On the bright side, SFTP is much, much easier to work through firewalls - unlike FTP and FTPS, there is only one connection, it is TCP inbound, and it is on port 22 (although I would change that or you will get 20-30 Chinese kiddiez per hour hammering on the password interface trying to get in :)
0
 
LVL 8

Expert Comment

by:dkumar82
ID: 35073164
Better go for GlobalScape products - you have to pay for a license.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35073900
Erm, freeSSHd is, well, free....
0
 

Author Comment

by:cpet11
ID: 35086108
I have FreeFTPd set up and it works great internally.  I have SFTP set up using port 30; I just need to open that port in my Cisco PIX firewall and point it towards the FTP server's static internal IP.

Unfortunately I'm not as experienced with ACLs as I want to be.  How do I get this through my firewall? Or should I open up another ticket for that?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35086290
You should do a static NAT in your PIX firewall (if you don't already), then add to the ACL a "permit tcp any host <ip> eq 30".

But ooh, a PIX - oldschool, haven't seen one of those for a long while....
0
 

Author Comment

by:cpet11
ID: 35086540
Everything here is oldschool; a few are still running Windows 2000, I dare say one or two running 98 or NT. I'm going to see if I can get more info on the firewall.
0
 

Author Comment

by:cpet11
ID: 35086874
It's a Cisco PIX 520.    What command do I need to do the NAT and ACL exactly?

SFTP on TCP port 30

Internal static IP of FTP Server:   x . x . x . 46
External Static IP of FTP server:  x . x . x . 59

Internal static IP of PIX Firewall:     x . x . x . 1
External Static IP of PIX Firewall:   x . x . x . 61
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35086936
You should replace <ip> with the static external IP of the FTP server - so x.59.

Assuming you want to make it the fourth line of ACL "outside_in", the line would be:

access-list outside_in line 4 permit tcp any host x.x.x.59 eq 30
0
 

Author Comment

by:cpet11
ID: 35087869
I will try that tomorrow when I get into work.

Am I correct in assuming it is standard practice in ACLs to list all "allow" statements first, "deny" statements next, and a deny-all statement last?

I just want to make sure I put this rule in the right spot in my ACL. How can I view my full ACL config?

Will "PIX# show config" work?  I've worked with the CLI in Cisco routers and switches but not in firewalls.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35088884
Usually an ACL has an implicit deny-all at the end - but adding an explicit one doesn't hurt.

You can do allow-then-deny, and there are arguments for that. Sometimes you want to carve out a niche though - say you want to allow a port range for a given inbound, but NOT one or two specific ports. It is more efficient to block those ports, then allow the whole range, than to break up the allow into multiple smaller ranges. Sometimes also you want to put all the rules for one IP into a block, so you would allow (say) six ports on an IP, then block all others to that IP; then if someone allows blanket access to a port further down the ACL, you know that won't include the IP you just denied.

Normally, to show the current ACL (with line numbers) you use "show access-list <name>".
If you aren't sure which access list, then doing "show run | inc access-group" will usually show you which ACLs are applied to which interfaces.
0
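As an added illustration of the first-match, carve-out and implicit-deny behaviour described in the comment above (example code, not from the thread or from Cisco; the ACL text and the documentation addresses standing in for x.x.x.59 are constructed):

```python
import ipaddress

# Constructed PIX 6.x-style ACL: deny one port first, then permit the whole range,
# and use a 255.255.255.254 mask to cover an even/odd IP pair in a single line.
SAMPLE_ACL = """
access-list outside_in deny tcp any host 203.0.113.59 eq 23
access-list outside_in permit tcp any host 203.0.113.59 range 20 30
access-list outside_in permit tcp any 203.0.113.58 255.255.255.254 eq 22
"""

def _parse_addr(tokens):
    """Consume an address spec (any | host A | A NETMASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX ACLs take a real netmask (not an IOS wildcard); strict=False allows host bits
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _parse_ports(tokens):
    """Consume an optional destination port spec (eq N | range A B); return (lo, hi)."""
    if not tokens:
        return 0, 65535
    if tokens[0] == "eq":
        return int(tokens[1]), int(tokens[1])
    if tokens[0] == "range":
        return int(tokens[1]), int(tokens[2])
    raise ValueError("unsupported port spec: " + " ".join(tokens))

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [PORTS]' lines, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        lo, hi = _parse_ports(rest)
        rules.append((action, proto, src, dst, lo, hi))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First match wins, as on the PIX; returns (action, 1-based ACL line or None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, p, src, dst, lo, hi) in enumerate(rules, 1):
        if p in (proto, "ip") and s in src and d in dst and lo <= dport <= hi:
            return action, n
    return "deny", None  # the implicit deny-all at the end of every ACL
```

Port 23 to .59 hits the deny on line 1 before the range permit on line 2 sees it, and anything no line matches (UDP, port 31, a host outside the /31 pair) falls to the implicit deny.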
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 35093260
I'm not an expert on firewalls, but in FreeFTPd you can also only allow explicit IP addresses to connect.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35093379
@notveryfat:
  Sure, but if you have an enterprise-class Cisco firewall, you might as well block/allow from there :)
0
 

Author Comment

by:cpet11
ID: 35094481
"you should do a static nat in your pix firewall (if you don't already) then add to the ACL a "permit tcp any host <ip> eq 30") "

You've helped me add to the ACL, but what about the NAT you mentioned earlier?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35094574
If your FTP server already has an external IP, I assumed you had one :)

You should have a line starting "static (inside,outside)" with the two IPs (real/LAN and external) on it, and a /32 subnet mask.
0
 

Author Comment

by:cpet11
ID: 35094718
I thought a /30 was the smallest you could go?

Also, commands I know should be working aren't. The command you gave me, "show run | inc access-group", does not work, and "show running-config" does not work either; I know that command is accepted by almost all Cisco OSes and is even listed in the command list for PIX firewalls on Cisco's website.

I keep getting "Type help or '?' for a list of available commands."

Is this a way of this firewall showing its age, or am I missing something?  I ran these commands in privileged "enable" mode.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35094805
/32 means it only applies to ONE IP - which is what you want.
/30 is the smallest practical subnet - one network (addr 0), one broadcast, two usable IPs.
But for mapping it's fine. Similarly, if you wanted to allow two IPs through an access list (and the IPs happened to be in the appropriate positions) you could do <ip> 255.255.255.254 and have it match <ip> and <ip+1>.

For show run to work you need to be in enable mode - try typing "en" and your password again.
0
 

Author Comment

by:cpet11
ID: 35094990
I was in enable mode; I had a # instead of a >

PIX passwd:

Welcome to the PIX firewall

Type help or '?' for a list of available commands.
MMAPIX> enable
Password: ************
MMAPIX# show run | inc access-group
Type help or '?' for a list of available commands.
MMAPIX# show run ?
Type help or '?' for a list of available commands.
MMAPIX#
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35095037
Maybe inc isn't supported, but it would need to be a really, really old copy.

Try just "show run", or failing that "show ?".

With show run you can use PuTTY or something to copy it to a text file and search for the line there. inc is easier though.
0
 

Author Comment

by:cpet11
ID: 35095135
MMAPIX# sho ?
aaa             Enable, disable, or view TACACS+ or RADIUS
                user authentication, authorization and accounting
aaa-server      Define AAA Server group
access-group    Bind an access-list to an interface to filter inbound traffic
access-list     Add an access list
age             This command is deprecated. See ipsec, isakmp, map, ca commands
alias           Administer overlapping addresses with dual NAT.
apply           Apply outbound lists to source or destination IP addresses
arp             Change or view the arp table, and set the arp timeout value
auth-prompt     Customize authentication challenge, reject or acceptance prompt
blocks          Show system buffer utilization
ca              CEP (Certificate Enrollment Protocol)
                Create and enroll RSA key pairs into a PKI (Public Key Infrastru
cture).
checksum        View configuration information cryptochecksum
chunkstat       Display chunk stats
clock           Show and set the date and time of PIX
conduit         Add conduit access to higher security level network or ICMP
configure       Configure from terminal, floppy, or memory, clear configure
conn            Display connection information
cpu             Display cpu usage
crypto          Configure IPsec, IKE, and CA
debug           Debug packets or ICMP tracings through the PIX Firewall.
dhcpd           Configure DHCP Server
domain-name     Change domain name
dynamic-map     Specify a dynamic crypto map template
eeprom          show or reprogram the 525 onboard i82559 devices
enable          Modify enable password
established     Allow inbound connections based on established connections
failover        Enable/disable PIX failover feature to a standby PIX
filter          Enable, disable, or view URL, Java, and ActiveX filtering
fixup           Add or delete PIX service and feature defaults
flashfs         Show, destroy, or preserve filesystem information
fragment        Configure the IP fragment database
global          Specify, delete or view global address pools,
                or designate a PAT(Port Address Translated) address
h225            Show the current h225 data stored for each connection.
h245            List the h245 connections.
h323-ras        Show the current h323 ras data stored for each connection.
history         Display the session command history
http            Configure HTTP server
icmp            Configure access for ICMP traffic that terminates at an interfac
e
interface       Identify network interface type, speed duplex, and if shutdown
ip              Set the ip address and mask for an interface
                Define a local address pool
                Configure Unicast RPF on an interface
                Configure the Intrusion Detection System
ipsec           Configure IPSEC policy
isakmp          Configure ISAKMP policy
local-host      Display or clear the local host network information
logging         Enable logging facility
map             Configure IPsec crypto map
memory          System memory utilization
mtu             Specify MTU(Maximum Transmission Unit) for an interface
name            Associate a name with an IP address
nameif          Assign a name to an interface
names           Enable, disable or display IP address to name conversion
nat             Associate a network with a pool of global IP addresses
outbound        Create an outbound access list
pager           Control page length for pagination
passwd          Change Telnet console access password
pdm             Configure Pix Device Manager
processes       Display processes
rip             Broadcast default route or passive RIP
route           Enter a static route for an interface
service         Enable system services
session         Access an internal AccessPro router console
shun            Manages the filtering of packets from undesired hosts
snmp-server     Provide SNMP and event information
ssh             Add SSH access to PIX console, set idle timeout, display
                list of active SSH sessions & terminate a SSH session
static          Map a higher security level host address to global address
sysopt          Set system functional option
tech-support    Tech support
telnet          Add telnet access to PIX console and set idle timeout
terminal        Set terminal line parameters
tftp-server     Specify default TFTP server address and directory
timeout         Set the maximum idle times
traffic         Counters for traffic statistics
uauth           Display or clear current user authorization information
url-cache       Enable URL caching
url-server      Specify a URL filter server
version         Display PIX system software version
virtual         Set address for authentication virtual servers
vpdn            Configure VPDN (PPTP, L2TP) Policy
vpngroup        Configure a policy group for VPN clients
who             Show active administration sessions on PIX
xlate           Display current translation and connection slot information
MMAPIX#
0
 

Author Comment

by:cpet11
ID: 35095145
MMAPIX# show version

Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)

Compiled on Thu 17-May-01 20:05 by morlee

MMAPIX up 299 days 23 hours

Hardware:   AL440LX, 32 MB RAM, CPU Pentium II 267 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0090.273a.6036, irq 11
1: ethernet1: address is 0090.273a.468c, irq 10
2: ethernet2: address is 0090.273a.1f43, irq 9

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Disabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

Serial Number: 18057972 (0x1138af4)
Activation Key: 0x1d41e45c 0x775edc5d 0xcdac3343 0xf8b0f3f5
MMAPIX#
0
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 35095394
Sorry to butt in chaps, but would the firewall stuff be better as a separate question? That way, this ensures that more points can then be allocated to the very helpful firewall gurus...

Just a thought!
0
 

Author Comment

by:cpet11
ID: 35097091
An outside consultant helped me finish this up.  Ended up having him configure the terminal using

 conduit no permit tcp host INSIDE_NOTICING eq 30 any
 conduit no permit tcp host OUTSIDE_NOTICING eq 30 any

wr m


Everything is working great now.


My original problem was solved here though, thank you for your help. FreeFTPd is really easy to use.
0
 

Author Closing Comment

by:cpet11
ID: 35097161
Ran into a secondary problem with the firewall, but my primary problem was getting an SFTP server up, which was answered and solved quickly.

I am very satisfied with the way this went.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35097174
Erm, wha?

Conduits were deprecated in PIX v5 - no way should a consultant still be using them in a 6.0 config :(
0
