Re: Rock solid firewall and server :-) now about to punch a hole in my firewall, but need advice.

From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 05/08/04


Date: 7 May 2004 16:31:29 -0700

vidaubannais@caramail.com (iffriganovitch) wrote in message news:<7f003b70.0405061530.726f9878@posting.google.com>...
> Hi,
>
> I have a RedHat 9.0 system using firestarter as a firewall.
> I have configured the firewall to block anything, but what I really
> need as now (access to HTTP servers).

Are you saying that you do or that you do not have httpd running?
Apache? This _might_ be the easiest way to share files -- i.e.,
allowing others to download files from you.

> Now, I would like to share files with friends - I think ftp is a good
> choice as my mates don't need to install an extra client software on
> the other side.
> I see that wu-ftp is very easy to use (and webmin is great to set it
> up).

Just because something is easy to use/setup is no reason to run it --
especially the less you understand how to secure it. wu-ftp has a
rather long history of security weaknesses and will probably attract a
lot of attention from crackers that imagine, probably correctly, that
you don't know how to secure it. RH no longer -- as of RH9 --
encourages its use (partly for security reasons and partly for
copyright reasons). wu-ftp is probably securable by someone familiar
with its weaknesses and ftp in general, but it's way more server (and
way more complex) than you need. Why invite those that mean you no
good? Use something with simpler features that is less complex.

> So I have setup an anonymous ftp account (I can't be asked to setup
> users etc... plus if someone is interested by what is available on the
> ftp server, good for him/her), which works fine.
>
> Now, I am about to open my ftp server to the wild by punching a hole
> on my firewall, but before doing so, I would like to know first if
> this is a security risk for the server (apart from the security
> vulnerabilities wu-ftp developers come across from time to time and
> fix quickly).

Ftp is an inherently "more dangerous" service because it actually runs
a "command shell" to process ftp commands. Also, there is nothing in
the protocol that assures that arbitrary commands are in any way
related to legitimate use by legitimate connections. Connection
tracking by the FW can help some. This provides a tempting avenue for
_planting_ and _invoking_ backdoors into your system.

> A friend of mine told me it is safe, but some others tell me that some
> people can gain root access by telnet-ing the ftp port ... Is this true?

You do _not_ need an ftp client (i.e., telnet will do) to use ftp. Same
for smtp (mail).
Sorry ;-( Most crackers of any skill are quite good at using telnet!

> (if it is true, it stinks!) ... Also is there anything more I
> need to know before hand?

For someone with limited familiarity with offering up inet services, the
best/easiest thing you can do is get some background -- like you're
doing now. Invoking ftpd via xinetd will let you apply access rules
_and_ means the ftp daemon is not continuously running/exposed.
Tcpwrappers is very similar. The ftp daemon only runs _after_ someone
has been authorized to use it. If you get more ambitious, you could
run Squid in front of it as a "reverse" proxy and apply access rules
(and others) there.

> I don't expect a lengthy explanation here - just a couple of pointers
> easy to understand (I have seen a lot of stuff over ftp security on
> different servers etc... on the internet, but I am not a computer pro
> ... need to hear human-understandable things here :o)
>
> Thanks!

Also check out the docs available for your distro -- RH offers a
bunch. Try this one:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ftp.html
and while you're at it get the whole set at:
http://www.redhat.com/docs/manuals/linux/

Get used to checking your logs to make sure someone isn't trying to
use your server to launder connections or to use it as a porno storage
site -- sure you know how to find cleverly hidden directories? The
bad guys have much more practice at this than you. E.g., sure you
would spot the /usr/ etc directory and catch it? What about the .
directory? Or the . directory? Spaces can trick the eyeballs quite
effectively.

Do you plan to restrict file system use by ftp to a single, separate
partition? If you are going to allow your friends (and others you
don't know about) to upload as well as download files this is best.

If you're only offering downloads, why not use a web server behind
xinetd offering files from a single partition? If you're going to
allow file uploading, just accept the responsibility of requiring some
sort of authentication/authorization. At the least, it will probably
save you embarrassment. Even then, check those logs!

hth,
prg
email above disabled
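An added example that is not part of the original post: a small POSIX shell scan that flags directory names of the kind the reply above warns about, i.e. names made only of dots and spaces, names with embedded whitespace, dot-prefixed names, and names that mimic system directories such as "usr" or "etc". The directory tree it builds is constructed sample data; the function names and the list of look-alike names are assumptions of this example, not anything taken from the post or the Red Hat docs.

```shell
#!/bin/sh
# Added example, not from the original post. Walks an FTP upload tree and
# flags directory names that are easy to misread at a glance. Needs only
# POSIX sh, find, tr, printf and mktemp. Names containing a newline are not
# handled (find | while read splits on newlines).

tab=$(printf '\t')

# classify_name NAME -> prints a label, or nothing if the name looks normal
classify_name() {
    name=$1
    # Names consisting of nothing but dots and spaces (". ", ".. ", "  .")
    if [ -z "$(printf '%s' "$name" | tr -d '. ')" ]; then
        echo "dots-and-spaces-only"
        return 0
    fi
    case $name in
        *' '*|*"$tab"*)          echo "contains-whitespace" ;;
        .*)                      echo "dot-prefixed" ;;
        bin|etc|lib|tmp|usr|var) echo "system-look-alike" ;;   # assumed list
    esac
}

# scan_dirs ROOT -> one line per suspicious directory: "<label>: [<path>]"
# The brackets make leading/trailing spaces visible in the output.
scan_dirs() {
    root=$1
    find "$root" -type d | while IFS= read -r d; do
        if [ "$d" = "$root" ]; then
            continue
        fi
        label=$(classify_name "${d##*/}")
        if [ -n "$label" ]; then
            printf '%s: [%s]\n' "$label" "$d"
        fi
    done
}

# count_suspicious ROOT -> number of flagged directories
count_suspicious() {
    scan_dirs "$1" | wc -l | tr -d ' '
}

# make_sample_tree ROOT -> constructed upload area: "docs" is clean, the
# other five directories should each be flagged (sample data, not real)
make_sample_tree() {
    root=$1
    mkdir -p "$root/pub/docs"
    mkdir -p "$root/pub/. "        # dot followed by a space
    mkdir -p "$root/pub/.. "       # two dots and a space
    mkdir -p "$root/pub/usr /etc"  # "usr " (trailing space) holding "etc"
    mkdir -p "$root/pub/.hidden"   # dot-prefixed
}

# Demo on the constructed tree; replace with your real upload root, e.g.
# scan_dirs /var/ftp/pub
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
scan_dirs "$demo_root"
rm -rf "$demo_root"
```

Run it as a cron job over the upload partition and diff the output against the previous run; a new line is a new place to look.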
