bill's blog

Just another WordPress weblog

Browsing Posts tagged FTP

First of all, we should all know by now that FTP is not the most secure protocol there is: user IDs and passwords are passed on the wire as plain text. So my approach to finding FTP servers was to use Google, and as a search string I entered inurl:ftp. This yielded 23,400,000 hits.


ftp://ftp.porcupine.org/pub/security/index.html

This site belongs to Wietse Venema. For those of you who are not aware, Wietse Venema is the author of Postfix, one of the most popular MTAs (Mail Transfer Agents). Additionally, he is the author of a number of security-related applications; SATAN and The Coroner’s Toolkit are just two of them. Interestingly enough, his web presence is run via the FTP protocol, so technically it isn’t a web site. The site is used to distribute all of the above-mentioned applications, including a few others not mentioned, all of which he has worked on. These are applications that we as UNIX administrators should be aware of, if not use on a regular basis.

Next stop, back to Google… The search string inurl:ftp. inurl:mil yielded about 9,250 hits… much less, BUT a bit more interesting. This time, instead of using a browser to access the site, I chose to use an FTP client. My choice… CyberDuck!

ftp://ftp.nga.mil

This site seems to be dedicated to the transfer of GPS and flight plan documentation. I was able to find data on air traffic routes in China:

ftp://ftp.nga.mil/Aero-esfd/TO_ST_LOUIS/HAWAII/ChinaAIP Sup 08_004 (Atch)/315.jpg

OR how about Swedish Armed Forces Jeppesen approach charts?

ftp://ftp.nga.mil/Aero-esfd/TO_ST_LOUIS/GERMANY/SWEDEN MIL CL2 SUP 6029-6032 OF 2009.pdf

It seems someone in this organization is using a Nortel Ethernet Routing Switch 8600 using Software Release 4.0.3.2. This could be of interest to someone profiling this site.

ftp://ftp.nga.mil/pub2/unltest/p80rn4032.pdf

BUT of interest to me was that I could upload to /pub2/giat_files/incoming. Now I must say that the directory was set up as a drop box, so it could not be exploited as a warez site. As for the rest of the directories on this site, permissions were set so that one could download from or enter the more interesting directories.

FTP can be a valuable tool, but care must be taken to secure the site as much as possible. We use FTP to transfer files to different parts of the organization. While some of the sites are external to the company, many are not! They are located behind our corporate firewalls. They are protected with firewall rules on the host itself… only certain sites have access to the manufacturing drawings, as not all individuals within the company need access to them. Where the sites are external, other protocols are used, SFTP for one.

People need to be able to transfer data from one part of the organization to another. The mail system is NOT designed to handle the load of constant file transfers. Not only that, but individuals who do transfer files via email inevitably use their inboxes as a filing cabinet for these emails.

“Oh, I need to keep this file for future reference!”

This creates problems for the email and helpdesk technicians. They have to warehouse these files, and depending on governmental regulations this could create a storage nightmare, as the files need to be kept for extended periods of time. Rebuilding a user’s inbox is the bane of any administrator’s day!

“Why can’t they archive off these emails?”

The collection, storage, and distribution of data files is not going to go away anytime soon. With today’s push for greener IT, I fear the storage demands will only grow. One must find a method to centrally organize these assets to avoid duplication of resources. A side benefit of central storage is the ability to better control the accessibility of these files. While I’m not sure whether or not those documents at ftp://ftp.nga.mil were for public distribution, it’s probably safe to say that some of the materials up on that site could be used for other than their intended purpose. If you’re going to put your assets out online, you had better protect both the host and the files it contains!

Apple has had ipfw (ipfirewall) since version 1.2 of OSX. ipfw is the Mac OS X built-in kernel-level IP firewall. Unfortunately, it was tucked away in directories that Apple tried to keep hidden from its users. Originally, Apple felt it was going to be able to shield end users from the ugliness of the UNIX command line. Apple’s claim to fame has always been its GUI (the Finder), which by the way has yet to be open sourced. Editing the appropriate files with a text editor was not something Mac users were very comfortable doing. Early adopters of OSX had to either delve into the UNIX underpinnings or do without. This caused many users not to make use of ipfw. Fortunately, a graphical user interface was finally added in version 10.2. Unfortunately, the interface was not very robust.

One nice feature included in Leopard’s (OSX 10.5) firewall is the addition of an Adaptive Firewall. This gives you the ability to set up firewall rules based on an application rather than a particular port. What this really means for an administrator is that now you don’t have to hunt down which ports to open for, say, iChat. In the past you had to know that UDP ports 5060, 5190, 5297, 5298, 5678, and 16384 through 16403 had to be open to allow full functionality; miss one of them and you may spend a day trying to figure out why the video chat doesn’t work. Now all you have to do is specify that you want to allow iChat and the firewall knows which ports to open for you. Apple has a great Knowledge Base article on which ports to open if you’re using a hardware firewall. The article can be found at http://support.apple.com/kb/HT1507. Configuring the firewall has been moved to the Security Preference Pane. Please note: in versions of OSX prior to 10.5 it was found in the Sharing Preference Pane.

Figure 1

The image in figure 1 shows the Application Firewall configuration sheet. It is a bit cryptic and needs some explaining. “Allow all incoming connections” is the same thing as having the firewall turned off. The “Allow only essential services” setting turns the firewall on but limits the ports that are opened to a certain few system services, one example being zero-conf. This setting will block file sharing and remote access even though they are turned on! In an article published for Macworld online, Rich Mogull explains,

“You should use this option only if you really want to block everything. I use this option when I’m on potentially hostile networks, such as those in hotels or public hotspots, and don’t want to bother with manually turning off all my shared services.” (Mogull, 2008)

The last option is “Set Access for Specific Services And Applications”. This gives you access to OSX’s Application Firewall. The basic configuration here is to select an application and then determine whether you want to allow or block the network traffic going to it. The Application Firewall then determines which ports to open (see figure 2). This provides for broad strokes rather than precise cuts. This is good for the casual user but not if you want or need finer control. If that is the case, you’ll need to configure ipfw using a third-party application (discussed later in this section).

Figure 2

There are two more features that should be turned on. They can be found by selecting the “Advanced…” button (see figure 2).

Figure 3

The sheet that is presented when you select the “Advanced…” button allows for the enabling of logging and stealth mode (figure 3). Logging should be selected. As you start to secure your machine, you will come across situations where your firewall isn’t performing the way it should, and the log is a really great place to start looking for problems with your rule base. The logs detail which rule was triggered, where (destination) the rule was triggered from, and which service was being accessed. Additionally, after your firewall is properly configured it is essential to monitor this log. It will tell you where your machine is being attacked/probed and from where. Once you have this information you can tighten up firewall rules even further by enabling rules that block the attacker’s IP address or IP range.

Stealth mode should be enabled! But what is stealth mode? IP-based data communications can be broken down into 3 main areas.

1. TCP (or Transmission Control Protocol) is a connection-based IP protocol.
2. UDP (or User Datagram Protocol) is a connectionless protocol.
3. ICMP (or Internet Control Message Protocol).

Stealth mode deals specifically with one and three. They are both connection based, and because of this the IP stack creates what is called a handshake between the two hosts that are trying to communicate. This handshake can be used by an attacker to probe a target machine to see which services are being run. Once this is done the attacker can then start executing attacks against services with known vulnerabilities. Stealth mode drops the connection so that it appears to the attacker that your machine isn’t even there. The attacker sees nothing and hopefully will move on to easier prey.

One interesting thing to note with regard to OSX 10.5’s implementation of its Application Firewall is that it creates digital signatures of the applications allowed using “Set Access for Specific Services and Applications”. This can present a significant problem with applications that write data back into the .app folder. One application that comes to mind is Skype.

As mentioned before, the Application Firewall is great for the average user, but what if you want more control? Over the years, many software developers have tried to reinvent the wheel and distribute their own firewalls. These applications for the most part made setting up a firewall much more Mac-like, but at the cost of network performance. These third-party firewalls sat on top of the networking stack rather than tying directly into ipfw. Other software developers concentrated on developing a better interface over the top of ipfw. Mac OSX’s firewall is built in as part of the core UNIX system software, so it’s a secure and efficient firewall implementation that, when enabled, won’t negatively affect network performance (White, 2008). One such third-party front-end application is WaterRoof, written by Hany El Imam. WaterRoof lets you add and remove rules with a simple interface. You can also set some network options, and you can back up the configuration and install a startup script. You can see logs and create simple or graphic statistics (El Imam, 2007).

Another nice feature of ipfw is that it can be used both to limit the network traffic trying to get to a host and to limit what types of traffic the host can send. In corporate environments, more often than not, usage of the Internet is dictated by policies. Some of these policies may, and often do, restrict FTP from a user’s desktop out onto the Internet. Trying to configure this with OSX’s built-in graphic tools can be a bit restrictive. You can block an application but not necessarily the ports that the application uses to communicate with other servers. Understanding that this is a fine line, this is where third-party applications come into play. WaterRoof makes that very simple. It has a built-in wizard that guides you through the process.

Figure 4

In figure 4, rule 1000 reads: deny ip from me to any dst-port 21,20. Translated into English, the rule is: deny my machine (me) from making a connection on ports 21 and 20 (the ports used by FTP) to anyone else (any dst). So let’s test this. The Terminal output below is a telnet session to an FTP server located at IP address 192.168.25.75. Normally one should see this:

mission-control:~ billheese$ telnet 192.168.25.75 21
Trying 192.168.25.75...
Connected to 192.168.25.75.
Escape character is '^]'.
220- -----------------------------------------------------------------
220- Conair's Creative FTP Server - Unauthorized Access is Prohibited!
220- The local time is Thu Jul 10 16:00:11 2008.
220- You are connected from 192.168.25.215.
220- -----------------------------------------------------------------
220- ftpcreative.st.conair.com FTP server (Version: Mac OS X Server 10.3.9 003 - +GSSAPI) ready.

But when the rule is activated you see this:

mission-control:~ billheese$ telnet 192.168.25.75 21
Trying 192.168.25.75...
telnet: connect to address 192.168.25.75: Permission denied
telnet: Unable to connect to remote host

Side Note: This administrator didn’t do such a good job at securing this host. The last line of the FTP banner clearly states which operating system the server is running and which options were compiled into the version of the FTP software the system is running. It is this information that an attacker can use to target a particular exploit against this host.

One last thing of extreme importance when configuring your firewall… Think twice before committing any change to a firewall on a remote host! If the configuration is not done properly you could lock yourself out, with the console as the only way of getting back in.

Resources:

El Imam, H. (2007). WaterRoof IPFW firewall frontend. Retrieved Feb 2, 2009, from http://www.hanynet.com/waterroof/index.html

Mogull, R. (2008, Mar 20). How to configure Leopard’s firewall. Retrieved Feb 3, 2009, from http://www.macworld.com/article/132558/2008/03/connect2504.html?t=234

White, K. M. (2008). Apple Training Series: Mac OS X Support Essentials (2nd Edition). Berkeley, CA: Peachpit Press.

One thing that every network administrator needs to keep in mind is that without computers and end users there would be no need for your network. Why do I say this? Unfortunately, over the years we’ve seen a proliferation of targeted attacks on companies, perpetrated using the Internet. Money can be made by attacking corporate networks looking for credit card information and then selling the information for profit. In fact, the term cyber-warfare is no longer in the realm of science fiction. In May of 2007, Russia launched a DDoS attack against government and banking computers. The Estonian government says its state and commercial websites – including a number of banks – are being bombarded by mass requests for information – overwhelming their computer servers (bbc.co.uk, 2007).

So what are we to do? We do what man has done since the beginning of time. We build layers of defenses to thwart our attackers. We need to understand what (the data) we are trying to protect. We also need to understand what is considered normal, so that when things become ‘odd’ we understand that something is not right. According to a 2005 survey conducted by the FBI, 87% of those polled have conducted security audits to serve as a baseline for a meaningful security program (fbi.gov, 2005). Baselines should be taken of end users’ computers to make sure they have not been infected with viruses or backdoors; of servers, for the same reason, as well as to record which services are being run; and of network traffic, so that you have an understanding of what a healthy network looks like under normal conditions. Once baselines are completed, checks must be performed at regular intervals to ensure that no unauthorized changes have occurred. Unfortunately, in many organizations this is where things break down. In today’s economic climate, dollars and resources are scarce. Following up on procedures often takes a back seat to the more imminent problems of the daily break/fix routine.

Once the baselines are established, rules can be entered into the security device with a clear understanding of the trade-offs that will be required to secure your environment. Firewall rules can get very complicated. Many appliance-based devices try to make understanding your rules easier, but others miss the mark terribly. Simply put, firewall rules are a series of allow or deny statements. These statements contain criteria through which the firewall knows whether to let the packet pass or stop it in its tracks. One important thing to keep in mind is whether the allow statement takes precedence over the deny statement or vice versa. Different firewalls handle this very differently. Be sure you know how your firewall handles this; otherwise you’ll find no packets getting through.

So what do these rules look like?

Priority  Action  Service  Source          Destination   Time          Day
1         Deny    Any      *               LAN           *             *
2         Allow   Any      LAN             *             *             *
3         Deny    Any      129.33.82.0/24  *             *             *
4         Deny    FTP      192.168.1.55    WAN           9:00 - 17:00  M,T,W,TH,F
5         Allow   SSH      69.0.54.198     192.168.1.45  17:00 - 9:00  *

So what does this all mean? This firewall is a deny/allow-based system. Let’s take a look at the rules one at a time:

Rule 1: Denies all access from everywhere to anywhere on the LAN. This is a pretty generic rule. It covers the network administrators in case they miss setting up an explicit rule for a service.

Rule 2: ALLOWS all users on the LAN to access anything in the outside world. In other words, LAN users can go anywhere.

Rule 3: Is an explicit rule. It stipulates that anyone from the 129.33.82.0/24 network is DENIED access to ANY service, even those allowed on this network.

Rule 4: Is an explicit rule that DENIES the computer using 192.168.1.55 from accessing FTP servers outside of the LAN. This rule is in effect during business hours, Monday through Friday. (It seems this user might be abusing something.)

Rule 5: Is an explicit rule that ALLOWS access to the SSH server outside of business hours. This is one way to help protect and minimize your exposure. Additionally, they could have specified an IP address to ALLOW access from, thereby minimizing their exposure even more.

These rules are fairly simple and easy to follow. However, in a real environment they can get quite complex. In many corporations, firewalls are used as a means of restricting access for troublesome or abusive individuals. Unfortunately, this puts the network administrator in the role of having to deal with HR issues, rather than Human Resources dealing with the issue more directly.
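To make the precedence question concrete, here is an added example (my own code, not from the post or any firewall product) that evaluates the five-rule table above under three assumed policies: first match in priority order, deny overrides, and allow overrides. It assumes the LAN is 192.168.1.0/24 (the post never says) and that a packet matching no rule is denied.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "priority action service source destination time days")
LAN = ip_network("192.168.1.0/24")   # assumed LAN range; the post never states it

# The five rules from the post's table, transcribed row by row
RULES = [
    Rule(1, "Deny",  "Any", "*",              "LAN",          "*",            "*"),
    Rule(2, "Allow", "Any", "LAN",            "*",            "*",            "*"),
    Rule(3, "Deny",  "Any", "129.33.82.0/24", "*",            "*",            "*"),
    Rule(4, "Deny",  "FTP", "192.168.1.55",   "WAN",          "9:00 - 17:00", "M,T,W,TH,F"),
    Rule(5, "Allow", "SSH", "69.0.54.198",    "192.168.1.45", "17:00 - 9:00", "*"),
]

def addr_matches(pattern, addr):
    ip = ip_address(addr)
    if pattern == "*":
        return True
    if pattern in ("LAN", "WAN"):
        return (ip in LAN) == (pattern == "LAN")
    return ip in ip_network(pattern, strict=False)   # single host or CIDR

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def time_matches(window, hhmm):
    if window == "*":
        return True
    start, end = (minutes(t.strip()) for t in window.split("-"))
    now = minutes(hhmm)
    if start <= end:                         # same-day window, e.g. 9:00 - 17:00
        return start <= now < end
    return now >= start or now < end         # overnight window, e.g. 17:00 - 9:00

def rule_matches(rule, service, src, dst, hhmm, day):
    return (rule.service in ("Any", service)
            and addr_matches(rule.source, src)
            and addr_matches(rule.destination, dst)
            and time_matches(rule.time, hhmm)
            and (rule.days == "*" or day in rule.days.split(",")))

def decide(service, src, dst, hhmm, day, policy="first_match", rules=RULES):
    """Return (action, priority of the deciding rule) for one packet.
    first_match: walk the table in priority order, the first hit decides.
    deny_wins / allow_wins: every hit is considered and that action overrides."""
    hits = [r for r in sorted(rules) if rule_matches(r, service, src, dst, hhmm, day)]
    if not hits:
        return ("Deny", None)                # assumed implicit default deny
    if policy != "first_match":
        wanted = "Deny" if policy == "deny_wins" else "Allow"
        hits = [r for r in hits if r.action == wanted] or hits
    return (hits[0].action, hits[0].priority)
```

Run the same packets through each policy and the post's intent for rules 4 and 5 only holds under one of them: with first match, rule 2 lets 192.168.1.55 reach outside FTP during business hours and rule 1 swallows the after-hours SSH allow of rule 5.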

Resources:

Unknown. (2005, July 25). Headline Archives. Retrieved Feb. 27, 2007, from http://www.fbi.gov/page2/july05/cyber072505.htm

Unknown. (2007, May 17). Estonia hit by ‘Moscow cyber war’. Retrieved January 17, 2009, from http://news.bbc.co.uk/2/hi/europe/6665145.stm