[NCLUG] Securing ftpd

Michael Dwyer mdwyer at sixthdimension.com
Tue Mar 20 15:21:28 MST 2001


----- Original Message -----
From: "dobbster" <dobbster at dobbster.com>
To: <nclug at nclug.org>
Sent: Tuesday, March 20, 2001 1:39 PM
Subject: Re: [NCLUG] Securing ftpd


> > There /are/ Windows ports of SSH/SCP but they are usually console-only
> > apps.  Windows users typically shudder at the thought of trying to find
> > a file and send it using a command prompt.
> > If your users are enlightened, you might look into PuTTY, or Cygwin.  I
> > believe they both provide SCP.  If not, you can always shell out the
> > money to F-Secure...
> > I think you can find suggestions at http://www.openssh.com/windows.html
>
> I figured there might be things like that out there.  I know my users
> won't like them, but they may have to deal with them...

I found WinSCP at that link.  It's got PuTTY built in, and works
rather well.  The interface is kind of counter-intuitive (you
cannot drag and drop files across), but it's probably quite a
bit more understandable to your Windows users than straight
pscp or scp.

> They try the usual stuff - Hitting port 111, 143 and 1080 (which are all
> closed) telnet (closed) and FTP (open, but with anon ftp disabled).  I
> run portsentry on all of my machines, which seems to help a lot - It
> automatically adds systems to hosts.deny.  inetd.conf is pretty much
> clean, except for ftp.

Probably automated scans across the 216.17 subnet.  You and
I should compare logs to see if we're getting scanned from
the same places.

Make sure FTP is the latest and greatest version.  What they
probably do is see that you are running it, then come back
later to see if it is vulnerable.

> I admit, I still run sendmail.  I've never learned much about postfix.

Using Obtuse SMTPd (part of the Juniper Firewall Toolkit) helps
the security of Sendmail quite a bit.

> Usually an individual makes a pass at my systems and then moves on, but
> recently this one individual has stuck around.  They've tried everything
> that I can think of to get in.

Well, good.  They're probably not in, yet, then. :)  If they
are always from the same subnet, you might be able to block
the whole subnet at the router.

> For that matter, (I know this has been discussed before) is there an
> obvious way to tell if they have succeeded?  'ls' and other commands
> still seem intact.

Run nmap (www.insecure.org) against your own machine.  Look for
mysterious ports open.
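As an added example, not part of the original message, here is one way to do the two things suggested above with the portsentry output mentioned in the thread: compare two administrators' hosts.deny entries to see whether the same sources are probing both, and check whether the blocked hosts cluster in one subnet closely enough to justify a router block. The "ALL: a.b.c.d" line format and all addresses are constructed sample data, and the threshold is an assumption.

```python
# Added example (not from the original post): read portsentry-style hosts.deny
# entries, find sources common to two logs, and count blocked hosts per subnet.
import ipaddress
from collections import Counter

# Constructed sample of what portsentry appends to /etc/hosts.deny, one host per line.
MY_HOSTS_DENY = """\
ALL: 203.0.113.17
ALL: 203.0.113.42
ALL: 203.0.113.99
ALL: 198.51.100.5
"""
FRIEND_HOSTS_DENY = """\
ALL: 203.0.113.42   # same scanner seen from the other site
ALL: 192.0.2.8
ALL: 203.0.113.200
"""

def parse_hosts_deny(text):
    """Return the set of IPv4 addresses listed in 'ALL:' entries (comments ignored)."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("ALL:"):
            continue
        for token in line[4:].replace(",", " ").split():
            try:
                hosts.add(ipaddress.IPv4Address(token))
            except ValueError:
                pass  # hostnames and wildcards such as ALL are skipped
    return hosts

def shared_sources(a, b):
    """Addresses present in both logs: likely the same scanner hitting both sites."""
    return a & b

def subnet_counts(hosts, prefix):
    """Count blocked hosts per /prefix network (e.g. 16 or 24)."""
    return Counter(ipaddress.ip_network(f"{h}/{prefix}", strict=False) for h in hosts)

def candidate_router_blocks(hosts, prefix=24, threshold=3):
    """Subnets with at least `threshold` distinct probing hosts (threshold is assumed)."""
    return sorted(n for n, c in subnet_counts(hosts, prefix).items() if c >= threshold)

if __name__ == "__main__":
    mine, theirs = parse_hosts_deny(MY_HOSTS_DENY), parse_hosts_deny(FRIEND_HOSTS_DENY)
    print("seen by both:", sorted(map(str, shared_sources(mine, theirs))))
    print("subnets worth blocking:", [str(n) for n in candidate_router_blocks(mine | theirs)])
```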
