Network / Server Status: Please check often for network / server updates here!
#61
Yeah, I am looking at options for the FTP thing.. I have been looking around to see if there is any way to work around this..
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#62
I just found this and I like the 2nd option; just need to see if Unix and Windows can both do it..

The following chart should help admins remember how each FTP mode works:

Active FTP:
command: client >1024 -> server 21
data: client >1024 <- server 20

Passive FTP:
command: client >1024 -> server 21
data: client >1024 -> server >1024

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side.

Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.
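As an added illustration of the chart above (this is not code from the thread or from the hosting company), a small parser that decodes the client's PORT command and the server's 227 PASV reply into the data connection each one announces, then reports which side's firewall would block it under the compromise described: a server that only accepts inbound data connections inside a limited passive range. The 1025-1075 range and the sample lines are constructed values.

```python
import re

# Server-side policy from the thread's compromise: besides port 21, expose only
# a small passive data-port range. Constructed example range (the thread talks
# about wanting roughly 1025-1075 per server).
PASSIVE_RANGE = (1025, 1075)

# "PORT h1,h2,h3,h4,p1,p2" is sent client -> server in active mode;
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is sent server -> client in passive mode.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def hostport(fields):
    """Decode the six comma-separated fields into (ip, port); port = p1*256 + p2."""
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        raise ValueError("PORT/PASV field out of range")
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def data_connection(line):
    """Return (mode, ip, port) for the data connection a control-channel line
    announces, or None if the line is neither a PORT command nor a 227 reply."""
    m = PORT_RE.match(line)
    if m:
        return ("active",) + hostport(m.groups())
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + hostport(m.groups())
    return None


def firewall_outcome(line, client_allows_inbound=False):
    """Return (mode, port, blocked_by) with blocked_by in {None, "client", "server"}.

    Active: the server dials the client's high port, so it only gets through a
    client firewall that permits inbound high ports (server side is outbound).
    Passive: the client dials the server's high port, which the server firewall
    accepts only when the port lies inside PASSIVE_RANGE.
    """
    info = data_connection(line)
    if info is None:
        return None
    mode, _ip, port = info
    if mode == "active":
        return (mode, port, None if client_allows_inbound else "client")
    lo, hi = PASSIVE_RANGE
    return (mode, port, None if lo <= port <= hi else "server")
```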
#63
I believe Microsoft FTP only uses ports between 1024 & 5000 by default anyway, how about just opening them up?

The following Reg key looks like it allows you to change that range. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

On the Edit menu, click Add Value, and then add the following registry value:

Value Name: MaxUserPort
Data Type: REG_DWORD
Value: 65534
Valid Range: 5000-65534 (decimal)
Default: 0x1388 (5000 decimal)

Doesn't look like you can reduce the range at all from what I can see. This was taken from Q196271.
#64
62 replies to this thread?? Geeeeeeeeeeeeeez
Sorry, I had nothing to add so I thought I would just poke my nose in and lighten the mood.
__________________
~Vixen~ Team Warped MySpace **If you want something done right, get a woman to do it.** All questions, comments, concerns, complaints, frustrations, irritations, aggravations, insinuations, allegations, accusations, contemplations, consternations, or input should be directed elsewhere.
#65
Another Q detailing how the MS FTP Service allocates ports; seems to back up my 1024-5000 range earlier:
http://support.microsoft.com/default...;en-us;Q283679
#66
man--this was the best post reading ever--it was like watching a cheesy drama on TV--or reading one of those bad romance novels. The character development, the plot and a cameo by Lindsey--man, you can buy entertainment like this...

On a more topical note--come on everybody, this is a resellers forum, right? We all resell web space and services--how many people have their own box in here? Do you mean to tell me that nobody has had that box go down for days even? Yes we are paying for a service here, but has anyone ever sat down and calculated how cheap (inexpensive) this service is? My company bills on average $135 dollars an hour to color pictures!!! Brad and the rest of his crew practically bleed thru the eyes for all of us and some of you have the balls (as we Americans sometimes say) to come in here and have a temper tantrum...

Here are some non-technical tips from your uncle bootNumlock:

1. Downtime is a fact of life--get some client skills and learn how to educate your clients to this fact.
2. 99.9% uptime is measured over what time period? It doesn't matter, it will never be true and will always be true at the same time--it's like betting in Vegas--the house always wins... every second that ticks by is tipping the deck in their favor.
3. This is the most refreshing business relationship any of us will ever have, especially in a technology field. The people associated with vortech/matrix are genuine, dedicated and extremely polite and professional--unless you yank their chain and are dead wrong!!!
4. Unless you are fleecing your clients, you can't possibly be charging that much for your hosting and your clients can't possibly be --oh, wait--sure the clients will be freaking out--they are all trying to get something for nothing (but that wouldn't apply to any of us)

I relate this to my crew and my clients... This is the last thing, I promise... When you buy a car, or even better, let's say lease a car--if it breaks, who pays for it? If you have a warranty, you might use that--but you don't get money back... but if you don't have a warranty, you pay out of your pocket. Even if you are currently paying to use that vehicle, you pay to fix it if it breaks--what if your web hosting worked that way? If you did it yourself, it would work that way. That is why we need/have matrix--they are like our warranty.

Oh wait, one last tip from uncle bootNumlock... Anger is useless... stress is worse--guess who is the only person that can make you angry or cause you stress? Look in the mirror. Live happy, live longer and write good code.

Thank You
Good Night
__________________
boot numlock
#67
Very nicely written bootNumlock02.
That's alls I got to say. [Translation] (That is all I have to say.)
__________________
DS
#68
http://support.microsoft.com/default...;en-us;Q283679 is what I found today as well. But there should be a way to reduce this to, say, 1025-1075 per server; that's more than good per server, but so far I can't find it. We are able to do it on the Unix servers and we are testing this now in proftpd. So it may work in there, but I must be able to match the ports in Windows as well to get it to work for all accounts..

Good old MS has to make everything hard.. proftpd is like one line.
#69
I don't think MS makes it hard, I think we like to push the envelope and find the limits!
__________________
DS
#70
It should be in the metabase for MSFTP but I have been unable to find it on any server yet..
Not sure if I am just looking in the wrong place or what..
#71
I've been trolling the metabase too, haven't found anything either, Brad.

Opening another 3900 ports is still at least going to be better than having 65,000 open.

edit: One thing I think you need to remember is that MSFTP isn't really a "full" FTP server; yes, it follows the RFCs, but I don't believe it was ever designed to be used for "real work".

Last edited by Brangwyn : 05-14-2003 at 10:25 PM.
#72
Yeah, Windows and real work never seem to go well together, do they..

We could try and switch everyone to Serv-U but then there is another security issue with that.. Are there hacks or anything for that port range 1025-5000? I know Terminal Server runs on 3389 and I know I can change that port on the server and client side.. Hmmm... If that's the only thing in that range then we may be safe or at least OK to allow it.
#73
That range is pretty clear, a few trojans run there, but they are easy to catch/monitor.
#74
Yeah, I think it should be pretty safe.. just taken a look at my IDS logs for the last month and virtually every hit on my server was on low ports anyway, < 1024 (I get about 200-300 hits per day).

The vast majority of trojans communicate over high ports, 30000+, though when they release their payload (the DDoS) this will be on a low port. You shouldn't really have to worry about trojans on the system as these would require privileged instruction usage to actually install first (perhaps achieved by a buffer overflow attack, but again this would likely be on a low port to a known application).
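An added example of the check behind this post (not code from the thread): it tallies IDS hits by the port buckets the thread discusses and lists the sources that already probed the 1025-5000 range that opening MS FTP's default passive ports would expose. The log layout and its entries are constructed; a real IDS export needs its own field parsing.

```python
from collections import Counter

# Port buckets discussed in the thread: privileged ports below 1024, the
# default Windows dynamic range MS FTP allocates passive ports from
# (1024-5000), and the high range where most trojans were said to listen.
def bucket(port):
    if port < 1024:
        return "low (<1024)"
    if port <= 5000:
        return "msftp dynamic (1024-5000)"
    if port >= 30000:
        return "high (30000+)"
    return "other (5001-29999)"


# Constructed sample in a minimal "timestamp src_ip dst_port" layout.
SAMPLE_LOG = """\
2003-05-14T10:01:02 198.51.100.7 21
2003-05-14T10:02:15 198.51.100.7 80
2003-05-14T10:03:44 203.0.113.9 3389
2003-05-14T10:05:01 203.0.113.9 1433
2003-05-14T10:07:30 192.0.2.44 30500
2003-05-14T10:08:12 192.0.2.44 22
garbage line that should be skipped
"""


def parse_hits(log_text):
    """Yield (src_ip, dst_port) for each well-formed line, skipping the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[1], int(parts[2])


def hits_by_bucket(log_text):
    """Count hits per port bucket, e.g. {"low (<1024)": 3, ...}."""
    return dict(Counter(bucket(port) for _, port in parse_hits(log_text)))


def probes_in_range(log_text, lo=1025, hi=5000):
    """Distinct (src, port) pairs seen inside the range you are about to open,
    so you know what already targets it (3389, Terminal Server, sits in there)."""
    return sorted({(src, port) for src, port in parse_hits(log_text)
                   if lo <= port <= hi})
```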
#75
Hi guys,

I know you are working hard there to stop DDoS and make the server serve faster. I said 2 times in support emails that after the FTP firewall configuration on your server, me and some of my customers can't connect to the FTP server with their FTP clients like WS FTP. The problem is obvious. We are behind a firewall and you are also behind a firewall. So we can't move to ACTIVE MODE and your server can't work with PASSIVE mode. So what is the result? Easy answer: we can't connect to UPLOAD and DOWNLOAD through the FTP server.

So this is the answer which I got from the support through the email:

As you read in the forum post, this was done to 1) increase security, making it less likely for the servers to be hacked and lose your information, 2) block unnecessary traffic, thus increasing the speed of the servers, making accessing and loading your sites faster, and 3) although some people are having problems because of this, many are not and we are helping those with problems.

So it means you are helping and many don't have any problem. But for example me and 4 of my customers in Germany and Sweden have the problem. They have some critical information which they have to update each day. Even in some cases, when 2 customers have the problem, it means you should care about it more. Now I am so worried about more incoming complaints each hour from my customers and I don't know what kind of answer I have to give to these non-professional users??

Any fast and practical comment is appreciated at the moment.

Alireza
From World of ICE : FINLAND