05/13/03 FTP With Firewall in Place
As of 1:30 this afternoon the firewall is in place and I think I'm about done changing the configuration. As such you will have to use PORT FTP, not passive FTP, to use this service. Passive is now disabled because of the range of ports it was using. We will now have a more secure network with real-time tracking of all logs.
#2
Does this have anything to do with this?
All my sites for all my clients are loading extremely fast (which I love); also when using CuteFTP it's faster as well. Throughout the time I've hosted with you guys this has been the fastest ever.
Kudos and keep up the great work. (Did the firewall upgrade contribute to this?)
#3
Yep - thanks for the work and for keeping us updated, Alan. It's appreciated.
__________________
Regards to all
#4
It should make things faster as we keep tweaking the firewall, catching all the bad stuff coming onto the network, and really help speed things up.
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#5
Hmm, I'm having big trouble getting my FTP client to connect now. I have changed it off passive mode, but whenever I try to connect now I get a "500 Invalid PORT command". I'm using BulletProof FTP (BPFTP) if that helps. Is anyone else using it, and has got it to work?
#6
Is your port set to 21?
#7
Yep. Here's the FTP log:

    Connecting to nt18.sniper.co.nz port 21
    Connected, waiting for response...
    220 nt18 Microsoft FTP Service (Version 5.0).
    USER Sniperad
    331 Password required for Sniperad.
    PASS ********
    230 User Sniperad logged in.
    pwd
    257 "/Sniperad" is current directory.
    TYPE A
    200 Type set to A.
    PORT 192,168,1,142,5,103
    500 Invalid PORT Command.
    LIST
    150 Opening ASCII mode data connection for /bin/ls.

and then it just stops. Hmm, actually now that I look at it, it could be something to do with my firewall settings. Oops.

Last edited by Silverbug : 05-13-2003 at 07:07 PM.
#8
Alan, not everyone will be able to use FTP in active mode; this could annoy a few people behind firewalls who do not have the knowledge or access to open those ports up.

Also don't forget ports 20 and 21 are used for FTP. For those who are unclear what all this active/passive stuff means:

Active

In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1024 (server responds to client's control port)
- FTP server's port 20 to ports > 1024 (server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1024 (client sends ACKs to server's data port)

Passive

In order to resolve the issue of the server initiating the connection to the client, a different method for FTP connections was developed. This is known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode. In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1024 (server responds to client's control port)
- FTP server's ports > 1024 from anywhere (client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (server sends ACKs (and data) to client's data port)

Active FTP is beneficial to the FTP server admin, but detrimental to the client-side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Last edited by Brangwyn : 05-13-2003 at 07:35 PM.
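The PORT/PASV address exchange described in the post above, as an added worked example that is not part of the original thread or of any FTP product mentioned in it. It decodes the h1,h2,h3,h4,p1,p2 tuple that a client sends in PORT and that a server returns in its 227 reply to PASV, and it applies the checks a hardened FTP daemon or FTP-aware firewall commonly runs on an incoming PORT command. The peer address 11.22.33.44 and the sample command lines are constructed; the thread does not say which of these checks the hosting provider's firewall actually implemented.

```python
"""Decode and sanity-check the h1,h2,h3,h4,p1,p2 address tuple used by the FTP
PORT command and by the 227 reply to PASV.

Added example, not from the forum post. The peer address 11.22.33.44 and the
sample command lines are constructed for illustration.
"""
import ipaddress
import re

# Six comma-separated decimal octets: four for the IPv4 address, two for the
# port (port = p1 * 256 + p2).
_HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def decode_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if any(x > 255 for x in parts):
        raise ValueError(f"octet out of range in {text!r}")
    ip = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: the argument a client sends in PORT."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' into (ip, port).

    This is the address the client must connect to for the data channel, and
    the tuple an FTP-aware firewall reads to open the server's high port.
    """
    if not line.startswith("227"):
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(line)


def validate_port_command(line, control_peer_ip):
    """Decide whether a server should accept a client's PORT command.

    Returns (accepted, reason). The checks are the ones a hardened FTP daemon
    or FTP-aware firewall commonly applies (assumption: the thread does not say
    which of them the hosting provider's firewall actually implemented):
      - the advertised address must be globally routable; a client behind NAT
        usually sends its private address, which the server cannot reach;
      - the advertised address must equal the control connection's peer, so the
        server cannot be told to open a data connection to a third party;
      - the data port must be unprivileged (> 1023).
    """
    if not line.upper().startswith("PORT "):
        return False, "not a PORT command"
    try:
        ip, port = decode_hostport(line)
    except ValueError as exc:
        return False, str(exc)
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_global:
        return False, f"non-routable data address {ip} (client behind NAT?)"
    if ip != control_peer_ip:
        return False, f"data address {ip} differs from control peer {control_peer_ip}"
    if port <= 1023:
        return False, f"data port {port} is privileged"
    return True, "ok"


if __name__ == "__main__":
    # The PORT line quoted earlier in the thread, evaluated as if received on a
    # control connection from a constructed public address.
    print(validate_port_command("PORT 192,168,1,142,5,103", "11.22.33.44"))
```

Fed the PORT line from the log quoted earlier in the thread, the validator rejects it because the advertised data address 192.168.1.142 is a private address: a client behind NAT tells the server to connect back to an address the server cannot reach, which is exactly the situation active mode cannot cope with and passive mode was designed to avoid. The same decoder reads the server's 227 reply, which is the step at which a server-side firewall would have to learn and open the high port P.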
#9
Brangwyn, we have 20 and 21; we just can't open all them high ports or the firewall would be almost useless.
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#10
I just tested BulletProof FTP and did not have any issues.
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#11
Yeah, I know, but it's the firewall in this building that's giving me grief.
#12
The issue though, Brad, is for people who can't open those ports because they are behind a firewall that they have no control of, e.g. a company firewall. These people are not going to be able to connect at all. I do not see that this is necessarily going to do anything but cause us resellers some grief, which was the whole rationale behind PASV being implemented in the first place. I kind of feel like we've just stepped back 10 years.

Opening > 1024 is not actually a great risk. Many well-known firewall installations do this by default. DDoS attacks are rarely on ports over 1024 as they normally attack defined applications, which all run in the < 1024 space. Trojans and a few nasties like that do (one DDoS I can think of does hit ICQ on port 5xxx or so, and of course good ole SQL Slammer), but any IDS implemented could trap and reject this for you too. It would be fair to say though that many of the "tools" used by DDoS hackers run on high ports, e.g. Trinoo, TFN, TFN2K, though these really fall under the "trojan" category and have required some form of privileged execution attack to have already occurred to have first gotten these programs installed on the server.

I'm interested in Wonderer's comments there about the router in another thread too. Quote:

    Configuring rate limiting for SYN packets could provide a level of protection as well: "rate-limit {input | output} [access-group [rate-limit] acl-index] bps burst-normal burst-max conform-action action exceed-action action"

You might need to do a bit of work determining what your % should be at (I think Cisco normally recommend somewhere between 30 and 50 percent of your burst rate??? but I've not touched any Cisco gear for quite some time).

Last edited by Brangwyn : 05-13-2003 at 08:57 PM.
#13
Well Brad, I just tested my FTP connection through Dreamweaver and WS_FTP Pro, and I CANNOT get through. I have work to do and a deadline of today to do it in, so I would very much appreciate an answer and resolution to this problem that your company has created. Please pay attention to what Brangwyn and the rest of us are telling you and don't just tell us everything is OK because YOU can get through.
__________________
Regards, Dan W. Sign over a SysAdmin's desk: "Just because you are paranoid, doesn't mean they are not out to get you!!"
#14
Same here; my customers already complain; I can't connect via FTP:
"500 Illegal PORT command." Also IP range 65.57.228.17X to 65.57.228.2XX is down; I've already sent a support ticket. And I am running SSH on port 8XXX; I am not able to connect to my shell anymore. Please correct this!
#15
cpanel.nocspeed.com is down at this time also.