Communication Security: Web Based Services • Chapter 5 333
for making files available to the public over the Internet. However, it also presents a
security threat. Anonymous connections to servers running the FTP process allow
the attacking station to download a virus, overwrite a file, or abuse trusts that the
FTP server has in the same domain.
Blind FTP involves making files available to the public only if they know the
exact path and file name. By configuring FTP servers so that users are unable to
browse the directory structure and their contents, the user is only able to download
a file if they know where it is and what it’s called. For example, if a user were
going to download a file called blinded.zip that’s stored in the PUBLIC directory
on a Web server called ftp.syngress.com, they would use a link to the file that
points to ftp://ftp.syngress.com/public/blinded.zip.
FTP attacks are best avoided by preventing anonymous logins, stopping unused
services on the server, and creating router access lists and firewall rules. If anonymous
logons are required, the best course of action is to update the FTP software
to the latest revision and keep an eye on related advisories. It is a good idea to
adopt a general policy of regular checks of advisories for all software that you are
protecting.
FTP Sharing and Vulnerabilities
Although FTP is widely used, there are a number of vulnerabilities that should be
addressed to ensure security. As we’ll see in Exercise 5.03, FTP authentication is
sent as cleartext, making it easy for someone with a packet sniffer to view user-
names and passwords. Because hackers and malicious software could be used to
obtain this information quite easily, when traffic doesn’t need to cross firewalls or
routers on a network, it is important to block ports 20 and 21.
Port 21 is the control port for FTP, while port 20 is the data port. FTP uses
port 21 to begin a session, accessing the port over TCP to provide a username and
password. Because FTP doesn’t use encryption, this information is sent as cleartext,
allowing anyone using a packet sniffer to capture the packet and view this
information. To avoid such attacks, encryption should be used whenever possible to
prevent protocol analyzers from being used to access this data.
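To show what a sniffer on port 21 actually sees, here is an added example (not from the book) that parses a constructed FTP control-channel transcript, pulls out each USER/PASS pair, and flags anonymous logins that use an e-mail address as the password, the two situations the surrounding text describes. The host name ftp.example.test and all credentials in the capture are made up.

```python
"""Review a captured FTP control-channel (TCP/21) exchange for cleartext
and anonymous logins. Added illustration; not code from the book."""
import re

# Constructed sample of what a packet sniffer sees on port 21.
# Client lines start with "C:", server replies with "S:".
CAPTURE = """\
S: 220 ftp.example.test FTP server ready
C: USER anonymous
S: 331 Guest login ok, send your email address as password
C: PASS someone@example.test
S: 230 Guest login ok, access restrictions apply
C: RETR /public/blinded.zip
S: 150 Opening BINARY mode data connection for blinded.zip
S: 226 Transfer complete
C: USER alice
S: 331 Password required for alice
C: PASS S3cret!
S: 230 User alice logged in
"""

ANON_USERS = {"anonymous", "ftp"}          # conventional anonymous accounts
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def extract_logins(capture):
    """Return one dict per USER/PASS pair found in the client side of the capture."""
    logins, user = [], None
    for line in capture.splitlines():
        if not line.startswith("C: "):
            continue
        cmd, _, arg = line[3:].partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            anon = user.lower() in ANON_USERS
            logins.append({
                "user": user,
                "password_exposed": arg,   # readable by anyone on the path
                "anonymous": anon,
                "email_as_password": anon and bool(EMAIL_RE.match(arg)),
            })
            user = None
    return logins

def findings(capture):
    """Reviewer-style findings: every login on port 21 travelled in cleartext."""
    out = []
    for entry in extract_logins(capture):
        kind = "anonymous login" if entry["anonymous"] else "named account"
        out.append(f"{kind} '{entry['user']}' sent cleartext password on port 21")
    return out
```

Running `findings(CAPTURE)` on the sample yields one finding for the anonymous session and one for the named account; the same parser works on any client-side FTP command lines extracted from a real capture.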
It is important to be careful with user accounts and their permissions on FTP
servers. If users will only be downloading files and don’t require individual
accounts, then a server could be configured to allow anonymous access. In doing
so, anyone could log in to the account without a password, or by using their e-mail
address as a password. Not only does this make it easier to distribute files to users,
but it also removes the need to worry about authentication information being
www.syngress.com