Re: firewall & security recommendation

From: David (davidwnh_at_adelphia.net)
Date: 05/21/03


Date: Wed, 21 May 2003 20:54:05 GMT

If you are allowing public internet access to the FTP server, then a better
firewall won't do you much good. They actually will if they give you a DMZ,
etc.; however, the point is that the majority of the protection will lie
within the configuration of the server itself. If you can limit access to
specific IP addresses, then a good stateful, packet-filtering firewall will
be beneficial. Windows Update and the MS Baseline Security Analyzer will
help you keep up with patches and some security issues, but you still have
to look at how you set up the machine. You're best to put your FTP
directories on a disk partition separate from the system partition and use
very tight ACLs, being very particular about read, write, and directory
traversal rights. Also, if you are not restricting the service to read-only
anonymous access, then you have to be very careful with the accounts you use
for access. Make sure they are accounts with few user rights, use account
lockout for bad login attempts, audit and log all FTP access, and change the
name of the admin account on the server. There are a lot of steps to take to
adequately secure an FTP server, so surf the web for the sites providing the
information appropriate for the particular FTP server you use.

> Thanks for the tips. I have everything up to date with Windows Update,
> however I wasn't 100% sure if this addressed every security issue. There are

If you have several LAN users, don't count out the possibility of an insider.
I have seen several instances of LAN users "hiding" their porn, MP3s, etc.
on company servers.
> only a few accounts on the FTP server and it is locked down pretty tight.
> I'm not sure how this person got in and took over. I've been looking at the
> WatchGuard SOHO 6 user and was wondering if anyone would recommend this...
> looks like a solid piece of equipment.
>
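As an added example, not part of David's post or the original thread, the script below turns several of the points above (limit access to specific IPs, anonymous access read-only, account lockout for bad login attempts, audit and log all FTP access, don't expose the admin account name) into checks run over an FTP access log. The log lines are constructed for this example in a simplified W3C extended format with a #Fields directive; the field names, the client allow-list, the lockout threshold and window, and the set of "write" FTP commands are all assumptions here, not taken from any particular FTP server's documentation.

```python
"""Audit a W3C-style FTP access log against a simple hardening policy.

Everything below is an added example: log format, field names, policy
values and the sample log lines are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Policy (assumed values for this example).
LOCKOUT_THRESHOLD = 3                      # failed PASS commands per account ...
LOCKOUT_WINDOW = timedelta(minutes=30)     # ... within this sliding window
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24"),   # assumed allow-list
                   ipaddress.ip_network("198.51.100.0/24")]
WRITE_METHODS = {"STOR", "STOU", "APPE", "MKD", "RMD", "DELE", "RNFR", "RNTO"}
WELL_KNOWN_ACCOUNTS = {"administrator", "admin", "guest", "root"}

# Constructed sample log: one good login, an anonymous upload, a password
# guessing run against "administrator" from outside the allow-list, and a
# single typo by bob that must NOT trigger a lockout.
SAMPLE_LOG = """\
#Software: constructed sample (not real server output)
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-05-21 20:50:01 192.0.2.10 alice USER alice 331
2003-05-21 20:50:02 192.0.2.10 alice PASS - 230
2003-05-21 20:50:05 192.0.2.10 alice RETR /pub/readme.txt 226
2003-05-21 20:51:00 198.51.100.7 anonymous USER anonymous 331
2003-05-21 20:51:01 198.51.100.7 anonymous PASS - 230
2003-05-21 20:51:03 198.51.100.7 anonymous STOR /pub/incoming/movie.avi 226
2003-05-21 20:52:00 203.0.113.5 administrator USER administrator 331
2003-05-21 20:52:01 203.0.113.5 administrator PASS - 530
2003-05-21 20:52:03 203.0.113.5 administrator PASS - 530
2003-05-21 20:52:05 203.0.113.5 administrator PASS - 530
2003-05-21 20:52:07 203.0.113.5 administrator PASS - 530
2003-05-21 21:40:00 192.0.2.10 bob PASS - 530
2003-05-21 21:40:03 192.0.2.10 bob PASS - 230
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                        # other directives are ignored
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                        "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_failed_login(rec):
    """A PASS command answered with a 5xx reply (e.g. 530) is a failed login."""
    return rec["cs-method"] == "PASS" and rec["sc-status"].startswith("5")


def find_lockouts(records, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Sliding-window lockout: account -> time the threshold was reached."""
    recent, locked = defaultdict(deque), {}
    for rec in sorted(records, key=lambda r: r["when"]):
        if not is_failed_login(rec):
            continue
        user = rec["cs-username"].lower()
        if user in locked:
            continue                        # already locked, ignore further tries
        q = recent[user]
        q.append(rec["when"])
        while q and rec["when"] - q[0] > window:
            q.popleft()                     # drop failures outside the window
        if len(q) >= threshold:
            locked[user] = rec["when"]
    return locked


def find_anonymous_writes(records):
    """Anonymous sessions must be read-only; any write command is a finding."""
    return [(r["when"], r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in records
            if r["cs-username"].lower() == "anonymous"
            and r["cs-method"] in WRITE_METHODS]


def find_offnet_clients(records, allowed=ALLOWED_CLIENTS):
    """Client IPs that the firewall/server should not have let through."""
    return sorted({r["c-ip"] for r in records
                   if not any(ipaddress.ip_address(r["c-ip"]) in n for n in allowed)})


def find_well_known_targets(records):
    """Login attempts against default account names (why the admin is renamed)."""
    return sorted({r["cs-username"].lower() for r in records
                   if r["cs-username"].lower() in WELL_KNOWN_ACCOUNTS})


def audit(text):
    """Run every check over one log file and return the findings."""
    records = parse_w3c(text)
    return {"lockouts": find_lockouts(records),
            "anonymous_writes": find_anonymous_writes(records),
            "offnet_clients": find_offnet_clients(records),
            "well_known_targets": find_well_known_targets(records)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample log the script locks "administrator" at the third failed PASS (20:52:05), leaves bob alone because his single failure never reaches the threshold, flags the anonymous STOR into /pub/incoming, reports 203.0.113.5 as a client outside the allow-list, and notes that the default administrator name was targeted. Real IIS or other FTP servers use their own field layouts; adjust the #Fields handling and status-code mapping to whatever your server actually writes before trusting the output.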
