Re: Restrict FTP access to certain IP addresses

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: Wed, 27 Nov 2002 09:45:08 -0500 (11/27/02)


"Fintan Gibney" <fintan.gibney@sitel.co.uk> wrote in message
news:19e5701c29613$5a07a270$8af82ecf@TK2MSFTNGXA03...
> I have set up an FTP site on my W2000 Professional
> machine. I would like to increase the security of this
> site by restricting the access to certain tcp/ip
> addresses (I have already done this to my W2000 Server
> machine on the same network), but when I go into the FTP
> site Properties, the ability to do this on the Directory
> Security tab is greyed out. Any advice would be
> appreciated.

I would recommend using a firewall to do this instead. My reason for this is
that you can have logging, alerting, the ability to block other ports in
addition to just FTP, and more granular control over which ports are
blocked. To me, good security means the bare minimum necessary permissions,
which would mean using a firewall to block everything except for FTP from
certain IP addresses, instead of allowing everything except for just
blocking the FTP port. Said differently, those other blocked IP addresses
would still be able to ping and port scan your FTP server on other ports
including possibly your Netbios ports.

There are free firewalls out there... even www.sygate.com, or a free Linux
firewall on a boot CD with a GUI running on an old spare 486 PC can be a
good solution, depending. Maybe you've already got a firewall and I'm
preaching to the choir, but firewalls really aren't optional anymore.

This could also be done by using IPsec filters or TCP/IP filtering, but I
would advise against it since these methods do not give you logging,
alerting, and do not adequately understand Active and Passive FTP protocols,
so that you might have to leave TCP ports 1024 - 65535 open to get FTP to
work.

I don't have the IIS MMC in front of me, but I would think the port blocking
feature might not be on the directory security tab.

More free and not-free firewall options including IPsec filters and TCP/IP
filtering [which I'm against using]:

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#harden
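The "bare minimum necessary permissions" argument above, as an added example that is not part of the original post: a small first-match packet-filter model that evaluates two policies over constructed probe packets. Policy (a) is what the reply recommends, a default-deny firewall that admits only FTP control and a fixed passive-mode data range from trusted addresses; policy (b) gates only port 21, which is the effect of an FTP-site-level IP restriction, and shows that a "blocked" address can still reach NetBIOS, SMB and ICMP. The trusted addresses (192.0.2.10, 203.0.113.0/24), the untrusted prober (198.51.100.5) and the passive range 50000-50100 are assumptions chosen for illustration, not values from the thread.

```python
"""Default-deny vs. default-allow host firewall policy in front of an FTP server.

Added example, not code from the original post. It models the two approaches
the reply contrasts: (a) a firewall that allows FTP only from a few trusted
addresses and drops everything else, versus (b) gating only the FTP port, as
an IIS site-level IP restriction would, which leaves every other port open.
Every address, port and the passive-mode data range here is an assumption
chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src: str                                 # source CIDR; "0.0.0.0/0" = any
    proto: Optional[str] = None              # "tcp", "udp", "icmp" or None = any
    ports: Optional[Tuple[int, int]] = None  # inclusive dst-port range, None = any

    def matches(self, src_ip: str, proto: str, dport: Optional[int]) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.ports is not None:
            if dport is None or not (self.ports[0] <= dport <= self.ports[1]):
                return False
        return True


def evaluate(rules, src_ip: str, proto: str, dport: Optional[int] = None,
             default: str = "deny") -> str:
    """First matching rule wins (the usual packet-filter semantics);
    if nothing matches, the policy's default applies."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return default


# Assumed trusted FTP clients, and the passive-mode data-port range the FTP
# server is assumed to be configured with. Pinning the server to a small,
# fixed range is what lets a filter that does not track FTP avoid opening
# TCP 1024-65535 for passive transfers.
TRUSTED = ("192.0.2.10/32", "203.0.113.0/24")
PASV_RANGE = (50000, 50100)

# (a) Recommended: permit FTP control and passive data only from TRUSTED; default deny.
ALLOWLIST_POLICY = (
    [Rule("allow", s, "tcp", (21, 21)) for s in TRUSTED]
    + [Rule("allow", s, "tcp", PASV_RANGE) for s in TRUSTED]
)
ALLOWLIST_DEFAULT = "deny"

# (b) Port-21-only gating: same FTP allowance, then drop FTP from everyone else,
#     but the host otherwise accepts anything (default allow).
BLOCKLIST_POLICY = (
    [Rule("allow", s, "tcp", (21, 21)) for s in TRUSTED]
    + [Rule("deny", "0.0.0.0/0", "tcp", (21, 21))]
)
BLOCKLIST_DEFAULT = "allow"

# Constructed probe packets: (label, source, proto, dst port).
# 198.51.100.5 is the assumed untrusted address doing the scanning.
PROBES = [
    ("ftp-control/trusted",   "192.0.2.10",   "tcp",  21),
    ("ftp-pasv-data/trusted", "203.0.113.7",  "tcp",  50042),
    ("telnet/trusted",        "192.0.2.10",   "tcp",  23),
    ("ftp-control/stranger",  "198.51.100.5", "tcp",  21),
    ("netbios-ssn/stranger",  "198.51.100.5", "tcp",  139),
    ("smb/stranger",          "198.51.100.5", "tcp",  445),
    ("ping/stranger",         "198.51.100.5", "icmp", None),
]


def verdicts(policy, default: str) -> dict:
    """Map each probe label to the policy's allow/deny verdict."""
    return {label: evaluate(policy, ip, proto, port, default)
            for label, ip, proto, port in PROBES}


def still_reachable_by_strangers(policy, default: str) -> list:
    """Probe labels from the untrusted address that the policy lets through:
    what a port scan from a 'blocked' address would still find."""
    return [label for label, verdict in verdicts(policy, default).items()
            if label.endswith("/stranger") and verdict == "allow"]


if __name__ == "__main__":
    for name, policy, default in (("allowlist", ALLOWLIST_POLICY, ALLOWLIST_DEFAULT),
                                  ("port-21-only", BLOCKLIST_POLICY, BLOCKLIST_DEFAULT)):
        print(f"{name} (default {default}):")
        for label, verdict in verdicts(policy, default).items():
            print(f"  {label:24s} {verdict}")
        print("  reachable by strangers:", still_reachable_by_strangers(policy, default))
```

Under the allowlist policy every stranger probe is denied and even the trusted client cannot reach telnet; under the port-21-only policy the stranger is refused FTP but NetBIOS session, SMB and ping all still get through, which is exactly the exposure the reply warns about. A real firewall would additionally log and alert on the denied probes, which this model does not attempt to show.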
