I'm trying to figure out how to make my ftp service pass the PCI
security compliance (we take credit cards, so need the compliance).  I
have pfSense 1.2.2 running the ftp proxy to my internal box, which is
a FreeBSD 7.2 server running the stock ftpd.

A probe from the outside looks like this:

>telnet 66.250.193.115 21
USER anonymous
PASS word
PORT 66,250,193,115,21,178

and it responds

200 PORT command successful.

In fact, it responds successful to connect to any IP and any port.

If I telnet to port 21 from inside the lan to the same freebsd server
and issue a PORT command to any host other than the one from where I
am connecting I get:

500 Illegal PORT range rejected.

The FreeBSD ftpd's PORT command by default is limited to privileged
ports on the same host as is connected to it.

It seems that the PORT command is handled directly by the proxy (which
makes sense).  Is there a way to restrict the proxy to this same
security restriction?  I understand it violates the FTP protocol
technically, but in practice it doesn't break anything other than
abuse attempts.

Short of disabling the ftp service altogether (which would be a hassle
for customers uploading data to us), what can I do to tighten the ftp
proxy?



Relevant section from ftpd man page:

     -R      With this option set, ftpd will revert to historical behavior
             with regard to security checks on user operations and
             restrictions on PORT requests.  Currently, ftpd will only honor
             PORT commands directed to unprivileged ports on the remote user's
             host (which violates the FTP protocol specification but closes
             some security holes).

and from the security scanning company's description:

It is possible to force the FTP server to connect to third parties
hosts, by using the PORT command, aka FTP bounce.

The FTP bounce attack is used for establishing a connection to an
arbitrary machine by exploiting the PORT command. The basis for
successful attacks is in the RFC requirements. The RFC allows the
originating server to specify an arbitrary host and port to establish
a data connection.

This gives an attacker the ability to specify any host and port of
their choosing. If the target host is in a protected network, an
attacker can use FTP bounce to bypass firewall restrictions as well as
have the ability to discreetly perform port scans from the connected
host.
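Added example (not part of the original message, and not pfSense or FreeBSD ftpd code): a small PORT-argument checker that applies the same policy the ftpd man page describes, i.e. only honour PORT requests that point at an unprivileged port on the control-connection peer's own address. The reply strings, the probe line and the server address 66.250.193.115 are taken from the message above; the peer address 203.0.113.5 and the session transcript are constructed for the example.

```python
"""
Check FTP PORT arguments against the FreeBSD ftpd default policy quoted
above: data host must equal the control-connection peer, and the port
must be unprivileged (> 1023). Everything else is answered with the
"500 Illegal PORT range rejected." line seen on the internal server.
Added example, not code from pfSense or FreeBSD.
"""
from __future__ import annotations

import ipaddress
import re
from typing import List, Tuple

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with every field in 0..255.
_PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

REPLY_OK = "200 PORT command successful."
REPLY_REJECT = "500 Illegal PORT range rejected."
REPLY_SYNTAX = "501 Syntax error in parameters or arguments."


def parse_port_arg(arg: str) -> Tuple[str, int]:
    """Return (dotted-quad host, port) from a PORT argument; ValueError if malformed."""
    m = _PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def check_port_request(arg: str, control_peer: str) -> Tuple[bool, str]:
    """
    Decide whether a PORT request from control_peer should be honoured.
    Returns (accepted, reply_line). Rejecting any host other than the
    peer is what stops the server being used as a bounce relay.
    """
    try:
        host, port = parse_port_arg(arg)
        data_host = ipaddress.IPv4Address(host)
        peer = ipaddress.IPv4Address(control_peer)
    except ValueError:
        return False, REPLY_SYNTAX
    if data_host != peer:
        return False, REPLY_REJECT      # third-party host: FTP bounce attempt
    if port <= 1023:
        return False, REPLY_REJECT      # privileged port on the peer itself
    return True, REPLY_OK


def audit_session(control_peer: str, commands: List[str]) -> List[str]:
    """
    Replay a list of command lines from one control connection and return
    the reply the policy would give to each PORT command. Non-PORT
    commands are ignored; this is only a policy check, not an FTP server.
    """
    replies = []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "PORT":
            replies.append(check_port_request(arg, control_peer)[1])
    return replies


if __name__ == "__main__":
    # Constructed transcript: the scanner's probe as quoted in the message,
    # sent from a (constructed) outside address rather than from the server.
    probe = ["USER anonymous", "PASS word", "PORT 66,250,193,115,21,178"]
    for reply in audit_session("203.0.113.5", probe):
        print(reply)
```

Run it directly and the scanner's probe is answered with the 500 line, because the data host (the server's own address) is not the control-connection peer. Note that behind an FTP proxy the "peer" the inside server sees is the proxy, so this check only has teeth where the proxy itself applies it, which is the point of the question.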
