I'm trying to figure out how to make my ftp service pass the PCI security compliance (we take credit cards, so need the compliance). I have pfSense 1.2.2 running the ftp proxy to my internal box, which is a FreeBSD 7.2 server running the stock ftpd.
A probe from the outside looks like this:

    > telnet 66.250.193.115 21
    USER anonymous
    PASS word
    PORT 66,250,193,115,21,178

and it responds "200 PORT command successful." In fact, it responds successfully to a PORT command for any IP and any port. If I telnet to port 21 from inside the LAN to the same FreeBSD server and issue a PORT command to any host other than the one from where I am connecting, I get:

    500 Illegal PORT range rejected.

The FreeBSD ftpd's PORT command by default is limited to privileged ports on the same host as is connected to it. It seems that the PORT command is handled directly by the proxy (which makes sense). Is there a way to restrict the proxy to this same security restriction? I understand it technically violates the FTP protocol, but in practice it doesn't break anything other than abuse attempts. Short of disabling the ftp service altogether (which would be a hassle for customers uploading data to us), what can I do to tighten the ftp proxy?

Relevant section from the ftpd man page:

    -R  With this option set, ftpd will revert to historical behavior with
        regard to security checks on user operations and restrictions on
        PORT requests. Currently, ftpd will only honor PORT commands
        directed to unprivileged ports on the remote user's host (which
        violates the FTP protocol specification but closes some security
        holes).

and from the security scanning company's description:

    It is possible to force the FTP server to connect to third-party
    hosts by using the PORT command, aka FTP bounce. The FTP bounce attack
    is used for establishing a connection to an arbitrary machine by
    exploiting the PORT command. The basis for successful attacks is in
    the RFC requirements. The RFC allows the originating server to specify
    an arbitrary host and port to establish a data connection. This gives
    an attacker the ability to specify any host and port of their
    choosing. If the target host is in a protected network, an attacker
    can use FTP bounce to bypass firewall restrictions as well as have the
    ability to discreetly perform port scans from the connected host.
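As an added example (not code from the post, from pfSense, or from the FreeBSD ftpd), the following Python reference check implements the restriction the ftpd man page describes: a PORT command is honored only when the requested data address is the address of the control-connection peer and the port is unprivileged (above 1023). It also includes a small audit helper that scans constructed log lines of the form "client_ip PORT h1,h2,h3,h4,p1,p2" and flags the ones a strict server would reject, which is the same check a proxy or a reviewer could apply. The helper names, the `permissive` flag standing in for ftpd's `-R` behaviour, and the sample addresses other than the one quoted in the post are assumptions made for the example.

```python
"""
Added example, not taken from the original post, pfSense, or FreeBSD ftpd.
Reference implementation of the strict PORT check described in the ftpd
man page: accept PORT only for the connecting client's own address and an
unprivileged port.  Helper names are hypothetical.
"""
import ipaddress
import re

# Ports below this value are privileged on BSD/Unix systems.
IPPORT_RESERVED = 1024

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (all decimal bytes).
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip_str, port); None if malformed."""
    m = _PORT_ARG.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def port_allowed(client_ip, arg, permissive=False):
    """Return (allowed, reason).

    permissive=True mimics the historical behaviour selected by ftpd -R,
    i.e. any host and port are accepted (an assumption for this example).
    """
    parsed = parse_port_argument(arg)
    if parsed is None:
        return False, "malformed PORT argument"
    host, port = parsed
    if permissive:
        return True, "historical behaviour: any host/port accepted"
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return False, "data address %s is not the control peer %s" % (host, client_ip)
    if port < IPPORT_RESERVED:
        return False, "privileged port %d" % port
    return True, "ok"


def ftp_reply(client_ip, command, permissive=False):
    """Build the ftpd-style reply line for a PORT command sent by client_ip."""
    verb, _, arg = command.strip().partition(" ")
    if verb.upper() != "PORT":
        return "502 Command not implemented in this example."
    ok, _ = port_allowed(client_ip, arg, permissive)
    return "200 PORT command successful." if ok else "500 Illegal PORT range rejected."


def audit_port_commands(lines):
    """Flag constructed log lines 'client_ip PORT args' a strict server rejects."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "PORT":
            continue
        client_ip, _, arg = parts
        ok, reason = port_allowed(client_ip, arg)
        if not ok:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    # Constructed sample: the probe from the post as seen from a different
    # client (198.51.100.7 is a documentation address), then from the
    # server's own address.
    print(ftp_reply("198.51.100.7", "PORT 66,250,193,115,21,178"))
    print(ftp_reply("66.250.193.115", "PORT 66,250,193,115,21,178"))
    for entry in audit_port_commands([
        "198.51.100.7 PORT 66,250,193,115,21,178",   # third-party target
        "198.51.100.7 PORT 198,51,100,7,0,80",       # own host, privileged port
        "198.51.100.7 PORT 198,51,100,7,21,178",     # own host, port 5554: ok
    ]):
        print("reject:", entry)
```

Running the script prints the "500 Illegal PORT range rejected." line for the outside probe and "200 PORT command successful." when the same PORT argument comes from the host it names, which is the difference between the stock ftpd behaviour and what the proxy was observed to do. The audit helper is where to start if the proxy's own logs (or a packet capture of the control channel) are available: any PORT whose address differs from the connecting client is exactly the bounce condition the scanner reports.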