Security Basics mailing list archives

Re: FTP security question...


From: khayes () eastbay com
Date: Tue, 19 Nov 2002 07:38:03 -0800



Granted, there is a certain amount of risk involved whenever you permit any
anonymous access to any server or device on your network.

However, maintaining the FTP server in a DMZ and making sure that local
security is set properly on the local host (FTPD) is a solid start.  Limit the
number of personal accounts on the system, delete user accounts that no
longer need access, enforce regular password changes and, most importantly,
never put any sensitive information on the FTP server.  Always assume the
information on the server is being viewed by someone who has no business on
your system.

If someone wants to do remote file transfers, make them use a VPN
connection or an SSH connection (during which they can use 'scp' to copy
the files between systems).




Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com
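Added example, not code from either message in this thread: the "local security set properly on the FTPD host" that Ken mentions, checked against the daemon's own configuration. The thread never names the FTP daemon, so this assumes vsftpd; the directive names and their upstream defaults come from vsftpd.conf(5), and the two sample configs are constructed here. vsftpd only lets an anonymous user change anything when write_enable=YES and at least one of the anon_*_write/upload directives is YES, and even then the anonymous user still needs filesystem write permission on the target directory, so a clean result here is necessary, not sufficient.

```python
"""Audit a vsftpd.conf for anonymous write access (added example, assumes vsftpd)."""

# Upstream vsftpd defaults for the directives that matter here, taken from the
# vsftpd.conf(5) man page; a directive absent from the file takes its default.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Parse vsftpd's key=value format; blank lines and '#' comments are ignored."""
    settings = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings


def anonymous_write_findings(text):
    """Return a list of findings describing what an anonymous user may change.

    write_enable is the global switch for STOR, DELE, RNFR, RNTO, MKD, RMD,
    APPE and SITE; with it off, the anon_* directives cannot grant anything.
    """
    s = parse_vsftpd_conf(text)
    findings = []
    if s["anonymous_enable"] != "YES":
        return findings                  # no anonymous login at all
    if s["write_enable"] != "YES":
        return findings                  # anonymous root is read-only
    if s["anon_upload_enable"] == "YES":
        findings.append("anonymous users can upload files (STOR)")
    if s["anon_mkdir_write_enable"] == "YES":
        findings.append("anonymous users can create directories (MKD)")
    if s["anon_other_write_enable"] == "YES":
        findings.append("anonymous users can delete/rename files (DELE, RNFR/RNTO)")
    return findings


# Constructed sample configs for this example (not taken from the thread).
WEAK_CONF = """\
# anonymous drop box: anyone on the Internet can write here
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

HARDENED_CONF = """\
# read-only anonymous root, the setup described in the question
anonymous_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, anonymous_write_findings(conf) or ["no anonymous write access"])
```

Run it against the real file with `anonymous_write_findings(open("/etc/vsftpd.conf").read())`; an empty list means the configuration grants anonymous users nothing beyond reading, which is the state the question describes.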



From: "Mike Cain" <mikec () lpinsurance com>
To: <security-basics () lists securityfocus com>
cc:
Subject: FTP security question...
Date: 11/13/2002 09:08 AM
Please respond to mikec




I just came to work at a new company, and I have been doing the standard
auditing and such to see where the company stands from a security point
of view. Nothing looks as if it's been compromised in the past, which
should keep me from having to rebuild anything, but one thing I noticed
on my SSS scan of the outside interface on our proxy server was that
Anonymous FTP is allowed. I know that's a no-no, but I looked closer,
and found that the FTP root was locked down. Meaning if I log in anon, I
can't mkdir, etc. What are the issues with that type of setup? Known
security risks? Thanks in advance.



PS: Yes, I am searching Google as we speak, with little to no effect.



Mike C

CCNA/CCNP/MCSE
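The check described in the question (log in anonymously and see whether mkdir is refused), automated as an added example; this is not code from either message in the thread. It logs in as anonymous with ftplib and sends MKD, SITE CHMOD and RMD in that order, so a directory it does manage to create is removed again, and treats any 2xx/3xx reply as a finding. STOR is deliberately not tried because it needs a data channel. The stand-in server in the block is constructed for this example so it runs offline; the probe names, the host and the port are assumptions, and against a real target you call probe_anonymous with that host and port instead.

```python
"""Probe what an anonymous FTP login is allowed to do (added example)."""
import ftplib
import socket
import threading

# Write commands sent after anonymous login, in an order that cleans up after
# itself. Names are arbitrary probe names chosen for this example.
WRITE_PROBES = [
    "MKD anon_probe_dir",
    "SITE CHMOD 755 anon_probe_dir",
    "RMD anon_probe_dir",
]


def probe_anonymous(host, port=21, timeout=5):
    """Log in as anonymous and report which write commands are accepted.

    Returns None if anonymous login is refused, otherwise a dict mapping each
    probe command to True (server accepted it: a finding) or False (refused).
    """
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login("anonymous", "probe@example.com")
    except ftplib.error_perm:
        ftp.close()
        return None
    results = {}
    for cmd in WRITE_PROBES:
        try:
            ftp.sendcmd(cmd)          # only 4xx/5xx replies raise
            results[cmd] = True       # 2xx/3xx: anonymous user may write
        except (ftplib.error_perm, ftplib.error_temp):
            results[cmd] = False      # refused, the desired outcome
    ftp.quit()
    return results


def _fake_ftp_session(listener, allow_writes):
    """Stand-in for an anonymous FTP server, constructed for this example
    (not a real ftpd). Serves one control-channel session and exits.
    With allow_writes=False it behaves like a read-only anonymous root:
    every modifying command is refused with 550."""
    accept_reply = {
        b"MKD": b'257 "/anon_probe_dir" created.',
        b"SITE": b"200 SITE CHMOD command ok.",
        b"RMD": b"250 Remove directory operation successful.",
    }
    with listener:
        conn, _ = listener.accept()
    buf = b""
    with conn:
        conn.sendall(b"220 probe-target ready.\r\n")
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb = line.split(b" ", 1)[0].upper()
                if verb == b"USER":
                    reply = b"331 Please specify the password."
                elif verb == b"PASS":
                    reply = b"230 Login successful."     # anonymous login allowed
                elif verb == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                elif allow_writes and verb in accept_reply:
                    reply = accept_reply[verb]
                else:
                    reply = b"550 Permission denied."
                conn.sendall(reply + b"\r\n")


def start_fake_server(allow_writes):
    """Start the stand-in server on an ephemeral loopback port; returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_fake_ftp_session,
                     args=(listener, allow_writes), daemon=True).start()
    return listener.getsockname()[1]


def run_demo():
    """Probe a locked-down and a writable stand-in server; returns both reports."""
    locked = probe_anonymous("127.0.0.1", start_fake_server(allow_writes=False))
    writable = probe_anonymous("127.0.0.1", start_fake_server(allow_writes=True))
    return locked, writable


if __name__ == "__main__":
    for label, report in zip(("locked-down", "writable"), run_demo()):
        print(label)
        for cmd, accepted in report.items():
            print(f"  {cmd:<30} {'ACCEPTED (finding)' if accepted else 'refused'}")
```

A locked-down root produces a report with every probe refused; any accepted probe means the anonymous account can change the server, which turns the box into a drop site for whoever finds it. Run the probe from outside the perimeter, as the original scan was, so that it sees the same server the Internet sees.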







