Penetration Testing mailing list archives

Re: Mitigate FTP


From: "Sarah Wahl" <scwahl () gmail com>
Date: Thu, 16 Oct 2008 12:35:21 -0600

Hi All,
  Thank you so much for the replies!  The best part is that showing
all of the responses everyone sent has made some people in charge
change their minds and they will be able to use SSH. So Thanks!! I
guess the mitigation question is sort of moot now. As to some of the
questions you asked, here is some more info and some of the company's
reasoning (not mine!) as to using FTP:

(These answer specific questions from Aditya)
(1) Right now Firewall allows only for 21 for that particular server in DMZ.
(2) We do not define our ACL as we have a huge customer list and we
cannot restrict them. The ACL will be too long.
(3) The IIS FTP log shows the number of attempts made and which IP and
user login were used.


(1) Our customers are all over the world and transfer of information to our
customers is important, usually done using ftp. Though we are considering
switching to sftp, we are not sure if that will really help.
(2) All our end users/customers are not tech savvy; they would rather use a
one-step process to log in to ftp or sftp. Using ssh will really deter them
from using it, as time and business are critical and it takes a few more
steps and there is a learning curve to it.
(3) Protocols like ftp are really governed by our customer requests; our IT
team and security team need to secure them.
(4) On our IPS and IDS we have reduced the security level slightly as our
clientele is huge, because of which we used to have a lot of false positives.
At the same time, looking at the logs I can easily make out that it's a brute
force, as it is using username combinations; a few examples are listed below

23:12:48 201.2.102.194 [992]USER arthur 331 0
23:12:50 201.2.102.194 [992]PASS - 530 1326
23:12:50 201.2.102.194 [992]USER arthur 331 0
23:12:52 201.2.102.194 [992]PASS - 530 1326
23:12:52 201.2.102.194 [992]USER ashlee 331 0
23:12:53 201.2.102.194 [992]PASS - 530 1326
23:12:53 201.2.102.194 [992]USER ashlee 331 0
23:12:55 201.2.102.194 [992]PASS - 530 1326
23:12:55 201.2.102.194 [992]USER ashlee 331 0
23:12:57 201.2.102.194 [992]PASS - 530 1326
23:12:57 201.2.102.194 [992]USER ashley 331 0
23:12:58 201.2.102.194 [992]PASS - 530 1326
23:12:58 201.2.102.194 [992]USER ashley 331 0
23:13:00 201.2.102.194 [992]PASS - 530 1326
23:13:00 201.2.102.194 [992]USER ashley 331 0
23:13:01 201.2.102.194 [992]PASS - 530 1326
23:13:01 201.2.102.194 [992]USER asia 331 0
23:13:03 201.2.102.194 [992]PASS - 530 1326
23:13:03 201.2.102.194 [992]USER asia 331 0
23:13:05 201.2.102.194 [992]PASS - 530 1326
23:13:05 201.2.102.194 [992]USER asia 331 0
23:13:06 201.2.102.194 [992]PASS - 530 1326
23:13:06 201.2.102.194 [992]USER atlanta 331 0
23:13:08 201.2.102.194 [992]PASS - 530 1326
23:13:08 201.2.102.194 [992]USER atlanta 331 0
23:13:09 201.2.102.194 [992]PASS - 530 1326
23:13:09 201.2.102.194 [992]USER atlanta 331 0
23:13:11 201.2.102.194 [992]PASS - 530 1326
23:13:11 201.2.102.194 [992]USER audrey 331 0
23:13:12 201.2.102.194 [992]PASS - 530 1326
23:13:12 201.2.102.194 [992]USER audrey 331 0
23:13:14 201.2.102.194 [992]PASS - 530 1326
23:13:14 201.2.102.194 [992]USER audrey 331 0
23:13:16 201.2.102.194 [992]PASS - 530 1326
23:13:16 201.2.102.194 [992]USER august 331 0
23:13:17 201.2.102.194 [992]PASS - 530 1326
23:13:17 201.2.102.194 [992]USER august 331 0
23:13:19 201.2.102.194 [992]PASS - 530 1326
23:13:19 201.2.102.194 [992]USER august 331 0
23:13:21 201.2.102.194 [992]PASS - 530 1326
23:13:21 201.2.102.194 [992]USER austin 331 0
23:13:22 201.2.102.194 [992]PASS - 530 1326
23:13:22 201.2.102.194 [992]USER austin 331 0
23:13:24 201.2.102.194 [992]PASS - 530 1326
23:13:24 201.2.102.194 [992]USER austin 331 0
23:13:25 201.2.102.194 [992]PASS - 530 1326
23:13:25 201.2.102.194 [992]USER autumn 331 0
23:13:27 201.2.102.194 [992]PASS - 530 1326
23:13:27 201.2.102.194 [992]USER autumn 331 0
23:13:28 201.2.102.194 [992]PASS - 530 1326
23:13:28 201.2.102.194 [992]USER autumn 331 0
23:13:30 201.2.102.194 [992]PASS - 530 1326
23:13:30 201.2.102.194 [992]USER baby 331 0
23:13:32 201.2.102.194 [992]PASS - 530 1326
23:13:32 201.2.102.194 [992]USER baby 331 0
23:13:33 201.2.102.194 [992]PASS - 530 1326
23:13:33 201.2.102.194 [992]USER baby 331 0
23:13:35 201.2.102.194 [992]PASS - 530 1326
23:13:35 201.2.102.194 [992]USER backup 331 0
23:13:36 201.2.102.194 [992]PASS - 530 1326
23:13:36 201.2.102.194 [992]USER backup 331 0

Thank you all again!
Sarah
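Detection logic for the IIS FTP log layout quoted above, as an added example that is not part of the original thread: it parses the time / client IP / [session]command / reply-code fields, counts 530 replies to PASS per client IP inside a sliding time window, and pairs each failure with the username from the preceding USER line of the same session (IIS logs the PASS argument as "-"). The threshold, the window length and the sample lines are assumptions; the addresses are documentation ranges, not the one in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the IIS FTP log layout from the post; documentation IPs.
SAMPLE_LOG = """\
23:12:48 198.51.100.7 [992]USER arthur 331 0
23:12:50 198.51.100.7 [992]PASS - 530 1326
23:12:50 198.51.100.7 [992]USER arthur 331 0
23:12:52 198.51.100.7 [992]PASS - 530 1326
23:12:52 198.51.100.7 [992]USER ashlee 331 0
23:12:53 198.51.100.7 [992]PASS - 530 1326
23:12:54 203.0.113.9 [1001]USER customer1 331 0
23:12:55 203.0.113.9 [1001]PASS - 230 0
23:12:55 198.51.100.7 [992]USER ashley 331 0
23:12:57 198.51.100.7 [992]PASS - 530 1326
23:12:57 198.51.100.7 [992]USER asia 331 0
23:12:59 198.51.100.7 [992]PASS - 530 1326
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<ip>\S+) \[(?P<sid>\d+)\]"
                     r"(?P<cmd>\S+) (?P<arg>\S+) (?P<status>\d{3}) (?P<win32>\d+)$")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {failures, peak, usernames}} for client IPs with at least
    `threshold` failed logins (PASS answered 530) inside any `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    last_user = {}               # (ip, session) -> username from the USER line,
    recent = defaultdict(deque)  # since IIS logs the PASS argument as '-'
    stats = defaultdict(lambda: {"failures": 0, "peak": 0, "usernames": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue             # header, blank or malformed line
        ip, sid, cmd = m["ip"], m["sid"], m["cmd"].upper()
        ts = datetime.strptime(m["time"], "%H:%M:%S")  # assumes no midnight wrap
        if cmd == "USER":
            last_user[(ip, sid)] = m["arg"]
        elif cmd == "PASS" and m["status"] == "530":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # sliding window of failure times per IP
                q.popleft()
            s = stats[ip]
            s["failures"] += 1
            s["peak"] = max(s["peak"], len(q))
            s["usernames"].add(last_user.get((ip, sid), "?"))
    return {ip: {"failures": s["failures"], "peak": s["peak"],
                 "usernames": sorted(s["usernames"])}
            for ip, s in stats.items() if s["peak"] >= threshold}
```

The successful login from 203.0.113.9 is never counted, so a busy but legitimate customer base does not raise the alarm; only a burst of 530 replies from one address does.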
