Penetration Testing mailing list archives
RE: Mitigate FTP
From: "Thakrar, Saurabh" <saurabh.thakrar () roche com>
Date: Thu, 16 Oct 2008 16:23:45 -0400
Sarah,

That's great to hear that you were able to turn it around and use ssh/sftp. In regards to the 4 points you have presented below:

(1) Yes, using ssh/sftp will help; at the least, your customer's credentials/data will not travel in clear text.

(2) For your customer base, I assume they are mostly Windows users; they could use WinSCP or similar. It is not much different from the ones they have been using for FTP, except it can use secure communication, including ssh/sftp.

(3) Agreed - your IT security team will have to secure them.

(4) IDS & IPS:
IDS - Since it is simply detecting over the span ports on the outside (internet) connection, I would say leave it strong, as it is not blocking anything, simply monitoring...
IPS - So that it inadvertently does not block your customers, your IT Security may be able to fine tune the threshold accordingly. I would take false positives to the IDS/IPS vendor.

Hope this helps...

Best Regards,
Saurabh A. Thakrar
Integration & Security Consultant - IT Products

Please consider the environment before printing this e-mail

Confidentiality Note: This message is intended only for the use of the named recipient(s) and may contain confidential and/or proprietary information. If you are not the intended recipient, please contact the sender and delete this message. Any unauthorized use of the information contained in this message is prohibited.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sarah Wahl
Sent: Thursday, October 16, 2008 2:35 PM
To: pen-test () securityfocus com
Subject: Re: Mitigate FTP

Hi All,

Thank you so much for the replies! The best part is that showing all of the responses everyone sent has made some people in charge change their minds and they will be able to use SSH. So thanks!! I guess the mitigation question is sort of moot now.

As to some of the questions you asked, here is some more info and some of the company's reasoning (not mine!) as to using FTP:

(These answer specific questions from Aditya)
(1) Right now the firewall allows only 21 for that particular server in the DMZ.
(2) We do not define our ACL as we have a huge customer list and we cannot restrict them. The ACL would be too long.
(3) IIS FTP log visits show the number of attempts made, using which IP and user login.

(1) Our customers are all over the world and transfer of information to our customers is important, usually done using ftp. Though we are considering switching to sftp, we are not sure if that will really help.
(2) All our end users/customers are not tech savvy; they would rather use a one-step process to log in to ftp or sftp. Using ssh will really deter them from using it, as time and business are critical and it takes a few more steps and there is a learning curve to it.
(3) Protocols like ftp are really governed by our customers' requests; our IT team and security team need to secure them.
(4) On our IPS and IDS we have reduced the security level slightly as our clientele is huge, due to which we used to have a lot of false positives.

At the same time, looking at the logs I can easily make out that it's a brute force, as it is using username combinations; a few examples are listed below:

23:12:48 201.2.102.194 [992]USER arthur 331 0
23:12:50 201.2.102.194 [992]PASS - 530 1326
23:12:50 201.2.102.194 [992]USER arthur 331 0
23:12:52 201.2.102.194 [992]PASS - 530 1326
23:12:52 201.2.102.194 [992]USER ashlee 331 0
23:12:53 201.2.102.194 [992]PASS - 530 1326
23:12:53 201.2.102.194 [992]USER ashlee 331 0
23:12:55 201.2.102.194 [992]PASS - 530 1326
23:12:55 201.2.102.194 [992]USER ashlee 331 0
23:12:57 201.2.102.194 [992]PASS - 530 1326
23:12:57 201.2.102.194 [992]USER ashley 331 0
23:12:58 201.2.102.194 [992]PASS - 530 1326
23:12:58 201.2.102.194 [992]USER ashley 331 0
23:13:00 201.2.102.194 [992]PASS - 530 1326
23:13:00 201.2.102.194 [992]USER ashley 331 0
23:13:01 201.2.102.194 [992]PASS - 530 1326
23:13:01 201.2.102.194 [992]USER asia 331 0
23:13:03 201.2.102.194 [992]PASS - 530 1326
23:13:03 201.2.102.194 [992]USER asia 331 0
23:13:05 201.2.102.194 [992]PASS - 530 1326
23:13:05 201.2.102.194 [992]USER asia 331 0
23:13:06 201.2.102.194 [992]PASS - 530 1326
23:13:06 201.2.102.194 [992]USER atlanta 331 0
23:13:08 201.2.102.194 [992]PASS - 530 1326
23:13:08 201.2.102.194 [992]USER atlanta 331 0
23:13:09 201.2.102.194 [992]PASS - 530 1326
23:13:09 201.2.102.194 [992]USER atlanta 331 0
23:13:11 201.2.102.194 [992]PASS - 530 1326
23:13:11 201.2.102.194 [992]USER audrey 331 0
23:13:12 201.2.102.194 [992]PASS - 530 1326
23:13:12 201.2.102.194 [992]USER audrey 331 0
23:13:14 201.2.102.194 [992]PASS - 530 1326
23:13:14 201.2.102.194 [992]USER audrey 331 0
23:13:16 201.2.102.194 [992]PASS - 530 1326
23:13:16 201.2.102.194 [992]USER august 331 0
23:13:17 201.2.102.194 [992]PASS - 530 1326
23:13:17 201.2.102.194 [992]USER august 331 0
23:13:19 201.2.102.194 [992]PASS - 530 1326
23:13:19 201.2.102.194 [992]USER august 331 0
23:13:21 201.2.102.194 [992]PASS - 530 1326
23:13:21 201.2.102.194 [992]USER austin 331 0
23:13:22 201.2.102.194 [992]PASS - 530 1326
23:13:22 201.2.102.194 [992]USER austin 331 0
23:13:24 201.2.102.194 [992]PASS - 530 1326
23:13:24 201.2.102.194 [992]USER austin 331 0
23:13:25 201.2.102.194 [992]PASS - 530 1326
23:13:25 201.2.102.194 [992]USER autumn 331 0
23:13:27 201.2.102.194 [992]PASS - 530 1326
23:13:27 201.2.102.194 [992]USER autumn 331 0
23:13:28 201.2.102.194 [992]PASS - 530 1326
23:13:28 201.2.102.194 [992]USER autumn 331 0
23:13:30 201.2.102.194 [992]PASS - 530 1326
23:13:30 201.2.102.194 [992]USER baby 331 0
23:13:32 201.2.102.194 [992]PASS - 530 1326
23:13:32 201.2.102.194 [992]USER baby 331 0
23:13:33 201.2.102.194 [992]PASS - 530 1326
23:13:33 201.2.102.194 [992]USER baby 331 0
23:13:35 201.2.102.194 [992]PASS - 530 1326
23:13:35 201.2.102.194 [992]USER backup 331 0
23:13:36 201.2.102.194 [992]PASS - 530 1326
23:13:36 201.2.102.194 [992]USER backup 331 0

Thank you all again!
Sarah

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
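As an added example that is not part of this thread, here is a small Python detector for log lines in the IIS FTP format Sarah quoted: it ties each 530 (login failed) on PASS to the USER sent on the same connection, then flags a source IP whose failures inside a time window reach a threshold and lists the usernames it cycled through, which is the pattern visible above. The window and threshold values are assumptions, and the successful login from 10.0.0.5 in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IIS FTP log entry as quoted in the post: time, client IP, [connection-id]COMMAND,
# parameter, FTP status, win32 status (1326 = ERROR_LOGON_FAILURE).
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\]([A-Z]+) (\S+) (\d{3}) (\d+)$")

def failed_logins(lines):
    """Map client IP -> [(time, username)] for each PASS answered with 530; the
    username is taken from the preceding USER command on the same connection."""
    last_user, failures = {}, defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip header/comment lines and anything malformed
        t, ip, conn, cmd, arg, status, _win32 = m.groups()
        if cmd == "USER":
            last_user[(ip, conn)] = arg
        elif cmd == "PASS" and status == "530":
            when = datetime.strptime(t, "%H:%M:%S")
            failures[ip].append((when, last_user.get((ip, conn), "?")))
    return failures

def bruteforce_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Flag IPs with >= threshold failures inside any `window`, reporting the peak
    count and the distinct usernames tried (cycling through names is the tell)."""
    alerts = {}
    for ip, events in failed_logins(lines).items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"peak": peak, "users": sorted({u for _, u in events})}
    return alerts

# Sample input: the first entries quoted in the post, interleaved with a constructed
# successful login (status 230) from 10.0.0.5 that must not be flagged.
SAMPLE = """\
23:12:48 201.2.102.194 [992]USER arthur 331 0
23:12:49 10.0.0.5 [993]USER alice 331 0
23:12:50 201.2.102.194 [992]PASS - 530 1326
23:12:50 10.0.0.5 [993]PASS - 230 0
23:12:50 201.2.102.194 [992]USER arthur 331 0
23:12:52 201.2.102.194 [992]PASS - 530 1326
23:12:52 201.2.102.194 [992]USER ashlee 331 0
23:12:53 201.2.102.194 [992]PASS - 530 1326""".splitlines()
```

Running `bruteforce_sources(SAMPLE, threshold=3)` flags 201.2.102.194 with three failures across two usernames while the successful 10.0.0.5 login stays silent; the per-window threshold is what keeps a single customer's typo from raising an alert.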
Current thread:
- Mitigate FTP Sarah Wahl (Oct 14)
- Re: Mitigate FTP exzactly (Oct 14)
- RE: Mitigate FTP Craig Wilson (Oct 14)
- Re: Mitigate FTP David Glosser (Oct 14)
- Re: Mitigate FTP Taufiq Ali (Oct 15)
- Re: Mitigate FTP Matt - MRS Security (Oct 15)
- Re: Mitigate FTP Taufiq Ali (Oct 15)
- RE: Mitigate FTP Pete.LeMay (Oct 14)
- Re: Mitigate FTP Shreyas Zare (Oct 14)
- Re: Mitigate FTP ॐ aditya mukadam ॐ (Oct 15)
- Re: Mitigate FTP Sarah Wahl (Oct 16)
- RE: Mitigate FTP Thakrar, Saurabh (Oct 16)
- RE: Mitigate FTP Gary E. Miller (Oct 16)
- RE: Mitigate FTP Pete.LeMay (Oct 17)
- RE: Mitigate FTP Gary E. Miller (Oct 17)
- RE: Mitigate FTP Pete.LeMay (Oct 17)
- RE: Mitigate FTP Thakrar, Saurabh (Oct 16)
- Re: Mitigate FTP Augusto Augusto (Oct 17)
- <Possible follow-ups>
- RE: Mitigate FTP christopher . riley (Oct 15)