Penetration Testing mailing list archives

RE: Mitigate FTP


From: "Thakrar, Saurabh" <saurabh.thakrar () roche com>
Date: Thu, 16 Oct 2008 16:23:45 -0400

Sarah,

That's great to hear that you were able to turn it around and use
ssh/sftp!

In regards to the 4 points you have presented below:

(1) Yes, using ssh/sftp will help; at the least, your customer's
credentials/data will not travel in clear text.
(2) For your customer base, I assume they are mostly Windows users; they
could use winscp or similar. It is not much different from the ones they
have been using for FTP, except it can use secure communication,
including ssh/sftp.
(3) Agreed - your IT security team will have to secure them.
(4) IDS & IPS
IDS - Since it is simply detecting over the span ports on the outside
(internet) connection, I would say leave it strong, as it is not blocking
anything, simply monitoring...

IPS - So that it does not inadvertently block your customers, your IT
security team may be able to fine-tune the threshold accordingly.

I would take false positives to the IDS/IPS vendor.

Hope this helps...

Best Regards,

Saurabh A. Thakrar
Integration & Security Consultant - IT Products

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Sarah Wahl
Sent: Thursday, October 16, 2008 2:35 PM
To: pen-test () securityfocus com
Subject: Re: Mitigate FTP

Hi All,
  Thank you so much for the replies! The best part is that showing
all of the responses everyone sent has made some people in charge
change their minds, and they will be able to use SSH. So thanks!! I
guess the mitigation question is sort of moot now. As to some of the
questions you asked, here is some more info and some of the company's
reasoning (not mine!) as to using FTP:

(These answer specific questions from Aditya)
(1) Right now the firewall allows only port 21 for that particular server in
the DMZ.
(2) We do not define our ACL as we have a huge customer list and we
cannot restrict them. The ACL would be too long.
(3) The IIS FTP log shows the number of attempts made, with which
IP and user login.


(1) Our customers are all over the world, and transfer of information to
our customers is important, usually done using ftp. Though we are
considering switching to sftp, we are not sure if that will really help.
(2) All our end users/customers are not tech savvy; they would rather
use a one-step process to login to ftp or sftp. Using ssh will really deter
them from using it, as time and business are critical, it takes a few more
steps, and there is a learning curve to it.
(3) Protocols like ftp are really governed by our customer requests; our
IT team and security team need to secure them.
(4) On our IPS and IDS we have reduced the security level slightly as
our clientele is huge, due to which we used to have a lot of false positives.
At the same time, looking at the logs I can easily make out that it's a
brute force, as it is using username combinations; a few examples are
listed below:

23:12:48 201.2.102.194 [992]USER arthur 331 0
23:12:50 201.2.102.194 [992]PASS - 530 1326
23:12:50 201.2.102.194 [992]USER arthur 331 0
23:12:52 201.2.102.194 [992]PASS - 530 1326
23:12:52 201.2.102.194 [992]USER ashlee 331 0
23:12:53 201.2.102.194 [992]PASS - 530 1326
23:12:53 201.2.102.194 [992]USER ashlee 331 0
23:12:55 201.2.102.194 [992]PASS - 530 1326
23:12:55 201.2.102.194 [992]USER ashlee 331 0
23:12:57 201.2.102.194 [992]PASS - 530 1326
23:12:57 201.2.102.194 [992]USER ashley 331 0
23:12:58 201.2.102.194 [992]PASS - 530 1326
23:12:58 201.2.102.194 [992]USER ashley 331 0
23:13:00 201.2.102.194 [992]PASS - 530 1326
23:13:00 201.2.102.194 [992]USER ashley 331 0
23:13:01 201.2.102.194 [992]PASS - 530 1326
23:13:01 201.2.102.194 [992]USER asia 331 0
23:13:03 201.2.102.194 [992]PASS - 530 1326
23:13:03 201.2.102.194 [992]USER asia 331 0
23:13:05 201.2.102.194 [992]PASS - 530 1326
23:13:05 201.2.102.194 [992]USER asia 331 0
23:13:06 201.2.102.194 [992]PASS - 530 1326
23:13:06 201.2.102.194 [992]USER atlanta 331 0
23:13:08 201.2.102.194 [992]PASS - 530 1326
23:13:08 201.2.102.194 [992]USER atlanta 331 0
23:13:09 201.2.102.194 [992]PASS - 530 1326
23:13:09 201.2.102.194 [992]USER atlanta 331 0
23:13:11 201.2.102.194 [992]PASS - 530 1326
23:13:11 201.2.102.194 [992]USER audrey 331 0
23:13:12 201.2.102.194 [992]PASS - 530 1326
23:13:12 201.2.102.194 [992]USER audrey 331 0
23:13:14 201.2.102.194 [992]PASS - 530 1326
23:13:14 201.2.102.194 [992]USER audrey 331 0
23:13:16 201.2.102.194 [992]PASS - 530 1326
23:13:16 201.2.102.194 [992]USER august 331 0
23:13:17 201.2.102.194 [992]PASS - 530 1326
23:13:17 201.2.102.194 [992]USER august 331 0
23:13:19 201.2.102.194 [992]PASS - 530 1326
23:13:19 201.2.102.194 [992]USER august 331 0
23:13:21 201.2.102.194 [992]PASS - 530 1326
23:13:21 201.2.102.194 [992]USER austin 331 0
23:13:22 201.2.102.194 [992]PASS - 530 1326
23:13:22 201.2.102.194 [992]USER austin 331 0
23:13:24 201.2.102.194 [992]PASS - 530 1326
23:13:24 201.2.102.194 [992]USER austin 331 0
23:13:25 201.2.102.194 [992]PASS - 530 1326
23:13:25 201.2.102.194 [992]USER autumn 331 0
23:13:27 201.2.102.194 [992]PASS - 530 1326
23:13:27 201.2.102.194 [992]USER autumn 331 0
23:13:28 201.2.102.194 [992]PASS - 530 1326
23:13:28 201.2.102.194 [992]USER autumn 331 0
23:13:30 201.2.102.194 [992]PASS - 530 1326
23:13:30 201.2.102.194 [992]USER baby 331 0
23:13:32 201.2.102.194 [992]PASS - 530 1326
23:13:32 201.2.102.194 [992]USER baby 331 0
23:13:33 201.2.102.194 [992]PASS - 530 1326
23:13:33 201.2.102.194 [992]USER baby 331 0
23:13:35 201.2.102.194 [992]PASS - 530 1326
23:13:35 201.2.102.194 [992]USER backup 331 0
23:13:36 201.2.102.194 [992]PASS - 530 1326
23:13:36 201.2.102.194 [992]USER backup 331 0

Thank you all again!
Sarah

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
