When you are using an FTP server you can connect using either active
or passive connections. Each has advantages and disadvantages.
When you set up FTP, in this example using VSFTPD, you need to make
this connection decision. Active connections are the safest for the server
but at times may not work for some clients. Passive connections may not
be the safest for the server but usually work well for clients. In
addition, these factors must be taken into account with the firewall.
This is where connection tracking can be helpful.
Firewall: Enable Active FTP Connections
If you wanted to create an anonymous FTP server that anyone could access, you could open FTP access with this command:
ufw allow ftp
This allows FTP from everyone to your server. However, as the iptables listing shows, it only opens port 21:
iptables -L -n
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
What has just been configured using UFW is an active FTP connection,
where the client connects from a high port (over 1024) to the server
on port 21. The requested data is then sent back to the client from the
server's port 20. This is the safest setup for the server.
However, the client (or its own firewall) may interpret the incoming
connection from the server's port 20 as an intrusion attempt and reject
it, so the FTP transfer fails.
Firewall: Enable Passive FTP Connections
You can see in the illustration that passive connections are different: the server does not connect to the client with the data on port 20; rather, the client now connects to the server on high ports (over 1024). The server must therefore be allowed to accept connections on these high ports, which increases the security risk.
Here is an example of the settings you can make for FTP in
/etc/vsftpd.conf. Limiting the passive port range is a security
measure: remember, these are the ports the client is allowed to connect
to on the server. VSFTPD keeps track of them so that data connections
are only accepted from the client on these ports.
pasv_min_port=30000
pasv_max_port=30999
When vsftpd runs in passive mode, these lines limit the range of
ports it will use for incoming passive data connections from the client.
This makes it easier to configure a firewall.
You will need to add these ports to your UFW firewall.
sudo ufw allow proto tcp from any to any port 30000:30999
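The two sections above describe how the data channel is negotiated in active mode (the client sends a PORT command) and in passive mode (the server answers with a 227 reply), and why the passive range must line up with the ufw rule. The following script is an added example, not code from the original post or from the vsftpd project: it decodes the h1,h2,h3,h4,p1,p2 endpoint encoding from RFC 959 (port = p1*256 + p2) for both message types and flags any advertised passive port that falls outside the 30000:30999 range configured above. The control-channel lines it runs over are constructed sample data using documentation IP ranges, and the 1024 threshold for the client's active data port mirrors the "high port" statement in the text.

```python
import re

# Passive data-port range configured in /etc/vsftpd.conf on the page.
PASV_MIN_PORT = 30000
PASV_MAX_PORT = 30999

# Client-side PORT command (active mode) and server-side 227 reply (passive mode).
# Both encode the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_endpoint(fields):
    """Turn six comma-separated decimal bytes into (host, port); None if malformed."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        return None  # each field must fit in one byte
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return host, port


def parse_data_channel(line):
    """Return ("active"|"passive", host, port) for a PORT/227 line, else None."""
    m = _PORT_RE.match(line)
    mode = "active"
    if not m:
        m = _PASV_RE.match(line)
        mode = "passive"
    if not m:
        return None
    endpoint = decode_endpoint(m.groups())
    if endpoint is None:
        return None
    return (mode,) + endpoint


def passive_port_allowed(port, lo=PASV_MIN_PORT, hi=PASV_MAX_PORT):
    """True if a server-advertised passive port lies inside the firewalled range."""
    return lo <= port <= hi


def audit_control_log(lines):
    """Summarise every data-channel negotiation seen on the control connection."""
    findings = []
    for line in lines:
        parsed = parse_data_channel(line.strip())
        if parsed is None:
            continue  # not a PORT/227 line, or malformed
        mode, host, port = parsed
        if mode == "passive":
            ok = passive_port_allowed(port)  # must match the ufw 30000:30999 rule
        else:
            ok = port > 1024                 # client data port should be a high port
        findings.append((mode, host, port, ok))
    return findings


# Constructed sample control-channel lines (documentation IP ranges, not real hosts).
SAMPLE_CONTROL_LOG = [
    "PORT 192,0,2,10,200,15",                             # active: 200*256+15 = 51215
    "227 Entering Passive Mode (198,51,100,5,117,48).",   # 117*256+48 = 30000, in range
    "227 Entering Passive Mode (198,51,100,5,118,200).",  # 30408, in range
    "227 Entering Passive Mode (198,51,100,5,121,99).",   # 31075, outside the ufw rule
    "227 Entering Passive Mode (198,51,100,5,300,1).",    # malformed byte, skipped
    "230 Login successful.",
]

if __name__ == "__main__":
    for mode, host, port, ok in audit_control_log(SAMPLE_CONTROL_LOG):
        status = "ok" if ok else "would be dropped by the firewall"
        print(f"{mode:8} {host}:{port:<6} {status}")
```

Run it against lines captured from a packet capture of port 21 (or from vsftpd's log when `log_ftp_protocol` is enabled) to confirm the server never advertises a passive port the firewall does not permit; the last passive sample shows the failure mode you would see if the vsftpd range and the ufw rule drifted apart.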
Connection Tracking
One of the features of the UFW firewall is that it loads connection
tracking modules by default, configured in /etc/default/ufw. This file
also holds the default policies, which you can change. The IPT_MODULES
line loads the FTP connection tracking helpers (nf_conntrack_ftp and
nf_nat_ftp): the helper watches the FTP control channel on port 21 for
the PORT/PASV exchange and marks the resulting data connection as
RELATED, so UFW can allow the data traffic to the server dynamically for
those high ports.
/etc/default/ufw
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
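The three pieces of configuration on this page (the vsftpd passive range, the ufw rule for that range, and the IPT_MODULES line in /etc/default/ufw) only work together when they agree. The script below is an added example, not part of the original post: it parses all three and reports drift such as a passive range with no covering ufw rule, a ufw rule that is wider than vsftpd actually needs, a passive range that is not in the high ports, or a missing nf_conntrack_ftp module. The vsftpd.conf, `ufw status` and /etc/default/ufw texts are constructed samples modelled on the page; on a real host you would read them from the files and from the output of `ufw status`.

```python
import re

# Constructed sample inputs modelled on the configuration shown on the page.
SAMPLE_VSFTPD_CONF = """\
listen=YES
anonymous_enable=YES
pasv_min_port=30000
pasv_max_port=30999
"""

# Constructed `ufw status` output after `ufw allow ftp` and the range rule.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
21/tcp                     ALLOW       Anywhere
30000:30999/tcp            ALLOW       Anywhere
"""

SAMPLE_DEFAULT_UFW = """\
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
"""

# Matches "21/tcp  ALLOW  Anywhere" and "30000:30999/tcp  ALLOW IN  Anywhere".
_UFW_RULE_RE = re.compile(r"^(\d+)(?::(\d+))?/tcp\s+ALLOW(?:\s+IN)?\s+")


def parse_kv(text):
    """key=value lines (vsftpd.conf and /etc/default/ufw share this shape); quotes stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def allowed_tcp_ranges(ufw_status):
    """Return [(lo, hi), ...] for every TCP ALLOW rule in `ufw status` output."""
    ranges = []
    for line in ufw_status.splitlines():
        m = _UFW_RULE_RE.match(line.strip())
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)  # single port: lo == hi
            ranges.append((lo, hi))
    return ranges


def audit_ftp_firewall(vsftpd_conf, ufw_status, default_ufw):
    """Return a list of problems; an empty list means the three files agree."""
    findings = []
    conf = parse_kv(vsftpd_conf)
    ranges = allowed_tcp_ranges(ufw_status)

    if not any(lo <= 21 <= hi for lo, hi in ranges):
        findings.append("control port 21/tcp is not allowed by ufw")

    if "pasv_min_port" not in conf or "pasv_max_port" not in conf:
        findings.append("pasv_min_port/pasv_max_port unset: vsftpd may use any free high port")
        return findings
    pmin, pmax = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    if pmin > pmax:
        findings.append(f"pasv_min_port {pmin} is greater than pasv_max_port {pmax}")
    if pmin <= 1024:
        findings.append(f"pasv_min_port {pmin} is not a high port (must be over 1024)")
    if not any(lo <= pmin and pmax <= hi for lo, hi in ranges):
        findings.append(f"no ufw rule covers the passive range {pmin}:{pmax}")
    for lo, hi in ranges:
        if lo <= pmin and pmax <= hi and (hi - lo) > (pmax - pmin):
            findings.append(f"ufw rule {lo}:{hi}/tcp is wider than the passive range {pmin}:{pmax}")

    modules = parse_kv(default_ufw).get("IPT_MODULES", "").split()
    if "nf_conntrack_ftp" not in modules:
        findings.append("nf_conntrack_ftp missing from IPT_MODULES in /etc/default/ufw")
    return findings


if __name__ == "__main__":
    problems = audit_ftp_firewall(SAMPLE_VSFTPD_CONF, SAMPLE_UFW_STATUS, SAMPLE_DEFAULT_UFW)
    print("\n".join(problems) if problems else "vsftpd, ufw rules and IPT_MODULES agree")
```

The "wider than the passive range" check is the one most often missed: opening 30000:40000 because it was convenient leaves ports that vsftpd will never bind reachable from anywhere, which is exactly the exposure the page's advice to keep the range narrow is meant to avoid.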