Article delegate-en/4896 of [1-5042] on the server localhost:7119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A4895@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en
[DeleGate-En] Re: FTP port bounce prevention
04 Sep 2010 15:14:25 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project 
Hi Jake,

In message <_A4895@delegate-en.ML_> on 09/01/10(08:25:44)
you Jacob Lundberg <pdeiqbdyi-pvjs3to62c66.ml@delegate.org> wrote:
 |One of the ways people try to prevent ftp port bounce attacks and
 |probing is to require in the FTP server that the PORT command must
 |specify the same IP as the originator of the control channel.  Is this
 |possible with DeleGate?  From the documentation, it seems like DeleGate
 |only supports turning the PORT command off entirely.

Even if PORT is turned off, clients can establish active connections
by using EPRT as "EPRT |1|10.20.30.40|12345|" for example.

 |Either of these two things would work while still allowing PORT commands:
 |
 |1) An option to ignore the IP given in a PORT command and silently use
 |the same IP as the control channel.
 |
 |2) An option to reject the PORT command if the IP address is not the
 |same as the one in the control channel.
 |
 |Both of these options would be non-RFC-compliant behavior, but several
 |security audit standards are requiring something of this sort.

Thank you for your description of the problem.  Maybe I should follow
the following documents in CERT about "FTP Bounce."
  <URL:http://www.cert.org/advisories/CA-1997-27.html>
  <URL:http://www.cert.org/tech_tips/ftp_port_attacks.html>

From version 9.9.8-pre13, DeleGate acts as your 2) by default.   
It can behave as 1) with an option FTPCONF="bounce:cb"

  ---- Manual.htm#ftp-bounce ----
  bounce:{no|do|th|cb|rl}
    -- default: FTPCONF=bounce:no 
    controls how to manipulate FTP Bounce.
    no -- reject any FTP Bounce 
    do -- permit any FTP Bounce 
    th -- don't care FTP Bounce (backward compatible) 
    cb -- convert FTP Bounce to "EPRT |||port|" 
    rl -- reject FTP Bounce by REJECT="ftp-bounce:*:clientHost" 
  doepsv:sv
    use EPSV (instead of PASV) with FTP servers
  doeprt:sv
    use EPRT (instead of PORT) with FTP servers
  -------------------------------

Cheers,
Yutaka
--
  9 9   Yutaka Sato, CSDP <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V