noamkrief May 17, 2003, 03:44 PM I need your advice.
I'm running an FTP server and an HTTP web server.
I filtered all IP addresses except 21 and 80 and am also using BlackICE Firewall set on "paranoid".
Blackice only trusts and accepts 192.168.0.1-192.168.0.255 (LAN) and ports 21 and 80.
My FTP server is serv-u and abyss as the web server.
I'm always logged on as a "user" with no write/delete/execute privileges on any of the hard drives.
The FTP users aren't allowed to write any files unless it's to a specific folder called "guest share." All other folders that FTP users can access are read only.
Also - I do not allow anonymous logins on the FTP.
Did all updates to 2000 server.
Am I missing something?
Does this seem secure enough?
thanks for the advice...
noam
uk_trader May 17, 2003, 08:27 PM Sounds ok but you really should consider using a firewall :D Black ice is crap.
Another step you could take is to isolate your FTP and HTTP servers in a demilitarized zone (DMZ).
420 May 17, 2003, 09:11 PM I would disagree about BlackICE but to each his/her own. I will say that BlackICE's app protection sucks badly ... ZA Pro is better for that. I would change the FTP port from 21 also as that is one of the most highly scanned ports. Try 6900, 4967 or even something in the higher ranges.
noamkrief May 18, 2003, 02:20 PM I'm very interested in the DMZ, but I can't find any info on it. Can you give me a link please?
thanks
noam
noamkrief May 18, 2003, 02:40 PM Also - another question.... I tried port 6900 and other ones besides 21 also - and it doesn't work! Port 21 is the only port I can get FTP to work on.
With all other ports such as 6900, it prompts me for a password like usual and gets to the point where it lists the files and it just keeps looking and looking for the files....
On port 21, it just immediately lists the files....
Why is this?
thanks
Demo May 18, 2003, 06:48 PM Hi noamkrief
If an FTP server and client are behind firewalls they must use passive mode to talk to each other.
If you use port 21 all/most firewalls know that it is an FTP you are setting up and also set up the relative ports for Passive mode ports but if you use a different port they have no idea what you are trying to do and you must set up the extra ports manually.
I use a Linux computer for my FTP server (I wouldn't trust a MS server), but I will try to explain the server side settings by showing you my settings (altered for security: the first part, depicting where the files are, has been removed and the numbers have been altered) and the respective help files from my FTP server. The principle is the same for all FTP servers.
-S 61652 -P 100.100.10.20 -p 51200:51220 -U (this number is file permissions)
-S is the port number I chose to use and this port plus the port below must be allowed in your firewall(s), i.e. 61652 and 61651.
-P should be my true IP address (false in this case for security) and the help files of my FTP follow;
'-P <ip address>' : Force the specified IP address in reply to a
PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box
that doesn't properly handle stateful FTP masquerading, put the ip address
of that box here.
Please note; all/most routers fall into this category. Any comments I make about firewalls also refers to routers.
-p If two computers are behind firewalls they must use passive mode. When using passive mode it is necessary to open more ports for use, at least two ports per expected user. -p 51200:51220 would allow 10 users at any one time. Again these ports must be allowed by your firewall. The help files from my FTP server follow;
'-p <first port>:<last port>' : Use only ports in the range <first port>
to <last port> inclusive for passive-mode downloads. This is especially
useful if the server is behind a firewall without FTP connection tracking.
Use high ports (40000-50000 for instance), where no regular server should be listening.
As with most things, set up correctly there is no need to use the de-militarised zone (DMZ), which should only be used if there is no other way round it (very rare). Anything in the DMZ is vulnerable because it is not protected by the firewall.
All FTP servers will allow similar settings somewhere in their configuration.
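To make the -P and -p settings above concrete, here is an added example (not Demo's server code and not from the thread) that builds the 227 reply a server sends for PASV, parses it back, and checks it the way a remote client would experience it: is the advertised address a LAN (RFC 1918) address instead of the public one, is the port inside the configured passive range, and has the firewall actually opened that port inbound. The address 100.100.10.20 and range 51200:51220 are the altered values Demo posted; the firewall entries 61651-61652 are his -S port and the one below it; the 192.168.0.2 reply is constructed to show the failure case.

```python
import re
from ipaddress import IPv4Address, ip_network

# Added example, not from the thread or from any FTP server's own code.
# 100.100.10.20 and 51200:51220 are the (altered) values Demo posted; the
# 61651-61652 firewall entries are his -S port and the one below it.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_pasv_reply(advertised_ip: str, port: int) -> str:
    """Format the 227 reply sent for PASV: address and port as six decimal bytes.
    advertised_ip is what the -P option forces, so a server behind NAT names its
    public address instead of its LAN address."""
    IPv4Address(advertised_ip)  # raises ValueError unless it is a dotted-quad IPv4 address
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        advertised_ip.replace(".", ","), port >> 8, port & 0xFF)


def parse_pasv_reply(reply: str):
    """Undo build_pasv_reply: return (ip, port) from a 227 line."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_reply(reply, public_ip, pasv_range, firewall_inbound):
    """Return the problem codes a remote client would hit with this reply (empty list = fine).
    pasv_range is the server's -p setting; firewall_inbound the TCP ranges opened inbound."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if any(IPv4Address(ip) in net for net in RFC1918):
        problems.append("private_address_advertised")  # NAT symptom: -P not set
    elif ip != public_ip:
        problems.append("address_mismatch")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("outside_pasv_range")  # server not using its -p range
    if not any(a <= port <= b for a, b in firewall_inbound):
        problems.append("blocked_by_firewall")  # LIST will hang after the 150 reply
    return problems


if __name__ == "__main__":
    fw = [(61651, 61652), (51200, 51220)]
    good = build_pasv_reply("100.100.10.20", 51205)
    print(good, check_pasv_reply(good, "100.100.10.20", (51200, 51220), fw))
    bad = build_pasv_reply("192.168.0.2", 51230)  # LAN address, port outside the range
    print(bad, check_pasv_reply(bad, "100.100.10.20", (51200, 51220), fw))
```

Running it against a real server's 227 line (captured from the client's log) tells you in one glance which of the three settings is wrong; the "blocked_by_firewall" code is exactly the situation where the client sees the 150 reply and then waits forever.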
uk_trader May 18, 2003, 06:56 PM Here's something I found on Google:
http://www.simonzone.com/software/guarddog/manual2/tutorial-zones.html
It's for setting up a mail server in a DMZ on a Linux box (you'll need to scroll down a bit) but it should help you understand how they work.
On another note it wouldn't be a bad idea to use Linux as opposed to Windows to run the servers on.
Demo May 18, 2003, 07:43 PM Originally posted by uk_trader
Here's something I found on Google............
On another note it wouldn't be a bad idea to use Linux as opposed to Windows to run the servers on.
Hey UK, we finally agree on something :D ......Only kidding bud :)
To run a linux box does not require a state of the art computer, you can pick up an old thing cheaply which will do the trick.
If you network your linux box and your windows comp you can use part of your windows HD to store files for your FTP so your linux box doesn't require a big HD.
noamkrief May 18, 2003, 08:22 PM I'm really sorry but I don't use Linux. I have 2000 Advanced Server running and I think I opened up all the right ports...
On BlackICE firewall, I opened up 6900 TCP and on the internet NIC card, I didn't filter any of the ports.
When I open up port 21 and configure my FTP server to accept on port 21, it all works fine.
But when I open up port 6900 and configure my FTP server to accept on port 6900 it ALMOST works.
It accepts the password (I know this because when I put the wrong password it lets me know) and gets to the point where it lists the files...
here's the last few lines before it times out:
command: type a
response: 200 type set to a
command: LIST
response: 150 opening ASCII mode data connection for /bin/ls
and that's the last command until it times out!
I already tried other FTP clients... all the way from WS_FTP, to FileZilla and even IE's built-in FTP option...
I even closed BlackICE and still no luck...
The only way it works is on port 21....
If I have it set on port 6900, the only way FTP works is if the computer is ON MY HOME NETWORK..
plzhelp!!!
thanks
Demo May 18, 2003, 08:46 PM As I tried to point out in my post you have these difficulties because you have not set your server up correctly. I had the same problems when I tried to set up my FTP in the first place........On a windows machine. You must set up the extra ports for passive connections.
All OSs know what port 21 is used for but they haven't a clue what port 2121, or whatever, is used for so they don't set up the necessary ports for passive use. If your client used active mode you may be able to connect.
What FTP server are you using? Are you using a router?
noamkrief May 18, 2003, 10:41 PM no router is being used.
I tried using serv-u ftp server and the built in 2000 server ftp program...
How could it be bad settings? I even tried disabling the BlackICE firewall, and unfiltered ALL ports! TCP, UDP and IP...
thanks
Demo May 18, 2003, 11:31 PM It is your settings and the fact that your client is using pasv mode not active mode.
In the advanced settings of the local server add the pasv mode port settings....i.e 51200:51220 (see my -p settings above). You may also have to add your IP address (see my -P settings above) in the allow pasv mode transfers, use IP.....which you will find in the advanced domain settings
noamkrief May 18, 2003, 11:52 PM In either Serv-U or the 2000 built-in server, there is no option to add a passive mode port setting.
Demo May 19, 2003, 06:00 AM In Serv-U 4 there is; I installed it last night to find where the settings were. As I said in my last post you will find them in the advanced settings of the local server.
Captain May 19, 2003, 06:33 AM It's under server settings -> advanced -> PASV port range. You need to use the Serv-U admin program which sits in the system tray.
uk_trader May 19, 2003, 01:00 PM A basic example of a DMZ
Firewall>>>>> DMZ with servers >>>>>>> firewall blocking everything>>>>>>>>>Internal network
Here's some more detailed info:
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2717224,00.html
Some info on NAT and PAT
http://www.cugy.net/forum/showthread.php?postid=1358
noamkrief May 19, 2003, 09:25 PM I got it figured out... thanks for all your help. You were right... I need passive mode to use a port besides 21, and also, on Serv-U I need to set a range for the passive ports... I used 1000-1005 and allowed them in my firewall.. It all works now and EVEN WITH USING SSL!!!!!
thanks again!
noam
Demo May 19, 2003, 10:39 PM noamkrief - Hi, unless you are only expecting 2 or 3 users at any one time I would suggest you use more ports. You will need two ports per expected user. I would also suggest that you change your port range and do not publish it........You don't want every hacker on the net to know that these ports are open.
noamkrief May 19, 2003, 10:53 PM Demo, I got it all working but I don't know what it all means...
I know I got the FTP port open. In my case I used a different port than 21... let's say I used 5000 for FTP....
Then I opened up the passive ports... let's say 1000-2000.
What's the difference between the port 5000 and ports 1000 through 2000?
If I understand correctly, you are saying that each connection in the 1000-2000 ports uses two of these ports?
Can you explain? thanks
Demo May 19, 2003, 11:49 PM Basically, and I mean basically :) each connection requires a port to send and a port to receive.
Port 20 and 21 (usually, but 4999 and 5000 in your scenario) are used for the initial connection and in active mode the computers discuss which ports to use to carry on their conversation, in passive mode the server says you are going to use two ports between this range (hence the reason for setting up a range to be used). Obviously the initial ports can not be used all the time otherwise no one else would be able to connect.
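The following is an added example, not part of the thread, that models what Demo describes and what noamkrief saw in his client log: in active mode the server opens the data connection itself (from the port one below the control port, 20 for 21) towards the port the client named in its PORT command, while in passive mode the client opens it towards the port the server named in its 227 reply. A firewall in front of the server that only passes the control port therefore breaks passive transfers right after the "150 Opening ASCII mode data connection" line. The Host class, the simulate_list function and the control-reply strings are constructed for this model; the ports 6900 and 51200-51220 come from the thread and 40000 is a made-up client data port.

```python
from dataclasses import dataclass, field

# Added example, not from the thread: a minimal model of the FTP control and data
# channels, enough to show which side opens the data connection in each mode and
# why LIST hangs after "150 ..." when that connection is dropped. Port numbers are
# the ones from the thread (6900, 51200:51220) or constructed (40000).


@dataclass
class Host:
    """One end of the session and the TCP ranges its firewall accepts inbound."""
    name: str
    inbound_allowed: list = field(default_factory=list)  # list of (lo, hi)

    def accepts(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.inbound_allowed)


def data_channel(mode, server_ctrl_port, pasv_port, client_data_port):
    """Who opens the data connection and where it goes.
    active : server connects from ctrl_port-1 to the port the client gave in PORT
    passive: client connects to the port the server gave in its 227 reply"""
    if mode == "active":
        return ("server", server_ctrl_port - 1, "client", client_data_port)
    if mode == "passive":
        return ("client", None, "server", pasv_port)
    raise ValueError(mode)


def simulate_list(mode, server, client, server_ctrl_port,
                  pasv_port=51205, client_data_port=40000):
    """Control-channel transcript the client would see for a LIST in the given mode."""
    log = []
    if not server.accepts(server_ctrl_port):
        log.append(f"connect to {server.name}:{server_ctrl_port} dropped by its firewall")
        return log
    log += ["220 Service ready", "331 Password required", "230 User logged in",
            "200 Type set to A"]
    opener, src, target_name, dst = data_channel(
        mode, server_ctrl_port, pasv_port, client_data_port)
    target = server if target_name == "server" else client
    log.append("227 Entering Passive Mode" if mode == "passive" else "200 PORT command successful")
    log.append("150 Opening ASCII mode data connection for /bin/ls")
    if target.accepts(dst):
        log.append("226 Transfer complete")
    else:  # the thread's symptom: 150 arrives, then nothing until the client gives up
        src_txt = f"{opener}:{src}" if src else opener
        log.append(f"TIMEOUT: {src_txt} -> {target.name}:{dst} dropped by {target.name}'s firewall")
    return log


if __name__ == "__main__":
    client = Host("client", [(40000, 40000)])
    before = Host("server", [(80, 80), (6900, 6900)])  # control port open, PASV range not
    after = Host("server", [(80, 80), (6900, 6900), (51200, 51220)])
    for s in (before, after):
        print(simulate_list("passive", s, client, 6900)[-1])
    print(simulate_list("active", before, client, 6900)[-1])  # server connects out, so it works
```

The model deliberately ignores outbound filtering and NAT; it is only meant to make the two directions of the data connection visible, which is the piece most people miss when they move FTP off port 21 and the firewall stops recognising the protocol.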
noamkrief May 20, 2003, 12:19 AM Yeah, let me guess, 4999 is used from the server to the client, right Demo?
Because when I set the server's passive mode for 5000-5010, I also open up ports 5000-5010 in the firewall.
So my logic is that the server MUST send on port 4999 and not receive because it CAN'T...
Am i starting to understand correctly?
Also - let's say my main FTP port (not for passive mode) is 3000 and the passive mode is 5000-5010; can someone hack into my FTP files through the passive ports that are open???
Also, a couple more questions for you Demo cause u r such an expert (ps - thanks for the help)
Can I use SSL from IE6? Because in the Tools ---> Internet Options, there are options for SSL and they are checked. Does that mean that SSL is being used? Well, I don't think it is, because I installed a program that finds the passwords as they go through and the program detected them when I logged on with IE6.
As for now, I use an FTP client that uses SSL perfectly - thanks to your help of course.
noamkrief May 20, 2003, 12:36 AM One more thing Demo... Did you know that the folders used by FTP have to have the security permissions set on "authenticated users"????
How does Serv-U FTP know to automatically log the FTP clients into the authenticated users group???
thanks
Demo May 20, 2003, 11:34 AM It's probably better if I refer you to this site http://war.jgaa.com/ftp/?cmd=about I am sure they can explain things a little better than I can :)
robbieD May 20, 2003, 08:52 PM Hello Demo,
What is Passive? Could you please elaborate?
Thanks
robbieD