FTP restrictions


  • FTP restrictions

    Hi, folks

    I have set up an FTP server on our Win2k3 domain controller which has been working fine.

    I regularly check the FTP logs and add the IP addresses of failed connections to the deny list - these usually show the user has tried to connect 100's or 1000's of times to the server. Many of the connection attempts are recorded as follows:

    17:04:52 xx.xxx.xx.xxx [5]USER anonymous 331 0
    17:04:52 xx.xxx.xx.xxx [5]PASS [A-Z][email protected] 530 5

    [email protected] appears in most of the log files.

    Rather than add the different IPs to the deny list is there a way that I can configure the FTP server so that connections that use gpuser are automatically banned?

    All connections to the ftp server have to be authenticated. There is no danger of denying a user access by blocking gpuser.

    I've seen references to ftphosts and ftpuser but think these relate to non-Windows OS's. Is this correct?

    If anyone has any thoughts about this or knows of any useful links please post.

    Thanks
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: FTP restrictions

    I am also searching for the same. I can block all MSSQL instantly. Please see this script by Jason Partley. This would be helpful to you if you can modify it according to your requirement.

    My understanding is to monitor the log file actively in the background and, based on the FTP return code [530 -- not able to log in], add the IP to IPSec.
    Mohan Mathew[VU3MMU]
    MCITP [AD]
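
The approach described in post #2 (watch the FTP log for 530 replies and collect the source addresses), as an added example that is not part of the thread or of the script it mentions. It assumes the log layout quoted in the first post; the sample lines, addresses and function names are constructed, and the code only lists candidate addresses for review rather than changing any deny list.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log lines quoted in the first post:
# time, client IP, [session]COMMAND, argument, FTP status, Win32 status.
SAMPLE_LOG = """\
17:04:52 192.0.2.10 [5]USER anonymous 331 0
17:04:52 192.0.2.10 [5]PASS guest@example.invalid 530 5
17:04:53 192.0.2.10 [6]USER anonymous 331 0
17:04:53 192.0.2.10 [6]PASS guest@example.invalid 530 5
17:04:54 192.0.2.10 [7]USER Administrator 331 0
17:04:54 192.0.2.10 [7]PASS - 530 1326
17:10:01 198.51.100.7 [8]USER jsmith 331 0
17:10:02 198.51.100.7 [8]PASS - 530 1326
17:10:09 198.51.100.7 [9]USER jsmith 331 0
17:10:10 198.51.100.7 [9]PASS - 230 0
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<ip>\S+)\s+\[(?P<session>\d+)\](?P<cmd>[A-Za-z]+)"
    r"\s+(?P<arg>.*?)\s+(?P<status>\d{3})\s+(?P<win32>\d+)\s*$"
)

def parse(text):
    """Yield one dict per well-formed log line; headers and malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def failed_logins(text):
    """Count PASS commands answered with 530 (login failed) per client IP."""
    counts = Counter()
    for rec in parse(text):
        if rec["cmd"].upper() == "PASS" and rec["status"] == "530":
            counts[rec["ip"]] += 1
    return counts

def deny_candidates(text, threshold=3):
    """IPs with at least `threshold` failures; one mistyped password stays below it."""
    return sorted(ip for ip, n in failed_logins(text).items() if n >= threshold)

if __name__ == "__main__":
    for ip in deny_candidates(SAMPLE_LOG):
        print(ip, failed_logins(SAMPLE_LOG)[ip])
```

The threshold keeps a legitimate user who mistypes a password once (the second address in the sample) off the candidate list.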


    • #3
      Re: FTP restrictions

      Thanks for answering.

      I've no idea how to use that. Also, I have turned off IPSec on the servers because we don't use it.

      Thank you, anyway.
      A recent poll suggests that 6 out of 7 dwarfs are not happy


      • #4
        Re: FTP restrictions

        Disable anonymous Auth?
        MCSE 2003; MCTS Vista; Sec+; CCNA
        Attitude Makes The Difference!
        in other words you got to WANT to do it..


        • #5
          Re: FTP restrictions

          Also rename the Administrator account as this tends to get hammered a bit. Don't have an Admin account either.
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2


          • #6
            Re: FTP restrictions

            Thanks.

            Originally this was turned off, but I had turned it on temporarily. I have now turned it off. However, as I recall, the connection attempts have been happening from the start.

            Access to the FTP server is controlled on a per user basis. Staff can access the server using their domain credentials. Guest access is controlled by using a couple of accounts only, and the password is changed for each user. FTP usage is very low.

            Is there no way that I can use a filter so that gpuser is blocked? If not, then I'll just keep adding the IPs.
            A recent poll suggests that 6 out of 7 dwarfs are not happy


            • #7
              Re: FTP restrictions

              Thanks, Biggles


              The FTP server is on the domain controller. I know that renaming the administrator account is a good thing, but it's something that I would find pretty daunting.

              When we can afford an additional server I'll move FTP onto that and rename the administrator account.

              Presumably, renaming the admin account on the DC would require hours of work changing the access rights on the folders, scheduled tasks, backups etc. The administrator account has full rights to every share on the system.
              A recent poll suggests that 6 out of 7 dwarfs are not happy


              • #8
                Re: FTP restrictions

                Renaming the account itself is easy.

                Access rights won't change, as NTFS permissions are based on the account's SID.

                When you do look into doing this, I would recommend moving scheduled tasks to a dedicated service account.
                Gareth Howells

                BSc (Hons), MBCS, MCP, MCDST, ICCE

                Any advice is given in good faith and without warranty.

                Please give reputation points if somebody has helped you.

                "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


                • #9
                  Re: FTP restrictions

                  Thanks!

                  I'll make that my next project. I've read about the workings of Kerberos etc, but did not realise that an account could be renamed without affecting the present security settings across the domain.
                  A recent poll suggests that 6 out of 7 dwarfs are not happy


                  • #10
                    Re: FTP restrictions

                    An account's username is just there as a friendlier identifier for us to work with. Now that divorce is the fashionable thing to do (our sales admin has been married and divorced three times...) imagine how much of a pain it would be to have to change permissions etc every time someone got drunk in Vegas
                    Gareth Howells



                    • #11
                      Re: FTP restrictions

                      IPSec is very useful and handy. I have enabled it on all servers. We can deny all and enable only required IPs.
                      Last edited by mohanmathew; 5th September 2009, 05:13.
                      Mohan Mathew[VU3MMU]
                      MCITP [AD]


                      • #12
                        Re: FTP restrictions

                        Originally posted by mohanmathew:
                        "IPSec is very useful and handy. I have enabled it on all servers. We can deny all and enable only required IPs."

                        Thanks for your reply. This would not work for us as our clients occasionally need access to the FTP server as do our staff. Our staff certainly do not have static IP addresses and some of our clients are small businesses without the luxury of a static IP address.
                        A recent poll suggests that 6 out of 7 dwarfs are not happy


                        • #13
                          Re: FTP restrictions

                          You can design it accordingly.
                          Mohan Mathew[VU3MMU]
                          MCITP [AD]
