[285] in linux-security and linux-alert archive
More on the FTP bounce attack
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Jul 12 18:53:41 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 13 Jul 1995 00:02:58 +0200 (MET DST)
-----BEGIN PGP SIGNED MESSAGE-----
Here's some more info on the ftp bounce attack. As the author does not
describe the more malevolent abuses of the FTP protocol explicitly,
I will not go into details either. The problem is, this type of
attack can be used to talk to other network services as well, like
rlogind.

For the moment, your foremost line of defense is to make sure your ftpd
sets file permissions on upload so that they can't be retrieved. With
wu-ftpd, you can do this by adding a line like this to your /etc/ftpaccess:

    upload /var/ftp /incoming yes ftp ftpadmin 0600 nodirs

If you run an ftpd other than wu-ftpd that does allow retrieval of
files from incoming, you either have to hack your daemon to do so, or
obtain the tcp-wrappers patch mentioned below. (NB: I was not able to
log into avian.org).

Alternatively, here's a small patch to tcpd from tcp-wrappers-7.2. It's
sort of a hack, though.
- ---
- --- tcpd.c.orig Wed Dec 28 17:42:47 1994
+++ tcpd.c Wed Jul 12 23:56:31 1995
@@ -108,6 +108,15 @@
#endif
/*
+ * Deny access from ports below IPPORT_RESERVED/2.
+ */
+ if (ntohs(request.client->sin->sin_port) < IPPORT_RESERVED/2) {
+ syslog(deny_severity, "connect from illegal port %d",
+ ntohs(request.client->sin->sin_port));
+ refuse(&request);
+ }
+
+ /*
* Check whether this host can access the service in argv[0]. The
* access-control code invokes optional shell commands as specified in
* the access-control tables.
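
Review bot: the new test on ntohs(request.client->sin->sin_port) < IPPORT_RESERVED/2 runs unconditionally for every service tcpd wraps, and the comment above it says what is denied but not why the cut-off is half of IPPORT_RESERVED rather than the whole reserved range. Since the context shows an #endif just above, consider putting the check under its own compile-time option and extending the comment with the rationale, so that a site with legitimate clients connecting from low source ports can tell what will break and disable it. Two smaller points in the same block: request.client->sin is dereferenced without a null check, which is only safe if it is always filled in by this point (not visible in the hunk), and the syslog message records the port alone, so adding the client address would make the refusal traceable in the log.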
- ---
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.