FTP server & security

[gal]

I've had a Filezilla server running on Winxp for quite a while with no anonymous login. From time to time i see a lot of connections coming in from one IP. No u/p is submitted, the threads just hang there until they time out. Is this someone trying to crack the server?

I don't care about the content on the ftp root being read by strangers, but the rest of the drive is private. Is it possible for an intruder to get access to the whole disk?

Oh yeah, one more. I've read that plain ftp is unsecure since the communication isn't encrypted. How difficult is it to actually snap up passwords for people outside this lan?

Thanks

[Silvy]

With regards to password "snapping" (commonly referred to as "sniffing"):

Anyone with access to the datapackets that travel between the FTP client and FTP server can read the username and password. Because, indeed, these are sent as plain text (meaning human-readable form) across the net.

Now who has access to these packets?
By necessity every hop between server and client. Most connections go through several machines, and each of these machines is able to read the username/password. It is however not common that these machines would bother.
In addition: on a unswitched network (networks connected by hubs, not switches) everyone on the LAN 'sees' all packets, including your FTP packets. So the local networks of both client and server can see the username/passwords. I suspect that most password sniffing is done on these networks.
There are tools available that can automatically sniff the network for such username/password combinations for e-mail, telnet, ftp and probably many more. With such a tool, gathering passwords is very easy.

The only way around sniffers is using secure FTP. I don't know if filezilla supports it, and I think client support is lacking as well. I haven't spent much time on this.

[cyrnel]

Scp. Based on ssh and quite secure. Open source, with free win versions. (The client works with scp or sftp.) http://winscp.sourceforge.net/

[bendsley]

I second cyrnel's recommendation on WinSCP. I use it to move stuff back and forth between my machine and my linux servers. Easy to use and you can choose between the Norton Commander interface (better) or the Explorer interface (sucks).

If you're looking for vulnerabilites in the FTP server software you're using, you might look at securityfocus or google to see what vulnerabilites are out there for the program. If you want more help, private message me and we'll see what we can work out, as network security is my forte.

[killeena]

The only bummer about scp and sftp is that transfer speeds are slower compared to regular ftp.

[a-j]

Quote:

Originally Posted by killeena

The only bummer about scp and sftp is that transfer speeds are slower compared to regular ftp.

It really depends on the application. I've seen some horrendous win32 applications that cannot even manage 10kbps, on our work LAN. I don't know what there problem is (poor TCP management, slow encryption/decryption implementations, etc).

Using *NIX we consistently get ~10mbps, which should really be fast enough, except when doing intra-LAN work. I have a feeling the network connection would be the likely bottleneck.

[gal]

Winscp is a good client but I'm looking for a server.. I'm using the server to share bigger-than-mail files with friends and colleagues, and ftp is easy enough for anyone to use. Well actually, the guys running IE can't access login-ftp so they have to download an ftp client anyway. I guess I could run an sftp client and point them to Winscp. I haven't found a good sftp client though. I've tried F-secure, but that one requires a local Windows account for every sftp/ssh account.

Thanks for making yourself available bendsley. I'll get back to you if I have any specific questions.

[skaven]

Those connections from a single IP are probably either a virus-infected PC randomly hitting your server and trying to infect it, or possibly somebody probing your FTP server to see if it's vulnerable. Seems logical for a script to make several connection attempts, each one using a different exploit, then if none get through, move to the next IP.

As long as your FTP client is up-to-date and doesn't have any known vulnerabilities, and you're up-to-date on your windows updates, you should be OK.

I wouldn't worry too much about password sniffing...the only time I've ever even heard of this working is at offices using old hub-based network equipment. You shouldn't have anything to worry about, unless you've got some really nosy sysadmins at your ISP...

[Boo Radley]

If you're going to stick with standard ftp move to a non standard port, not a big jump in security.. but it leaves ports 21 locked up and makes it look like no one's at home to a simple script.

If your really worried about security just move the server to a machine where it isn't an issue I've never really heard of anyone having thier entire drive compromized through ftp.. but then again.. i've never really listened either.