FTP Security

Hi Everyone
How to provide PGP security for FTP at the file adapter module? Can anyone please send me the documentation link for PGP Security in XI, or how to provide security for FTP transfers in XI?
Thanks
Rajesh

Hi ,
Check these links. They contain some useful info for you.
JAVA API's for PGP Encryption/Decryption
Decryption
Sekhar

Similar Messages

  • Diff between FTP & Secured FTP

    Hi,
      What is the diff between FTP & Secured FTP?
    Thanks
    Koteswa Rao

    Rao,
    The File Adapter does not support SFTP (File Transfer over SSH). It supports FTPS.
    You may view this at point 28 in SAP Note 821267.
    Just an add-on: if you want to view the difference between FTPS (that XI supports) and SFTP, please refer to this link:
    http://www.enterprisedt.com/forums/viewtopic.php?p=136&sid=28d66491b43c6bf90448deea4936bc15
    SAP is looking into this. Please see this thread on this discussion:
    SFTP supports in SAP Netweaver 2004s
    ---Satish

  • FTP Security - Repeated Login Attempts

    Over the past 2 weeks or so, I've seen about a bazillion of these types of entries in the system log of one of our ftp servers:
    Aug 21 03:39:22 ns ftpd[4099]: ACL Check failed for Administrator
    Aug 21 03:39:22 ns ftpd[4099]: ACL Check failed for Administrator
    Aug 21 03:39:22 ns ftpd[4099]: ACL Check failed for Administrator
    Aug 21 03:39:23 ns ftpd[4099]: repeated login failures from atlantis @ 83.143.18.134 [83.143.18.134]
    Obviously, someone is trying to gain access (unsuccessfully - thank goodness) to the system. The repeated login attempts last anywhere from 5 - 30 minutes, always with the username Administrator. The IP addresses are from all over the world - Europe, Asia, and the US. Why we have a bullseye on us all of a sudden is unknown. This server has been running for close to three years now, and I've never seen attempts with this frequency.
    The Administrator user doesn't have ftp access on this system, so I'm not too worried about these break-in attempts. (Or should I be?)
    My formal question is this - is there anything that can be done with the out of the box ftp server to deter these attempts, or at least block attempts by IP address temporarily after several failed logins?
    What approach have others used? Is it time to start looking at another ftp server software package that has more security settings?
    Any help / input would be appreciated.
    I miss my Apple IIc   Mac OS X (10.4.6)  

    Thanks for the feedback Camelot. I'll post my replies under the quoted text below.
    > If you're running a public server you're going to get hits you don't want. Fact of life.
    > Script kiddies around the world are going to try whatever username and password they can think of to log into your server.
    > Having a different FTP server isn't going to change that - any other server is just as vulnerable to brute-force attacks as the built-in server. How do you think a different server is going to react any differently?
    I don't know - that's why I asked.
    I've only used the bundled ftp server with OS X server. I was wondering if there was a ftp software package that temporarily blocked IPs after 'n' number of invalid login attempts or something like that. And thought I'd see if anyone had any experience in this department.
    > Your only safeguards are some combination of:
    > 1) use your firewall to restrict access to the server to known/trusted IP addresses
    Unfortunately, a few of our users use dynamic IPs. Which is a bummer.
    > 2) use a VPN to connect to the server, then connect to the internal address
    We've used this method successfully before. We might go back to it...
    It was a 'pain' for some of our remote users and I finally gave into the nagging to do away with it because I spent way too much time providing phone support for remote users. I know, I know, it's just laziness on my part.
    > 3) use a different protocol that supports public key authentication (and turn off password authentication), e.g. SFTP.
    I've looked into SFTP for the OS X ftp server on these boards and most discussions don't seem to resolve into a definitive solution for implementing SFTP on the OS X server. Anyone get this working properly? I'd love to set it up to support SFTP only and disable password authentication.
    I'm leaving the original question open - I'd like to know if there is ftp software that works well on OS X server that would temporarily block an IP after 'n' invalid attempts, or has something similar.
    Or for someone to tell me I'm just being paranoid - and that the current setup should be OK.
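The temporary block after 'n' failed logins asked about in this thread comes down to a sliding-window count per source address over log lines like the ones quoted. The following is an added example, not part of the original posts: the function names, thresholds and the sample lines are constructed for illustration, and the year is an assumption because syslog timestamps do not carry one.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in the thread
# (addresses come from the documentation ranges, not real hosts).
SAMPLE_LOG = """\
Aug 21 03:39:22 ns ftpd[4099]: ACL Check failed for Administrator
Aug 21 03:39:23 ns ftpd[4099]: repeated login failures from host-a @ 203.0.113.7 [203.0.113.7]
Aug 21 03:41:10 ns ftpd[4102]: repeated login failures from host-a @ 203.0.113.7 [203.0.113.7]
Aug 21 03:44:55 ns ftpd[4110]: repeated login failures from host-a @ 203.0.113.7 [203.0.113.7]
Aug 21 03:50:01 ns ftpd[4120]: repeated login failures from host-b @ 198.51.100.20 [198.51.100.20]
Aug 21 09:15:30 ns ftpd[4300]: repeated login failures from host-b @ 198.51.100.20 [198.51.100.20]
"""

# Only the "repeated login failures" line carries the source address;
# the "ACL Check failed" lines have no address and are not counted.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[\d+\]: "
    r"repeated login failures from .* \[(?P<ip>[0-9.]+)\]$"
)


def parse_failures(lines, year):
    """Yield (timestamp, ip) for every failure line; skip everything else."""
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # malformed address in the log line
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), ip


def plan_blocks(lines, year, threshold=3,
                window=timedelta(minutes=10), ban=timedelta(hours=1)):
    """Return [(ip, blocked_from, blocked_until)] for addresses that reach
    `threshold` failure lines within `window`. Applying the block in the
    firewall is left to the caller."""
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    banned_until = {}             # ip -> end of the current block
    blocks = []
    for ts, ip in parse_failures(lines, year):
        if banned_until.get(ip, datetime.min) > ts:
            continue              # already blocked at this time
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget failures older than the window
        if len(hits) >= threshold:
            banned_until[ip] = ts + ban
            blocks.append((ip, ts, ts + ban))
            hits.clear()
    return blocks


if __name__ == "__main__":
    for ip, start, end in plan_blocks(SAMPLE_LOG.splitlines(), year=2000):
        print(f"block {ip} from {start} until {end}")
```

Because the block expires on its own, users on dynamic addresses who mistype a password are locked out only for the ban period.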

  • FTP security vulnerability or what ?

    I have tested the FTP settings on my DL2100 and allowed access for only 2 users X and Y. I have disabled Anonymous user on the FTP folder. When I looked at my logs, I saw that Anonymous has been logging in and out a few times a day. I said that's impossible since this user is not allowed. I logged on to the FTP with Anonymous myself, to my surprise, and see only the ROOT folder, but indeed no FTP shares. I couldn't navigate anywhere with this user, BUT is this the way WD intended to secure FTP connections? Shouldn't the connection for Anonymous be denied from the beginning?

    adicrst wrote:
    Reply from WD Support:
    Thank you for contacting Western Digital Customer Service and Support. My name is X.
    I am sorry to read that you have an issue with the FTP. Our apologies for the inconvenience that this may have caused you.
    Concerning the question you have about the Anonymous in FTP, I can inform you that when you created shares which are accessible through FTP and you selected for the Anonymous as None, it is counted always for the share which Anonymous is not allowed to access and not for the root directory. That is why you can see the root directory, but not the specific shares.
    I hope that I provided you the information you need and that you are satisfied with the answer.
    If you have any further questions, please reply to this email and we will be happy to assist you further.

    So in other words we should just live with this security vulnerability, even if everyone has a solid confirmation that your FTP is available on the internet and everyone can log just for the fun of it with Anonymous user. What if I allow only 1 FTP connection and a hacker is holding it busy with an Anonymous session?

    Like the support guy stated, when you enable FTP on a folder, remember to select; when I state select, I mean click the down arrow and select "Anonymous None", then click save. That is how I know it will save the setting. If you don't select, the device will think you want to set your FTP server for everyone to log in, "including anonymous."

  • FieldPoint Real-Time ftp security

    I am using FP RT as a datalogger, so I want multiple computers to have access to the files through FTP. Nevertheless, I don't want any machine to be able to delete the files; the LabVIEW application does that itself. How can I configure the FP security so any machine can retrieve the text files, but cannot delete them?
    Santiago Orellana V.
    HighLights - National Instruments Ecuador

    hl-ni,
    As of now there is no way to allow read-only access to the FTP server. However, you can lock the FTP server through Measurement & Automation Explorer, which will only allow access by someone who has the password you set.
    Ames
    Applications Engineering
    National Instruments

  • Advanced FTP Security Configuration Issues

    I've run anonymous FTP servers in the past, and more recently have begun supporting an FTP server (ProFTPd) whose users are jailed to their home directories.
    I have now received a request to create several FTP accounts that are:
    1) Jailed to their own home directories
    2) Only able to upload to an "upload" directory
    3) Only able to download from a "download" directory
    And
    4) Create a user account that can manage all the files in the aforementioned jails
    Now, I can do this quite easily on a MS Windows system, but I really don't want to build a whole new server just for these few users.
    It seems to me that traditional UNIX security doesn't seem to be granular enough to support this request. If this is not correct, could someone help me with the security structure required?
    Or perhaps RBAC can help me here?
    Also, based on a previous post, I am looking into "setfacl".
    Thanks in advance,
    M. McCabe

    Solaris 9 and 10 include ftpconfig(1M) which does all that fiddly copying for you. You just need to create the accounts and home dirs. See "System admin guide: Network services" Chapter 28 and/or Sun doc #216460 "How do I configure ftp anonymous, guest and "chroot" user access in Solaris[TM]? ".
    "The ftpconfig script is used to copy all necessary system files to the home directory. When the
    guest user and the guest's home directory already exist, the ftpconfig script updates the area
    with the current system files."

  • Does BO3.1 support FTPS (secured ftp)

    Hi,
    There is a requirement to schedule a crystal report file to FTPS server in BO 3.1.
    Does BO 3.1 support FTPS?
    Is it supported BO4.0 or 4.1?
    Regds,
    Samson

    Hello,
    as Valdrin pointed out, it is not supported by default.
    There was a workaround available in XI Rel.2. You can try if you get it running under XI 3.x/BI 4.x.
    http://service.sap.com/sap/support/notes/1782625
    Regards
    -Seb.

  • Network Security IIS 7.5 FTP & Managed Firewall

    Hello
    The scenario is that we have an IIS 7.5 Windows 2008 R2 box ("IIS Box"), and on that box we want to configure a single FTP site.
    The FTP site will use the Basic Security option (no Anonymous access)
    The IIS Box sits behind a wholly-independent managed firewall appliance from a leading vendor. We trust the managed firewall and its configuration, and as such, Windows Firewall is completely disabled on the IIS Box. The managed firewall is configured to NAT 1-1 from private to public IP addresses.
    Ideally, I would have liked to have configured a policy on the managed firewall to allow all traffic through based on a specific source IP address, since the FTP clients to access the FTP site are well-known to us and we are not giving access to very many clients. Unfortunately this is not an option because the clients who are requesting access do not have static IP addresses.
    We also believe that establishing a Site-to-Site VPN and running the FTP within that, is not an option.
    What we are considering having to do, therefore, is to configure the managed firewall to allow FTP protocol through, regardless of the source IP address associated with the connection. i.e. Everyone can establish the connection, and we rely upon the Basic FTP security mechanism built in to IIS to protect us.
    I do not think this is ideal but it should be only a short term arrangement and we will ensure that the Physical Directory that can be accessed through the service leaves a reasonably narrow scope in terms of potential attack / abuse.
    The question I have before I proceed with this, concerns the need for Passive FTP Data Channel ports.
    Clearly, to make this work, I will have to specify within the IIS settings, which ports to use. Let's say for example that I go for ports 10000-11000.
    Q1. My understanding is that I need to configure the managed firewall to permit INBOUND connections to the IIS box targeting ports 10000-11000, 20, and 21. Is that right?
    Q2. If I do, I then have a situation where my firewall is going to allow all connections through on those ports, and since this firewall is NOT application-aware, it won't care whether they are being used for FTP or anything else. It will simply let ALL connections through. At this point, what are the ramifications in terms of how IIS will respond? For example, is IIS FTP smart enough to realise that it should only permit connections that it has already arranged over the Control link (20/21)?
    Q3. If I specify in IIS admin that I want to use 10000-11000 for FTP - is IIS clever enough to PREVENT those ports being used by any other apps on the same IIS box? My concern here is, given that the managed firewall will definitely be letting ANYTHING through, what potentially happens if some other app or code starts listening on port 10500?
    I understand that whatever dynamic port range is configured on the server would generally be used for Outbound connections anyway (source ports) but still - I just would like any thoughts on the security ramifications of the configuration I am proposing.
    I don't feel entirely comfortable yet, that I am not opening up a point of vulnerability.
    I am really looking for technical thoughts on the networking side of this, rather than (for example) general advice about "make sure you have Windows Updates installed" etc.
    thanks

    Hi Robert,
    I suggest you use the passive operational mode to achieve your goal.
    In this mode, the client initiates the data channel connection, then the server responds with the TCP port number to which the client should connect to establish the data channel. We can restrict the port range used by the FTP service, and then create a firewall rule that allows FTP traffic on only those allowed port numbers.
    How to Configure Windows Firewall for a Passive Mode FTP Server
    http://technet.microsoft.com/en-us/library/dd421710(v=WS.10).aspx
    Best Regards,
    Amy
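In passive mode the server names the data-channel endpoint in its `227` reply as six numbers, `(h1,h2,h3,h4,p1,p2)`, with the port equal to `p1*256 + p2`. A firewall that is not application-aware will not rewrite that reply, so behind a 1-1 NAT it is worth checking what the server actually advertises. The following is an added example, not from the thread: the function name and finding labels are hypothetical, the replies in the usage section are constructed, and the 10000-11000 range is the one proposed in the question.

```python
import ipaddress
import re

# RFC 1918 ranges: an address from these in a 227 reply is unreachable
# for a client on the public side of the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def check_pasv_reply(reply, port_range=(10000, 11000)):
    """Decode a 227 reply and return (host, port, findings).

    findings lists problems relative to the firewall rule: a port outside
    the range opened for passive data, or a private address advertised
    to the client."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in 227 reply")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]

    findings = []
    low, high = port_range
    if not low <= port <= high:
        findings.append("port-outside-passive-range")
    if any(host in net for net in RFC1918):
        findings.append("private-address-advertised")
    return str(host), port, findings


if __name__ == "__main__":
    # Constructed replies: one correct, one leaking the internal address,
    # one using a port the firewall rule would not cover.
    for line in (
        "227 Entering Passive Mode (203,0,113,10,41,4)",
        "227 Entering Passive Mode (192,168,1,20,39,16)",
        "227 Entering Passive Mode (203,0,113,10,195,80)",
    ):
        print(line, "->", check_pasv_reply(line))
```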

  • Securing FTP with TLS

    Hi,
    I am developing a secure FTP client.
    Is there any free API available in the market which can be reused in my application?
    If not, please provide me some link so that I can develop such an API using the JSSE API.
    FYI - I am following the Internet Draft, "Securing FTP with TLS" by Ford-Hutchinson, a specification for realizing RFC2228, "FTP Security Extension" using TLS.
    Thanks.

    hi friend,
    i'm also looking for free secure ftp api's for Java...
    if u know any, do let me know....

  • How to use a key file in the FTP Task using an SSL connection

    In the past I have used this code to set the FTP pass word in an FTP component task in SSIS.
    Does anyone know how to use a Key file in an SSL connection to download a file from an FTP site?  If not can you tell me where I can get the C# code examples to learn how to create a script task or if there is another way in SSIS to download large files from an SSL FTP site?  Thank you for any help offered.
    public void Main()
    {
        // Look up the FTP connection manager defined in the package.
        ConnectionManager FTPConn;
        FTPConn = Dts.Connections["FTPServer"];
        // Set the password at run time from a package variable.
        FTPConn.Properties["ServerPassword"].SetValue(FTPConn, Dts.Variables["FTPPassword"].Value);
        Dts.TaskResult = (int)ScriptResults.Success;
    }
    Antonio

    You can use SFTP for this.
    This is a way of implementing SFTP in SSIS using standard tasks 
    http://visakhm.blogspot.in/2012/12/implementing-dynamic-secure-ftp-process.html
    also see
    http://blog.goanywheremft.com/2011/10/20/sftp-ftps-secure-ftp-transfers/
    Visakh

  • How do you set up ftp services with outside of network access?

    What are the steps to set up a password protected directory for our clients to ftp files to?
    I've turned on ftp services and created a testftp directory, with access to everyone, but can't access the files. It never asks me for a password.
    We have AT&T dsl service. The connection goes to a Linksys router and on to multiple switches. Each of our users have assigned static ip's.
    Thanks for the help,
    Chas

    The Mac OS X Server Security manual has a discussion of setting up ftp and the share points and related. Here's the [Tiger Security|http://images.apple.com/server/macosx/docs/TigerServer_Security_Config021507.pdf] manual, and here's [Leopard|http://images.apple.com/server/macosx/docs/LeopardServer_Security_Configv10.5.pdf].
    If you'd prefer a description here rather than the manuals, what follows are the basics.
    I'm here assuming you have a firewall between the Internet and your server; a firewall attached to the DSL modem. If you have an external static IP and an internal private (192.168.0.0/16, 10.0.0.0/8, etc) via NAT, you'll need a firewall with reasonable port-mapping capabilities. If you're static and public throughout, you need only poke holes; you probably don't need the port-mapping stuff. (Or you could have a direct connection to your Mac OS X box; I don't usually configure things that way.)
    First, open your firewall and allow access via the ftp ports (port 20 outbound and port 21 inbound, typically) and open up the ephemeral port range.
    Then create a user and directory via whichever service you are using -- Workgroup Manager, Open Directory or otherwise. Within Workgroup Manager, you can set up share points; basically locations that the ftp daemon is permitted to touch.
    Then wander into Server Admin and enable the ftp server.
    Now if I wanted to do this without exposing my cleartext username and cleartext password over every hotel and coffee shop LAN I might use (and I'm not kidding; "ftp security" is an oxymoron), I'd create a username and its directory per your usual means, use Server Admin to configure and launch sftp daemon, and open up port 22 at the firewall. In my experience, sftp is easier to administer, and operates with ssh and with PKE authentication, and it doesn't post your password to Craigslist -- and beyond discussions of the (lack of) security, ftp tends to be somewhat fragile; it really gets into trouble traversing firewalls.
    Given my experience with ftp over the years, here is [why I don't want to use ftp|http://64.223.189.234/node/530] -- sftp is just so much easier to deal with, and to secure.

  • Passive FTP Port Range -- Server 10.3.x Panther

    I know that the port range for Passive FTP is >1024, but I want to define that to a smaller group of unused ports so that I can specify that those ports are open in the Firewall.
    Can, how, and where do I define this port range??

    I just opened from 13658-65534 and this seems to be fine (although not been running very long). I took the view that opening a stack of ports was not really any worse than just opening a quarter as much. Arguably, it's no worse than just opening one.
    However, we only use it from time to time and FTP services is off unless specifically required. If I was going to run it for serious use I think I would put it on a dedicated server and put it in a DMZ.
    Reading up on FTP security is on my To-Do list...
    -david
    [EDIT] The server is also well locked down for SSH.

  • Authentication in ALSB while proxying FTP, MQ

    We are using ALSB for first time to proxy external messages we receive from our business partners over different protocols e.g.FTP, MQ, SOAP over HTTP. Thus we would have Proxy services configured receiving messages, one for each transport protocol, all of which place the raw message on JMS queue after the messages are authenticated and checked for data integrity.
    ALSB/WLS provides good support for authenticating SOAP over HTTP via WS-Security. However, when we receive messages over FTP or MQ, we are not very sure how we authenticate the message sender. We can assume that the messages would contain some credentials like username/password or X509 certificate using which we will have to manually authenticate the sender.
    Any guidance on what API to use and if we would have to write any custom Identity Assertion, Authentication Provider etc for the same.
    As per my understanding, we would have to make a Java callout from our proxy, which could make a call to weblogic.security.Authentication.login(simpleCallbackHandler) which would authenticate the user with username/password or call weblogic.security.Authentication.assertIdentity(X509Certificate) if message contains a certificate.
    Does this seem like a reasonable plan or am I missing something here?

    For FTP security you should use the new SFTP transport available in ALSB 2.6 RP1 that leverages SSH as communication protocol.
    For MQ transport SSL is provided out of the box.
    Gregory Haardt
    ALSB Prg. Manager

  • Web Based Configuration possible security flaw

    My coworkers and I found something quite interesting today... despite having configured FTP security settings (which have been confirmed to be set up and functioning; I can't open an FTP session to our remote target without specifying an admin user name and password), if you open the NI web based configuration tool in a browser, you can FTP to and from the target using the remote file browser without being logged in at all! Has anyone else experienced this??
    CLA, LabVIEW Versions 2010-2013

    Apparently, these permissions are separate from FTP, but you can set these particular permissions on the Security configuration page of the web based configuration utility.
    CLA, LabVIEW Versions 2010-2013

  • Ftp ; the best practice

    Hi All,
    I have a question about FTPing the files/folders etc from a "source" UNIX/LINUX box to the "target" box. I know that you can use FTP, Secure FTP, maybe some java package, there is one thing like "RSYNC" ... and others in the market.
    But I wanted to know what is the greatest and best practice to achieve an "automated" ftp process.
    "Automated" means, somebody who has very little experience with UNIX world, would log in to the source box, go to say /home/myid and just type ./ftptotarget.sh
    ... something to that extent. And underneath, there would be a process (maybe an ANT script, java program, rsync etc) that would do its work and 100% guaranteed the files have been targeted with all permissions etc.
    I do not know if I have asked my question properly, but if you have any questions, I would explain better.
    Thanks, sangita

    Thanks for your information. Actually, I wanted to "copy" files from UNIX source box to UNIX target box.
    Let me be more specific now. We are using weblogic.Deployer wrapped in ANT scripts. This is to deploy .ear/.war files from source to target boxes. We have a common source box, we call it a staging area. All the developers in the world would put the .ear/.war application files to this staging box. Our group in US would deploy the application to their respective target boxes. Now, some of the applications also have "other" files or folders that have not been packaged into .ear/.war files, because either they are not java files or something else.
    But we still have to target these "extra" files from the staging to target boxes. Currently, we manually FTP it. But we wanted to give the complete "deployment" authority to people who have less unix experience. They cannot do FTP. Moreover, we do not want to use FTP either. What is the easiest and the best approach?
    Thanks, sangita
