TechSpot

Adding Security to your Microsoft FTP publishing service

By Phantasm66
Oct 22, 2002
  1. OK, don't know if any of you use this, but I run an FTP server on my home machine, basically just using the in-built software which is included with Windows 2000, XP, etc... both on workstation and server versions.

    Anyway, I use this to upload and download files to and from work. I have also made virtual directories for certain friends so that they can download files I make available for them such as up-to-date TV episodes I get from IRC, and so forth.

    But there is a problem: My username and password are sent in unencrypted ASCII when I authenticate, and anyone in the path between my machine and the machine I am connecting from (i.e. any one of the hosts you see listed when you do a traceroute) can see this information if they use some kind of network packet analyser software like Network Monitor.

    This is potentially bad news but not so bad, since there's probably only certain fairly safe stuff between myself (NTL user) and the client machines (mostly in the university where I work) but I still don't like the idea of it.

    And there is another problem: ANYONE ELSE out there on the Internet can connect, or at least try to, leaving my FTP server open to some form of BRUTE FORCE attack from outsiders.... OBVIOUSLY I HAVE DISABLED ANONYMOUS CONNECTIONS but that doesn't stop some machines out there trying to connect anyway or try to guess what accounts DO have access....

    NOW, I could use some more encrypted and safe means of connection, such as OpenSSH ( www.openssh.com ) but let's assume for the moment that I want to stick with FTP....

    Well, what I discovered that you could do is grant or deny connections based on IP address, and that this could also apply to a range of addresses as well. Here is where it's hiding:

    [​IMG]


    I had to firstly add my own IP address as a single host, and then added ranges of addresses because I wanted to be able to connect from any machine on certain networks at work. So for those, instead of entering the IP address of the host, I entered the broadcast address and subnet mask of the network. This is pretty simple to work out if you know a little about subnetting and can do a few binary calculations.

    I've airbrushed this information away as I'm not too keen to broadcast this information, but it's simple to get from your work or at home by looking at your TCP/IP settings with the ipconfig /all command in a command prompt.

    I would add that I had to restart the FTP publishing service for this to take effect....

    And, obviously, if you want a friend to be able to connect to your FTP server you will have to get their IP address and add it to the list of allowed connections.

    Now there's no more hacker war ftp accesses from machines all over the net trying to hack into me to upload warez onto my machine or something.....

    Good luck trying it, post back if you have any questions.
     
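The subnet arithmetic described in the first post, as an added example that is not part of the original thread: it derives the network address, broadcast address and mask from the two values `ipconfig /all` shows, then checks clients against a default-deny allow list of single hosts and ranges. The addresses are constructed documentation ranges and the function names are illustrative; this models the allow-list idea in Python and is not IIS's own matching logic.

```python
import ipaddress

def network_entry(host_ip, subnet_mask):
    """Derive the range a host sits on from its ipconfig /all values."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{subnet_mask}")
    net = iface.network
    return {
        "network": str(net.network_address),      # host bits all 0
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),  # host bits all 1
        "addresses": net.num_addresses,
    }

def build_allow_list(entries):
    """entries: 'a.b.c.d' for one host, or ('a.b.c.d', 'mask') for a range."""
    nets = []
    for entry in entries:
        if isinstance(entry, tuple):
            # strict=False makes Python mask off the host bits, so any
            # address inside the range resolves to the same network
            nets.append(ipaddress.IPv4Network(f"{entry[0]}/{entry[1]}",
                                              strict=False))
        else:
            nets.append(ipaddress.IPv4Network(f"{entry}/32"))
    return nets

def is_allowed(client_ip, allow_list):
    """Default deny: accept a client only if some entry contains it."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in allow_list)

# Constructed sample values (documentation ranges, not from the thread)
HOME = "203.0.113.25"
WORK = network_entry("192.0.2.77", "255.255.255.192")
ALLOW = build_allow_list([HOME, (WORK["network"], WORK["mask"])])

if __name__ == "__main__":
    print(WORK)
    for ip in ("203.0.113.25", "192.0.2.100", "192.0.2.130", "198.51.100.9"):
        print(ip, "allowed" if is_allowed(ip, ALLOW) else "denied")
```

A /26 mask such as the one used here covers only 64 addresses, so a neighbouring host like 192.0.2.130 on the same /24 is still refused.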
  2. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    I have never seen a built in FTP server in XP.....What is it called? I have always used RaidenFTPD or Serv-U.....

    How well does it work? I know from my current connection that Serv-U is slow, but Raiden is very fast. How is this in comparison?
     
  3. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    I haven't really benchmarked others in comparison, but you install the one in XP with the following:

    Add remove programs - add remove windows components - internet information services - click details - select ftp server, next, next, etc, etc....

    It's fairly simplistic in terms of what you can do, but most folks will not want some of the more advanced features of other FTP clients (such as the ability of users to accumulate points in return for uploads, which they may exchange for downloads, etc). The tools for configuration of the built in FTP server are very useful and simple, and one should have no problem setting up a server, a root, virtual directories, etc.... post back with any questions.

    If your existing FTP server is worth a damn, it will allow you to only have folks on the campus and others that you specify to be able to connect.

    The last thing you want is someone to hack your FTP server and start uploading kiddie porns, warez, etc....
     
  4. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    This is true, because it happened to me once. Now I am very very protective of my computer and my connection. I run multiple firewalls and when I do have an FTP running for my friends I restrict IPs there too.

    I agree that most of the clients are overwhelmed with mostly useless info that the average person would never use, but it is alright.

    I might try and use this sometime P66. Thanks for the info, I never knew it was there.
     
  5. PHATMAN5050

    PHATMAN5050 TS Rookie Posts: 645

    I never knew either but that's what I'm going to install the second I get home. Also, I need to learn how to allow only certain IP addresses. I have a DLink Wireless Router now so if anyone knows how to do it on a wireless router post here. Thanks!
     
  6. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    I'm not familiar with your router but the Microsoft FTP server can exclude IPs in much the same way that it can grant them....
     
  7. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    Now access attempts that did not get through are logged in event viewer....

    Even just tonight, 3 folks have attempted to connect to my machine's ftp. Hehehe, hard luck suckers....

    One from Belgium. One from France. One from Taiwan. All over the world, people are trying to crack into your machine all the time as soon as you get 24/7 broadband...

    I'll be back with more security enhancing tips as soon as I get them....
     
  8. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    Where exactly is this server located? I just installed it, but can't find that IIS thing anywhere. I haven't looked yet, but thought it would be easier if you just gave me a few words of where to go.
     
  9. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    You install it from add/remove programs, windows components, internet information services....

    You configure it via Internet Services Manager in administrative tools.

    To set up directories for users (virtual directories), right click and select new virtual directory. Make the user an account on your machine first. Give their virtual dir the same name as their account. It's best to create the dir on an NTFS partition so that you can set permissions on it. Just play with it, it's easy to use and you will get the hang of it soon....
     
  10. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    IIS hackable???

    Back when I was bigger into different activities on my computer I was told by a buddy that IIS is a bad thing to have installed on your computer. It leaves you pretty vulnerable to hacking attacks. That is one reason, I now remember, I uninstalled IIS. I was wondering if anyone else heard of this, or knows what I am talking about.
     
  11. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    yes it's hackable... but then ALL computer systems are hackable unless they have no access to anything....

    you can't like hack into the FBI's computer system over the internet because, quite simply, it's not connected to the internet.

    but anyway, i digress...

    yes it's hackable, so yes you should keep your system up to date with patches, fixes, following security guides, etc. But the same is true of any system.

    Just because something is Microsoft does not make it easy to hack and just because something is not Microsoft does not make it unbreakable. There's ways into everything but if you follow some fairly simple info and keep your wits about you and stay informed then hopefully this will never happen to you.

    This DID happen to me, but I was unlucky and did not take enough precautions.

    When I check event viewer now, I find that about 5 people try to hack my ftp every day. There's nothing you can do to stop them trying, but you can take precautions so that it's much much harder for them to do so...
     
     
  12. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    Phantasm I KNOW that everything is hackable. I was under the impression that this was a little easier than other things, that's all.

    And after all I have been through I am very secure with my computer nowadays, I was just wondering about this IIS portion of it. Because I don't have it installed due to things I learned in the past about it.

    I'll look into it a little more, but I was just wondering.
     
Topic Status:
Not open for further replies.

