selectively blocking ftps connections at windows firewall

Ajukan pertanyaan

04 Mei 2012 14:32

0
Hi: I'm trying to block ftp/ftps connections to a server2008r2 standard computer using Windows Firewall, but still allow connections from a specific remote IP

I created a rule using the GUI:
- Protocols and Ports
- - Protocol Type: TCP
- - Local port: 20,21,22,990,991
- - remote port: All Ports
- Scope
- - Local IP: [my IP]
- - Remote IP: 0.0.0.0-123.123.123.123
- - Remote IP: 123.123.123.125-255.255.255.255
- - [trying to allow connections from 123.123.123.124, but block everything else]
- Advanced
- - Domain/Private/Public selected
- - Interface Types: all selected
- - Block edge traversal
If I test ftp connections from a remote computer, they are dropped, but not before the connection is logged by the ftp service. Even with the settings above, I'll still see this in the ftp log:

2012-05-02 14:20:07 216.213.xxx.xxx - 50.63.xxx.xxx ControlChannelOpened - - 0 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 -
2012-05-02 14:20:07 216.213.xxx.xxx - 50.63.xxx.xxx - - 451 87 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 -
2012-05-02 14:20:27 216.213.xxx.xxx - 50.63.xxx.xxx ControlChannelClosed - - 1292 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 -

Is there any way to block these connections completely at the firewall? Or do I need to configure the firewall differently? I basically want to disallow ftp/ftps connections completely, except for a few specific remote IPs.
- Balas
- Kutip

Semua Balasan

07 Mei 2012 4:48

Moderator

0
Hi,

Thanks for your post.

Have you tried to using a Windows predefined FTP rules? Please try to setup a new Inbound Rules by the following steps.

1. Create a new rule.

2. Chose the Predefined, and select the FTP Server, click next.

3. Select all the three rules: FTP Server Passive; FTP Server Secure; FTP Server

4. Then, choose to Block the connection.

5. At each rules properties, configure the Scope and Advanced settings.

Best Regards,

Aiden
Aiden Cao

TechNet Community Support
- Ditandai sebagai Jawaban oleh jmbarnes 07 Mei 2012 21:22
- Tanda sebagai Jawaban dihapus oleh jmbarnes 07 Mei 2012 21:24
- Balas
- Kutip
07 Mei 2012 21:22

0
Hi Aiden: That seems to have worked...but I'm still seeing the connections in the FTP log, so I'm not sure if the firewall is really dropping them or not?

2012-05-07 18:18:07 123.123.123.124 - 50.63.xxx.xxx 21 ControlChannelOpened - - 0 0 ce9aedc2-016d-448b-892f-4e84d6ca39cc -
2012-05-07 18:18:07 123.123.123.124 - 50.63.xxx.xxx 21 - - 451 87 0 ce9aedc2-016d-448b-892f-4e84d6ca39cc -
2012-05-07 18:18:28 123.123.123.124 - 50.63.xxx.xxx 21 ControlChannelClosed - - 1292 0 ce9aedc2-016d-448b-892f-4e84d6ca39cc -
2012-05-07 18:18:33 123.123.123.124 - 50.63.xxx.xxx 21 ControlChannelOpened - - 0 0 9a9cbb58-5c13-4fbe-b594-10a619c718b8 -
2012-05-07 18:18:33 123.123.123.124 - 50.63.xxx.xxx 21 - - 451 87 0 9a9cbb58-5c13-4fbe-b594-10a619c718b8 -
2012-05-07 18:18:54 123.123.123.124 - 50.63.xxx.xxx 21 ControlChannelClosed - - 1292 0 9a9cbb58-5c13-4fbe-b594-10a619c718b8 -
- Diedit oleh jmbarnes 07 Mei 2012 21:26
- Balas
- Kutip
08 Mei 2012 1:36

Moderator

0

Hi,

Have you set the exception for the 123.123.123.124? Can FTP to the server from the remote client in the blocked IP range? The log shows on the connection is from the 123.123.123.124 which may allow by your scope settings.

Best Regards,

Aiden
Aiden Cao

TechNet Community Support
- Balas
- Kutip
08 Mei 2012 13:22

0
Hi Aiden: I tried to set it up the same way as in my original post. I have the rule set to "block", and I have two ranges specified for the remote IP:
- - Remote IP: 0.0.0.0-123.123.123.123
- - Remote IP: 123.123.123.125-255.255.255.255
So I would think the only connections that would get through would be from 123.123.123.124?
- Balas
- Kutip
10 Mei 2012 1:46

Moderator

0

Hi,

How are things going? Can this setting achieve your goals? Please note that if the client cannot prompt the logon session (asking user name and password) when connect to FTP server, there will no log generated in the FTP logs. If you have any update or concern, please feel free to let us know.

Best Regards,

Aiden
Aiden Cao

TechNet Community Support
- Balas
- Kutip
14 Mei 2012 17:52

0

Hi Aiden: This does not appear to be working. The connection is still getting to the FTP service, where it's dropped, but not before the FTP server answers. Here's the detail of the vulnerability I'm trying to block. This is a known vulnerability in FTP Service 7-7.5, which is why I'm trying to block the FTP connections at the firewall.

Synopsis :

The remote FTP server allows plaintext command injection while
negotiating an encrypted communications channel.

Description :

The remote FTP server contains a software flaw in its AUTH TLS
implementation that could allow a remote, unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase.

Successful exploitation could permit an attacker to modify files on
the FTP server and reveal a user's credentials.

See also :

http://tools.ietf.org/html/rfc4217
http://www.securityfocus.com/archive/1/516901/30/0/threaded

Solution :

Contact the vendor to see if an update is available.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 3.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Plugin output :

McAfee sent the following two commands in a single packet :

AUTH TLS\\r\
FEAT\\r\

And the server sent the following two responses :

234 AUTH command ok. Expecting TLS Negotiation.
211-Extended features supported:
LANG EN*
UTF8
AUTH TLS
TLS-C
SSL
TLS-P

PBSZ
PROT C
P

CCC
HOST
SIZE
MDTM
REST STREAM
211 END

CVE : CVE-2011-1575
BID : 46767
Other references : OSVDB:71855, CERT:555316, IAVA:2011-A-0054
- Balas
- Kutip

selectively blocking ftps connections at windows firewall

Semua Balasan

Produk

Sumber Daya

Solusi

Pembaruan

Evaluasi

Situs Terkait

Pelatihan

Sertifikasi

Sumber daya lainnya

Dukungan produk

Dukungan lainnya