04 Mei 2012 14:32
Hi: I'm trying to block ftp/ftps connections to a server2008r2 standard computer using Windows Firewall, but still allow connections from a specific remote IP
I created a rule using the GUI:
- Protocols and Ports
- - Protocol Type: TCP
- - Local port: 20,21,22,990,991
- - remote port: All Ports
- - Local IP: [my IP]
- - Remote IP: 0.0.0.0-22.214.171.124
- - Remote IP: 126.96.36.199-255.255.255.255
- - [trying to allow connections from 188.8.131.52, but block everything else]
- - Domain/Private/Public selected
- - Interface Types: all selected
- - Block edge traversal
If I test ftp connections from a remote computer, they are dropped, but not before the connection is logged by the ftp service. Even with the settings above, I'll still see this in the ftp log:
2012-05-02 14:20:07 216.213.xxx.xxx - 50.63.xxx.xxx ControlChannelOpened - - 0 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 -
2012-05-02 14:20:07 216.213.xxx.xxx - 50.63.xxx.xxx - - 451 87 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 -
2012-05-02 14:20:27 216.213.xxx.xxx - 50.63.xxx.xxx ControlChannelClosed - - 1292 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 -
Is there any way to block these connections completely at the firewall? Or do I need to configure the firewall differently? I basically want to disallow ftp/ftps connections completely, except for a few specific remote IPs.
07 Mei 2012 4:48Moderator
Thanks for your post.
Have you tried to using a Windows predefined FTP rules? Please try to setup a new Inbound Rules by the following steps.
1. Create a new rule.
2. Chose the Predefined, and select the FTP Server, click next.
3. Select all the three rules: FTP Server Passive; FTP Server Secure; FTP Server
4. Then, choose to Block the connection.
5. At each rules properties, configure the Scope and Advanced settings.
TechNet Community Support
07 Mei 2012 21:22
Hi Aiden: That seems to have worked...but I'm still seeing the connections in the FTP log, so I'm not sure if the firewall is really dropping them or not?
2012-05-07 18:18:07 184.108.40.206 - 50.63.xxx.xxx 21 ControlChannelOpened - - 0 0 ce9aedc2-016d-448b-892f-4e84d6ca39cc -
2012-05-07 18:18:07 220.127.116.11 - 50.63.xxx.xxx 21 - - 451 87 0 ce9aedc2-016d-448b-892f-4e84d6ca39cc -
2012-05-07 18:18:28 18.104.22.168 - 50.63.xxx.xxx 21 ControlChannelClosed - - 1292 0 ce9aedc2-016d-448b-892f-4e84d6ca39cc -
2012-05-07 18:18:33 22.214.171.124 - 50.63.xxx.xxx 21 ControlChannelOpened - - 0 0 9a9cbb58-5c13-4fbe-b594-10a619c718b8 -
2012-05-07 18:18:33 126.96.36.199 - 50.63.xxx.xxx 21 - - 451 87 0 9a9cbb58-5c13-4fbe-b594-10a619c718b8 -
2012-05-07 18:18:54 188.8.131.52 - 50.63.xxx.xxx 21 ControlChannelClosed - - 1292 0 9a9cbb58-5c13-4fbe-b594-10a619c718b8 -
- Diedit oleh jmbarnes 07 Mei 2012 21:26
08 Mei 2012 1:36Moderator
08 Mei 2012 13:22
Hi Aiden: I tried to set it up the same way as in my original post. I have the rule set to "block", and I have two ranges specified for the remote IP:
So I would think the only connections that would get through would be from 184.108.40.206?
10 Mei 2012 1:46Moderator
How are things going? Can this setting achieve your goals? Please note that if the client cannot prompt the logon session (asking user name and password) when connect to FTP server, there will no log generated in the FTP logs. If you have any update or concern, please feel free to let us know.
TechNet Community Support
14 Mei 2012 17:52
Hi Aiden: This does not appear to be working. The connection is still getting to the FTP service, where it's dropped, but not before the FTP server answers. Here's the detail of the vulnerability I'm trying to block. This is a known vulnerability in FTP Service 7-7.5, which is why I'm trying to block the FTP connections at the firewall.
The remote FTP server allows plaintext command injection while
negotiating an encrypted communications channel.
The remote FTP server contains a software flaw in its AUTH TLS
implementation that could allow a remote, unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase.
Successful exploitation could permit an attacker to modify files on
the FTP server and reveal a user's credentials.
See also :
Contact the vendor to see if an update is available.
Risk factor :
Medium / CVSS Base Score : 4.0
CVSS Temporal Score : 3.3
Public Exploit Available : true
Plugin output :
McAfee sent the following two commands in a single packet :
And the server sent the following two responses :
234 AUTH command ok. Expecting TLS Negotiation.
211-Extended features supported:
CVE : CVE-2011-1575
BID : 46767
Other references : OSVDB:71855, CERT:555316, IAVA:2011-A-0054