Restrict access to FTP server

Restrict access to FTP server - 28.Sep.2006 3:10:38 AM   
davidp

 

Posts: 9
Joined: 30.Oct.2002
From: Whyalla
Status: offline
 
I have published an FTP server using ISA Server 2004 SP2. It is a private FTP server that does not allow anonymous access and is protected by NTFS permissions.

For the last couple of months, various users have been attempting to access the server via brute force - presumably to use for illegal file sharing.

I have in place a password policy that locks out accounts after three wrong attempts, and regularly the administrator account on that server gets locked out through these access attempts. I also enforce strong passwords in our domain, and it is extremely unlikely that the password would ever be guessed in the near future given that they only have three attempts at a time, but it does concern me that this is a possibility.

What I want to achieve is to actually restrict access to the FTP server at the firewall to certain select accounts, so these brute force attempts can't even be attempted unless someone managed to guess an account name (or tries an automated attack on the accounts as well as the passwords). The trouble is that there seems no way to restrict access to certain users via the server publishing rules.

What I did try was to create a deny access rule for the FTP server protocol from the external network to the internal network and then excluded the few accounts I wanted to have access. I then placed this rule above the FTP server publishing rule. Unfortunately, when I look at the ISA logs for the FTP protocol, I note that the rule isn't even used - it is simply skipped and the publishing rule is invoked which lets everyone through.

Am I missing something? Is this the right direction to take, or is there no way of controlling FTP access by user at the firewall?

If anyone could give me some hints I'd appreciate it.

Thanks

David








Post #: 1
RE: Restrict access to FTP server - 28.Sep.2006 8:09:13 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi David,

ISA can *not* do pre-authentication for non-web-based protocols; only protocol-level checks can be done. So what you ask for is not possible on ISA!

quote:

I have in place a password policy that locks out accounts after three wrong attempts, and regularly the administrator account on that server gets locked out through these access attempts. I also enforce strong passwords in our domain, and it is extremely unlikely that the password would ever be guessed in the near future given that they only have three attempts at a time, but it does concern me that this is a possibility.  

Some thoughts:
- if you enable account lockout, you open yourself up to DoS account attacks.
- remember that passwords are sent in the clear by FTP.
- ...

HTH,
Stefaan

(in reply to davidp)
Post #: 2
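
Added example, not part of any post in this thread: since the firewall cannot filter FTP by user, the FTP server's own log is where the lockout risk raised above becomes visible. This sketch counts failed logins per source address and account and flags accounts that a single source could push past the three-attempt lockout policy; the log layout (W3C-style fields with `[session]COMMAND`) is an assumption and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample; assumed W3C-style fields: time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:10:01 198.51.100.7 [1]USER administrator 331
03:10:02 198.51.100.7 [1]PASS - 530
03:10:03 198.51.100.7 [2]USER administrator 331
03:10:04 198.51.100.7 [2]PASS - 530
03:10:05 198.51.100.7 [3]USER administrator 331
03:10:06 198.51.100.7 [3]PASS - 530
03:10:07 198.51.100.7 [4]USER admin 331
03:10:08 198.51.100.7 [4]PASS - 530
09:15:00 203.0.113.20 [5]USER jsmith 331
09:15:01 203.0.113.20 [5]PASS - 230
"""

LINE = re.compile(r"^\S+ (?P<ip>\S+) \[(?P<sid>\d+)\](?P<cmd>USER|PASS) "
                  r"(?P<arg>\S+) (?P<status>\d{3})$")
LOCKOUT_THRESHOLD = 3  # the thread's policy: lock out after three wrong attempts

def failed_logins(log_text):
    """Return {(ip, user): failures}, pairing each PASS with the USER of its session."""
    pending = {}                  # (ip, session id) -> user name last offered
    failures = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # header line or a command we do not track
        key = (m["ip"], m["sid"])
        if m["cmd"] == "USER":
            pending[key] = m["arg"].lower()
        elif m["status"] == "530" and key in pending:  # FTP 530 = not logged in
            failures[(m["ip"], pending[key])] += 1
    return dict(failures)

def report(log_text, threshold=LOCKOUT_THRESHOLD):
    """Per source: accounts tried, and accounts it alone could have locked out."""
    by_ip = defaultdict(dict)
    for (ip, user), count in failed_logins(log_text).items():
        by_ip[ip][user] = count
    return {ip: {"accounts_tried": sorted(users),
                 "can_lock_out": sorted(u for u, n in users.items() if n >= threshold)}
            for ip, users in by_ip.items()}

if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(ip, info)
```
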
RE: Restrict access to FTP server - 29.Sep.2006 9:58:06 AM   
davidp

 

Posts: 9
Joined: 30.Oct.2002
From: Whyalla
Status: offline
 
Bugger!

Thanks Stefaan.

(in reply to spouseele)
Post #: 3
RE: Restrict access to FTP server - 11.Oct.2006 8:28:47 AM   
pangalacticgb

 

Posts: 4
Joined: 3.Oct.2006
Status: offline
I had the same problem with script kiddies filling up my logfiles with repeated brute force attempts. Knowing the constraint of FTP as is, I had to give it some thought, but what I came up with works great:

Publish your FTP server on another port.

Yes, it creates new challenges as your users need to know to configure their client appropriately, otherwise it'll keep the legitimate traffic out, but it works like a charm for the script kiddies. If they want to get in so badly that they'll start trying the entire range of ports you have other problems, and besides, before that ever happens I've found that most ISPs worldwide are very receptive and responsive - maybe they won't beat the SK's to a bloody pulp, much though you and I may want them to, they certainly will kill accounts in a hurry.

Pat.

(in reply to spouseele)
Post #: 4
RE: Restrict access to FTP server - 11.Oct.2006 9:32:45 AM   
davidp

 

Posts: 9
Joined: 30.Oct.2002
From: Whyalla
Status: offline
Thanks Pat.

It did cross my mind, and I may well do so. It's sad however when you need to put yourself and others out by deviating from a standard because of the inconsiderate actions of others.

Cheers

David

(in reply to pangalacticgb)
Post #: 5
