
RE: [cobalt-security] Is this coincidence or what - FTP Scans



MikeM wrote:
> I moved my ftp services to a different port than 21.  Now I 
> get no ftp scans at all.
> 
> If you have a relatively closed community of users, this is a 
> good solution.

...and here's an exercise for interested (and careful) parties:

Using an SSL-enabled webserver, write a bunch of PHP (or whatever scripting
language you are most comfortable with) pages which do the following:

(a) prompt for a login name and password. When validated, continue to (b)
(b) make a note of which IP address the caller is coming from.
(c) open a hole in an IPChains ruleset to allow FTP connection through from
that IP address for a period.
(d) after a timeout period, or when the end-user hits 'close' on the page,
close the hole in the ruleset.

I've used similar systems before myself. Whilst cumbersome, it makes FTP (or
other services, see below) very difficult for people to exploit or connect
to. And because it's managed over an SSL connection, it's never cached (or
shouldn't be), so it gets restricted to you personally.

Obviously, if you are sharing a single IP address via a NAT or masqueraded
network, it can mean that, for the period of the opening, the FTP server is
visible to all the other people behind the same IP address, but it will cut
down on scans. It can also be extended to any number of other services - the
admin server or MySQL, for example.

Note: I'm not offering to set this up for anyone!
Also note: be careful not to chop your own legs off if you do start playing
with IPChains. A cron entry every fifteen minutes to flush the chains is
always a good bet whilst developing.

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
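
The exercise Graeme sets out above (authenticate over SSL, note the caller's IP, open an ipchains hole for FTP from that address, close it on timeout or 'close'), as an added example that is not code from the original post or from anyone on the list. It is Python rather than PHP so the firewall logic can be exercised without root or a real ipchains binary. Everything below the post does not state is an assumption: the web front end has already validated the login and hands this module the client address (e.g. REMOTE_ADDR); the firewall is ipchains with a default-deny `input` chain; the `/sbin/ipchains` path; and the 15-minute default timeout. The example also goes slightly beyond the post in one respect: it validates the client address before it goes anywhere near a command line, because a value taken from a web request must never be interpolated into a shell string.

```python
"""Web-gated firewall hole for FTP (added example, not from the original post).

Assumed environment: Linux 2.2 with ipchains, default-deny 'input' chain.
Firewall commands are issued via an injectable `run` callable (default:
subprocess.check_call with an argv list, never a shell string) so the same
logic can be exercised offline with a recording function.
"""
import ipaddress
import subprocess
import time
from dataclasses import dataclass

FTP_PORT = 21
IPCHAINS = "/sbin/ipchains"   # assumed path; not stated in the post


def validate_client_ip(raw):
    """Return a normalised IPv4 address or raise ValueError.

    The address comes from the web server (REMOTE_ADDR), i.e. from a request,
    so anything that is not a plain single IPv4 host is rejected before it can
    reach the firewall command line.
    """
    ip = ipaddress.ip_address(raw.strip())       # ValueError on garbage
    if ip.version != 4 or ip.is_multicast or ip.is_unspecified:
        raise ValueError("unsupported client address: %r" % raw)
    return str(ip)


def ipchains_rule(ip, port, action):
    """argv for ipchains; action is '-I' (insert at top) or '-D' (delete).

    Only the control connection (port 21) is opened here; FTP data channels
    are out of scope for this example. Note the rule matches by source
    address, so as the post warns, everyone behind a NAT/masquerade sharing
    that address gets through while the hole is open.
    """
    return [IPCHAINS, action, "input", "-s", ip, "-p", "tcp",
            "--destination-port", str(port), "-j", "ACCEPT"]


@dataclass
class Hole:
    ip: str
    port: int
    expires_at: float


class HoleManager:
    """Tracks holes we opened so that only those are ever deleted again."""

    def __init__(self, ttl_seconds=900, run=subprocess.check_call, clock=time.time):
        self.ttl = ttl_seconds
        self.run = run
        self.clock = clock
        self.holes = {}   # (ip, port) -> Hole

    def open_hole(self, raw_ip, port=FTP_PORT):
        """Step (b)+(c): called after a successful login, with the caller's IP."""
        ip = validate_client_ip(raw_ip)
        key = (ip, port)
        if key in self.holes:               # re-login: extend, don't duplicate the rule
            self.holes[key].expires_at = self.clock() + self.ttl
            return self.holes[key]
        self.run(ipchains_rule(ip, port, "-I"))
        hole = Hole(ip, port, self.clock() + self.ttl)
        self.holes[key] = hole
        return hole

    def close_hole(self, raw_ip, port=FTP_PORT):
        """Step (d), 'close' button: delete exactly the rule we inserted."""
        ip = validate_client_ip(raw_ip)
        hole = self.holes.pop((ip, port), None)
        if hole is not None:
            self.run(ipchains_rule(ip, port, "-D"))
        return hole is not None

    def close_expired(self):
        """Step (d), timeout: run from cron; returns how many holes were closed."""
        now = self.clock()
        expired = [k for k, h in self.holes.items() if h.expires_at <= now]
        for ip, port in expired:
            self.close_hole(ip, port)
        return len(expired)


def demo():
    """Exercise the manager with a recording runner and a controllable clock.

    203.0.113.7 is a constructed TEST-NET-3 address, not a real client.
    """
    commands = []
    now = [1000.0]
    mgr = HoleManager(ttl_seconds=600, run=commands.append, clock=lambda: now[0])
    mgr.open_hole("203.0.113.7")        # login -> one insert
    mgr.open_hole("203.0.113.7")        # second login -> extended, no second rule
    now[0] += 601                       # past the timeout
    closed = mgr.close_expired()        # -> one delete
    return commands, closed


if __name__ == "__main__":
    for argv in demo()[0]:
        print(" ".join(argv))
```

Because `holes` lives in memory, this only works as written inside a long-running process (a small daemon the PHP pages talk to, say); a stateless CGI page would have to persist the table on disk. Whichever way it is wired up, keep Graeme's development safety net in mind: a rule that is inserted but never recorded is a rule this code can never delete.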