[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] How to stop FTP-scans (proposal for hotfix)

Subject: [cobalt-security] How to stop FTP-scans (proposal for hotfix)
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Tue, 20 Nov 2001 01:22:58 +0100
Organization: Stauber Multimedia Design
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi all,

with the recent discussion about FTP-scans I decided to do something about 
the matter. Here is a little script which puts an idea into practice which I 
have been mulling over for a while. Finally I got around to give it a try:

Requirements: 

1) RaQ3 or RaQ4 with POP-before-SMTP patch from Cobalt installed

2) POP-before-SMTP must be active (i.e.: poprelayd must be running) 

3) IPchains is installed (knowledge of IPchains required)

4) Basic Linux skills required. 

5) Proper attitude in regards to "screw the warranty" required ;o)


General purpose of this undertaking:
=============================

If a user wants to access your server by FTP, then he has to check his email 
account first. We will use the same authentication mechanism for FTP that we 
use for SMTP through the POP-before-SMTP package.

Anyone trying to connect to the FTP server without having checked his email 
first will not be able to connect to FTP at all.


How to:
======

Create the following script in /usr/local/sbin and name it something you can 
remember. Like ftprelay.pl

--------------- Begin of File: /usr/local/sbin/ftprelay.pl ---------------
#!/usr/bin/perl

#
#  Configuration settings from poprelayd. No need to change them!
#

$logfile = "/var/log/maillog";          # POP3 daemon log.
$pidfile = "/var/run/poprelayd.pid";    # Where we put our PID.
$dbfile = "/etc/mail/popip.db";         # Sendmail map to update.
$dbtype = "DB_HASH";

#
#  Modules
#

use Getopt::Std;
use Fcntl;
use DB_File;
use POSIX;

# You may need to uncomment this if your fcntl.ph doesn't export it.
sub O_EXLOCK { 0x20 };

#
#  Variables
#

undef $pid;                             # Process ID.
undef %db;                              # Hash into database file.
undef $lffd;                            # $logfile file descriptor.
undef $lfino;                           # Inode of $logfile when we opened it.
undef $lfbuf;                           # Buffer for data from $lffd.
undef @addrs;                           # List of IP addresses to add.
undef $lasttimeout;                     # Last time we did a timeout.

# Print address list.
$countopts++;
tie(%db, "DB_File", $dbfile, O_RDONLY, 0, $$dbtype) ||\
        die "Can't open $dbfile";
foreach $key (sort(keys(%db))) {
system "/sbin/ipchains -A input -i eth0 -s $key -d 0/0 21 -p tcp -j ACCEPT";
}
system "/sbin/ipchains -A input -i eth0 -s 0/0 -d 0/0 21 -p tcp -j DENY";
untie %db;
closedb;

--------------- End of File: /usr/local/sbin/ftprelay.pl ---------------


Put a "chmod 700" on the script and then put a chown "root:root" on it.

Next create a small shell script which contains your firewall rules. That is, 
if you do not already have a firewall ruleset.

If you already have a firewall script running, then you can simply call the 
perlscript from within your firewall script by using the example below as 
guideline:


A very, very rudimentary firewall ruleset could look like this:

--------------- Begin of File: /usr/local/sbin/firewall.sh ---------------
#!/bin/sh

# Flush existing ruleset:
/sbin/ipchains -F

# Suppress IP Spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
  done
fi

# Syn Flood protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $i
done

# Execute Perlscript ftprelay.pl
perl /usr/local/sbin/ftprelay.pl

--------------- End of File: /usr/local/sbin/firewall.sh ---------------

Also put a "chmod 700" on the script and then put a chown "root:root" on it 
for good measure.


Now create the a cronjob for user root which will run this script every 15 
minutes:

Type (as user "root") "crontab -e" and add the following line:

0,15,30,45 * * * * /usr/local/sbin/firewall.sh >/dev/null

Exit the editor by pressing ":wq!"


What the PERL-Script will do:
=======================

The Perl-Script opens the POPrelayD database and fetches all IP addresses 
from that database. It will then create IPchain rules for those listed IP 
addresses so that they can access the FTP port.

At the end it will put an ipchains DENY rule to block port 21 for all other 
IP addresses.


What the Firewall-Shellscript will do:
============================

If executed it will remove all existing firewall rules. It'll then add a 
little more protection to your TCP/IP stack and will finally call the 
Perl-script, which generates our FTP rules.

To call this a comprehensive Firewall is not true, as it is just a 
rudimentary (working) example of the FTP protection. You will need further 
ipchains rules customized to your specific needs to protect other services. 
However, it might give you ideas of how to do so.


Comments welcome.


P.S.: Yeah, you guessed it: The perlscript is in fact a trimmed down and 
adapted copy of the original poprelayd script which is part of the 
POP-before-SMPT patch from Cobalt.


-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6081-946240
 Eppsteiner Weg 9 ___  D-61267 Neu-Anspach ___ Germany
 SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM

Prev by Date: Re: [cobalt-security] newbie... installing neomail
Next by Date: [cobalt-security] Port Scans - what they use
Previous by thread: Re: [cobalt-security] neomail on RAQ02
Next by thread: [cobalt-security] Port Scans - what they use

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index