Re: [suse-security] ftp-data equiv in suse?
hi, /etc/services is just a description of services and their ports. Doesn't work for much more. You have to know how FTP traffic is gonna be handled. If you don't use passive FTP, first your client connects to another host calling port 21. After this the strange host tries to open a connection to your client at port 20. So your IP-Chains rule has to allow strange hosts to open up connections to your client port 20. Seems that FTP just handled by an IP filter is a little bit insecure......... greets
> I noticed that SuSE doesn't have ftp-data (port 20) in /etc/services. All help for the FTP/IPCHAINS download problem on newsgroups refers to ftp-data.
> Does anyone know the SuSE equiv for ftp-data? I added it to my /etc/services and that didn't work.
Hello, I can browse with the IMAP client the whole directory tree (with its owner's permission). Is there any possibility to forbid this browsing (configure the imapd)? Has anyone seen a similar effect? Please help. Thanks and yours sincerely, dominic
On Wed, 25 Aug 1999, Michael Hamm wrote:
> hi, /etc/services is just a description of services and their ports. Doesn't work for much more.
Well, at least it has to be correct. Many programs use getservbyname() which will fail if /etc/services is messed up.
> You have to know how FTP traffic is gonna be handled.
> If you don't use passive FTP, first your client connects to another host calling port 21. After this the strange host tries to open a connection to your client at port 20.
Well, almost. First thing to consider is you have two connections: control and data, and the latter only when needed. The control connection goes from an ephemeral (i.e. > 1024) port to port 21 on the server. The control connection is bidirectional. For a data connection the default is that the server (!) does the connect to the client (which has to listen) in the following way: the server uses local port 20 and connects to the port on the client where the control connection came from. Port 20 is used (and not 21) so that at least one end of the connection differs (this is according to the socket definition, which does not allow for two identical pairs). The desired behavior (in terms of the "Internet Hosts Requirements" RFC) is to use either PASV (in which case the server opens a listening port and announces it in the reply to the PASV command) or to use a PORT command on the client side (which is done by virtually every FTP client nowadays). In this case the server will connect to the given port.
> So your IP-Chains rule has to allow strange hosts to open up connections to your client port 20.
No, not really. Port 20 is used only on the server side.
> Seems that FTP just handled by an IP filter is a little bit insecure.........
Not insecure in itself. But because of the nature of the protocol you will be better off with some additional precautions, like an application proxy or the like.
> greets
> I noticed that SuSE doesn't have ftp-data (port 20) in /etc/services. All help for the FTP/IPCHAINS download problem on newsgroups refers to ftp-data.
> Does anyone know the SuSE equiv for ftp-data? I added it to my /etc/services and that didn't work.
SuSE distributions do nothing special in terms of FTP. You can always rely on the RFC, in this case it is RFC 959.
Volker
--
Volker Wiegand              Phone: +49 (0) 6196 / 50951-24
SuSE Rhein/Main AG          Fax: +49 (0) 6196 / 40 96 07
Mergenthalerallee 45-47     Mobile: +49 (0) 179 / 292 66 76
D-65760 Eschborn            E-Mail: Volker.Wiegand@suse.de
++ Only users lose drugs. Or was it the other way round? ++
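Volker's explanation of where the data connection originates (server port 20 towards the client's PORT address, or default control port, in active mode; client towards the 227-announced address in passive mode) can be turned into a small predictor that tells you which packet-filter rule a transfer needs. The following Python is an added example, not code from the list thread; the "C: "/"S: " transcript prefixes and the addresses used in the test are constructed.

```python
import re
from dataclasses import dataclass

# "h1,h2,h3,h4,p1,p2" is the address form used by PORT and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConn:
    initiator: str  # "server" (active mode) or "client" (passive mode)
    src: tuple      # (ip, port) of the side that calls connect()
    dst: tuple      # (ip, port) of the side that must be listening


def parse_hostport(text):
    """Return (ip, port) from the first h1..h4,p1,p2 group in text, else None."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):  # every field is a single octet
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def predict_data_conn(client_ip, client_ctrl_port, server_ip, transcript):
    """Work out who connects to whom for the next transfer.

    transcript: control-channel lines, "C: ..." sent by the client, "S: ..."
    by the server (constructed format, not real FTP framing). Active mode: the
    server connects from its port 20 to the address in the client's last PORT
    command, or, with no PORT, to the client's control-connection port.
    Passive mode: the client connects from an ephemeral port to the address
    the server announced in its 227 reply. The most recent command wins.
    """
    active_target = (client_ip, client_ctrl_port)
    passive_target = None
    for line in transcript:
        if line.startswith("C: PORT"):
            target = parse_hostport(line)
            if target is None:
                raise ValueError("malformed PORT command: " + line)
            active_target, passive_target = target, None
        elif line.startswith("S: 227"):
            passive_target = parse_hostport(line)
            if passive_target is None:
                raise ValueError("malformed 227 reply: " + line)
    if passive_target is not None:
        return DataConn("client", (client_ip, "ephemeral"), passive_target)
    return DataConn("server", (server_ip, 20), active_target)
```

For the packet filter this means an active-mode rule must admit inbound connections from server port 20 to a client port above 1024, while a passive-mode rule admits outbound connections to the announced server port; neither involves port 20 on the client.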