12:06 AM - fixed pasv mode ftp
I finally fixed passive mode FTP. I haven't been able to use it since I installed the firewall on the server. Turns out that there is a valid range of ports that PASV uses. Shitty FTP servers use all of them above 1024, but only 49152-65534 can be used according to the registration with IANA.
I added a rule to allow this traffic. I am not sure if I need to tighten it or not. We shall see. I decided to allow inbound and outbound on those ports. Nothing runs that high anyway unless someone were able to compromise the box and start a process on one of those ports. It really sucks that I have to leave them open. Theoretically, though, if someone could run an app as root they could do the same thing on the FTP data ports, because they're usually not bound unless in use.
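As an added example (not from the original post), here is a small shell script that does the two checks a practitioner would want after opening a passive range: parse the server's `227 Entering Passive Mode` replies to confirm the data port the server actually hands out falls inside the range the firewall allows, and print the iptables rules for that range. The range 49152-65534 follows the post; the interface-independent iptables syntax, the `ftp.example.com` host name and the sample replies are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not the post's own firewall config. Checks PASV replies against
# the opened port range and prints the matching iptables rules (not applied).

PASV_MIN=49152   # range the post says the firewall now allows
PASV_MAX=65534

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and print p1*256+p2.
# Prints nothing and returns 1 if the line is not a well-formed 227 reply.
pasv_port() {
    local line=$1 nums p1 p2
    case $line in
        227*) ;;
        *) return 1 ;;
    esac
    nums=$(printf '%s\n' "$line" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    p1=$(printf '%s\n' "$nums" | cut -d, -f5)
    p2=$(printf '%s\n' "$nums" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    [ "$p1" -le 255 ] && [ "$p2" -le 255 ] 2>/dev/null || return 1
    echo $((p1 * 256 + p2))
}

# Return 0 if a data port is inside the range the firewall opens.
in_pasv_range() {
    [ "$1" -ge "$PASV_MIN" ] && [ "$1" -le "$PASV_MAX" ]
}

# Classify one reply line: prints "ok <port>", "outside <port>" or "unparsed".
check_reply() {
    local port
    if port=$(pasv_port "$1"); then
        if in_pasv_range "$port"; then echo "ok $port"; else echo "outside $port"; fi
    else
        echo "unparsed"
    fi
}

# Emit the iptables rules for the passive range plus the control port, the way
# the post describes it (inbound and outbound on the whole range). Printed only.
pasv_rules() {
    cat <<EOF
iptables -A INPUT  -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT  -p tcp --dport ${PASV_MIN}:${PASV_MAX} -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport ${PASV_MIN}:${PASV_MAX} -j ACCEPT
EOF
}

# Constructed sample replies (not captured from a real server). A reply that
# hands out 1025 means the server is using the whole >1024 space and the rule
# above would not let the client connect.
good_reply='227 Entering Passive Mode (192,168,1,10,200,17)'   # 200*256+17 = 51217
bad_reply='227 Entering Passive Mode (192,168,1,10,4,1)'       # 4*256+1 = 1025

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_reply "$good_reply"
    check_reply "$bad_reply"
    pasv_rules
fi
```

To run it against a live server, pipe the output of an FTP session (for example `printf 'PASV\r\n'` sent to ftp.example.com on port 21, an assumed host) through `check_reply` one line at a time; any `outside` result means the FTP daemon's passive range still has to be pinned to the firewall's range in the daemon's own config.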
Of course, unprivileged users can run stuff on ports above 1024.
Most server programs on my box don't run as root anyway. For example, apache, mysql, and bind do NOT run as root. They give up privileges and run as unique users. I don't pull a fred and run everything as nobody... that would be foolish. If I get time soon, I'm going to chroot most of that stuff anyway. Sendmail, imap, and ftp I can't do anything about (unless I changed products). I could chroot the ftp space, but then apache would still need to access it. Maybe I could do a double chroot??? ftp inside of apache? ftp is more likely to get hit anyway. I'll think that over. I need to change the filesystem layout for all the web crap soon anyway. I could make it a lot more secure than it is... it's just a lot more work when I deploy.
Rob used to leave Everyone permissions in NT. Now that was funny. He was just too lazy to figure out what files needed. Hell, Authenticated Users would have been slightly safer... but that was a 2k thing I think. Maybe that permissions upgrade thing for NT4 did it too? It's been too long.
location: Home