Opened 14 years ago

Last modified 14 years ago

#900 closed Bug report

Security Defect on IP filter.

Reported by: twoseven
Owned by:
Priority: normal
Component: FileZilla Server
Keywords:
Cc: twoseven, Tim Kosse
Component version:
Operating system type:
Operating system version:

Description

When *.*.*.* is typed into the IP filters (any of them) to
block all IP addresses (turn the server off effectively),
the server sends a response when a connection attempt
is made.

Currently it sends the welcome message.

This allows anyone sniffing for an FTP server to confirm
there is indeed a server there. It should NOT send a
response, i.e. it should be in stealth mode.

The result is that the server may then suffer a Denial of
Service attack on that port.

This causes a secondary error in that the FTP server
tries to send the welcome message back to every
connection attempt (which should not be allowed) and
promptly kills the server.

Not only that but us poor sods who have to pay for our
data usage (or have traffic limits) then promptly get a
large bill.

Change History (5)

comment:1 Changed 14 years ago by Tim Kosse

In order to get the remote IP address, FileZilla does have
to accept the connection first, so stealth ports for
filtered addresses are not possible.
Please use a proper firewall if you want stealth ports for
some IP ranges.

comment:2 Changed 14 years ago by twoseven
Please understand the problem before you just close it.

The software is sending the welcome message and logon
request AFTER THE INTERFACE HAS BEEN DISABLED.

It shouldn't be.

That's basic security 101.

Please don't just do the "oh, it requires too much effort so I'll
close the defect" thing. Actually sort the issue out.

comment:3 Changed 14 years ago by Tim Kosse

First of all, stealthed ports cannot be achieved with normal
socket functions, you need a firewall for it. Normal ports
either are open or closed, but not stealthed.

If I connect from a disallowed IP, I get a "550 No
connections allowed from your IP" reply (and not the welcome
message). The remote address can only be checked after
accepting the connection, so since the remote side already
knows that the port is open, I can at least be nice and
provide an error message. Other option is to just close the
socket. Sending a message and just closing the socket, both
send out packets and await confirmation, there's not much
difference as the default connection closure is graceful.
Windows handles the connection closure in the background,
the resources will be released by FileZilla Server the same
moment as the ip check has been done.

It's the task of a properly setup firewall / intrusion
detection system to filter out malicious activity.
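
The point made in this comment, that the peer address is only known after accept() so a filtered client has already seen the port open, as an added Python illustration (not FileZilla Server's own code; the octet-wise wildcard matcher and the loopback probe are constructed for this example):

```python
import socket
import threading

# Constructed filter list; "*.*.*.*" is the pattern from the ticket and
# matches every IPv4 address.
BLOCKED_PATTERNS = ["*.*.*.*"]


def is_blocked(ip, patterns=BLOCKED_PATTERNS):
    """Match a dotted-quad IP against wildcard patterns, octet by octet."""
    octets = ip.split(".")
    for pat in patterns:
        parts = pat.split(".")
        if len(parts) == 4 and len(octets) == 4 and all(
            p == "*" or p == o for p, o in zip(parts, octets)
        ):
            return True
    return False


def serve_one(listener, patterns):
    """Accept one connection and apply the filter.

    accept() is what yields the peer address, so the TCP handshake has
    already completed: the client knows the port is open whatever we send.
    """
    conn, (peer_ip, _) = listener.accept()
    try:
        if is_blocked(peer_ip, patterns):
            conn.sendall(b"550 No connections allowed from your IP\r\n")
        else:
            conn.sendall(b"220 Welcome\r\n")
    finally:
        conn.close()  # graceful close: FIN is sent, client sees EOF


def probe(patterns):
    """Listen on an ephemeral loopback port, connect, return the server reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(listener, patterns))
    worker.start()
    # connect() succeeding is itself the "port is open" signal the ticket describes
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        reply = client.recv(1024).decode("ascii")
    worker.join()
    listener.close()
    return reply
```

With the all-addresses filter the loopback client still completes the handshake and receives the 550 line; with a filter that does not match 127.0.0.1 it receives the 220 welcome.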

comment:4 Changed 14 years ago by twoseven

Then I'd suggest that a new feature is required. If you
examine Cerebus server, you can disable listening on each
interface (NIC) that's installed in the server (e.g. MS small
business server). Absolutely no response is sent back to
any clients.

I'm not sure about your fixation with firewall stealthing, that's
nothing to do with an FTP server sending responses when it
shouldn't.

I'm not sure if you run many networks but it's much easier for
an individual to turn off an FTP server on an interface than it is
to close down a firewall every 5 minutes. (To go back to
Cerebus server, it's one click vs. reconfiguring the firewall and
risking messing up other stuff.) Many people [in business]
are not able to access their firewalls.

I'm sure members performing some lateral thinking will come
up with the ideal solution. :)

comment:5 Changed 14 years ago by Tim Kosse

Sorry, but the IP filter has nothing to do with interface
bindings. And you were the one that talked about stealth in
your original posting.