Passive and Non-passive FTP Data Port
(since 5.6.450.7)
By default, the Wildcat! FTP Server accepts a non-passive data port no lower than 1024, per the FTP security guidelines in RFC 2577. This prevents the "proxy FTP bounce attack", in which a malicious FTP client uses the PORT command, which tells the FTP server which address and port to connect to for the data transfer, to make the server open a connection to a low-numbered service port on your local machine instead.
With this version you do not need to do anything further to close this hole.
However, you now have registry control over the minimum and maximum port values for both PASSIVE and NON-PASSIVE mode:
HKEY_LOCAL_MACHINE\Software\SSI\Wildcat\wcFTP

(if you don't have a wcFTP key, create one)

Non-passive or PORT command:

  DWORD                   default value
  NonPassiveMinDataPort   1024
  NonPassiveMaxDataPort   65535

Passive or PASV command:

  DWORD                   default value
  PassiveMinDataPort      1024
  PassiveMaxDataPort      65535
NOTE:
VERY IMPORTANT! If you set these registry DWORD values, enter them as DECIMAL values, not as hexadecimal (typing 1024 into the hex field stores 0x1024, which is 4132 decimal). Also, in general you do not need to define the passive port values, since the server itself chooses the port for a PASV data connection.
The main point of this new security feature is to control the FTP client's ability to use a non-passive PORT command to tell the server to open a connection to something other than a legitimate FTP data-transfer endpoint.
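The PORT check described above, written out as an added example in Python (this is not Wildcat! code; the registry value names are the page's, while the class and function names, the sample commands and the optional same-host check are mine). It parses the RFC 959 PORT argument, rejects any port below NonPassiveMinDataPort or above NonPassiveMaxDataPort, and, as an extra check recommended by RFC 2577 that the page does not mention, can also refuse a data host that differs from the client on the control connection:

```python
from dataclasses import dataclass

# Added example, not Wildcat! code. Value names mirror the page's registry
# DWORDs; class/function names and the same-host check are assumptions.


@dataclass
class PortPolicy:
    """Mirrors NonPassiveMinDataPort / NonPassiveMaxDataPort (page defaults)."""
    min_port: int = 1024
    max_port: int = 65535
    # RFC 2577 also recommends only connecting back to the control-connection
    # peer. This is an assumed extra check, not a Wildcat! registry setting.
    same_host_only: bool = True


def parse_port_command(arg: str):
    """Parse the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (host, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT fields must be integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return host, port


def check_port_command(arg: str, control_peer_ip: str, policy: PortPolicy):
    """Decide whether the server may honour this PORT command.

    Returns (accepted, reason). A bounce attempt such as "192,0,2,10,0,25"
    (port 25, SMTP) fails the minimum-port check even when it names the
    client's own address.
    """
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    if not policy.min_port <= port <= policy.max_port:
        return False, (f"port {port} outside allowed range "
                       f"{policy.min_port}-{policy.max_port}")
    if policy.same_host_only and host != control_peer_ip:
        return False, f"data host {host} is not the control peer {control_peer_ip}"
    return True, f"data connection to {host}:{port} permitted"


if __name__ == "__main__":
    # Constructed sample commands, all "sent" by a client connected from 192.0.2.10.
    client = "192.0.2.10"
    samples = [
        "192,0,2,10,4,1",     # port 1025 on the client itself: normal active transfer
        "192,0,2,10,0,25",    # port 25 on the client: below 1024, rejected
        "198,51,100,7,4,1",   # port 1025 on a third host: classic bounce target
        "192,0,2,10,4",       # malformed argument
    ]
    for cmd in samples:
        ok, why = check_port_command(cmd, client, PortPolicy())
        print(f"PORT {cmd:<18} -> {'accept' if ok else 'reject'}: {why}")
```

With `same_host_only=False` the policy matches what the page describes (only the port range is enforced); the third sample is then accepted, which is exactly the case the same-host check exists to close.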
© 2003 Hector Santos, http://www.santronics.com