Securing FTP Communications Ports

File Transfer Protocol (FTP) is an old protocol. It was first drafted in April 1971, well before web servers were even dreamed of. In fact, FTP is one of the most popular means to connect to web servers. It's easy to use and simple to set up. FTP is also a least-favorite communications protocol among security experts.

Many of the readers of this book most likely weren't born yet when the FTP standard was drafted. And yet, many users depend on this protocol daily.

The challenge with FTP is that everything is transmitted in clear text, meaning that anyone listening on the wire could easily gain your username and password. A Trojan horse on a PC could easily gain this information.

As this chapter was written, one of the more popular FTP server software packages was discovered to have a nasty bug. The bug report from ProFTPD (http://bugs.proftpd.org/show_bug.cgi?id=3521 November 7, 2010) stated the following:

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability.”

Further, the bug advisory also stated the following:

“The flaw exists within the ProFTPD server component which listens by default on TCP port 21. When reading user input if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value allowing a user controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability ...

Get CMS Security Handbook: The Comprehensive Guide for WordPress®, Joomla!®, Drupal™, and Plone® now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.