Because site-to-site transfers are considered a security risk, many servers
do not support them or optionally decline to do so. The following table displays
supporting servers.
You can configure the ProFTPD 1.2.3 Orc3 server, the wu-ftpd 2.6.0 server and
the MS IIS 5.0 server to allow FXP.
Setting up PureFTPd on SUSE Linux 9.1 Professional
Written by: Gore
Introduction:
SUSE Linux makes it fairly easy to have
a stable and fast FTP server. This should
work on just about any version of SUSE,
as I've had it on 9.1 and 8.2 Professional,
and the only reason I'm saying 9.1 is because
that is what I'm currently using as my FTP
server for my LAN.
I've been using Linux for a year and a half
now, and I've learned a lot. I've never
read a manual for setting up a server of
any kind on SUSE Linux, but it seems fairly
easy to me as I've done it now quite a
few times, and the reason I didn't need
a manual, was because I just read the configuration
file, and went from there.
As I type this, I'm transferring 7 GB of
data from this box, over to my newly installed
XP Home SP2 box so I can burn the information
to CD fast.
FTP servers:
FTP servers can come in very handy. My LAN
has 5 machines, and I don't always have
money to buy CD-Rs to do back ups, and
on one of my machines, my laptop, I don't
have a CD-R drive on it, so I have to rely
on FTP to do back ups. Which is fine, because
my LAN is pretty fast, and I have a lot
of disk space around.
One thing I don't like and won't do, is
an anonymous FTP server. I want the person
using it to have to log in. I don't want
anyone to be able to use it without a user
name and password from my Linux box. So
to use my FTP server, you have to log in
with an account that I give, and it must
be a valid account on my machine, and you
can only upload and download to your home
directory.
This adds a bit more security to the process,
but this isn't a security tutorial, it's
a tutorial to get you started.
So how do you set up FTP? Well, first read
my tutorial on installing SUSE Linux, either
8.1, 8.2 or 9.1 Professional, and if you
want Windows to stay on the disk, read
my tutorial on Dual booting SUSE and XP.
After you have everything in that tutorial
done, read the Basics of securing SUSE Linux
tutorial to make sure the box is locked
down at least with a basic security setting
that I show you how to set up there.
Next, make sure you installed Pure FTPd
from the SUSE installation media, which
you can do by opening up YAST2, and clicking
on "Install/Remove Software". If you didn't
install it, just simply check the box next
to it, and click on Accept, and make sure
you have either the CDs handy, or the DVD.
After it's installed, or if you already
had it installed, which saves you time,
open a Terminal, like Eterm, and if you
aren't Root, type su and give the root password,
and then type cd /etc and you will be put
in the etc directory to configure the file
for PureFTPd.
Now that you're in Etc, type ls and hit
enter to get a list of the file names. If
you did this all correctly, you'll see something
called pure-ftpd.conf and if you don't,
cd into the pure-ftpd directory and see
if it is there. If you find it there but
not in etc, then simply copy it with:
cp pure-ftpd.conf /etc
And hit enter.
Now go back into etc and type:
vim pure-ftpd.conf
Hit Enter and you'll be able to edit the
file. Now what you want to edit to make
an FTP server like mine, is this:
############################################################
#                                                          #
#         Configuration file for pure-ftpd wrappers        #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.

# Cage in every user in his home directory
ChrootEveryone yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
# TrustedGID 100

# Turn on compatibility hacks for broken clients
BrokenClientsCompatibility no

# Maximum number of simultaneous users
MaxClientsNumber 10

# Fork in background
Daemonize yes

# Maximum number of sim clients with the same IP address
MaxClientsPerIP 3

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
VerboseLog no

# Allow dot-files
AllowDotFiles yes

# List dot-files even when the client doesn't send "-a".
DisplayDotFiles yes

# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly no

# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous yes

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
SyslogFacility ftp

# Display fortune cookies
# FortunesFile /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
DontResolve yes

# Maximum idle time in minutes (default = 15 minutes)
MaxIdleTime 15

# LDAP configuration file (see README.LDAP)
# LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf

# MySQL configuration file (see README.MySQL)
# MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf

# Postgres configuration file (see README.PGSQL)
# PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf

# PureDB user database (see README.Virtual-Users)
# PureDB /etc/pure-ftpd/pureftpd.pdb

# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line
PAMAuthentication yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion 2000 8

# Are anonymous users allowed to create new directories ?
AnonymousCanCreateDirs no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
MaxLoad 4

# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# ForcePassiveIP 192.168.0.1

# Upload/download ratio for anonymous users.
# AnonymousRatio 1 10

# Upload/download ratio for all users.
# This directive supersedes the previous one.
# UserRatio 1 10

# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
AntiWarez yes

# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1,21

# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8

# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8

# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
Umask 177:077

# Minimum UID for an authenticated user to log in.
MinUID 100

# Allow FXP transfers for authenticated users only.
AllowUserFXP yes

# Allow anonymous FXP for anonymous and non-anonymous users.
AllowAnonymousFXP no

# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
ProhibitDotFilesWrite yes

# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
ProhibitDotFilesRead no

# Never overwrite files. When a file whose name already exists is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...
AutoRename yes

# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload yes

# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
#TrustedIP 10.1.1.1

# If you want to add the PID to every logged line, uncomment the following
# line.
#LogPID yes

# Create an additional log file with transfers logged in an Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog clf:/var/log/pureftpd.log

# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log

# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log

# Disallow the CHMOD command. Users can't change perms of their files.
#NoChmod yes

# Allow users to resume and upload files, but *NOT* to delete them.
#KeepAllFiles yes

# Automatically create home directories if they are missing
#CreateHomeDir yes

# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size in megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#Quota 1000:10

# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
#PIDFile /var/run/pure-ftpd.pid

# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
#CallUploadScript yes

# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it saves some space and protects
# the log files. When the partition is more than X percent full,
# new uploads are disallowed.
MaxDiskUsage 99

# Set to 'yes' if you don't want your users to rename files.
NoRename yes

# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
CustomerProof yes

# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# PerUserLimits 3:20

# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediately switch to the new one as soon as the full file will have been
# transferred. This option is incompatible with virtual quotas.
# NoTruncate yes

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
# TLS 1

# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.
# IPV4Only yes

# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.
# IPV6Only yes
Now, if you want, you can copy that and
make it your configuration file, as it is
mine. Doing this as your configuration file
will make it so everyone has to log in and
can ONLY upload and download to their home
directories. This is perfect for a LAN setting
where you want to make back ups, or if you
only want people you know to be able to
use it, just make sure you have STRONG passwords.
VERY strong passwords.
Try and remember that this will open a port
on your machine, so it does make it more
attacker friendly in a way, but if you keep
your machine updated, and have good passwords,
you shouldn't have to worry much. If you
want you could change the dot files to "No"
if you don't want to look at things like
that over FTP.
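
As an added example (not part of the original tutorial and not PureFTPd's own tooling), this Python script reads a pure-ftpd.conf in the wrapper format shown above and reports settings that work against the login-only, home-directory-only goal, along with the FXP, TLS and dot-file options the file's comments describe. It also reports any line that is neither a comment nor a directive, which is what a comment continuation becomes when it loses its '#' in a copy. The parser is a simplified reading of the "Directive value" layout, an unset directive is assumed to behave like "no", and SAMPLE is constructed for illustration.

```python
import re

# Constructed sample (not the full file): directives this tutorial sets, plus
# a comment continuation that lost its '#' when a wrapped copy was pasted.
SAMPLE = """\
ChrootEveryone yes
# Disallow anonymous connections. Only allow
authenticated users.
NoAnonymous yes
AnonymousOnly no
AllowUserFXP yes
AllowAnonymousFXP no
ProhibitDotFilesRead no
# TLS 1
"""

def parse(text):
    """Return (settings, malformed) from 'Directive value' lines."""
    settings, malformed = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.fullmatch(r"([A-Z][A-Za-z0-9]*)\s+(\S.*)", line)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            malformed.append((n, line))
    return settings, malformed

def audit(text):
    """List findings against a login-only, home-directory-only policy."""
    s, malformed = parse(text)
    out = [f"line {n}: neither comment nor directive: {l!r}" for n, l in malformed]
    def on(key):  # assumption: an unset directive behaves like "no"
        return s.get(key, "no").lower() == "yes"
    if on("AnonymousOnly") or not on("NoAnonymous"):
        out.append("anonymous logins are not disabled")
    if not on("ChrootEveryone"):
        out.append("users are not caged in their home directory")
    if on("AllowUserFXP") or on("AllowAnonymousFXP"):
        out.append("FXP (site-to-site transfer) is enabled")
    if s.get("TLS", "0") != "2":
        out.append("unencrypted sessions are accepted (TLS is not 2)")
    if not on("ProhibitDotFilesRead"):
        out.append("dot-files such as .ssh are readable over FTP")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check the live file, call audit(open("/etc/pure-ftpd.conf").read()) as root.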
Now, when you get done, save this file.
If you're using Vim hit Esc and then :wq
Enter. After you press enter it's saved,
and ready to go. If you used a wussy editor,
well, save it. After you're done, you're
not ready yet though. Read the top in the
comments where it says to type that out
to make this the configuration file for
the FTP server.
/usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
Type it all out, and press Enter. Of course,
on Linux, you should change the last one,
which confused me for a day.
/usr/sbin/pure-config.pl /etc/pure-ftpd.conf
Try this one, and it will work. Now, if
you want to have the box run FTP every time
it starts up, or you just don't want to
keep typing that, simply go into YAST2 and
edit the run level editor's "Options" and
tell it to start the FTP service.
SUSE FireWall2 needs to be told to allow
FTP as well. So just open the firewall settings
and allow port 21. This will work fine.
I believe I covered that all in my last
tutorial. The one I'm working on besides
this one will teach you to edit system files
with YAST2.

If you want, you can now try out your FTP
server. From Windows just open the command
line and type ftp and your machine's IP address
and it will ask for a username and password.
And if you're on a Linux machine, same thing
=)