Wednesday, March 21, 2007

FTP PORT command

Where I work, we maintain a popular FTP site that serves up Terabytes of weather and climate research datasets. Obviously, this particular server is a Tier 1 service for IT, so I pay close attention to security issues with this machine.

Since it's running an FTP daemon, any number of FTP exploits or abuses are attempted on it; one in particular (an oldie but goodie) is the "FTP PORT Bounce attack". My IDS triggers on this with regularity, and on occasion I double-check to make sure that the server isn't vulnerable to it.

Understanding the attack first requires understanding what the FTP PORT command does. In the FTP world, the PORT command isn't as common as it was previously since most sites have migrated away from "active" FTP to "passive" FTP. The PORT command was a standard part of an active FTP session, and while we encourage passive FTP, we still see active sessions being used legitimately. During an Active FTP session, when data is being sent over the data channel (not the command channel), the server initiates the connection to the client on the port number specified. The PORT command's syntax is:

PORT X1,X2,X3,X4,P1,P2

where X1, X2, X3, X4 are the IP address and P1, P2 are translated into a port number by multiplying P1 by 256 and then adding the resulting number to P2. So, for example, a packet capture that contains the following:

PORT 172,16,4,128,16,155

is trying to set up an active FTP session to 172.16.4.128 on port 4251 ((16*256) + 155).

There are a number of ways that this can be abused. Earlier versions of FTP server software didn't check the IP address supplied to make sure that it matched the IP address that it was sent from. This allowed the following to be accomplished:

- port scanning
An attacker can use a vulnerable FTP server to do port scanning for them. By specifying the IP address of the victim and stepping through the port numbers that the attacker is curious about, the FTP server can be used to port scan a victim with the added advantage of the scan appearing to come from the FTP server, not the attacker.

- bypass firewalls
Because the connection is initiated by the FTP server and not the attacker, packet filter devices may be configured to allow traffic to traverse the firewall if the connection comes from a "trusted host" such as the FTP server.
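The check that the older servers skipped, written out as an added example (not code from any FTP daemon or IDS): it parses the PORT arguments as described above and compares the requested address with the source address of the control connection. The function names and the sample commands are constructed for illustration.

```python
import ipaddress
import re

# PORT X1,X2,X3,X4,P1,P2 -- exactly six decimal fields
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):      # each field must fit in one byte
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]

def check_port(peer_ip, line):
    """Classify a PORT command seen on a control connection from peer_ip."""
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    ip, _port = parsed
    if ip != ipaddress.IPv4Address(peer_ip):
        return "bounce"                   # data connection aimed at a third party
    return "ok"

# Constructed sample: (control-connection source IP, command as captured)
SAMPLE = [
    ("172.16.4.128", "PORT 172,16,4,128,16,155"),   # matches the client
    ("172.16.4.128", "PORT 10,0,0,5,0,22"),         # names another host
    ("172.16.4.128", "PORT 172,16,4,128,16"),       # only five fields
    ("172.16.4.128", "PORT 172,16,4,300,16,155"),   # field out of range
]

def classify_all(sample=SAMPLE):
    return [check_port(peer, cmd) for peer, cmd in sample]

if __name__ == "__main__":
    for (peer, cmd), verdict in zip(SAMPLE, classify_all()):
        print(f"{peer:15} {cmd:28} {verdict}")
```

A client behind NAT without an FTP-aware gateway sends its private address in PORT, so it will also land in the "bounce" bucket and needs a second look before being treated as hostile.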



Friday, March 09, 2007

OT: A car guy that hates buying cars

I'm a bit of a sports car nut, much to the chagrin of my beautiful, wonderful, loving wife (hi honey!). Cars, to her, are expensive, horrible investments that are scary necessities of life, and fast cars are the worst of the bunch. Ok, so she might be right, but she's missing one key element. The right car on the right road can be SO much fun.

We are looking to replace our boring, underpowered, really reliable Honda Civic. Since we live in Colorado, we both agreed that our next car has to have all-wheel drive, manual and be a 4 door sedan. 4-door sedans are a dime a dozen, but all-wheel drive is more "exclusive". That's where I stepped in and ruined it all. I want something that I ENJOY driving, a 4-door all-wheel drive sports sedan. Well, that knocked the potential contenders down quite a bit. Since I was allowed my requirement, to be fair, my wife was now given the opportunity to add hers, if she had one. She responds with "It has to be more luxurious than the Civic. It has to have leather interior, heated seats ... you know, luxury." Oh hell, we are SCREWED.

So, what we're left with (that we have any chance of affording) falls into either a family sedan or upscale sedan category, depending on who you talk to. The contenders are:
Audi A4 2.0T Quattro
BMW 328xi
Lexus IS250
Mercedes-Benz C-Class
Subaru Legacy 2.5GT Limited
Subaru WRX STi Limited
Volkswagen Passat
Volvo S60 R

The Lexus, Volkswagen, and the Volvo don't have the combination of performance and handling that I require, and the MazdaSpeed6 and MB C-Class are notably less reliable than average. The WRX STi is a brute, so much so that it would probably give my wife a heart attack, and not to mention, the Limited version is quite difficult to find, leaving:

Audi A4 2.0T Quattro
BMW 328xi
Subaru Legacy 2.5GT Limited

The Subaru is the bang-for-buck winner, hands down, and has a lot of aftermarket upgrade appeal. The BMW is a true driver's car, with a silky smooth inline-6, great handling and feel, but ouch, you pay for it. The A4's new 2.0T engine has solved some of the issues with the turbo lag of the original 1.8T, but it's still the weakest of the bunch.

Where's that winning lottery ticket when I need it?



Thursday, March 01, 2007

Re: Security Mentoring

Richard Bejtlich of TaoSecurity posted a response to this post, all of which got me thinking about how I got where I am today in my career, and how I expect to continue "forward".

To sum it up, I know I am where I am today because of two things:

- I continue to learn about my job (currently IT Security)
- Listening to people further along in their careers than I

Longer version:

#1: Life-long learning.
It's a cliche, I know, but it's a cliche because it's true. I spend many hours reading documentation, white papers, email discussion lists, etc. about the topics that pertain to my career and interests. I do my best to "teach myself" about new (or old) things that I feel I need and want to learn, and a very important part of this learning is breaking things, and learning how to fix them (all hail Google). I know there is a taboo about making mistakes, but honestly I'm a better employee because I make mistakes and learn from them, not because I avoid them by avoiding work. Regardless, continuing to stay "in learning mode" has been, by far, the most important and beneficial thing I have done to advance my career. Bar none.

#2: Pay attention to those around you, and the steps they took in their career paths.
People generally like to talk about themselves and their accomplishments, it's in our nature (why do you think I'm writing this? ;) ). In most situations, you are going to have someone you work for (read, "the boss" but it could also be anyone you consider a mentor), and in some situations you will have someone less senior working with you or possibly directly for you. Assuming you haven't reached what you consider is the pinnacle of your career (and only you can decide that), the position that you work for would be a next logical step in your career. Ask your boss about their career path to get a sense of what steps that person took to get there, but just as important, what steps they didn't take. Listen to what he or she says, but also listen to what they don't say. You can glean interesting, and potentially valuable, information from them. Not all bosses are equal, though, so learn to pick out the good bits from the bad.

"Deep thoughts, by Rich Fifarek"


3Ware disk copying

I use a number of systems with 3Ware IDE RAID cards. Recently, we had a drive start giving us fits on one of the 3Ware cards. I'm not entirely convinced that the problem was the drive (I'm starting to think it was the power supply or long shot, motherboard), but in the process I discovered that if the drive is still readable, you can do a "dd" from the drive in the array to a new drive, and once complete, the 3Ware card will recognize the new drive as if it were the old drive. Since this was a 1TB RAID0 array, that was a nice option to have rather than rebuild the array from scratch and lose the data on there. Granted, it's RAID0 so the data wasn't critical, but it was nice to get it back nonetheless.

To do this, boot a live Linux CD distro, like Knoppix, with the old drive plugged in as the Primary IDE Master and the new drive plugged in as the Secondary IDE Master, and run the following:

dd if=/dev/hda of=/dev/hdc

as root. This process will typically take hours, so be patient. If you'd like to track its progress, suspend the dd process (ctrl-Z), and then tell it to resume running in the background (type bg, and then hit enter). Run the command "pidof dd" to get the PID of the dd process. To monitor the progress of the disk copy, run "kill -USR1 [PID]", where [PID] is the number returned by "pidof dd".

Once complete, place the new drive in the 3Ware system, and it should show up as part of the original array.

