Running a 4100 as FTP Server

[axiomatic]

Hello all.


I apologise if this has been covered before. I've had a search through the forum for likely terms, with no luck, so here goes...


I'm currently running an FTP server that contains all my music for when I'm at work / friends houses. The server is running off my main Windows XP box, and I'm using Filezilla's server. It all works very well, but I'm wanting to start storing my music on my SNAP server. I've been given an old 4100 from work, as two of the drives had died a death. After replacing the two failed drives with 160GB Maxtor jobs (though I can only access 125GB even after upgrading to SnapOS 3.4.805 (UK), ah well) I started to look at the FTP component.

What I'd like to know is, how good / secure is the FTP server in the SNAPs? I mean, for example, I woke up today and had two IPs attemtping to guess the Admin password for my Filezilla FTP - no big deal, I just banned there addresses - but, it made me stop and think for a second - are there known issues with the FTP server that I'm going to suffer from, since I can't get a newer version of the SnapOS to go on there? Is there an FTP access log somewhere that will show attempts at accessing the server? And are there any configuration options for banning IP addresses from with the SNAP configuration settings? So far, I've not been able to find any.

Finally, is there any way to change the FTP server on the SNAP so as to get more control, if the SNAP doesn't offer it natively?


Thanks for any help / information anyone can give me!

Axiomat.

[blue68f100]

Any time you expode your self to the www you are subject to attacks. If you watch the first thing they test is default passwords then Brut force, dictionary attackes.

All ports 1024 and lower are always hammered. You have a couple of options. First move the def port to something between 1024 and 65535. And only you know the port. A few will find it, there is no way around it. The 4100 supports JVM, so you could do a secure login. Your password should be made up of ALL Printable char and the max lenght. Something like this GCd%W9G2"$+Nr@gmkS;A8;bB& and yes it's not likely you could remember it.

Some of the routers with comercial firewalls can detect and block some of these attacks. The snap it self has none of that, execpt user access control. So make sure you remove or add a pw to Guest.

The 4100 does not support hd >137gig. No LBA48bit support.

Systems are only secure as the Password. If you pw is in a brut force dictionary your already broken. Depending on your ISP uplink speed you could use a VPN router to gain access through a 3DES auth tunnel. This is the way I connect to my system when away from home. This way the common ports are not exposed.

I use to have a site that gave the proabiliy of brute force attack. Most all of mine with a sample rate of 100k/sec would take > 23 yrs.

[axiomatic]

Thanks for the quick reply.



"The 4100 does not support hd >137gig. No LBA48bit support."

So this is a hardware limitation, and nothing I do to the BIOS or OS will change that? Hmm, bugger. Shall have to upgrade the default 70GB's then.

"The 4100 supports JVM, so you could do a secure login."

Is there anywhere on this forum, or on the web, that you could suggest I start looking at implementing Java? I believe you can use JVM to change the FTP server can't you?


In all honesty, the passwords I use (8-16 chars, mixture of upper/lower/numerical) have never really given me much to worry about. I know they're nowhere near as secure as the example you give don't get me wrong *grins* but when it comes to wanting to be able to access it, or give a friend access for uploading some files, it's going to be a bit of a logistical nightmare to start having passwords like that. I'm more worried about known security flaws in the FTP server itself - but I imagine I'm just being paranoid. After all, it's hardly running Windows is it? *laughs* So I've just gotta get a balance between useable and secure, I suppose.

I think I will take your advice of moving my external access point to somewhere else, tho, as you're right that portscanners will generally only pay attention to the known-commons unless they find something that makes them want to investigate further. Shall setup port-forwarding on it, assuming my router behaves!

[axiomatic]

Oh, one other thing - is there an FTP access log somewhere on the SNAP?

[blue68f100]

To use JVM you are required to have a min of 128 meg of ram "debug memory" will tell you how much is installed. 256 is prefered. I do not think it will install with out suficient ram. The JVM installs just like the 805.sup. Just select the JVM.sup to install from the web updater. Should have been included in the 805 update set.

Once install and started, you will have a menu option for JVM. You can now make all logins/connections secure, ftps (def port 22) or https.

I've have used the ftp part on my 2200 and it works fine. I now access my 2200 through a VPN Client to router connection. This way the only port open is the VPN port, not in the 1-1024 group. But I have a 2mbps uplink speed.

[blue68f100]

Ref to security flaws in OS.

The snap is bassed off of FreeBSD, I do not know what kernel. The OS is locked down pretty well, being a closed system.

Have NOT heard of any breaches, if thats comforting.

We had a users a week ago that was hacked using a Old Guardian OS v 2.4? He was looking for an OS upgrade which we don't have.

We have only started see these guardian OS units with in the last 6 - 12 mo. But a lot of activity this month.

[axiomatic]

OK... *looks embarrassed*

With typical "didn't expect that to happen!" foresight, I've just locked myself out of my SNAP web interface *laughs*

I entered the command to turn on the JVM's SSL, and now I can't connect to the web interface no matter how I try... ooops! What's the default port / connection settings, please? Have tried on https, and tried port 443 (OK so they're the same thing)... any suggestions? Or, if that fails, is there a way to turn it OFF without using the web interface, or reset the JVM settings?

[axiomatic]

Right, ignore that now - I just reset it to factory defaults, no biggy as I've not done much really. So I'm back up and running. Is there a manual for using the JVM or SSL anywhere?


Whilst I remember, thanks for your help with this btw. It's nice to have an expert on the other end of the 'net when you're a total newbie at something!

[blue68f100]

I wish I had one for the Guardian OS