Monday 14 October 2013

How-to: Block anonymous FTP uploads on a FortiGate

Recently I've had a customer ask how they can block FTP PUT's on their FTP server for all anonymous (unauthenticated) users, but allow FTP GET's for any user (ie: only let authenticated users upload files, but let anyone download them).

They control this access via the FTP server's account credentials, but wanted to see if the FortiGate could add another level of protection (incase their FTP server got hacked).

This was accomplished by creating some custom IPS signatures.

The steps required for this are:

  1. Create the three custom IPS signatures
  2. Create a IPS sensor with the three signatures
  3. Create a FTP policy that contains the IPS sensor

1.  Create the three custom IPS signatures
 
Goto Security Policies>Intrusion Protection>IPS Signatures and click ‘Create New’

Create three custom signatures using the below signatures:

Name: FTP_unauth_login
Signature: F-SBID( --protocol tcp; --flow from_client; --dst_port 21; --pattern "PASS|20 0d 0a|"; --context packet; --within 7,context; --no_case; --data_size =7; --tag set,Tag.FTP.unauthenticated.user;)

Name: FTP_unauth_PUT
Signature: F-SBID( --protocol tcp; --flow from_client; --dst_port 21; --pattern "STOR|20|"; --context packet; --within 5,context; --no_case; --tag test,Tag.FTP.unauthenticated.user;)

Name: FTP_unauth_STOR
Signature: F-SBID( --protocol tcp; --flow from_client; --dst_port 21; --pattern "PUT|20|"; --context packet; --within 4,context; --no_case; --tag test,Tag.FTP.unauthenticated.user;)



2. Create a IPS sensor with the three signatures
 
Goto Security Profiles>Intrusion Protection>IPS Sensors and click on the ‘+’ button to add a new IPS sensor.


Give the new sensor a name (like ftp-block-unauthenticated).


Apply, and then click on ‘Create New’ to add the three signatures we’ve configured previously.



For the first signature (FTP_unauth_login), we’ll need to give it an action of ‘Monitor All’. To do this click on the ‘Specify Signatures’ button, then select FTP_unauth_login, then click on the ‘Monitor All’ button, then click Ok to commit.


After this, click Create New to add the other two signatures, this time ensure the action is ‘Block All’



Once you're finished, the IPS sensor should like something like this (note that the order is important, :



3. Create a FTP policy that contains the IPS sensor
 
Lastly create a policy that controls the FTP traffic to your FTP server, ensure that service is set to FTP, and that IPS is set to the custom IPS policy we created.




That should be it! You should now be able to test out logging in via anonymous with no password and uploading a file. 

As an example below, I’ve logged into our FTP server with an anonymous user and tried to upload fwf60c.log. The terminal hangs after 200 Port command successful as the packets get dropped (so nothing gets uploaded).

allan@mothership ~ $ ftp 172.16.99.103
Connected to 172.16.99.103.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
Name (172.16.99.103:allan): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> bin
200 Type set to I
ftp> put fwf60c.log
local: fwf60c.log remote: fwf60c.log
200 Port command successful


I now try this again, logging in with an authenticated user "topsecret". As we can see the upload of the file fwf60c.log transfers correctly:

allan@mothership ~ $ ftp 172.16.99.103
Connected to 172.16.99.103.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
Name (172.16.99.103:allan): topsecret
331 Password required for topsecret
Password:
230 Logged on
Remote system type is UNIX.
ftp> bin
200 Type set to I
ftp> put fwf60c.log
local: fwf60c.log remote: fwf60c.log
200 Port command successful
150 Opening data channel for file transfer.
226 Transfer OK
2710 bytes sent in 0.00 secs (37806.9 kB/s)
ftp>


Lastly we can see these IPS signatures being hit by going to Security Profiles>Monitor>Intrustion Monitor, as per below:



1 comment:

Anonymous said...

Hi Allan - starting out info is so very hard to find on custom IPS sigs. We are trying to develop one to protect websites from brute force admin logins, but dont have it quite correct i expect.. Would you be interested in assisting?