Network Security Firewalls
Re: PIX and PASV ftp

Subject: Re: PIX and PASV ftp
Date: Wed, 20 Jul 2005 01:21:41 +0300
Hello,

a PIX firewall will drop an FTP session if the PORT command mentions an IP 
address that is different from the address that initiated the FTP session. 
Here is an explanation from Cisco's web site:

406002

Error Message %PIX-4-406002: FTP port command different address:
IP_address(IP_address) to IP_address on interface interface_name

Explanation A client issued an FTP port command and supplied an address
other than the address used in the connection. This error message is
indicative of an attempt to avert the site's security policy. For example,
one might attempt to hijack an FTP session by changing the packet on the
way, and putting different source information instead of the correct source
information. The PIX Firewall drops the packet, terminates the connection,
and logs the event. In the error message displayed, the IP address in
parentheses is the address from the PORT command.

Recommended Action None required.


Can you check if the client has multiple IP addresses? Another possible
reason is that its IP address might be translated by a system that does not
properly handle FTP PORT commands.


On 7/19/05, Bill Stout <bill.stout@greenborder.com> wrote:

I'm having some difficulty in getting the PIX to allow PASV connections
through. I have a vsftpd server on a DMZ with a private IP and running
IPTables with modules ip_nat_ftp and ip_conntrack_ftp loaded, though
same errors occur with IPTables stopped. The vsftpd server has a
pasv_address of the public IP, and pasv_enable is YES.

The error from IE browser is "An error occurred opening that folder on
the FTP Server. Make sure you have permission to access that folder."

Ethereal on the client follows the TCP stream like this:
220 Welcome message nnnn
USER xxxxx
331 Please specify the password.
PASS xxxxx
230 Login successful. Have fun.
SYST
215 UNIX Type: L8
FEAT
500 Unknown command.
TYPE I
200 Switching to Binary mode.
REST 0
350 Restart position accepted (0).
PWD
257 "/home/xxxx"
PASV
<then a bunch of TCP Retransmission requests for PASV>

The server log shows it responds to the PASV command with:
<Time/date> <pid> <username> FTP command: Client "nnn.nnn.nnn.nnn",
"PASV"
<Time/date> <pid> <username> FTP response: Client "nnnnnn", "227
Entering Passive Mode (nnn,nnn,nnn,nnn,190,130)"
But the client never gets that message.

The pix logs this:
"%PIX-4-406002: FTP port command different address: from
<outsideIP:port> to <insideIP:port>".
"%PIX-6-302014: Teardown TCP connection nnn for outside:<outsideIP:port>
to dmz:<insideIP:port> duration 00:00:01 bytes 350 Deny".
"PIX-6-106015: Deny TCP (no connection) from <outsideIP:port> to
<insideIP:port>".

Non-PASV works fine.

I'm worn out Googling this. Has anyone experienced this before?

Thanks,
Bill Stout
www.greenborder.com <http://www.greenborder.com>
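The consistency rule behind %PIX-4-406002 is easy to reproduce: the address embedded in a PORT command (or, for passive mode, in the server's 227 reply) is compared with the address of the host that sent it on the control channel, and a mismatch drops the session. In the setup described in the post, the control session terminates on the DMZ private address while vsftpd's 227 reply advertises the public pasv_address, which is exactly the kind of mismatch the message describes; an active-mode PORT from the client carries the client's own address and passes, matching "Non-PASV works fine". The script below is an added example written for this page, not code from the thread or from Cisco. The IP addresses are assumed RFC 5737/RFC 1918 placeholders for the outside client, the vsftpd DMZ address and the public pasv_address; the control-channel lines are constructed from the exchange quoted in the post, and the 190,130 port pair is taken from the server log there (190*256+130 = 48770).

```python
import re
from ipaddress import ip_address

# Assumed addresses standing in for the nnn.nnn.nnn.nnn values in the post.
CLIENT_IP = "203.0.113.10"         # outside host running the FTP client
SERVER_DMZ_IP = "192.168.1.20"     # vsftpd's private address on the DMZ
SERVER_PUBLIC_IP = "198.51.100.5"  # public address configured as pasv_address

# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server in passive mode.
_PASV_RE = re.compile(r"^227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups):
    """Turn the six comma-separated decimal fields into (dotted_ip, port)."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        return None  # malformed: every field is one byte
    return ".".join(str(v) for v in values[:4]), values[4] * 256 + values[5]


def parse_port(line):
    """Return (ip, port) from a PORT command, or None if the line is not one."""
    m = _PORT_RE.match(line.strip())
    return _decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = _PASV_RE.match(line.strip())
    return _decode_hostport(m.groups()) if m else None


def inspect_control_line(line, sender_ip):
    """Apply the PIX-style check to one control-channel line.

    sender_ip is the address that sent the line as the firewall sees it
    (the client for PORT, the server for 227).  Returns one of
    ('ignore', None)  - line carries no embedded data-channel endpoint
    ('pass', (ip, port))
    ('drop', (ip, port)) - embedded address != sender: the 406002 case
    """
    endpoint = parse_port(line) or parse_pasv_reply(line)
    if endpoint is None:
        return ("ignore", None)
    advertised_ip, _port = endpoint
    if ip_address(advertised_ip) != ip_address(sender_ip):
        return ("drop", endpoint)
    return ("pass", endpoint)


def simulate_thread_scenario():
    """Replay the exchanges discussed in the thread (constructed lines)."""
    pub = SERVER_PUBLIC_IP.replace(".", ",")
    dmz = SERVER_DMZ_IP.replace(".", ",")
    cli = CLIENT_IP.replace(".", ",")
    cases = {
        # vsftpd answers PASV with pasv_address while the PIX sees the DMZ address
        "pasv_public_address": ("227 Entering Passive Mode (%s,190,130)" % pub, SERVER_DMZ_IP),
        # same reply carrying the address the control session actually uses
        "pasv_dmz_address": ("227 Entering Passive Mode (%s,190,130)" % dmz, SERVER_DMZ_IP),
        # active mode: client advertises its own address ("Non-PASV works fine")
        "port_own_address": ("PORT %s,4,1" % cli, CLIENT_IP),
        # active mode from a multi-homed or badly NATed client, as the reply suggests
        "port_other_address": ("PORT 203,0,113,99,4,1", CLIENT_IP),
        # the bare PASV request carries no endpoint and is not checked
        "pasv_request": ("PASV", CLIENT_IP),
    }
    return {name: inspect_control_line(line, src)[0] for name, (line, src) in cases.items()}


if __name__ == "__main__":
    for name, verdict in simulate_thread_scenario().items():
        print("%-20s %s" % (name, verdict))
```

The "pasv_public_address" case is the one that produces the 406002 / Teardown / Deny sequence in the post's PIX log: the server is told to advertise the public address, but on the DMZ interface the session belongs to the private one. The "port_other_address" case is the multi-homed or mis-translated client situation raised in the reply, and also the hijack attempt the Cisco text uses as its example.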

