Network Working Group                                          M. Allman
Request for Comments: 2577                  NASA Glenn/Sterling Software
Category: Informational                                     S. Ostermann
                                                         Ohio University
                                                                May 1999
        
Network Working Group                                          M. Allman
Request for Comments: 2577                  NASA Glenn/Sterling Software
Category: Informational                                     S. Ostermann
                                                         Ohio University
                                                                May 1999
        

FTP Security Considerations

FTP安全注意事项

Status of this Memo

本备忘录的状况

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

Abstract

摘要

The specification for the File Transfer Protocol (FTP) contains a number of mechanisms that can be used to compromise network security. The FTP specification allows a client to instruct a server to transfer files to a third machine. This third-party mechanism, known as proxy FTP, causes a well known security problem. The FTP specification also allows an unlimited number of attempts at entering a user's password. This allows brute force "password guessing" attacks. This document provides suggestions for system administrators and those implementing FTP servers that will decrease the security problems associated with FTP.

文件传输协议(FTP)规范包含许多可用于危害网络安全的机制。FTP规范允许客户端指示服务器将文件传输到第三台计算机。这种称为代理FTP的第三方机制会导致众所周知的安全问题。FTP规范还允许无限次尝试输入用户密码。这允许暴力“密码猜测”攻击。本文档为系统管理员和那些实现FTP服务器的人提供建议,这些建议将减少与FTP相关的安全问题。

1 Introduction

1导言

The File Transfer Protocol specification (FTP) [PR85] provides a mechanism that allows a client to establish an FTP control connection and transfer a file between two FTP servers. This "proxy FTP" mechanism can be used to decrease the amount of traffic on the network; the client instructs one server to transfer a file to another server, rather than transferring the file from the first server to the client and then from the client to the second server. This is particularly useful when the client connects to the network using a slow link (e.g., a modem). While useful, proxy FTP provides a security problem known as a "bounce attack" [CERT97:27]. In addition to the bounce attack, FTP servers can be used by attackers to guess passwords using brute force.

文件传输协议规范(FTP)[PR85]提供了一种机制,允许客户端建立FTP控制连接并在两个FTP服务器之间传输文件。这种“代理FTP”机制可用于减少网络上的流量;客户机指示一台服务器将文件传输到另一台服务器,而不是将文件从第一台服务器传输到客户机,然后从客户机传输到第二台服务器。当客户端使用慢速链路(例如调制解调器)连接到网络时,这尤其有用。虽然很有用,但代理FTP提供了一个称为“反弹攻击”的安全问题[CERT97:27]。除了跳出攻击外,攻击者还可以使用FTP服务器使用蛮力猜测密码。

This document does not contain a discussion of FTP when used in conjunction with strong security protocols, such as IP Security. These security concerns should be documented, however they are out of the scope of this document.

当与IP安全等强安全协议结合使用时,本文档不包含有关FTP的讨论。这些安全问题应记录在案,但不在本文件范围内。

This paper provides information for FTP server implementers and system administrators, as follows. Section 2 describes the FTP "bounce attack". Section 3 provides suggestions for minimizing the bounce attack. Section 4 provides suggestions for servers which limit access based on network address. Section 5 provides recommendations for limiting brute force "password guessing" by clients. Next, section 6 provides a brief discussion of mechanisms to improve privacy. Section 7 provides a mechanism to prevent user identity guessing. Section 8 discusses the practice of port stealing. Finally, section 9 provides an overview of other FTP security issues related to software bugs rather than protocol issues.

本文为FTP服务器实现者和系统管理员提供如下信息。第2节介绍FTP“反弹攻击”。第3节提供了最小化反弹攻击的建议。第4节为基于网络地址限制访问的服务器提供了建议。第5节提供了限制客户端暴力“密码猜测”的建议。接下来,第6节简要讨论了改善隐私的机制。第7节提供了一种防止猜测用户身份的机制。第8节讨论盗窃港口的做法。最后,第9节概述了与软件错误相关的其他FTP安全问题,而不是协议问题。

2 The Bounce Attack

2弹跳攻击

The version of FTP specified in the standard [PR85] provides a method for attacking well known network servers, while making the perpetrators difficult to track down. The attack involves sending an FTP "PORT" command to an FTP server containing the network address and the port number of the machine and service being attacked. At this point, the original client can instruct the FTP server to send a file to the service being attacked. Such a file would contain commands relevant to the service being attacked (SMTP, NNTP, etc.). Instructing a third party to connect to the service, rather than connecting directly, makes tracking down the perpetrator difficult and can circumvent network-address-based access restrictions.

标准[PR85]中规定的FTP版本提供了一种攻击知名网络服务器的方法,同时使犯罪者难以追查。攻击包括向FTP服务器发送FTP“端口”命令,其中包含被攻击机器和服务的网络地址和端口号。此时,原始客户端可以指示FTP服务器向被攻击的服务发送文件。这样的文件将包含与被攻击的服务相关的命令(SMTP、NNTP等)。指示第三方连接到服务,而不是直接连接,使得追踪犯罪者变得困难,并且可以绕过基于网络地址的访问限制。

As an example, a client uploads a file containing SMTP commands to an FTP server. Then, using an appropriate PORT command, the client instructs the server to open a connection to a third machine's SMTP port. Finally, the client instructs the server to transfer the uploaded file containing SMTP commands to the third machine. This may allow the client to forge mail on the third machine without making a direct connection. This makes it difficult to track attackers.

例如,客户端将包含SMTP命令的文件上载到FTP服务器。然后,使用适当的端口命令,客户端指示服务器打开到第三台计算机SMTP端口的连接。最后,客户端指示服务器将包含SMTP命令的上载文件传输到第三台计算机。这可能允许客户端在第三台机器上伪造邮件,而无需直接连接。这使得追踪攻击者变得困难。

3 Protecting Against the Bounce Attack

3防止反弹攻击

The original FTP specification [PR85] assumes that data connections will be made using the Transmission Control Protocol (TCP) [Pos81]. TCP port numbers in the range 0 - 1023 are reserved for well known services such as mail, network news and FTP control connections [RP94]. The FTP specification makes no restrictions on the TCP port number used for the data connection. Therefore, using proxy FTP,

原始FTP规范[PR85]假设数据连接将使用传输控制协议(TCP)[Pos81]进行。0-1023范围内的TCP端口号保留用于众所周知的服务,如邮件、网络新闻和FTP控制连接[RP94]。FTP规范对用于数据连接的TCP端口号没有限制。因此,使用代理FTP,

clients have the ability to tell the server to attack a well known service on any machine.

客户端能够告诉服务器攻击任何机器上的已知服务。

To avoid such bounce attacks, it is suggested that servers not open data connections to TCP ports less than 1024. If a server receives a PORT command containing a TCP port number less than 1024, the suggested response is 504 (defined as "Command not implemented for that parameter" by [PR85]). Note that this still leaves non-well known servers (those running on ports greater than 1023) vulnerable to bounce attacks.

为避免此类反弹攻击,建议服务器不要打开到小于1024个TCP端口的数据连接。如果服务器接收到包含TCP端口号小于1024的端口命令,建议的响应为504(由[PR85]定义为“该参数未执行的命令”)。请注意,这仍然会使非知名服务器(在大于1023的端口上运行的服务器)容易受到反弹攻击。

Several proposals (e.g., [AOM98] and [Pis94]) provide a mechanism that would allow data connections to be made using a transport protocol other than TCP. Similar precautions should be taken to protect well known services when using these protocols.

一些建议(例如,[AOM98]和[Pis94])提供了一种机制,允许使用TCP以外的传输协议进行数据连接。在使用这些协议时,应采取类似的预防措施来保护众所周知的服务。

Also note that the bounce attack generally requires that a perpetrator be able to upload a file to an FTP server and later download it to the service being attacked. Using proper file protections will prevent this behavior. However, attackers can also attack services by sending random data from a remote FTP server which may cause problems for some services.

还请注意,反弹攻击通常要求攻击者能够将文件上载到FTP服务器,然后将其下载到被攻击的服务。使用适当的文件保护将防止这种行为。但是,攻击者也可以通过从远程FTP服务器发送随机数据来攻击服务,这可能会导致某些服务出现问题。

Disabling the PORT command is also an option for protecting against the bounce attack. Most file transfers can be made using only the PASV command [Bel94]. The disadvantage of disabling the PORT command is that one loses the ability to use proxy FTP, but proxy FTP may not be necessary in a particular environment.

禁用端口命令也是防止反弹攻击的一个选项。大多数文件传输只能使用PASV命令[Bel94]进行。禁用PORT命令的缺点是无法使用代理FTP,但在特定环境中可能不需要代理FTP。

4 Restricted Access

4限制进入

For some FTP servers, it is desirable to restrict access based on network address. For example, a server might want to restrict access to certain files from certain places (e.g., a certain file should not be transferred out of an organization). In such a situation, the server should confirm that the network address of the remote hosts on both the control connection and the data connection are within the organization before sending a restricted file. By checking both connections, a server is protected against the case when the control connection is established with a trusted host and the data connection is not. Likewise, the client should verify the IP address of the remote host after accepting a connection on a port opened in listen mode to verify that the connection was made by the expected server.

对于某些FTP服务器,需要根据网络地址限制访问。例如,服务器可能希望限制从特定位置对特定文件的访问(例如,不应将特定文件传输出组织)。在这种情况下,服务器应在发送受限文件之前确认控制连接和数据连接上的远程主机的网络地址在组织内。通过检查这两个连接,可以防止服务器与受信任的主机建立控制连接而未建立数据连接。同样,客户端在接受以侦听模式打开的端口上的连接后,应验证远程主机的IP地址,以验证该连接是否由预期的服务器建立。

Note that restricting access based on network address leaves the FTP server vulnerable to "spoof" attacks. In a spoof attack, for example, an attacking machine could assume the host address of another machine inside an organization and download files that are

请注意,基于网络地址限制访问会使FTP服务器容易受到“欺骗”攻击。例如,在欺骗攻击中,一台攻击机器可能会假定组织内另一台机器的主机地址,并下载被攻击的文件

not accessible from outside the organization. Whenever possible, secure authentication mechanisms should be used, such as those outlined in [HL97].

无法从组织外部访问。只要可能,应使用安全认证机制,如[HL97]中概述的机制。

5 Protecting Passwords

5保护密码

To minimize the risk of brute force password guessing through the FTP server, it is suggested that servers limit the number of attempts that can be made at sending a correct password. After a small number of attempts (3-5), the server should close the control connection with the client. Before closing the control connection the server must send a return code of 421 ("Service not available, closing control connection." [PR85]) to the client. In addition, it is suggested that the server impose a 5 second delay before replying to an invalid "PASS" command to diminish the efficiency of a brute force attack. If available, mechanisms already provided by the target operating system should be used to implement the above suggestions.

为了最大限度地降低通过FTP服务器猜测强力密码的风险,建议服务器限制发送正确密码的尝试次数。在进行少量尝试(3-5次)后,服务器应关闭与客户端的控制连接。在关闭控制连接之前,服务器必须向客户端发送返回代码421(“服务不可用,关闭控制连接。”[PR85])。此外,建议服务器在响应无效的“PASS”命令之前延迟5秒,以降低暴力攻击的效率。如果可用,应该使用目标操作系统已经提供的机制来实现上述建议。

An intruder can subvert the above mechanisms by establishing multiple, parallel control connections to a server. To combat the use of multiple concurrent connections, the server could either limit the total number of control connections possible or attempt to detect suspicious activity across sessions and refuse further connections from the site. However, both of these mechanisms open the door to "denial of service" attacks, in which an attacker purposely initiates the attack to disable access by a valid user.

入侵者可以通过建立到服务器的多个并行控制连接来破坏上述机制。为了防止使用多个并发连接,服务器可以限制可能的控制连接总数,或者尝试检测会话中的可疑活动,并拒绝来自站点的进一步连接。但是,这两种机制都为“拒绝服务”攻击打开了大门,在这种攻击中,攻击者故意发起攻击以禁用有效用户的访问。

Standard FTP [PR85] sends passwords in clear text using the "PASS" command. It is suggested that FTP clients and servers use alternate authentication mechanisms that are not subject to eavesdropping (such as the mechanisms being developed by the IETF Common Authentication Technology Working Group [HL97]).

标准FTP[PR85]使用“通过”命令以明文形式发送密码。建议FTP客户端和服务器使用不受窃听影响的替代认证机制(如IETF公共认证技术工作组[HL97]开发的机制)。

6 Privacy

6隐私

All data and control information (including passwords) is sent across the network in unencrypted form by standard FTP [PR85]. To guarantee the privacy of the information FTP transmits, a strong encryption scheme should be used whenever possible. One such mechanism is defined in [HL97].

所有数据和控制信息(包括密码)都通过标准FTP以未加密的形式通过网络发送[PR85]。为了保证FTP传输的信息的隐私,应尽可能使用强加密方案。[HL97]中定义了一种此类机制。

7 Protecting Usernames

7保护用户名

Standard FTP [PR85] specifies a 530 response to the USER command when the username is rejected. If the username is valid and a password is required FTP returns a 331 response instead. In order to prevent a malicious client from determining valid usernames on a server, it is suggested that a server always return 331 to the USER command and

标准FTP[PR85]指定拒绝用户名时对用户命令的530响应。如果用户名有效且需要密码,FTP将返回331响应。为了防止恶意客户端确定服务器上的有效用户名,建议服务器始终向用户命令返回331,并

then reject the combination of username and password for an invalid username.

然后拒绝无效用户名的用户名和密码组合。

8 Port Stealing

8端口盗窃

Many operating systems assign dynamic port numbers in increasing order. By making a legitimate transfer, an attacker can observe the current port number allocated by the server and "guess" the next one that will be used. The attacker can make a connection to this port, thus denying another legitimate client the ability to make a transfer. Alternatively, the attacker can steal a file meant for a legitimate user. In addition, an attacker can insert a forged file into a data stream thought to come from an authenticated client. This problem can be mitigated by making FTP clients and servers use random local port numbers for data connections, either by requesting random ports from the operating system or using system dependent mechanisms.

许多操作系统以递增的顺序分配动态端口号。通过进行合法传输,攻击者可以观察服务器分配的当前端口号,并“猜测”下一个将使用的端口号。攻击者可以连接到此端口,从而使另一合法客户端无法进行传输。或者,攻击者可以窃取为合法用户准备的文件。此外,攻击者还可以将伪造文件插入到被认为来自经过身份验证的客户端的数据流中。通过让FTP客户端和服务器使用随机本地端口号进行数据连接,或者从操作系统请求随机端口,或者使用依赖于系统的机制,可以缓解此问题。

9 Software-Base Security Problems

9基于软件的安全问题

The emphasis in this document is on protocol-related security issues. There are a number of documented FTP security-related problems that are due to poor implementation as well. Although the details of these types of problems are beyond the scope of this document, it should be pointed out that the following FTP features has been abused in the past and should be treated with great care by future implementers:

本文档的重点是与协议相关的安全问题。也有许多记录在案的FTP安全相关问题是由于实施不善造成的。尽管这些类型问题的详细信息超出了本文档的范围,但应该指出的是,以下FTP功能在过去曾被滥用,未来的实施者应谨慎对待:

Anonymous FTP

匿名FTP

Anonymous FTP refers to the ability of a client to connect to an FTP server with minimal authentication and gain access to public files. Security problems arise when such a user can read all files on the system or can create files. [CERT92:09] [CERT93:06]

匿名FTP指的是客户端通过最少的身份验证连接到FTP服务器并访问公共文件的能力。当这样的用户可以读取系统上的所有文件或创建文件时,就会出现安全问题。[证书92:09][证书93:06]

Remote Command Execution

远程命令执行

An optional FTP extension, "SITE EXEC", allows clients to execute arbitrary commands on the server. This feature should obviously be implemented with great care. There are several documented cases of the FTP "SITE EXEC" command being used to subvert server security [CERT94:08] [CERT95:16]

可选的FTP扩展名“SITE EXEC”允许客户端在服务器上执行任意命令。显然,应该非常小心地实现此功能。有几个记录在案的FTP“SITE EXEC”命令被用来破坏服务器安全[CERT94:08][CERT95:16]

Debug Code

调试代码

Several previous security compromises related to FTP can be attributed to software that was installed with debugging features enabled [CERT88:01].

以前与FTP相关的几个安全问题可归因于在启用调试功能的情况下安装的软件[CERT88:01]。

This document recommends that implementors of FTP servers with these capabilities review all of the CERT advisories for attacks on these or similar mechanisms before releasing their software.

本文档建议具有这些功能的FTP服务器的实施者在发布其软件之前,检查所有CERT警告,以防对这些或类似机制的攻击。

10 Conclusion

10结论

Using the above suggestions can decrease the security problems associated with FTP servers without eliminating functionality.

使用上述建议可以在不消除功能的情况下减少与FTP服务器相关的安全问题。

11 Security Considerations

11安全考虑

Security issues are discussed throughout this memo.

本备忘录中讨论了安全问题。

Acknowledgments

致谢

We would like to thank Alex Belits, Jim Bound, William Curtin, Robert Elz, Paul Hethmon, Alun Jones and Stephen Tihor for their helpful comments on this paper. Also, we thank the FTPEXT WG members who gave many useful suggestions at the Memphis IETF meeting.

我们要感谢Alex Belits、Jim Bound、William Curtin、Robert Elz、Paul Hethmon、Alun Jones和Stephen Tihor对本文的有益评论。此外,我们感谢FTPEXT工作组成员,他们在孟菲斯IETF会议上提出了许多有用的建议。

References

工具书类

[AOM98] Allman, M., Ostermann, S. and C. Metz, "FTP Extensions for IPv6 and NATs", RFC 2428, September 1998.

[AOM98]Allman,M.,Ostermann,S.和C.Metz,“IPv6和NAT的FTP扩展”,RFC 24281998年9月。

[Bel94] Bellovin. S., "Firewall-Friendly FTP", RFC 1579, February 1994.

贝洛文。美国,“防火墙友好FTP”,RFC 15791994年2月。

   [CERT88:01] CERT Advisory CA-88:01. ftpd Vulnerability. December,
               1988 ftp://info.cert.org/pub/cert_advisories/
        
   [CERT88:01] CERT Advisory CA-88:01. ftpd Vulnerability. December,
               1988 ftp://info.cert.org/pub/cert_advisories/
        
   [CERT92:09] CERT Advisory CA-92:09. AIX Anonymous FTP Vulnerability.
               April 27, 1992. ftp://info.cert.org/pub/cert_advisories/
        
   [CERT92:09] CERT Advisory CA-92:09. AIX Anonymous FTP Vulnerability.
               April 27, 1992. ftp://info.cert.org/pub/cert_advisories/
        
   [CERT93:06] CERT Advisory CA-93:06. Wuarchive ftpd Vulnerability.
               September 19,1997
               ftp://info.cert.org/pub/cert_advisories/
        
   [CERT93:06] CERT Advisory CA-93:06. Wuarchive ftpd Vulnerability.
               September 19,1997
               ftp://info.cert.org/pub/cert_advisories/
        
   [CERT94:08] CERT Advisory CA-94:08. ftpd Vulnerabilities. September
               23, 1997.  ftp://info.cert.org/pub/cert_advisories/
        
   [CERT94:08] CERT Advisory CA-94:08. ftpd Vulnerabilities. September
               23, 1997.  ftp://info.cert.org/pub/cert_advisories/
        
   [CERT95:16] CERT Advisory CA-95:16. wu-ftpd Misconfiguration
               Vulnerability.  September 23, 1997
               ftp://info.cert.org/pub/cert_advisories/
        
   [CERT95:16] CERT Advisory CA-95:16. wu-ftpd Misconfiguration
               Vulnerability.  September 23, 1997
               ftp://info.cert.org/pub/cert_advisories/
        
   [CERT97:27] CERT Advisory CA-97.27. FTP Bounce.  January 8, 1998.
               ftp://info.cert.org/pub/cert_advisories/
        
   [CERT97:27] CERT Advisory CA-97.27. FTP Bounce.  January 8, 1998.
               ftp://info.cert.org/pub/cert_advisories/
        

[HL97] Horowitz, M. and S. Lunt, "FTP Security Extensions", RFC 2228, October 1997.

[HL97]Horowitz,M.和S.Lunt,“FTP安全扩展”,RFC2228,1997年10月。

[Pis94] Piscitello, D., "FTP Operation Over Big Address Records (FOOBAR), RFC 1639, June 1994.

[Pis94]Piscitello,D.,“大地址记录上的FTP操作(FOOBAR),RFC163994年6月。

[Pos81] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981.

[Pos81]Postel,J.,“传输控制协议”,标准7,RFC 793,1981年9月。

[PR85] Postel, J. and J. Reynolds, "File Transfer Protocol (FTP)", STD 9, RFC 959, October 1985.

[PR85]Postel,J.和J.Reynolds,“文件传输协议(FTP)”,标准9,RFC 959,1985年10月。

   [RP94]      Reynolds, J. and J. Postel, "Assigned Numbers", STD 2,
               RFC 1700, October 1994.  See also:
               http://www.iana.org/numbers.html
        
   [RP94]      Reynolds, J. and J. Postel, "Assigned Numbers", STD 2,
               RFC 1700, October 1994.  See also:
               http://www.iana.org/numbers.html
        

Authors' Addresses

作者地址

Mark Allman NASA Glenn Research Center/Sterling Software 21000 Brookpark Rd. MS 54-2 Cleveland, OH 44135

马克·奥尔曼美国宇航局格伦研究中心/斯特林软件公司俄亥俄州克利夫兰布鲁克公园路21000号,邮编:44135

   EMail: mallman@grc.nasa.gov
        
   EMail: mallman@grc.nasa.gov
        

Shawn Ostermann School of Electrical Engineering and Computer Science Ohio University 416 Morton Hall Athens, OH 45701

俄亥俄大学肖恩·奥斯特曼电气工程与计算机科学学院,俄亥俄州雅典莫顿大厅416号,邮编:45701

   EMail: ostermann@cs.ohiou.edu
        
   EMail: ostermann@cs.ohiou.edu
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。