[zorp-hu] Bad PASV params
SZALAY Attila
zorp-hu@lists.balabit.hu
Tue, 27 Apr 2004 09:50:57 +0200
Hi!
On 2004 Apr 27, Gabor E. Tusnady wrote:
> Apr 27 07:46:38 fal i2o_ftp[30776]: core.session(5): (z/io_ftp): Starting service; name='io_ftp'
> Apr 27 07:46:38 fal i2o_ftp[30947]: core.debug(6): (z/io_ftp:2/ftp): Established connection; protocol='1', remote='AF_INET(out.ftp.server.ip:21)', local='AF_INET(tuz.fal.ip:53108)', dest='AF_INET(out.ftp.server.ip:21)'
> Apr 27 07:46:45 fal i2o_ftp[30947]: core.dump(7): (z/io_ftp:2/ftp/server): Reading channel; fd='18', count='27'
> Apr 27 07:46:45 fal i2o_ftp[30947]: core.dump(9): (z/io_ftp:2/ftp/server): data line: 32 32 37 20 3D 31 33 30 2C 32 33 37 2C 32 35 2C 227 =130,237,25,
> Apr 27 07:46:45 fal i2o_ftp[30947]: core.dump(9): (z/io_ftp:2/ftp/server): data line: 32 30 2C 32 32 32 2C 38 32 0D 0A 20,222,82..
> Apr 27 07:46:45 fal i2o_ftp[30947]: ftp.debug(8): (z/io_ftp:2/ftp): Reading from server side;
> Apr 27 07:46:45 fal i2o_ftp[30947]: ftp.reply(6): (z/io_ftp:2/ftp): Response arrived; rsp='227', rsp_prm='=130,237,25,20,222,82'
> Apr 27 07:46:45 fal i2o_ftp[30947]: ftp.violation(2): (z/io_ftp:2/ftp): Bad PASV params;
So I guessed right, the parentheses are missing.
> Apr 27 07:46:45 fal i2o_ftp[30947]: ftp.policy(3): (z/io_ftp:2/ftp): Possibly bounce attack; connect='FALSE', side='server', remote='AF_INET(130.237.25.19:56915)'
And this means that the server is not connecting back from its own IP
address.
That is, out.ftp.server.ip != 130.237.25.19
(If I guess right, it is 130.237.25.20 :) )
The second one is the simpler: all you have to do is put the following
function into the Ftp proxy:
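def bounceCheck(self, remote, side, connect):
    # Accept the one known case: the server's data connection arrives
    # from 130.237.25.19 while the control connection goes to 130.237.25.20.
    if side == 1 and remote.ip_s == '130.237.25.19' and self.session.server_address.ip_s == '130.237.25.20':
        return TRUE
    # Everything else gets the default bounce check.
    return AbstractFtpProxy.bounceCheck(self, remote, side, connect)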
--
Szalay Attila BalaBit IT Biztonságtechnikai Kft.
tel:(36-1)-371-05-40 1116 Bp. Csurgoi ut 20/b
fax:(36-1)-208-08-75 http://www.balabit.hu/
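
The two checks discussed in this message, as an added example that is not part of the original e-mail and is not Zorp's own code: a 227 parameter parser with a strict mode (parentheses required) and a lenient mode, and a comparison of the control peer against the data peer. The function names are hypothetical, and the control peer address 130.237.25.20 is the guess made in the message above.

```python
import re

# Strict form: six decimal fields enclosed in parentheses, e.g.
# "Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
STRICT = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")
# Lenient form: the first run of six comma-separated numbers anywhere.
LENIENT = re.compile(r"(?<!\d)(\d{1,3}(?:,\d{1,3}){5})(?!\d)")


def parse_pasv(rsp_prm, strict=True):
    """Return (ip, port) from a 227 reply parameter, or None if rejected."""
    m = (STRICT if strict else LENIENT).search(rsp_prm)
    if m is None:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None  # every field must fit in one octet
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def is_bounce_suspect(control_peer_ip, data_peer_ip):
    """Flag a data connection whose peer differs from the control peer."""
    return control_peer_ip != data_peer_ip


# The parameter from the log above, plus a constructed well-formed variant.
FROM_LOG = "=130,237,25,20,222,82"
CONSTRUCTED = "Entering Passive Mode (130,237,25,20,222,82)"

if __name__ == "__main__":
    for prm in (FROM_LOG, CONSTRUCTED):
        print(repr(prm), "strict:", parse_pasv(prm),
              "lenient:", parse_pasv(prm, strict=False))
    # Control peer as guessed in the message, data peer as logged.
    print("bounce suspect:",
          is_bounce_suspect("130.237.25.20", "130.237.25.19"))
```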