8.7 FTP Services Countermeasures

  • Don't provide anonymous FTP access, especially anonymous writable FTP access. Most serious overflows in FTP services require a degree of access to the server, in order to overflow nested functions within the program.

  • Ensure aggressive firewalling both into and out of your public FTP servers. Most publicly available exploits use connect-back or bindshell shellcode, which allows attackers to compromise your server if it isn't fully protected at the network level. If possible, avoid running other public network services (for example, web or mail services) on the same machine as an FTP server.

  • If you offer public FTP access, ensure that your firewall is patched with the latest vendor service pack or security hotfixes; this will defuse any circumvention attacks.
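
One way to check the first two countermeasures on a server's configuration, as an added example that is not from the original text: the script below audits the text of a vsftpd.conf file for anonymous login, anonymous write access and a passive data-port range left unpinned (which prevents tight inbound filtering). The choice of vsftpd is an assumption, since the section names no particular server; the function names and sample configurations are constructed for illustration.

```python
# Added example: audit vsftpd.conf text (vsftpd is an assumed server, not named
# on the page) for anonymous access, anonymous writes and an unpinned PASV range.

# vsftpd's built-in defaults for the options checked; anonymous_enable is YES.
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "pasv_enable": "YES",
    "pasv_min_port": "0", "pasv_max_port": "0",
}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")

def parse_conf(text):
    """Overlay option=value lines on the defaults, skipping comments."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip().upper()
    return opts

def enabled(opts, key):
    return opts[key] in ("YES", "TRUE", "1")

def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    opts = parse_conf(text)
    findings = []
    if enabled(opts, "anonymous_enable"):
        findings.append("anonymous login enabled")
        # Anonymous writes need write_enable plus one of the anon_* switches.
        if enabled(opts, "write_enable"):
            findings += ["anonymous write via " + k for k in ANON_WRITE if enabled(opts, k)]
    # With no fixed PASV range, inbound data ports cannot be limited to a known range.
    if enabled(opts, "pasv_enable") and "0" in (opts["pasv_min_port"], opts["pasv_max_port"]):
        findings.append("passive port range not pinned")
    return findings

# Constructed sample configurations (not taken from any real server).
SAMPLE_WEAK = "# no anonymous_enable line, so the default applies\nwrite_enable=YES\nanon_upload_enable=YES\n"
SAMPLE_HARDENED = ("anonymous_enable=NO\nwrite_enable=YES\n"
                   "pasv_min_port=50000\npasv_max_port=50100\n")

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(conf) or "no findings")
```

The weak sample never mentions anonymous_enable, yet it is still flagged, because the check applies the server's built-in default rather than assuming an absent option is off.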