
Thread: access ftp ??

  1. #1
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62

    access ftp ??

    Hi,
    On my 500gP I found a security hole: port 21 is open and accepts connections; I can connect over the FTP protocol without a problem.
    I followed Wengi's howto, and on a scan from the WAN, port 21 is open.
    I tried setting FTP off or LAN-only from the web interface; port 21 is still open.
    Then I installed vsftpd, with this post-boot:

    #!/bin/sh
    dropbear -p 22 -j -k
    # Start a ftp server. If vsftpd is available use that,
    # otherwise use stupid-ftpd (which is called that for a reason).
    [ -x /opt/sbin/vsftpd ] && \
    /opt/sbin/vsftpd /opt/etc/vsftpd.conf || \
    /usr/sbin/stupid-ftpd -f /opt/etc/stupid-ftpd.conf -p /tmp/var/run/stupid-ftpd.pid

    vsftpd starts, but port 21 is open there.
    Whether the web interface firewall is on or off, nothing changes (besides the post-firewall settings from the howto).
    Is there any reason for this?
    The installation is clean: only transmission on 65534, ssh on 22, nothing else.
    The rules in the web interface firewall are DMZ on .2 from the LAN, and a virtual forward from 22 WAN to 22 LAN (.1) in order to ssh from outside.
    If it is a real hole, not a misconfiguration (oops), how can it be closed?

  2. #2
    Join Date
    Aug 2006
    Location
    Lisbon / Portugal
    Posts
    8
    Hi, poiu

    I had the same problem with stupid-ftpd.

    I installed proftpd (ipkg install proftpd).

    proftpd installs by default running from xinetd (of course you have to
    have xinetd installed).

    A README says that the installation default only allows connections from
    the local network, but in my case that wasn't the case.

    I had to add the line:

    only_from = 192.168.1.0

    to:

    /opt/etc/xinetd.d/proftpd

    So, this is a workaround, since port 21 is still open, but xinetd will block connections to it.

    I disabled stupid-ftpd.

    Hope it helps,

    Mektub

  3. #3
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    Thanks for the answer, Mektub.
    In my case no xinetd is installed; it is a "default" install using Wengi's howto, without samba2, just using samba from the web interface.
    This is a workaround: nobody listens on that open port, but I want a closed port there.
    Yesterday I did a full scan from port 1 to 20,000 (then I got bored) and found only 21 and 22 (22 is opened by me) open. This looks almost perfect, but 21 is a port hunted by robots, so it is a problem.
    In my setup there is no stupid-ftpd; vsftpd is active.
    Last edited by poiu; 13-05-2008 at 16:25.

  4. #4
    Join Date
    Nov 2007
    Location
    EU's border...
    Posts
    71
    poiu, post the output of these commands:
    #iptables -L -n -v
    #ps

  5. #5
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    [admin@router root]$ ps
    PID TTY TIME CMD
    19626 pts/0 00:00:00 sh
    19631 pts/0 00:00:00 ps

    [admin@router root]$ iptables -L -n -v
    Chain INPUT (policy DROP 1376 packets, 431K bytes)
    pkts bytes target prot opt in out source destination
    1491 89340 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
    0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:65534 flags:0x16/0x02
    61 6531 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    7249K 6193M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    16433 986K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
    3340 2347K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
    1492 473K SECURITY all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW

    Chain FORWARD (policy ACCEPT 12778 packets, 1333K bytes)
    pkts bytes target prot opt in out source destination
    9 535 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    282K 146M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
    223K 11M SECURITY all -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
    160K 8243K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
    0 0 DROP all -- * br0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 8153K packets, 5512M bytes)
    pkts bytes target prot opt in out source destination

    Chain MACS (0 references)
    pkts bytes target prot opt in out source destination

    Chain SECURITY (2 references)
    pkts bytes target prot opt in out source destination
    153K 7501K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
    473 18920 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    8014 1154K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
    2 184 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
    63326 3163K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain logaccept (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain logdrop (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
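
An added example, not code from the thread, the firmware or any poster: a small Python walker that reads the filter-table listing posted above (the INPUT, FORWARD and SECURITY chains, copied verbatim as the sample input) and evaluates it the way the kernel would for one packet. It shows that a new SYN from vlan1 to port 21 matches nothing until the jump to SECURITY, RETURNs from there (the `limit` matches are assumed to be within rate), and ends on INPUT's DROP policy, while ports 22 and 65534 are ACCEPTed; the posted listing by itself therefore does not explain a reachable port 21 on the router. It also walks FORWARD for a packet headed to br0 with and without the DNAT conntrack flag: only the DNATed one is ACCEPTed, by the `ctstate DNAT` rule. The DNAT rules themselves (DMZ and virtual-server entries) live in the nat table, which `iptables -L -n -v` does not print; `iptables -t nat -L -n -v` does. Only the two TCP flag masks that appear in the listing are modelled.

```python
"""Walk an `iptables -L -n -v` listing the way the kernel would and report the verdict
for one packet. Added example for this thread, not firmware or poster code. Assumes
`limit` matches are within rate and models only the two flag masks in the listing."""
import re

# Sample input: the INPUT, FORWARD and SECURITY chains exactly as posted in the thread.
LISTING = """\
Chain INPUT (policy DROP 1376 packets, 431K bytes)
 pkts bytes target prot opt in out source destination
 1491 89340 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:65534 flags:0x16/0x02
 61 6531 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 7249K 6193M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 16433 986K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
 3340 2347K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
 1492 473K SECURITY all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain FORWARD (policy ACCEPT 12778 packets, 1333K bytes)
 pkts bytes target prot opt in out source destination
 9 535 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 282K 146M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
 223K 11M SECURITY all -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
 160K 8243K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
 0 0 DROP all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain SECURITY (2 references)
 pkts bytes target prot opt in out source destination
 153K 7501K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
 473 18920 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
 8014 1154K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
 2 184 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
 63326 3163K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
FLAG_MASKS = {"0x16/0x02": "SYN", "0x17/0x04": "RST"}  # mask/comp pairs seen in the listing

def parse_listing(text):
    """Return {chain: {"policy": str | None, "rules": [...]}} from `iptables -L -n -v` text."""
    chains, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CHAIN_RE.match(line):
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif line and not line.startswith("pkts") and cur is not None:
            f = line.split()  # pkts bytes target prot opt in out source destination [matches]
            extra = " ".join(f[9:])
            dport = re.search(r"dpt:(\d+)", extra)
            states = re.search(r"(?:ct)?state (\S+)", extra)
            flags = re.search(r"flags:(\S+)", extra)
            cur["rules"].append({
                "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                "dport": int(dport.group(1)) if dport else None,
                "states": set(states.group(1).split(",")) if states else set(),
                "flags": FLAG_MASKS.get(flags.group(1)) if flags else None})
    return chains

def iface_ok(want, have):
    """Interface column: '*' matches anything, a leading '!' negates."""
    return want == "*" or (have != want[1:] if want.startswith("!") else have == want)

def rule_matches(rule, pkt):
    return (rule["proto"] in ("all", pkt["proto"])
            and iface_ok(rule["in"], pkt["in"]) and iface_ok(rule["out"], pkt["out"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and bool(not rule["states"] or rule["states"] & pkt["ctstate"])
            and (rule["flags"] is None or rule["flags"] == pkt["flags"]))

def verdict(chains, name, pkt):
    """ACCEPT/DROP for a built-in chain; None means the user chain RETURNed."""
    for rule in chains[name]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] == "RETURN":
            return None
        if rule["target"] in chains:  # jump; resume here if the sub-chain RETURNs
            if (sub := verdict(chains, rule["target"], pkt)) is not None:
                return sub
    return chains[name]["policy"]

def syn_from_wan(dport, out=None, dnat=False):
    """A new TCP SYN entering on the WAN interface vlan1 (constructed packet)."""
    return {"proto": "tcp", "in": "vlan1", "out": out, "dport": dport, "flags": "SYN",
            "ctstate": {"NEW", "DNAT"} if dnat else {"NEW"}}

def wan_input_verdict(dport, listing=LISTING):
    """INPUT chain: a SYN aimed at the router itself."""
    return verdict(parse_listing(listing), "INPUT", syn_from_wan(dport))

def wan_forward_verdict(dport, dnat, listing=LISTING):
    """FORWARD chain: a SYN bound for the LAN (br0), with or without a nat-table DNAT."""
    return verdict(parse_listing(listing), "FORWARD", syn_from_wan(dport, "br0", dnat))

if __name__ == "__main__":
    for port in (21, 22, 65534):
        print(f"INPUT  :{port:<6} {wan_input_verdict(port)}")
    print("FORWARD :21 plain", wan_forward_verdict(21, dnat=False))
    print("FORWARD :21 DNAT ", wan_forward_verdict(21, dnat=True))
```

Run stand-alone it prints the five verdicts (21 DROP, 22 ACCEPT, 65534 ACCEPT on INPUT; FORWARD DROP without DNAT, ACCEPT with it). On the box itself, the matching checks are `iptables -t nat -L -n -v` for a PREROUTING DNAT that covers port 21, and `netstat -ln` for which process, if any, is actually bound to 21.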

  6. #6
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Or just use the newer firmware that has a different FTP server; it works perfectly, and it's very secure.

  7. #7
    Join Date
    Nov 2007
    Location
    EU's border...
    Posts
    71
    Quote Originally Posted by poiu:
    [admin@router root]$ ps
    PID TTY TIME CMD
    19626 pts/0 00:00:00 sh
    19631 pts/0 00:00:00 ps
    Hmm, you have procps installed!
    Then do a "ps axf".

  8. #8
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    This is the ps axf output:
    PID TTY STAT TIME COMMAND
    1 ? S 0:01 /sbin/init
    2 ? S 0:00 [keventd]
    3 ? RN 4:15 [ksoftirqd_CPU0]
    4 ? S 0:25 [kswapd]
    5 ? S 0:00 [bdflush]
    6 ? S 0:00 [kupdated]
    7 ? S 0:01 [mtdblockd]
    64 ? S 0:06 httpd vlan1
    66 ? Ss 0:01 nas /tmp/nas.lan.conf /tmp/nas.lan.pid lan
    71 ? S 0:00 klogd
    72 ? S 0:02 [dnsmasq]
    73 ? S 0:00 [khubd]
    86 ? S 5:11 [usb-storage-0]
    87 ? S 0:00 [scsi_eh_0]
    134 ? Ss 0:02 watchdog
    136 ? Ss 0:00 \_ ntp
    145 ? S 0:02 dropbear -p 22 -j -k
    21614 ? Ss 0:01 \_ dropbear -p 22 -j -k
    21615 pts/0 Ss 0:00 \_ -sh
    21618 pts/0 R+ 0:00 \_ ps axf
    162 ? S 0:00 [kjournald]
    163 ? S 0:17 [kjournald]
    166 ? Ss 0:00 /usr/sbin/vsftpd
    168 ? Ss 0:00 /usr/sbin/nmbd -D
    170 ? Ss 0:00 /usr/sbin/smbd -D
    195 ? S 0:02 /sbin/syslogd -m 0 -O /opt/var/log/syslog.log -S -l 7 -s 0
    202 ? Ss 0:00 /opt/sbin/cron
    210 ? S 0:00 /usr/sbin/busybox_httpd -c /opt/etc/httpd.conf -p 8008 -h /opt/share/www
    251 ? SNs 0:12 transmissiond -p 65534 -w 300 -u 20 -d 100 -i /opt/var/run/transmis.....
    254 ? SN 0:00 \_ transmissiond -p 65534 -w 300 -u 20 -d 100 -i /opt/var/run/transmis........
    255 ? SN 243:29 \_ transmissiond -p 65534 -w 300 -u 20 -d 100 -i /opt/var/run/transmis.....

    LE: About the new firmware, I can't find it, and I did a full reinstall just 1 week ago.
    Last edited by poiu; 14-05-2008 at 21:28.

  9. #9
    Join Date
    Nov 2007
    Location
    EU's border...
    Posts
    71

    I don't know what to say; I have the same strange problem!!!
    When port 22 is opened in the firewall
    Code:
    iptables -I INPUT 3 -i ppp0 -s My.IP.From.Work -d 192.168.0.254 -p tcp --dport 22 -j ACCEPT
    then port 21 is also open and connections are accepted:
    Code:
     $ telnet xxx.xxx.xxx.xxx 22
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx
    Escape character is '^]'.
    SSH-2.0-dropbear_0.50
    Code:
    $ telnet xxx.xxx.xxx.xxx 21
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx
    Escape character is '^]'.
    Connection closed by foreign host.
    And this is happening even with:
    Code:
    iptables -I INPUT 4 -i ppp0 -p tcp --dport 21 -j DROP
    Luckily xinetd and vsftpd have:
    Code:
    only_from = 192.168.0.0/24

  10. #10
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    I already tried playing with post-firewall, opening and closing ports there; post-firewall is working, but port 21 is still open.
    The problem seems to be in "hidden" firewall rules from the default firmware.
    Again, about the new firmware, where can I find it?

  11. #11
    Join Date
    Nov 2007
    Location
    EU's border...
    Posts
    71
    Yes, like in the original FW from ASUS!
    http://oleg.wl500g.info/
    But you already have 1.9.2.7-10!!!
    wpte: "or just use the newer firmware that has a different ftp server, works perfectly, and it's verry secure"
    wpte is thinking of this, I believe:
    1.9.2.7-9 (2008-03-14) FTP: switched to vsftpd, reworked web-iface.

  12. #12
    Join Date
    Mar 2008
    Location
    Next to Serpent ..
    Posts
    62
    Another discovery: from Firefox I can't access http://oleg.wl500g.info/ ; I get "Firefox can't find the file at /.", so I believed the site was down. That's why I asked where I can get the new firmware, but in Internet Explorer the link works... lol.
    After a full clear in Firefox the link works again :)
    And yes, the firmware is 1.9.2.7-10.
    Last edited by poiu; 15-05-2008 at 18:40.

  13. #13
    Join Date
    Nov 2004
    Location
    Sweden
    Posts
    259
    Have you tried without "passive mode" on the client?

  14. #14
    Join Date
    Nov 2007
    Location
    EU's border...
    Posts
    71
    We are talking about port 21, which remains open even with an explicit firewall rule!!!
    Who said anything about FTP servers and clients?!?
