Ensuring that the company's FTP upload server is protected from attacks

Source: Internet
Author: User

In the age of network technology, SOHO (Small Office/Home Office), also known as tele-working, has gradually been accepted by some companies and individuals as a new way of working and living.

With the help of the ubiquitous network, many people now work from their own space, a freer and more environmentally friendly way of life. SOHO lets employees avoid heavy commuting traffic; it also cuts the company's expensive office rental costs and gives employees more freedom, which stimulates their creativity. Many large organizations have therefore begun to allow and encourage employees to become "SOHO workers". These workers upload and download files from the company's FTP server over the network, communicate with colleagues, managers and business partners via QQ and email, and use IE to search the Internet for material. What security issues should they pay attention to? And since the company's FTP server is the bridge between the company and its employees, how can administrators ensure its security?

The company's FTP server, which employees use to upload and download files, must be connected to the Internet and must have a public, fixed IP address so that it can be reached normally. It is precisely this fixed IP address that makes it an easy find for attackers who roam the network all day looking for targets. Even when an attack brings them no benefit, many of them are happy to show off the number of machines they have compromised as a measure of their skill. What types of attacks may the FTP server face?

1. Possible FTP server attacks

Although Windows servers are easy to operate and configure, vulnerabilities in Microsoft operating systems keep emerging. An administrator of a Windows server is never idle: they must keep an eye on whether Microsoft has released new patches or new vulnerability advisories, and install the patches as soon as possible after a vulnerability becomes known. There are also many hacking tools for Windows on the Internet, so anyone with a little computer knowledge can use them against such servers. For this reason, administrators who want to secure these servers are increasingly turning from Windows to Unix servers. Unix operating systems are more complex than Windows, which at least keeps out those who only know Windows, and their security is generally considered much higher. Attacking a Unix server is relatively difficult, but that does not mean it cannot be attacked. Such servers may face the following two types of attack.

1. DoS Attacks

Denial of Service (DoS) is a network attack that consumes a service's resources with seemingly legitimate requests so that legitimate users can no longer get a response. Typical DoS attacks work by resource exhaustion or resource overload: when the volume of reasonable-looking requests exceeds what the resource can deliver, legitimate visitors can no longer receive normal service.

During a DoS attack, a large number of service requests are sent to the same service daemon on the server, overloading it. These requests arrive in various forms, and many of them are deliberately crafted. Under time-sharing, the computer must process every request in the flood and becomes so busy that many new requests are dropped because it cannot keep up with its normal tasks. If the target is a TCP-based service, the dropped requests are retransmitted, which further increases the load on the network.

2. Weak password attacks

Because Unix operating systems have relatively few vulnerabilities that are easy to exploit, many attackers instead set their sights on accounts and passwords to break into the system. User IDs are easily obtained with existing scanners, so the password becomes the first and only line of defence. However, for convenience, some administrators use easy-to-guess passwords on some accounts on some servers, and some accounts have no password at all, which is a gift to an attacker. In addition, many systems ship with built-in or default accounts whose passwords are never changed. All of these give attackers plenty of opportunity, and they usually look for exactly these accounts: as soon as an attacker can determine a valid account name and password, he or she can access the target machine.
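The account weaknesses described above (empty passwords, unlocked default accounts, hashes that are cheap to crack, and stray UID 0 accounts) can be checked mechanically. The following audit script is an added example, not part of the original article: it runs over constructed `/etc/passwd` and `/etc/shadow` text whose hash values are fake placeholders of the right shape, and the list of "default" account names is a hypothetical one that a real audit would replace with the accounts actually shipped on the server.

```python
"""Audit local accounts for the password weaknesses described above (added example).

The input is constructed /etc/passwd and /etc/shadow text; the hashes are fake
placeholders of the right shape, not real password hashes.
"""
import re

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Hypothetical list of built-in or default account names worth checking.
DEFAULT_ACCOUNTS = {"ftp", "guest", "test", "admin", "oracle", "postgres"}

CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
carol:$1$Zt6r0Kxl$FAKEFAKEFAKEFAKEFAKEFA:1004:1004::/home/carol:/bin/sh
toor:x:0:0::/root:/bin/bash
"""

CONSTRUCTED_SHADOW = """\
root:$6$saltsalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE:19000:0:99999:7:::
ftp:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$1$abcdefgh$FAKEFAKEFAKEFAKEFAKEFA:19000:0:99999:7:::
bob:$y$j9T$saltsaltsaltsalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFA:19000:0:99999:7:::
toor:$6$saltsalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE:19000:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Map user -> field list for passwd/shadow-style text, skipping comments
    and malformed lines rather than crashing on them."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows[fields[0]] = fields
    return rows


def hash_strength(pw):
    """Classify a password field by what it tells an attacker."""
    if pw == "":
        return "empty"                       # no password at all
    if pw.startswith(("!", "*")):
        return "locked"
    if pw.startswith(("$6$", "$5$", "$y$", "$7$", "$2b$", "$2y$")):
        return "strong"                      # sha512/sha256/yescrypt/scrypt/bcrypt
    if pw.startswith("$1$"):
        return "md5"                         # fast to crack
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "des"                         # classic DES crypt, 8 significant chars
    return "unknown"


def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for the weaknesses the article warns about."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    findings = []
    for user, f in passwd.items():
        can_login = f[6] not in NOLOGIN_SHELLS
        if f[1] == "x":                                  # hash lives in shadow
            entry = shadow.get(user)
            pw = entry[1] if entry else "!"              # missing shadow entry: treat as locked
        else:
            pw = f[1]                                    # pre-shadow style: hash is world-readable
            if hash_strength(pw) != "locked":
                findings.append((user, "password field kept in world-readable /etc/passwd"))
        strength = hash_strength(pw)
        if strength == "empty" and can_login:
            findings.append((user, "empty password on login-capable account"))
        elif strength in ("md5", "des"):
            findings.append((user, f"weak {strength} password hash"))
        if user in DEFAULT_ACCOUNTS and can_login and strength != "locked":
            findings.append((user, "default account still allows login"))
        if f[2] == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(CONSTRUCTED_PASSWD, CONSTRUCTED_SHADOW):
        print(f"{user:8s} {finding}")
```

On the sample data the `ftp` account produces no finding because it is both locked (`*`) and given a non-login shell, which is the remedy the article implies for default accounts; `guest`, by contrast, is flagged twice, once for its empty password and once for being a default account that can still log in. Running the same functions against real `/etc/passwd` and `/etc/shadow` files requires root to read the shadow file.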

2. Preventing denial-of-service attacks

1. Harden the Operating System

Hardening the operating system means configuring operating system parameters, or recompiling the kernel with different settings on systems such as BSD, to improve stability and resistance to attack. Take SYN Flood, a typical DoS attack: it exploits a weakness in the TCP/IP handshake by sending a large number of forged TCP connection requests, so that the server can no longer accept connections from users or the operating system even locks up. Two system parameters matter here: the number of pending (half-open) connections the kernel will queue, and how long a pending connection is kept before it times out. You can raise the pending-connection queue length from its default of 128 or 512 to 2048 or more, so that more connection requests can be queued and absorbed during an attack, and you can shorten the timeout so that legitimate connections still complete while stale attack entries are discarded quickly. However, the protection these methods give is usually quite limited.

2. Add a firewall

We can add a firewall between the company's servers and the external network to block unpredictable and potentially destructive intrusions. A firewall is a set of software or hardware components that forms a "wall" separating the external network from the internal network; it protects the internal network from unauthorized access from outside, and used against DoS attacks it can effectively shield internal servers. We can place the FTP server in the firewall's DMZ so that it can accept access from the Internet while still being protected by the firewall. Against SYN Flood, firewalls usually offer three protection methods: SYN gateway, passive SYN gateway, and SYN relay.

(1) SYN Gateway

When the firewall receives a SYN packet from the client, it forwards it directly to the server. When the firewall receives the SYN/ACK packet from the server, it forwards it to the client and at the same time sends an ACK packet to the server in the client's name, completing the TCP three-way handshake so that the server moves the connection from the half-open state to the established state. When the client's real ACK packet arrives, the firewall forwards data to the server; otherwise the packets are discarded. Because a server can hold far more established connections than half-open ones, this method effectively reduces the impact of the attack on the server.

(2) passive SYN Gateway

The firewall's SYN request timeout is set much shorter than the server's. The firewall forwards the client's SYN packets to the server, the server's SYN/ACK packets to the client, and the client's ACK packets to the server. If the client's ACK has not arrived when the firewall's timer expires, the firewall sends an RST packet to the server so that the server removes the half-open connection from its queue. Because the firewall's timeout is much shorter than the server's, this effectively limits the damage of a SYN Flood.

(3) SYN Relay

After receiving a SYN packet from the client, the firewall records the connection state instead of forwarding it to the server, and itself sends a SYN/ACK packet back to the client. Only if it then receives the client's ACK, showing that the access is genuine, does the firewall send a SYN packet to the server and complete the three-way handshake with it.

In this way the firewall acts as a proxy between client and server, and connection attempts that would never complete are filtered out entirely before they reach the server.
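The three firewall methods differ in what state the server is left holding while a flood of never-completed handshakes is in progress. The following discrete-time model is an added example, not code from the original article: it replays a constructed flood of spoofed SYNs plus one legitimate client against a server behind each method, and reports the server's half-open and established connection counts. The timeouts, flood size and addresses are assumed values; one further assumption beyond the text is that in SYN gateway mode the firewall resets the server-side connection it pre-completed when the client's real ACK never arrives within the firewall's timer (the article only says the packets are discarded).

```python
"""Discrete-time model of a server behind a firewall under SYN flood (added example).

Four modes: "none" (no firewall), "gateway", "passive" and "relay". Numbers below
(timeouts, flood size, addresses) are constructed for the illustration.
"""
from dataclasses import dataclass, field

SERVER_TIMEOUT = 60   # seconds a server keeps a half-open connection (assumed)
FW_TIMEOUT = 3        # firewall handshake timer, deliberately far shorter (assumed)


@dataclass
class Server:
    half_open: dict = field(default_factory=dict)     # src -> time SYN arrived
    established: set = field(default_factory=set)

    def on_syn(self, src, now):            # server replies SYN/ACK and queues the entry
        self.half_open[src] = now

    def on_ack(self, src):                 # third packet of the handshake
        if self.half_open.pop(src, None) is not None:
            self.established.add(src)

    def on_rst(self, src):                 # a reset tears down either kind of state
        self.half_open.pop(src, None)
        self.established.discard(src)

    def expire(self, now):                 # the server's own (slow) half-open timeout
        for src in [s for s, t in self.half_open.items() if now - t >= SERVER_TIMEOUT]:
            del self.half_open[src]


@dataclass
class Firewall:
    mode: str
    server: Server
    pending: dict = field(default_factory=dict)   # src -> time of the client's SYN

    def on_syn(self, src, now):
        if self.mode == "relay":
            self.pending[src] = now        # firewall answers SYN/ACK itself; server sees nothing
            return
        self.server.on_syn(src, now)       # forward SYN; server's SYN/ACK passes back through us
        if self.mode == "gateway":
            self.server.on_ack(src)        # ACK on the client's behalf: server is established now
        if self.mode != "none":
            self.pending[src] = now        # start our short timer

    def on_ack(self, src, now):
        if self.mode == "none":
            self.server.on_ack(src)
            return
        if self.pending.pop(src, None) is None:
            return                         # no SYN we know of: drop the stray ACK
        if self.mode == "relay":           # client proved itself; now open the server side
            self.server.on_syn(src, now)
            self.server.on_ack(src)
        elif self.mode == "passive":
            self.server.on_ack(src)        # (gateway mode: server already established)

    def tick(self, now):
        self.server.expire(now)
        for src in [s for s, t in self.pending.items() if now - t >= FW_TIMEOUT]:
            del self.pending[src]
            if self.mode != "relay":       # relay never gave the server any state to clean up
                self.server.on_rst(src)    # assumption for gateway mode: reset the pre-completed connection


def simulate(mode, spoofed=1000, observe=(2, 5)):
    """Flood of `spoofed` SYNs that are never ACKed plus one legitimate client.
    Returns {t: (server half-open count, server established count)}."""
    fw = Firewall(mode, Server())
    events = [(0, "SYN", f"spoofed-{i}") for i in range(spoofed)]
    events += [(0, "SYN", "client"), (1, "ACK", "client")]
    results = {}
    for now in range(max(observe) + 1):
        fw.tick(now)
        for t, kind, src in events:
            if t == now:
                (fw.on_syn if kind == "SYN" else fw.on_ack)(src, now)
        if now in observe:
            results[now] = (len(fw.server.half_open), len(fw.server.established))
    return results


if __name__ == "__main__":
    for mode in ("none", "passive", "gateway", "relay"):
        print(f"{mode:8s}", simulate(mode))
```

The model makes the trade-off visible: with no firewall the 1000 spoofed entries sit in the server's half-open queue until its own 60-second timer fires; passive mode leaves them there only until the firewall's 3-second timer sends the RSTs; gateway mode keeps the half-open queue empty but briefly inflates the established table instead, relying on the server having far more capacity there; and relay mode never lets the server see anything but the one genuine client.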

When selecting a firewall, each enterprise must choose among the protection methods above and size the firewall's performance according to its business volume. Better performance of course costs more, and performance is tied to resource consumption: the higher the throughput, the more resources the firewall consumes and the larger the share of bandwidth it takes. In addition, enterprises that do not want to invest heavily in security products will often want the firewall to also provide intrusion detection, VPN and other functions, even antivirus.
