First, Serv-U security risks and how they are exploited.
Second, Serv-U installation and security settings in detail.
Third, Serv-U transfer modes and firewall settings.
Fourth, the Serv-U banner and login message settings.
Serv-U is a classic FTP server that most administrators and virtual hosting providers have used at one time or another; its simple installation and configuration and its powerful management features have earned it a good reputation among administrators. But as its user base has grown, more and more hosts are being compromised through Serv-U.
This article proposes some practical measures to eliminate the hidden security risks that Serv-U brings.
1. Installing Serv-U:
Many articles about installing Serv-U on the web recommend installing it under a deliberately complex path. Personally I do not think this is necessary; you can use any directory you like, for example D:\soft\Serv-U. What I do not recommend is installing on the system drive, and in particular not under C:\Program Files, because of the permissions on that directory (permissions are discussed in detail separately below). You do not even need to run the installer: use the portable ("green") version directly, or copy the Serv-U directory from a machine where it is already installed. Serv-U can store its user profiles in two places, the registry or the ServUDaemon.ini file. The .ini file is recommended: it makes Serv-U upgrades easier, makes it easy to restore the FTP users after reinstalling the system, and is more convenient when setting permissions. Note that the .ini file then holds the user definitions, so the permissions on the Serv-U directory (below) are what keep it out of reach. As for the version, choose something newer than 6.3; at the time of writing the latest is 184.108.40.206, which is the recommended one. From here on we assume Serv-U lives in D:\soft\Serv-U.
2. Permission settings:
Run Serv-U under a dedicated low-privilege user. In Computer Management create a new local account named ftp, tick "User cannot change password" and "Password never expires", set a complex password, and move the ftp user from the Users group (the default) into the Guests group; it can also belong to no group at all.
Start Serv-U (at this point it still runs with the default system privileges), select the local server and enable automatic start, which installs Serv-U as a Windows service so that it starts on every reboot. What we really want from this is that a service can be configured to run as our dedicated ftp account.
Set the permissions on the D:\soft\Serv-U directory so that only two principals remain, Administrators and ftp, each with Full Control, and apply the change to all subdirectories and files (replace the permissions on child objects).
In Computer Management open Services, find the Serv-U FTP Server service, right-click Properties, and on the Log On tab change the logon identity from Local System account to This account; enter the ftp account and the password you set. After confirming you are told that the service must be restarted; right-click, Restart, and if it starts successfully Serv-U is now running with low privileges. If it fails to start, the usual causes are that ftp lacks Full Control on the Serv-U directory (it has to write its log and .ini files there) or that it has not been granted the "Log on as a service" right; the Services console grants that right automatically when you change the account there.
Upload directory permissions: because Serv-U now runs as the ftp account, every directory it serves must grant ftp the required access. For example, set the permissions on drives D, E and F (or, better, on the specific FTP root directories rather than whole drives) to Administrators and ftp Full Control; SYSTEM need not be added. If instead Serv-U runs with the default Local System identity, SYSTEM must have permissions on any directory that FTP users operate on.
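The steps of this section as one script, added here as an example and not taken from the original article. It assumes (the text does not say) that the Windows service is named Serv-U, that the install directory is D:\soft\Serv-U, and that the only FTP root is D:\ftproot; it grants the FTP root rather than whole drives, which is the narrower choice.

```powershell
# Added example, not from the original article: the low-privilege setup of
# section 2 as a PowerShell script. Run it in an elevated prompt on the Serv-U
# host. Assumptions not stated in the text: the Windows service is named
# "Serv-U" (check with Get-Service *serv*), the install directory is
# D:\soft\Serv-U, and the only FTP root is D:\ftproot.
$ErrorActionPreference = 'Stop'
$account  = 'ftp'
$servUDir = 'D:\soft\Serv-U'
$ftpRoots = @('D:\ftproot')
$svcName  = 'Serv-U'

# 1. Dedicated account: complex password, cannot change it, never expires,
#    moved out of the default Users group into Guests.
$plain  = Read-Host "Password for local account $account"
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $account -Password $secure -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Serv-U service account' | Out-Null
}
if (Get-LocalGroupMember -Group 'Users' -Member $account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $account
}
if (-not (Get-LocalGroupMember -Group 'Guests' -Member $account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Guests' -Member $account
}

# 2. ACLs: drop inherited entries and leave only Administrators and ftp with
#    Full Control on the program directory and the FTP roots, recursively.
#    (OI)(CI) makes the entry inherit to files and subfolders; /t rewrites
#    children that already exist. SYSTEM is deliberately not granted.
foreach ($dir in @($servUDir) + $ftpRoots) {
    icacls.exe $dir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' "${account}:(OI)(CI)F" /t | Out-Null
}
icacls.exe $servUDir     # review: only the two expected entries should remain

# 3. Run the service as .\ftp. sc.exe works on every Windows version; unlike
#    the Services console it does not grant "Log on as a service", so if the
#    restart fails with a logon failure, grant that right once via secpol.msc
#    (or change the account once in services.msc, which grants it for you).
sc.exe config $svcName obj= ".\$account" password= $plain | Out-Null
Restart-Service -Name $svcName
Get-CimInstance Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, StartName, State    # StartName should now read .\ftp
```

The final icacls listing is the check worth reading: anything beyond the Administrators and ftp entries (Users, Everyone, CREATOR OWNER) means inheritance was not removed and a webshell running as the web server account could still read ServUDaemon.ini.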
3. Security risks and how they are exploited
Serv-U has a default local management listener, by default on 127.0.0.1:43958. The default account for this management port is LocalAdministrator and the default password is "#l@$ak#.lk;0@P"; the password is fixed and identical on every installation. Because the port only listens on loopback, an attacker needs to run code on the host already, which in practice means a webshell; the management port then turns that foothold into an administrator-level one. Almost all of the trojans that attack Serv-U use it to add Serv-U users, for example a super-administrator user whose home directory is the C: drive, which is frightening enough.
Here we use a common ASP trojan (a so-called Serv-U privilege-escalation "super edition") to illustrate:
Once it reports success, it can run commands directly to add an administrator account, plus a hidden administrator account (admittedly a crude form of hiding). If that works, the attacker logs in remotely with that account, creates a cloned administrator account, and deletes the first one. If the administrator has not even secured Serv-U properly, a well-hidden cloned account may never be found, so Serv-U security cannot be ignored.
For example, a friend of mine likes to clone the Administrator account onto accounts with names like SQLDebugger or support_xxx; nothing shows in the account's properties, so it easily escapes the administrator's eye.
The simplest way to eliminate this risk completely is to give Serv-U a local administration password, so that adding, deleting or modifying Serv-U users and changing settings all require local password authentication.
Some administrators may think that since only they know the server password, nobody else can get in, let alone add Serv-U accounts, so setting this password is superfluous. That is wrong: a webshell runs as the web server's account on the box and reaches 127.0.0.1:43958 without knowing any Windows password at all.
A second measure, combined with the local administration password above, makes Serv-U safer still: change Serv-U's default management account name and password. Here we use UltraEdit-32.
Open ServUAdmin.exe in UltraEdit-32, find the strings LocalAdministrator and #l@$ak#.lk;0@P, replace each with a string of exactly the same length, and save. The lengths must match, otherwise the offsets inside the executable shift and it no longer runs.
That alone is not enough: open ServUDaemon.exe and do the same, using exactly the same replacement strings as in ServUAdmin.exe; otherwise the administrator program can no longer manage users. Remember that this patch has to be repeated after every Serv-U upgrade.
With these two drastic measures in place (the local administration password and the patched binaries), try the trojan again: it may still report that the command executed successfully, but nothing on the server actually changes.
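A check for the patching step above, added here as an example and not part of the original article: it scans both binaries for the two default strings in either encoding a Windows executable might use, so you can confirm nothing was missed. It assumes Serv-U is installed in D:\soft\Serv-U as in the article's example.

```powershell
# Added example, not from the original article: after editing ServUAdmin.exe and
# ServUDaemon.exe as described above, confirm that neither file still contains
# the default management account name or password. Both the ANSI and the
# UTF-16LE encodings are searched, since a Windows executable may store the
# strings either way. Assumption: Serv-U is installed in D:\soft\Serv-U.
$servUDir = 'D:\soft\Serv-U'
$defaults = @('LocalAdministrator', '#l@$ak#.lk;0@P')   # single quotes: no $ expansion

function Find-StringInBinary {
    # Emits one object per byte offset at which $Text occurs in $Path, in either encoding.
    param([string]$Path, [string]$Text)
    $latin1 = [Text.Encoding]::GetEncoding(28591)           # maps each byte to exactly one char
    $hay = $latin1.GetString([IO.File]::ReadAllBytes($Path))
    foreach ($enc in [Text.Encoding]::ASCII, [Text.Encoding]::Unicode) {
        $needle = $latin1.GetString($enc.GetBytes($Text))
        $start = 0
        while (($i = $hay.IndexOf($needle, $start, [StringComparison]::OrdinalIgnoreCase)) -ge 0) {
            [pscustomobject]@{ File = Split-Path -Leaf $Path; Text = $Text; Encoding = $enc.WebName; Offset = $i }
            $start = $i + 1
        }
    }
}

function Test-ServUDefaultStrings {
    # Returns $true when neither binary still carries a default string.
    param([string]$Dir)
    $hits = @(foreach ($exe in 'ServUAdmin.exe', 'ServUDaemon.exe') {
        $path = Join-Path $Dir $exe
        if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
        foreach ($s in $defaults) { Find-StringInBinary -Path $path -Text $s }
    })
    foreach ($h in $hits) {
        Write-Warning ('{0}: default string "{1}" ({2}) still present at offset 0x{3:X}' -f $h.File, $h.Text, $h.Encoding, $h.Offset)
    }
    if ($hits.Count -eq 0) { 'Neither binary still contains the default LocalAdministrator strings.' }
    return ($hits.Count -eq 0)
}

Test-ServUDefaultStrings -Dir $servUDir
```

Run it before and after patching: before, it should report the offsets UltraEdit-32 showed you; after, nothing. It cannot tell you whether the two replacement strings match between the files, so keep that check manual.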
A brief summary of the security essentials described above:
1. Use the latest version of Serv-U, preferably the English release if you read English; if you want a Chinese version, test it on another machine first and confirm the Chinese language pack carries no rogue plug-ins before putting it on the production server.
2. Run Serv-U as an ordinary user, so that even if a trojan gets as far as running net localgroup Administrators xxx /add through it, the command fails.
3. Set the permissions on the Serv-U directory so that only Administrators and the account Serv-U runs as have access; grant nothing else, and above all no Everyone permissions (be very cautious with Everyone on a server; many articles online add Everyone to everything regardless, and you should not be lazy and do the same; none of the servers I configure use Everyone), nor Guests, nor Users. The aim is to block all access to the Serv-U directory through a webshell: if this step is not strict, then even with a local administration password set, a webshell can download your Serv-U files to crack offline or open them in UltraEdit-32 for analysis, which can still lead to an attack.
4. Disk directory permissions, that is, the directories your FTP users operate on such as web directories: apart from the IIS account permissions that are necessary, only Administrators and the account that runs Serv-U should have Full Control.
5. Always set a local administration password, to stop a webshell from connecting to the management port with the default user name and password.
6. Use UltraEdit-32 to change the default account name and password in the Serv-U binaries; the time is well spent.
7. Port settings: choose whatever you like. In my view this has little to do with security, because even if you move off the default port 21, anyone who wants to attack can find the new port with a scan.
As long as you attend strictly to the points above, you can use Serv-U with reasonable confidence. Of course, server security is a whole; negligence anywhere can put the entire server at risk. What is covered above is only the Serv-U-related security settings and does not mean the whole server is secure. Keep that in mind. Now on to the firewall settings.
Third, Serv-U related firewall settings:
One of the most common firewall challenges is the difference between active and passive FTP and how to configure a firewall to support both properly. Many administrators find that FTP transfers through a server behind a firewall always have some small problem, that the data sometimes "does not flow smoothly". Hopefully this article helps you understand how to support FTP in a firewall environment.
FTP is a TCP-only service; it does not use UDP. What makes it unusual is that it uses two ports, a data port and a command port (also called the control port). Conventionally these are port 21 for commands and port 20 for data. The trouble begins when we find that the data port is not always 20: it depends on the mode FTP is working in.
Active mode works like this: the client connects from an arbitrary unprivileged port N (N > 1023) to the FTP server's command port 21. The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the server (N+1 is the convention used in this explanation; a real client may listen on any port). The server then connects from its own data port 20 to the client's specified data port N+1.
For a firewall in front of the FTP server, the following traffic must be allowed to support active FTP:
Any port to the server's port 21 (client initiates the control connection, inbound)
Server's port 21 to ports > 1023 (server replies on the control connection, outbound)
Server's port 20 to ports > 1023 (server initiates the data connection to the client's data port, outbound)
Ports > 1023 to the server's port 20 (client sends ACKs to the server's data port, inbound)
The main problem with active FTP is actually on the client side. The FTP client never initiates the connection to the server's data port; it merely tells the server which port it is listening on, and the server connects back to that port. To the client's firewall that is an inbound connection from an external system to an internal client, which is usually blocked.
To solve the problem of the server initiating connections to the client, a different mode of FTP connection was developed. It is called passive mode, or PASV, and the client enables it by telling the server it wants to use passive mode. Common FTP client software has a setting for it, for example FlashFXP under Options > Preferences > Proxy.
In passive FTP both the command connection and the data connection are initiated by the client, which solves the problem of the server's inbound connection to the client's data port being filtered by the firewall. When an FTP connection is opened the client opens two arbitrary unprivileged local ports (N > 1023 and N+1). The first connects to the server's port 21, but unlike active FTP the client does not send a PORT command asking the server to connect back to its data port; instead it sends PASV. The server responds by opening an arbitrary unprivileged port P (P > 1023) and sending the client a 227 reply that carries P. The client then connects from its local port N+1 to port P on the server and the data is transferred.
For a server-side firewall, the following traffic must be allowed to support passive FTP:
Any port to the server's port 21 (client initiates the control connection, inbound)
Server's port 21 to ports > 1023 (server replies on the control connection, outbound)
Any port > 1023 to the server's ports > 1023 (client initiates the data connection to the port the server specified, inbound)
Server's ports > 1023 to remote ports > 1023 (server sends ACKs and data to the client's data port, outbound)
A brief summary of the pros and cons of active and passive FTP:
Active FTP is convenient for the FTP server administrator but awkward for the client side, because the server tries to connect to a high random port on the client, which the client's firewall is likely to block. Passive FTP is convenient for the client but awkward for the server administrator, because the client opens two connections to the server, one of them to a high random port, which the server's firewall is likely to block.
Fortunately there is a compromise. Since the FTP server administrator wants as many clients as possible to be able to connect, the server must support passive FTP. We reduce the exposure of the server's high ports by assigning the FTP server a limited port range for passive connections; any port outside that range stays blocked by the server's firewall. This does not remove all risk to the server, but it reduces it greatly.
When Serv-U is installed and run for the first time, the firewall asks whether to allow Serv-U to access the network; choose Allow, so that ServUDaemon.exe becomes a trusted program in the firewall.
Add the ports to the firewall. Note that if your FTP port is the default 21 you need to add two ports, 21 and 20; if your FTP port is 1000, add 999 as well, and so on, because the server's data port for active transfers is the control port minus one. One more thing: after adding the ports, leave the firewall's advanced settings alone; in my experience opening the ports there as well causes problems. This setting baffled me for a long time until I understood that only one place needs configuring. As shown in the figure:
Next set the Serv-U PASV port range, as shown in the picture. This setting is behind the frequent complaint that FTP transfers "do not flow smoothly", particularly on slow links. The range must be one that is free on the server: if, say, some software uses 3306, do not use 3000-3500. This is the limited port range for the FTP server mentioned above, which reduces the exposure of the server's high ports, and it is also what many domestic virtual hosting providers do.
Watch a transfer: the FlashFXP transfer log shows that each file transfer uses a port one higher than the previous one, starting from the bottom of the specified PASV range, and once the top of the range is reached it wraps back to the lowest port, cycling through the range transfer after transfer. Obviously, if a port in this range cannot be opened, the transfer is interrupted, which is the "not smooth" problem people keep mentioning, and the client has to reconnect.
In short, Serv-U does not need many firewall-related settings; it is basically the usual combination of port-based and program-based rules, and other firewalls can be configured the same way.
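The PORT/PASV arithmetic from the active and passive explanation above, and the server-side rules this section describes, as one added example that is not part of the original article. The article's screenshots show a third-party personal firewall; the rules here are the equivalent for the built-in Windows Firewall (New-NetFirewallRule requires Windows 8 / Server 2012 or later). It assumes Serv-U is installed in D:\soft\Serv-U, listens on port 21, and has been given 50000-50100 as its PASV range; the 227 reply fed to the parser is a constructed sample, not a capture.

```powershell
# Added example, not from the original article. Assumptions not stated in the
# text: Serv-U is in D:\soft\Serv-U, listens on 21, and its PASV range is set
# to 50000-50100 (any range free on the server works; as the text says, avoid
# ranges other software uses, e.g. around 3306).

# --- Protocol arithmetic: FTP carries a port as two decimal bytes, p1*256+p2 ---
function ConvertTo-PortCommand {
    # Active mode: the client listens on $Port and tells the server about it.
    param([string]$Address, [int]$Port)
    $parts = ($Address -split '\.') + @([int][math]::Floor($Port / 256), ($Port % 256))
    'PORT {0},{1},{2},{3},{4},{5}' -f $parts
}

function ConvertFrom-PasvReply {
    # Passive mode: the server's 227 reply names the port P the client must connect to.
    param([string]$Reply)   # e.g. "227 Entering Passive Mode (192,168,1,10,195,89)"
    if ($Reply -notmatch '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') { throw "Not a 227 reply: $Reply" }
    [pscustomobject]@{
        Address = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        Port    = [int]$Matches[5] * 256 + [int]$Matches[6]
    }
}

ConvertTo-PortCommand -Address '192.168.1.20' -Port 1025                        # PORT 192,168,1,20,4,1
$p = ConvertFrom-PasvReply '227 Entering Passive Mode (192,168,1,10,195,89)'  # constructed sample reply
$p                                                                              # Port 50009

# --- Windows Firewall rules for the server side --------------------------------
$exe       = 'D:\soft\Serv-U\ServUDaemon.exe'
$ctrlPort  = 21
$pasvRange = '50000-50100'

# Control connection, both modes: any client port -> server:21 (inbound).
New-NetFirewallRule -DisplayName 'Serv-U control' -Direction Inbound -Protocol TCP `
    -LocalPort $ctrlPort -Program $exe -Action Allow | Out-Null

# Passive data: client -> server:P, with P only inside the configured range (inbound).
# Without this rule the client gets the 227 reply, connects to P, and the transfer
# stalls: the "not smooth" symptom the text describes.
New-NetFirewallRule -DisplayName 'Serv-U passive data' -Direction Inbound -Protocol TCP `
    -LocalPort $pasvRange -Program $exe -Action Allow | Out-Null

# Active data: server:20 -> client:N+1 (outbound). Windows Firewall allows outbound
# by default; this rule only matters if you have switched the outbound default to block.
New-NetFirewallRule -DisplayName 'Serv-U active data' -Direction Outbound -Protocol TCP `
    -LocalPort ($ctrlPort - 1) -Program $exe -Action Allow | Out-Null

# Optional: Windows Firewall's FTP inspector opens data ports dynamically for any
# FTP session it sees; turning it off keeps the exposure to the explicit range
# above, which is the whole point of choosing a limited PASV range.
netsh advfirewall set global statefulftp disable | Out-Null

# Check that what the server advertises is inside what the firewall allows.
$lo, $hi = ($pasvRange -split '-') | ForEach-Object { [int]$_ }
if ($p.Port -ge $lo -and $p.Port -le $hi) { "PASV port $($p.Port) is inside $pasvRange" }
else { Write-Warning "PASV port $($p.Port) is outside $pasvRange; Serv-U and the firewall disagree" }
```

The last check is the one to repeat against a real session: log in with a client, issue PASV, and paste the 227 line you get into ConvertFrom-PasvReply. A port outside the range means the Serv-U setting did not take effect, and every transfer landing on it will hang exactly as described above.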
Finally, a little about the Serv-U banner and login message settings.
You may have seen messages like the following when connecting to an FTP server. Even without knowing the FTP account and password, anyone who knows the port (which can also be found by a scan) gets this output simply by connecting with an FTP client, or even by opening your FTP server from a DOS command prompt. Is it not a little too honest to tell everyone that you use Serv-U for your FTP server, and which version?
[Right] Connected to 60.215.xx.xx
[Right] 220 Serv-U FTP Server v6.4 for WinSock ready...
[Right] USER XPB
[Right] 331 User name okay, need password.
[Right] PASS (hidden)
[Right] 230 User logged in, proceed.
[Right] 215 UNIX Type: L8
[Right] 211-Extension supported
In fact Serv-U has a setting for this: under the domain settings there is a server response message you can customise, so you can replace the greeting with whatever you like, for example the banner of another FTP server such as "Welcome to Microsoft FTP Service", which creates a certain amount of confusion. It is only confusion, though: the rest of the replies in the log above (the 215 and 211 lines) still behave like Serv-U, so a changed banner is a supplement to the permission and password settings earlier in this article, not a replacement for them.
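A small audit of the two things this article says an attacker sees or uses without an FTP account of their own, added here as an example and not part of the original article: the 220 greeting on port 21 discussed in this section, and the default LocalAdministrator logon on the management port 127.0.0.1:43958 from section 3. The management port listens on loopback only, so the script is meant to be run on the server itself; it assumes the FTP listener is on port 21. The account name and password are the ones given in section 3.

```powershell
# Added example, not from the original article. Run on the Serv-U host.
# Assumption: the FTP listener is on port 21 of this machine.

function Read-FtpReply {
    # Reads one FTP reply including "220-..." continuation lines; the reply
    # ends at the first line of the form "<3 digits><space>".
    param([IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed before the reply ended' }
        $lines += $line
    } until ($line -match '^\d{3} ')
    [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Text = ($lines -join "`n") }
}

function Invoke-FtpProbe {
    # Connects, collects the greeting, then sends each command and collects its reply.
    param([string]$ComputerName = '127.0.0.1', [int]$Port, [string[]]$Commands = @())
    $client = New-Object Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream(); $stream.ReadTimeout = 5000
        $reader = New-Object IO.StreamReader($stream, [Text.Encoding]::ASCII)
        $writer = New-Object IO.StreamWriter($stream, [Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $replies = @(Read-FtpReply $reader)
        foreach ($cmd in $Commands) {
            $writer.WriteLine($cmd)
            $replies += Read-FtpReply $reader
        }
        $writer.WriteLine('QUIT')
        return $replies
    } finally { $client.Close() }
}

# 1. Banner: does the greeting still give away product and version?
$greeting = @(Invoke-FtpProbe -Port 21)[0]
$greeting.Text
if ($greeting.Text -match 'Serv-U') {
    Write-Warning 'The greeting names Serv-U and its version; set a custom server response message.'
}

# 2. Default management credentials on 43958 (the fixed strings from section 3).
try {
    $replies = @(Invoke-FtpProbe -Port 43958 -Commands 'USER LocalAdministrator', 'PASS #l@$ak#.lk;0@P')
    $final = $replies[-1]
    switch ($final.Code) {
        230     { Write-Warning 'Port 43958 accepts the DEFAULT LocalAdministrator logon. Unless the local administration password is set, any process on this host (a webshell included) can manage Serv-U users. Set the password and patch the binaries.' }
        530     { 'Default LocalAdministrator credentials rejected (530).' }
        default { "Unexpected reply on 43958: $($final.Text)" }
    }
} catch {
    "No management listener reachable on 127.0.0.1:43958 ($($_.Exception.Message))"
}
```

A 230 here is the condition the ASP trojans in section 3 depend on. The script stops at the logon and sends no management commands, so it cannot tell you whether the local administration password would block the subsequent user changes; the patched-binary check earlier and the Serv-U settings dialog are where you confirm that.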
Next, how are the login messages like the following, which you may often see, produced?
[Right] Connected to 202.194.xxx.xxx
[Right] 220-Welcome to XX University FTP server...
[Right] 220-Your IP address is: 211.64.xxx.xxx
[Right] 220-The current server time is 08:56:45
[Right] 220-1585 users have visited this FTP in the last 24 hours
[Right] 220-This FTP server has been running for 21 days, 18 hours and 6 minutes.
[Right] 220-Server statistics:
[Right] 220-Total number of users who have logged in:
[Right] 220-Number of users currently logged in: 18
[Right] 220-Bytes downloaded: 372000 KB
[Right] 220-Bytes uploaded: 118940 KB
[Right] 220-Files downloaded: 92
[Right] 220-Files uploaded: 1360
[Right] 220-Server average bandwidth: 810 KB/sec
[Right] 220 Server current bandwidth: 945 KB/sec
[Right] USER XPB
This is simple to set up as well: you only need to specify a message file to be shown when a user logs in. The setting is in the Serv-U domain settings, just below the server response message setting mentioned above. The login message file has the following format (the %-macros are expanded by Serv-U at login time):
You have successfully logged on to the FTP server
Your IP address is: %IP
The current server time is %time
%u24h users have visited this FTP in the last 24 hours
This FTP server has been running for %serverdays days, %serverhours hours and %servermins minutes.
Server statistics:
Total number of users who have logged in: %loggedinall
Number of users currently logged in: %unow
Bytes downloaded: %serverkbdown KB
Bytes uploaded: %serverkbup KB
Files downloaded: %serverfilesdown
Files uploaded: %serverfilesup
Server average bandwidth: %serveravg KB/sec
Server current bandwidth: %serverkbps KB/sec
Save this as a text file such as LoginInfo.txt in the Serv-U directory (you could put it elsewhere, but here you need not set permissions for the file separately, since the directory is already locked down to Administrators and the ftp account), then select it as the login message file.
This article is an English version of an article originally published in Chinese on aliyun.com.