
How to Detect Rogue FTP Servers on your Network

Posted by John V. on Tue, Jan 08, 2013 @ 12:16 PM

Overview

Rogue FTP servers can be a menace. Not only do they pose a serious threat to company privacy, they can also stand in the way of regulatory compliance. In this post, you'll learn where these servers come from, what specific dangers accompany them, and how they can be detected.

 

How networks spring forth rogue FTP servers

First of all, FTP servers are not difficult to install. In fact, all widely used operating systems (Windows, Mac OS X, and Linux, included) already have built-in FTP servers and even FTP clients. It's just a matter of having a user with the know-how and enough administrator privileges to activate them. 

 

[Screenshot: the built-in FTP server on Mac OS X]

 

There are also a lot of free FTP servers and free FTP clients which can be downloaded from the Web. Obviously, anybody who wants to use FTP can easily do so. That's why FTP is often the preferred ad-hoc solution by people who need to share files.

With enough know-how, some individuals can even set up public FTP servers, which can enable them to easily share files over the Internet. 

But as ad-hoc solutions, FTP servers don't usually go through the company's normal software acquisition process. In other words, employees don't bother to seek approval from their IT departments (or even inform IT staff) before deploying them. Now that you know how these rogue servers come about, it's time to discuss why you wouldn't want any lying around in your network.

 

Dangers of having rogue FTP servers

We know that end users rarely pay attention to information security. All they're concerned with is to get their tasks done as quickly as possible. They don't bother to implement access control, authentication, authorization, encryption, and other proper security measures. 

And even if these users wanted to apply security, they usually lack the skills to carry out security measures effectively. Besides, deploying security tools without sufficient background on actual threats, vulnerabilities, and best practices can give users a false sense of security, which can leave them even more exposed.

This is all the more true because we're talking about an ancient technology that first came into existence in the 1970s, at a time when the main motivation for developing Internet technologies was information sharing and had nothing to do with information security.

Because of FTP's inherently insecure architecture, attackers can easily carry out a number of exploits like:

Let me give you one example that highlights the risks brought about by regular end users who install applications like FTP:

A tech-savvy employee named Jason wants to share files with a client. Thinking it's no big deal, Jason decides to deploy Windows' built-in FTP server on his Windows XP desktop without informing his company's IT department.

Just like most users, Jason accepts the default settings during installation. As a result, the FTP server he manages to deploy is set to active mode, the default mode of Windows XP's FTP service.

Sadly, an active mode FTP server is vulnerable to bounce attacks, which not only allow attackers to identify and (eventually) gain access to other servers in Jason's network, but also make it difficult to trace the origin of the attacks.

As fate would have it, an attack ensues, and it takes some time before IT staff discovers the security breach. By then, the attackers are long gone, and the loot (confidential information consisting of employees' personal information, financial data, and trade secrets) has already been passed on to the black market.

Jason had absolutely no intention of exposing confidential company data. But the data got exposed anyway.

While it may be almost impossible to stop end users like Jason (as well as those users with malicious intentions) from installing rogue FTP servers, you can certainly take steps to uncover these highly vulnerable servers before any harm is done.

 

Detecting rogue FTP servers

First, you'll have to identify all file transfer servers that have been deployed by your IT department. A list of these servers will presumably be found in your inventory of services.

Once the exact location/IP addresses of these servers have been pinpointed, you can then run a scan on your network to discover any file transfer servers (FTP or otherwise) that have been deployed without your knowledge. To do this effectively, you would need a network scanning tool like JSCAPE MFT Monitor. Here's how you would use it.

Let's say you have a LAN that has legitimate file transfer services running on Server 1 (with IP address 10.0.0.4) and Server 2 (with 10.0.0.5). According to your existing inventory of services, Server 1 should be running an FTP service and an FTPS service, while Server 2 should be running only one file transfer service: an SFTP service. 

 

[Diagram: the network before the JSCAPE MFT Monitor scan]

To verify that these services exist, you would enter them into JSCAPE MFT Monitor's list of Known Services as shown below.

 

[Screenshot: JSCAPE MFT Monitor's list of Known Services]

 

You would then set up a scan that searches for certain file transfer services. In the screenshot shown below, for example, the scan searches for FTP, FTPS (Implicit), and SFTP services. Under the Network section, you see that the CIDR address 10.0.0.0/24 is entered into the IP Address field. This instructs JSCAPE MFT Monitor to scan all possible IP addresses in the network, i.e., 10.0.0.1 - 10.0.0.255.

Alternatively, you can list specific addresses (e.g. 10.0.0.4, 10.0.0.5, 10.0.0.6) if you're absolutely sure those are the only machines connected to the network.

 

[Screenshot: JSCAPE MFT Monitor scan settings]

 

Here's an example of what the results of such a scan look like:

 

[Screenshot: JSCAPE MFT Monitor scan results showing an unlisted server]

 

From that result, you can determine which file transfer services make up your network and where they are located. We now know, for example, that a rogue FTP service is running on Server 2. In addition, we also now know that another rogue FTP service is running on a physical server that is not in the inventory at all!

 

[Diagram: services detected by JSCAPE MFT Monitor]

 

Because of these discoveries, you can quickly take action and deactivate those rogue services before malicious individuals take advantage of them. It's best to conduct scans from time to time so that any new rogue server does not stay active for long.
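As an added example (not JSCAPE's code or the product's own logic), here is a Python script that performs the same inventory-versus-scan comparison described above: it probes every host in the CIDR for the three service ports, then reports services the inventory does not authorise, including every service found on an unlisted host. The inventory for Server 1 and Server 2, the 10.0.0.0/24 range, and the standard port numbers (21, 990, 22) are assumptions taken from the scenario in this post.

```python
import ipaddress
import socket
from typing import Callable, Dict, Set

# Ports probed for the three service types the scan looks for.
# Assumed standard ports: FTP 21, implicit FTPS 990, SFTP (over SSH) 22.
SERVICE_PORTS = {21: "FTP", 990: "FTPS (Implicit)", 22: "SFTP"}

# Inventory of known services, constructed from the post's Server 1 / Server 2 scenario.
KNOWN_SERVICES: Dict[str, Set[str]] = {
    "10.0.0.4": {"FTP", "FTPS (Implicit)"},  # Server 1
    "10.0.0.5": {"SFTP"},                     # Server 2
}


def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Real probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_network(cidr: str, probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, Set[str]]:
    """Probe every host address in the CIDR for the service ports.

    Returns {ip: {service labels}} for hosts with at least one open port.
    The probe is injectable so the comparison logic can be exercised offline.
    """
    found: Dict[str, Set[str]] = {}
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        hits = {label for port, label in SERVICE_PORTS.items() if probe(str(ip), port)}
        if hits:
            found[str(ip)] = hits
    return found


def find_rogue_services(known: Dict[str, Set[str]], observed: Dict[str, Set[str]]):
    """Diff the scan against the inventory.

    rogue: (ip, service) pairs that are running but not authorised, including
    every service on a host the inventory does not list at all.
    missing: inventoried services the scan did not see (down or firewalled),
    worth a follow-up so the inventory itself stays trustworthy.
    """
    rogue = {(ip, s) for ip, svcs in observed.items() for s in svcs - known.get(ip, set())}
    missing = {(ip, s) for ip, svcs in known.items() for s in svcs - observed.get(ip, set())}
    return sorted(rogue), sorted(missing)
```

Run find_rogue_services(KNOWN_SERVICES, scan_network("10.0.0.0/24")) from a host inside the LAN; a TCP connect only shows that a port is open, so confirm each hit by inspecting the banner or the host before deactivating anything.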

 

Summary

You've just learned how rogue FTP servers come about, what dangers they bring, and how you can detect them. JSCAPE MFT Monitor does more than scan your network for rogue file transfer servers: you can also set it up to conduct scheduled automated scans and to notify you when rogue servers are detected. We'll talk about those features in another blog post, so stay tuned for that.
