How to Detect Rogue FTP Servers on your Network
Rogue FTP servers can be a menace. Not only do they put the confidentiality of company data at risk, they can also stand in the way of regulatory compliance. In this post, you'll learn where these servers come from, what specific dangers accompany them, and how they can be detected.
How networks spring forth rogue FTP servers
First of all, FTP servers are not difficult to install. All widely used operating systems (Windows, Mac OS X and Linux included) either ship with an FTP server and FTP client or make them a one-step optional install. It's just a matter of having a user with the know-how and enough administrator privileges to activate them.
Built-in FTP server on Mac OS X
There are also plenty of free FTP servers and free FTP clients that can be downloaded from the Web. In short, anybody who wants to use FTP can easily do so, which is why FTP is so often the preferred ad-hoc solution for people who need to share files.
With enough know-how, some individuals can even set up public FTP servers, which can enable them to easily share files over the Internet.
But as ad-hoc solutions, FTP servers don't usually go through the company's normal software acquisition process. In other words, employees don't bother to seek approval from their IT departments (or even inform IT staff) before deploying them. Now that you know how these rogue servers come about, it's time to discuss why you wouldn't want any lying around in your network.
Dangers of having rogue FTP servers
We know that end users rarely pay attention to information security. All they're concerned with is to get their tasks done as quickly as possible. They don't bother to implement access control, authentication, authorization, encryption, and other proper security measures.
And even if these people wanted to apply security, they still lack the skills to carry out security measures effectively. Besides, deploying security tools without sufficient background on actual threats, vulnerabilities, and best practices can give users a false sense of security, which can make them even more vulnerable.
More so because we're talking about an old protocol, one that first appeared in the early 1970s, when the main motivation for developing Internet technologies was information sharing and had nothing to do with information security.
Because of FTP's inherently insecure architecture, attackers can easily carry out a number of exploits like:
Let me give you one example that highlights the risks brought about by regular end users who install applications like FTP:
A tech-savvy employee named Jason wants to share files with a client. Thinking it's no big deal, Jason decides to enable Windows' built-in FTP server on his Windows XP desktop without informing his company's IT department.
Like most users, Jason accepts the default settings during installation. What he ends up with is a server that serves active-mode transfers with its default settings, opening a data connection to whatever IP address and port the client names in its PORT command.
Sadly, such a server is open to the classic FTP bounce attack. Because the server will connect to any address it is told to, an attacker can use it as a relay to port-scan, and eventually reach, other hosts inside Jason's network that the attacker could not reach directly. Every one of those connections appears to originate from Jason's desktop rather than from the attacker, which also makes the true origin of the attack difficult to trace.
As fate would have it, an attack ensues, and it takes some time before IT staff discover the security breach. By then, the attackers are long gone and the loot (confidential information consisting of employees' personal information, financial data, and trade secrets) has already been passed on to the black market.
Jason had absolutely no intention of exposing confidential company data. But the data got exposed anyway.
While it may be almost impossible to stop end users like Jason (as well as those users with malicious intentions) from installing rogue FTP servers, you can certainly take steps to uncover these highly vulnerable servers before any harm is done.
Detecting rogue FTP servers
First, you'll have to identify all file transfer servers that have been deployed by your IT department. A list of these servers will presumably be found in your inventory of services.
Once the exact location/IP addresses of these servers have been pinpointed, you can then run a scan on your network to discover any file transfer servers (FTP or otherwise) that have been deployed without your knowledge. To do this effectively, you would need a network scanning tool like JSCAPE MFT Monitor. Here's how you would use it.
Let's say you have a LAN that has legitimate file transfer services running on Server 1 (with IP address 10.0.0.4) and Server 2 (with 10.0.0.5). According to your existing inventory of services, Server 1 should be running an FTP service and an FTPS service, while Server 2 should be running only one file transfer service: an SFTP service.
To verify that these services exist, you would enter them into JSCAPE MFT Monitor's list of Known Services as shown below.
You would then set up a scan that searches for certain file transfer services. In the screenshot shown below, for example, the scan is looking for FTP, FTPS (Implicit), and SFTP services. Under the Network section, you see that the CIDR address 10.0.0.0/24 is entered into the IP Address field. This instructs JSCAPE MFT Monitor to probe every host address in that subnet, i.e., 10.0.0.1 through 10.0.0.254.
Alternatively, you can specify individual addresses (e.g. 10.0.0.4, 10.0.0.5, 10.0.0.6) if you're absolutely sure those are the only machines connected to the network. A CIDR scan is the safer choice, since the whole point is to find machines you don't know about.
Here's an example of what the results of such a scan look like:
From that result, you can see which file transfer services are present on your network and where they are located. In the example, a rogue FTP service is running on Server 2, which according to the inventory should only be running SFTP. Another rogue FTP service is running on a physical server that isn't in the inventory at all.
Armed with these discoveries, you can quickly deactivate those rogue services before malicious individuals take advantage of them. It's best to repeat the scan on a regular schedule so that a rogue server that appears later doesn't stay active for long.
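As an added example (not JSCAPE's code, and not part of the original post), here is the same inventory-versus-scan comparison done by hand in Python with plain sockets. The addresses and the KNOWN_SERVICES inventory are constructed to match the scenario above, and the port-to-service mapping is an assumption based on the conventional ports; the banner rules rely only on the standard greetings (a 220 reply from an FTP server, an SSH- identification string from SSH).

```python
"""
Added example: sweep a subnet for file transfer listeners, fingerprint them
from their greeting, and diff the findings against the sanctioned inventory.
Not JSCAPE's code. Hosts, addresses and the inventory are constructed.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed port-to-service mapping: the conventional ports for each service.
PROBE_PORTS = {21: "FTP", 990: "FTPS (implicit)", 22: "SFTP"}

# Constructed inventory of what IT actually deployed (host -> services).
KNOWN_SERVICES = {
    "10.0.0.4": {"FTP", "FTPS (implicit)"},
    "10.0.0.5": {"SFTP"},
}


def classify_banner(port, banner):
    """Map a listener's greeting to a service name, or None if it isn't one we track."""
    if port == 22:
        # SSH servers send their identification string first; SFTP rides on SSH.
        return "SFTP" if banner.startswith("SSH-") else None
    if port == 21:
        # Plain FTP greets with a 220 reply before the client sends anything.
        return "FTP" if banner.startswith("220") else None
    if port == 990:
        # Implicit FTPS starts with a TLS handshake, so there is no plaintext
        # banner to read; an open port 990 is reported as FTPS (implicit).
        return "FTPS (implicit)"
    return None


def probe(host, port, timeout=1.0):
    """Connect, read the greeting if there is one, and return the classified service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).decode("ascii", "replace")
            except socket.timeout:
                banner = ""
    except OSError:
        # Closed, filtered or unreachable: nothing listening that we can see.
        return None
    return classify_banner(port, banner)


def scan(cidr, timeout=1.0, workers=64):
    """Return {ip: set(services)} for every host in the CIDR with a tracked listener."""
    targets = [(str(ip), p) for ip in ipaddress.ip_network(cidr).hosts() for p in PROBE_PORTS]
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda t: probe(t[0], t[1], timeout), targets)
        for (ip, port), svc in zip(targets, results):
            if svc:
                found.setdefault(ip, set()).add(svc)
    return found


def find_rogues(discovered, known):
    """Return {ip: set(services)} seen on the wire but absent from the inventory."""
    rogues = {}
    for ip, services in discovered.items():
        extra = services - known.get(ip, set())
        if extra:
            rogues[ip] = extra
    return rogues


if __name__ == "__main__":
    import sys

    cidr = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/24"
    for ip, svcs in sorted(find_rogues(scan(cidr), KNOWN_SERVICES).items()):
        print(f"ROGUE {ip}: {', '.join(sorted(svcs))}")
```

Two caveats a practitioner should keep in mind. First, this only finds listeners on the conventional ports that are reachable from wherever the scan runs, so run it from inside the LAN and extend PROBE_PORTS if you suspect servers on non-standard ports; a host firewall will hide a server entirely. Second, almost every SSH daemon has the sftp subsystem enabled, so every SSH host on port 22 will be reported as SFTP and should be checked against the inventory rather than assumed to be a file transfer server.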
You've just learned how rogue FTP servers come about, what dangers they bring, and how you can detect them. JSCAPE MFT Monitor not only scans your network for rogue file transfer servers; you can also set it up to run scheduled automated scans and to notify you when rogue servers are detected. We'll talk about those features in another blog post, so stay tuned for that.