How to build a stable FTP server


I. The choice of operating system

An FTP server runs on top of an operating system, so the security of the operating system itself sets the ceiling for the security of the FTP server. Although Windows 98/Me can host an FTP server, its security is weak and easily breached, so it is best not to use it. Windows NT is marginal at best. It is best to use Windows 2000 or later, and remember to install patches promptly. Unix and Linux are not discussed here.

II. Using the firewall

A port is the logical interface between the computer and the external network and is also the computer's first barrier; whether the ports are configured correctly directly affects the security of the host. In general, open only the ports you actually need and block all the others. There are many ways to restrict ports, including third-party personal firewalls; only the firewall features built into Windows are described here.

1. Using the TCP/IP filtering function

Windows 2000 and Windows XP have a built-in TCP/IP filtering function that makes it easy to restrict ports. Taking Windows XP as an example: open the properties of "Local Area Connection", find "Internet Protocol (TCP/IP)" on the "General" tab and double-click it to open the protocol's property window. Click the "Advanced" button at the bottom right to go to "Advanced TCP/IP Settings". On the "Options" tab select "TCP/IP Filtering" and double-click it to enter its properties. Here you can restrict the system to only the ports you allow: if the FTP server is on port 21, first select "Enable TCP/IP Filtering (All adapters)", then select "Permit Only" in the TCP Ports column, click "Add", enter the port number 21 and confirm. The system will now only allow port 21 to be open; to open other ports, keep adding them. This effectively prevents the most common intrusion, through port 139.

The disadvantage is that the function is too simple: you can only list the ports that are allowed to be open, not specify ports to close. If you have a large number of ports to open, you have to add them one by one, which is tedious.

2. Enabling the Internet Connection Firewall

Windows XP includes an "Internet Connection Firewall", which is more convenient and more powerful than TCP/IP filtering: besides its own built-in port rules, you can add and delete rules yourself. Open "Network Connections" in the Control Panel, right-click the dial-up connection, go to the "Advanced" tab and check "Protect my computer and network by limiting or preventing access to this computer from the Internet" to enable it. By default the FTP port is closed, so you need to configure the firewall to open the FTP port you use. Click the "Settings" button at the bottom right to go to "Advanced Settings", select "FTP Server" and click Edit. Since the default port of the FTP service is 21, nothing can be changed except the IP address field; enter the server's public IP address, exit, and the change takes effect immediately. If the FTP server uses another port, such as 22, click "Add" under the "Services" tab, enter a service name and the public IP address, and enter 22 as both the external and the internal port number.

III. Setting up server software such as IIS and Serv-U

Besides the security measures provided by the system, the settings of the FTP server software itself must be used to improve the security of the whole server.

1. IIS security settings

1) Install new patches promptly. IIS has an "excellent" record of security vulnerabilities: new ones turn up every two or three months. Fortunately, Microsoft provides patches for newly discovered vulnerabilities, so you must download and install the latest patches.

2) Install to a non-system disk and turn off unneeded services. Some malicious users can gain access to the system through IIS vulnerabilities. Placing IIS on the system partition exposes the system files along with IIS to illegal access, making it easier for an intruder to reach the system partition. In addition, since IIS is a bundle of several services, each extra service lowers the security of the whole; do not install or start services you do not need.

3) Allow only anonymous connections. The biggest security hole in FTP is that by default passwords are transmitted in plain text, which is easy to sniff. IIS manages FTP users with Windows user accounts, so system account names and passwords leak easily; if the account has administrative rights, the security of the whole system is affected. Setting "Allow only anonymous connections" avoids the risk of leaking credentials in transit. Open the properties of "Default FTP Site", go to the "Security Accounts" tab and select this option.

4) Carefully set the home directory and its permissions. IIS can set the FTP site home directory to a shared directory on another computer in the LAN, but a shared directory on the LAN is easily hit by viruses from other computers, and in severe cases the whole LAN can be affected, so do not do this unless there is no alternative. It is best to use a local directory on a non-system partition formatted as NTFS; you can then set the appropriate permissions on each directory per group or user. Right-click the directory, open "Sharing and Security → Security", and do not grant "Write" permission unless necessary.

5) Try not to use the default port 21, and enable logging so that anomalies can be investigated.

2. Serv-U security settings

Compared with the IIS FTP service, Serv-U does a better job on security.

1) Local server settings. First, select "Block FTP_bounce attacks and FXP". Generally, when the FTP protocol is used for file transfer, the client first sends a PORT command to the FTP server containing the client's IP address and the port number to be used for data transmission; the server then uses the address information in the command to establish a connection to the client. In most cases this causes no problems, but a malicious client can put a different address in the PORT command and make the FTP server connect to a machine other than the client. Even if the malicious user has no right to access that machine directly, if the FTP server can reach it, the malicious user can use the FTP server as an intermediary to reach the target. This is FXP, also known as a cross-server attack (FTP bounce). Once the option is selected, this is prevented. Second, on the "Advanced" tab, check whether "Encrypt passwords" and "Enable security" are selected, and select them if not. "Encrypt passwords" stores the user's password hashed with a one-way hash function (MD5) in ServUDaemon.ini or the registry; if this option is not selected, user passwords are saved in the file in clear text. "Enable security" turns on the Serv-U server's security features.
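The check behind a "block FTP bounce" option, shown as an added example (not Serv-U's or IIS's own code): the server parses the client's PORT command and refuses a data connection whose address differs from the control connection's peer. The extra rejection of privileged data ports (below 1024) is an assumed, common hardening, not something the text above states.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Parse a PORT command line into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range")
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def check_port_command(line, peer_ip):
    """Decide whether to honour a PORT command from the client at peer_ip.

    Returns (allowed, reason). A bounce attempt supplies an address other than
    the client's own, so the data address must equal the control peer; ports
    below 1024 are refused too, so the server cannot be pointed at other services.
    """
    try:
        ip, port = parse_port_command(line)
    except ValueError as e:
        return False, str(e)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(peer_ip):
        return False, f"data address {ip} does not match control peer {peer_ip}"
    if port < 1024:
        return False, f"privileged data port {port} refused"
    return True, f"{ip}:{port}"


if __name__ == "__main__":
    # Constructed sample: one legitimate client and one bounce attempt.
    peer = "192.168.1.20"
    for cmd in ("PORT 192,168,1,20,4,1", "PORT 10,0,0,5,0,25"):
        print(cmd, "->", check_port_command(cmd, peer))
```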


2) Settings in the domain. As mentioned above, FTP transmits passwords in clear text by default, which is easy to sniff. For accounts with only ordinary permissions the risk is not great, but if the account has remote management rights, especially system administrator privileges, the whole server can be remotely controlled. Serv-U offers three security types for each account's password: regular password, OTP S/KEY MD4 and OTP S/KEY MD5. Each type protects the password differently in transit, and the regular password has the lowest security. In the settings of an account with administrative rights, find the "Password Type" drop-down list on the "General" tab, select the second or third type, and save. Note that when the user logs in with this account, the FTP client software must support this password type (CuteFTP Pro, for example); when the password is entered, the corresponding password type can be selected so that the server can authenticate it. As with IIS, set the home directory and its permissions carefully: if there is no need to grant write or other permissions that modify server files or directories, do not grant them. Finally, go to "Settings", open the "Log" tab, select "Enable logging to file", and set the log file name, save path and the parameters to record, so that you can easily examine the server's activity whenever you need to.

Copyright © Windows knowledge All Rights Reserved