RhinoSoft.com - Newsletter Archive

12-07-2009 - IP Access Rules and Secure Passwords In Serv-U
Hello,
Welcome to another installment of the RhinoSoft.com newsletter. You are getting this newsletter because you signed up on our web site. If you would like to stop receiving these newsletters, please visit: http://www.RhinoSoft.com/newsletter/unsubscribe.asp
The intent of this newsletter is to give you some pointers on our products. This newsletter highlights Serv-U's security features.
IP Access Rules In Serv-U
One of the most powerful but misunderstood features of Serv-U is the use of IP Access rules to configure access to the server. IP Access rules allow administrators to define which Internet hosts are trusted by Serv-U enough to log in, which hosts are not trusted for logging in, and even allows specific user accounts to be restricted to connections from certain IP addresses.
By default, Serv-U allows anyone to connect and provide a username and password combination to log in to the server. If their username and password do not match a valid account, the user cannot log on. IP Access rules provide an extra layer of security in this regard. If a rule is defined at the Server level or at the Domain level, users who are not trusted by the IP Access rules will be disconnected immediately and not allowed to log on. If a rule is defined at the user level, the user will be allowed to log on but after the username and password are provided, if the user's IP address does not match a trusted IP address, the logon will be rejected.
Allow vs Deny Rules
There are two types of IP Access rules: "Allow" and "Deny". "Deny" rules are simpler to understand so we will cover them first.
A "Deny" IP Access rule defines an IP address, or a range of addresses that are not allowed to connect to Serv-U (or to log on using a certain user account). When a "Deny" rule is configured, Serv-U will deny connections from "Denied" addresses, but allow connections from all other hosts. This is most commonly seen when a server is under attack by an automated password-guessing utility, and is covered in the next section. Rules can also be set up for IP ranges that are known to host malware and pose a threat. These rules are optional for security, but remember that as long as you choose secure passwords for your users the chance of a dictionary attack being successful is very small.
An "Allow" rule is more complex. Whereas a "Deny" rule only blocks specific IP addresses, an "Allow" rule instead explicitly allows connections only from specific IP addresses and denies all other connections by adding an implicit "deny-all" rule to the end of the list. This "deny-all" will not be visible in the list, but it is implied since an "Allow" rule indicates that you will be explicitly stating all users who may connect.
The "Allow" rule, then, requires more planning and care than a "Deny" rule. Using "Allow" rules effectively allows you as an administrator to restrict incoming connections to only IP address ranges that you trust, which may be only internal IP addresses or perhaps your IP range and that of a partner. If you configure IP Access rules and find that you can no longer connect to Serv-U, it is usually because an "Allow" rule was added incorrectly, and all that is necessary is to configure it so your IP range is part of the trusted IP addresses.
IP Access Rule Formatting
IP Access rules can be entered either as a single host, as a wildcard, as a reverse DNS record or as a CIDR block of addresses. The following are all valid IP Access rules:
192.168.1.70 - Specifies a single host
192.168.1.* - Specifies all addresses in the 192.168.1.1-255 range
192.168.1.0/24 - Specifies all addresses from 192.168.1.1-255 using CIDR notation
*google.com - Specifies all IP addresses whose reverse DNS record resolves to an address including the string "google.com"
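To make the rule semantics above concrete, here is an added example (not Serv-U's own code) that evaluates a list of IP Access rules in the four formats just listed. It assumes first-match-wins ordering, that the reverse DNS name is looked up by the caller and passed in, and that an implicit deny-all applies whenever at least one "Allow" rule exists:

```python
import ipaddress
from fnmatch import fnmatchcase

# Added example of Serv-U style IP Access rule evaluation (constructed; not Serv-U code).
# A rule is (action, pattern) where action is "allow" or "deny" and pattern is one of:
#   single host "192.168.1.70", wildcard "192.168.1.*", CIDR "192.168.1.0/24",
#   or a reverse-DNS pattern such as "*google.com".

def _ip_wildcard_match(pattern, ip):
    """Octet-by-octet wildcard match so '192.168.1.*' does not match 192.168.10.5."""
    p_parts, ip_parts = pattern.split("."), ip.split(".")
    if len(p_parts) != 4 or len(ip_parts) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(p_parts, ip_parts))

def rule_matches(pattern, ip, rdns=None):
    """True if the client address (or its reverse DNS name) matches one rule pattern."""
    if "/" in pattern:                                   # CIDR block
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace("*", "").replace(".", "").isdigit():  # IP literal or IP wildcard
        return _ip_wildcard_match(pattern, ip)
    # Anything else is a reverse DNS pattern; only meaningful if a PTR name is known.
    return rdns is not None and fnmatchcase(rdns.lower(), pattern.lower())

def evaluate(rules, ip, rdns=None):
    """Return 'allow' or 'deny' for a connection from ip (assumption: first match wins)."""
    for action, pattern in rules:
        if rule_matches(pattern, ip, rdns):
            return action
    # The implicit "deny-all": once any Allow rule exists, unmatched hosts are denied.
    # With only Deny rules (or none), Serv-U's default of accepting everyone remains.
    has_allow = any(action == "allow" for action, _ in rules)
    return "deny" if has_allow else "allow"

if __name__ == "__main__":
    office_only = [("allow", "192.168.1.0/24"), ("allow", "203.0.113.7")]
    for client in ("192.168.1.70", "203.0.113.7", "198.51.100.5"):
        print(client, "->", evaluate(office_only, client))
```

Note that the same rule list with "allow" changed to "deny" on the first entry makes the lockout disappear for 198.51.100.5: this is the "I can no longer connect" symptom the text describes.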
Blocking Brute Force / Dictionary Attacks
Serv-U also supports the option to automatically block brute force attacks that try to repeatedly guess passwords. To enable this option, open the Server Limits & Settings | Settings menu, and enable the "Block users who connect more than..." option on the top of the page. Remember that only incomplete and unsuccessful connections are counted against users, so a user who opens 10 FTP transfers at the same time will not trigger the limit because he has valid credentials for each connection.
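As an added illustration of the counting rule just described (this is constructed example code, not Serv-U's implementation, and the log format is invented), the function below counts only failed logons per source address inside a sliding time window and reports which sources crossed a "more than N" threshold, then renders them as single-host "Deny" rules:

```python
from collections import defaultdict, deque

# Constructed sample log, hypothetical format: "<epoch seconds> <ip> <user> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.9 guesses repeatedly; 198.51.100.4 opens several valid sessions in a row.
SAMPLE_LOG = """\
1000 203.0.113.9 alice LOGIN_FAIL
1001 203.0.113.9 admin LOGIN_FAIL
1002 198.51.100.4 bob LOGIN_OK
1003 203.0.113.9 root LOGIN_FAIL
1004 198.51.100.4 bob LOGIN_OK
1005 198.51.100.4 bob LOGIN_OK
1006 198.51.100.4 bob LOGIN_OK
1007 203.0.113.9 test LOGIN_FAIL
1200 203.0.113.9 alice LOGIN_FAIL
"""

def find_offenders(log_text, max_failures=3, window_seconds=60):
    """Return {ip: timestamp} for sources with MORE than max_failures failed logons
    within any window_seconds interval. Successful logons are never counted, which is
    why a user opening many parallel transfers with valid credentials is not blocked."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    tripped = {}
    for line in log_text.splitlines():
        ts, ip, _user, result = line.split()
        if result != "LOGIN_FAIL":
            continue
        ts = int(ts)
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > window_seconds:   # expire old failures
            window.popleft()
        if len(window) > max_failures and ip not in tripped:
            tripped[ip] = ts
    return tripped

def deny_rules(offenders):
    """Render tripped sources as Serv-U style single-host Deny rules."""
    return [f"Deny {ip}" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in deny_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```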
Creating Secure Passwords
Good passwords are at least six characters long, include upper/lower case letters and at least one number, and are not based on dictionary words. These passwords are often based on phrases that are easy to remember, such as:
"I love my dog Ginger" -> "1lmdGin"
"Serv-U is my file server" -> "SUim5S"
These phrases help make passwords easier to remember and help mitigate the "passwords on sticky notes" risk that can happen when users choose passwords which make little sense, such as a truly random character combination.
Try Serv-U Free for 30 Days
Download Serv-U:
http://www.Serv-U.com/download/
FREE SUPPORT OPTIONS
If you need technical or sales support, please use one of the following URLs. Our support turn-around time is very fast during normal working hours Central Time U.S.:
Technical Support:
http://www.RhinoSoft.com/support
Knowledge Base:
http://www.RhinoSoft.com/kb
Sales Support:
http://www.RhinoSoft.com/sales
ON-LINE CUSTOMER SERVICE
If you need to change any of your customer information, you can make changes on-line. The RhinoSoft.com On-line Customer Service page allows you to resend your registration ID, receipt, invoice, and change your information in our database. To use it, visit:
http://www.RhinoSoft.com/customer
Thank you for taking the time to read.
Thomas J. Parikka - Technical Support Engineer
http://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628

