FTP Account Lockout


FTP Account Lockout

Stuart VanZee
Hello list,

The company I work for is required to get PCI (Payment Card
something-or-other) certified in order to keep doing some of the things
that we are doing with credit card payments.  When I started working
here it was an all MS shop, including the FTP server.  In order to help
secure things (at all), I talked the boss into letting me set up an
OpenBSD server as the FTP server instead of windows2003.  Since then, I
have also set up firewalls, mail server, IDS etc. all based upon OpenBSD
(and loving every minute of it).  However, now that we need this cert,
one of the few things still standing in the way is the requirement that
we set up the FTP server to lock out (for 30 min.) any account that fails
to log in 3 times in a row.  I haven't been able to find any ftp software
that does that.  The FTP server that ships with OpenBSD uses system
accounts, and I haven't figured out how to do that there either.

If I don't get this figured out soon, the boss will lose patience and I
will be right back to MS hell trying to secure a win2003 ftp server just
because it will lock out an account that fails login 3 times in a row.
(and then probably figure out how to set up a win2003 firewall, IDS,
exchange server, etc etc etc... you get the pic)

If anyone has any suggestions, please let me know.

thanks.

Stuart van Zee
[hidden email]


Re: FTP Account Lockout

Ryan McBride
> The company I work for is required to get PCI (Payment Card
> something-or-other) certified in order to keep doing some of the things
> that we are doing with credit card payments.

Payment Card Industry Data Security Standard

[snip]

> However, now that we need this cert, one of the few things still
> standing in the way is the requirement that we set up the FTP server
> to lockout (for 30min.) any account that fails to login 3 times in a
> row.

You mean besides the fact that you're running FTP at all, right?
- PCI requires that all passwords are encrypted in transmission, and FTP
  doesn't do this.
- Depending on how you interpret the wording, PCI either prohibits or
  strongly discourages the use of FTP from 'untrusted' networks/hosts

Consider replacing your FTP solution with scp/sftp.

-Ryan

--
Ryan T. McBride, CISSP - [hidden email]
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 5A63 31A0 B2E0 4A64 3D16  C474 99A7 BEFE F9BA A8E0


Re: FTP Account Lockout

Stuart VanZee
In reply to this post by Stuart VanZee
Ryan,

Thanks for your input.  I have been gently pushing those who make
the decisions here towards sftp for some time now; however,
ultimately that is one decision that is out of my hands.  
According to the inspector that is doing our PCI inspection the
only requirement we haven't met as regards our FTP server is the
one for locking out an account that has failed 3 times in a row.
Personally I think that this requirement is rather dumb and adds
little to security, but we have to do what the inspector wants if
we want certification.  I have told my supervisor of your thoughts
as to encrypted passwords (or the lack of in FTP) so we'll see if
that helps.

Thanks again,
stuart

>You mean besides the fact that you're running FTP at all, right?
>- PCI requires that all passwords are encrypted in transmission, and FTP
>  doesn't do this.
>- Depending on how you interpret the wording, PCI either prohibits or
>  strongly discourages the use of FTP from 'untrusted' networks/hosts
>
>Consider replacing your FTP solution with scp/sftp.
>
>-Ryan


Re: FTP Account Lockout

Ryan Corder
In reply to this post by Stuart VanZee
On Fri, 2006-10-06 at 12:56 -0400, stuartv wrote:
> However, now that we need this cert,
> one of the few things still standing in the way is the requirement that we
> set up
> the FTP server to lockout (for 30min.) any account that fails to login 3
> times in a row.  I haven't been able to find any ftp software that does
> that.  The FTP server that ships with OpenBSD uses system accounts, and I
> haven't
> figured out how to do that there either.

I was faced with a similar situation a couple of years ago.  What I did
was use PureFTPd (available in ports) which allows you to write your own
authentication backend.  I wrote mine in perl and stored everything I
needed in a SQL database.

Not the safest, or most stable, solution, but given the requirements of
the project it worked really well and allowed for easy administration.

Of course, normal disclaimers apply... your server will only be as
"secure" (if you can call FTP secure) as your custom authentication
program is.

hope this helps.
ryanc

--
Ryan Corder <[hidden email]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646


Re: FTP Account Lockout

Damian Wiest
In reply to this post by Stuart VanZee
On Fri, Oct 06, 2006 at 02:41:31PM -0400, stuartv wrote:

> Ryan,
>
> Thanks for your input.  I have been gently pushing those who make
> the decisions here towards sftp for some time now; however,
> ultimately that is one decision that is out of my hands.  
> According to the inspector that is doing our PCI inspection the
> only requirement we haven't met as reguards to our FTP server is the
> one for locking out an account that has failed 3 times in a row.
> Personally I think that this requirement is rather dumb and adds
> little to security, but we have to do what the inspector wants if
> we want certification.  I have told my supervisor of your thoughts
> as to encrypted passwords (or the lack of in FTP) so we'll see if
> that helps.
>
> Thanks again,
> stuart
>
> >You mean besides the fact that you're running FTP at all, right?
> >- PCI requires that all passwords are encrypted in transmission, and FTP
> >  doesn't do this.
> >- Depending on how you interpret the wording, PCI either prohibits or
> >  strongly discourages the use of FTP from 'untrusted' networks/hosts
> >
> >Consider replacing your FTP solution with scp/sftp.
> >
> >-Ryan

I've had the misfortune of working with auditors regarding SOX
compliance.  I'm not sure who's coming up with these security
policies, but they don't seem to have a background in security work.
To compound the problem, the auditors I've dealt with seemed to simply
be following a checklist.  It's almost like the people creating the
auditing requirements read Gene Spafford's article on "Security Myths and
Passwords" [1] and decided to base their policies on the myths.

        So where did the change passwords once a month dictum
        come from? Back in the days when people were using
        mainframes without networking, the biggest uncontrolled
        authentication concern was cracking. Resources, however,
        were limited. As best as I can find, some DoD
        contractors did some back-of-the-envelope calculation
        about how long it would take to run through all the
        possible passwords using their mainframe, and the result
        was several months. So, they (somewhat reasonably) set
        a password change period of 1 month as a means to defeat
        systematic cracking attempts. This was then enshrined
        in policy, which got published, and largely accepted by
        others over the years. As time went on, auditors began
        to look for this and ended up building it into their
        best practice that they expected. It also got written
        into several lists of security recommendations.

-Damian

[1] http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/


Re: FTP Account Lockout

Sam Chill
In reply to this post by Stuart VanZee
On 10/6/06, stuartv <[hidden email]> wrote:
> Hello list,
Hi!
<snip>
> However, now that we need this cert,
> one of the few things still standing in the way is the requirement that we
> set up
> the FTP server to lockout (for 30min.) any account that fails to login 3
> times in a row.  I haven't been able to find any ftp software that does
> that.  The FTP server that ships with OpenBSD uses system accounts, and I
> haven't
> figured out how to do that there either.
I haven't thought about this too much, but initial testing looks
promising. OpenBSD's ftpd run with the -l switch logs failed login
attempts to /var/log/xferlog. If you wrote a small daemon that used
kqueue(2) to monitor this log file you could parse the xferlog to look
for repeated failed attempts at logging in and add that user to
/etc/ftpusers and then remove him 30 minutes later. It would of course
be better than this hack to modify ftpd to keep track of failed logins
and internally manage the locking out of accounts itself, but that
might be beyond what you are willing to do. If you are interested mail
me off-list and I might be able to help you hack something together.
Good luck,
Sam


Re: FTP Account Lockout

Tobias Ulmer
In reply to this post by Stuart VanZee
proftpd + mod_ban

Tobias


Re: FTP Account Lockout

Joachim Schipper
In reply to this post by Stuart VanZee
On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:

> Hello list,
>
> The company I work for is required to get PCI (Payment Card
> something-or-other) certified in order to keep doing some of the things
> that we are doing with credit card payments.  When I started working
> here it was an all MS shop, including the FTP server.  In order to help
> secure things (at all), I talked the boss into letting me set up an
> OpenBSD server as the FTP server instead of windows2003.  Since then, I
> have also set up firewalls, mail server, IDS etc. all based upon OpenBSD
> (and loving every minute of it).  However, now that we need this cert,
> one of the few things still standing in the way is the requirement that
> we set up the FTP server to lock out (for 30 min.) any account that fails
> to log in 3 times in a row.  I haven't been able to find any ftp software
> that does that.  The FTP server that ships with OpenBSD uses system
> accounts, and I haven't figured out how to do that there either.
>
> If I don't get this figured out soon, the boss will lose patience and I
> will be right back to MS hell trying to secure a win2003 ftp server just
> because it will lock out an account that fails login 3 times in a row.
> (and then probably figure out how to set up a win2003 firewall, IDS,
> exchange server, etc etc etc... you get the pic)
>
> If anyone has any suggestions, please let me know.

How about writing a login_* program for /usr/libexec/auth? It would be
sufficient to check if there have been too many login attempts recently,
and if not, call /usr/libexec/auth/login_passwd (or similar), and pass
the response.

There is quite a bit of information in login.conf(5). You'll also need
to modify this file, so it's a good place to start.

                Joachim
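Three of the replies in this thread (Ryan Corder's custom PureFTPd authentication backend, Sam Chill's log watcher that edits /etc/ftpusers, and Joachim Schipper's login_* wrapper in /usr/libexec/auth) need the same piece of logic: count failures per account, lock the account after three in a row, and let the lock expire after 30 minutes. The following is an added example written for this page, not code from any of the posters or from OpenBSD. It assumes ftpd's syslog wording for login results ("FTP LOGIN FAILED FROM host, user" and "FTP LOGIN FROM host as user"), assumes the caller supplies the time at which each event is seen, and the sample log lines, host names and account names in it are constructed. feed_line() is the log-watcher side; gate_login() is the decision a login_* wrapper would make around the real login_passwd, with the run_real_auth callable standing in for the child process that is not run here.

```python
"""Consecutive-failure account lockout for ftpd logins (added example).

Assumptions, none of which come from the thread's own code:
  * ftpd syslog wording: "FTP LOGIN FAILED FROM <host>, <user>" on failure,
    "FTP LOGIN FROM <host> as <user>" on success
  * policy from the PCI requirement quoted in the thread: 3 in a row, 30 min
  * the caller passes the time each event is observed (a log-tailing daemon
    would pass time.time() as each line arrives)
"""
import re
import time

THRESHOLD = 3            # failures in a row that trigger a lock
LOCK_SECONDS = 30 * 60   # lock duration

FAILED_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\S+), (\S+)$")
OK_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FROM (\S+) as (\S+)$")


class LockoutTracker:
    """Per-account count of consecutive failures plus lock expiry times."""

    def __init__(self, known_users):
        # The user name in a FAILED line is whatever the client typed, so only
        # accounts that actually exist are tracked; anything else is noise.
        self.known_users = set(known_users)
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> epoch seconds when the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[user]      # expired: drop the lock and the old count
        self.failures.pop(user, None)
        return False

    def record_failure(self, user, now):
        """Count one failure; return True if this failure locks the account."""
        if user not in self.known_users or self.is_locked(user, now):
            return False
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n < THRESHOLD:
            return False
        self.locked_until[user] = now + LOCK_SECONDS
        return True

    def record_success(self, user, now):
        """A successful login ends the 'in a row' sequence."""
        if not self.is_locked(user, now):
            self.failures.pop(user, None)

    def locked_users(self, now):
        """Accounts locked right now (what a log watcher would put in /etc/ftpusers)."""
        return sorted(u for u in list(self.locked_until) if self.is_locked(u, now))


def feed_line(tracker, line, now):
    """Apply one ftpd syslog line to the tracker. Returns True on a new lock."""
    m = FAILED_RE.search(line)
    if m:
        return tracker.record_failure(m.group(2), now)
    m = OK_RE.search(line)
    if m:
        tracker.record_success(m.group(2), now)
    return False


def gate_login(tracker, user, now, run_real_auth):
    """Decision for a BSD-auth style wrapper (a login_* program).

    A locked account is rejected before the real authenticator ever sees the
    password. Otherwise run_real_auth() (in a real wrapper: run
    /usr/libexec/auth/login_passwd with the same arguments and read its
    back-channel text) is called, its verdict recorded, and the text
    returned so the wrapper can forward it unchanged.
    """
    if tracker.is_locked(user, now):
        return "reject\n"
    response = run_real_auth()
    if response.startswith("authorize"):
        tracker.record_success(user, now)
    else:
        tracker.record_failure(user, now)
    return response


# Constructed sample lines in syslog layout; not taken from a real server.
SAMPLE_LOG = [
    "Oct  6 12:56:01 ftphost ftpd[1201]: FTP LOGIN FAILED FROM 192.0.2.5, stuart",
    "Oct  6 12:56:04 ftphost ftpd[1202]: FTP LOGIN FAILED FROM 192.0.2.5, stuart",
    "Oct  6 12:56:09 ftphost ftpd[1203]: FTP LOGIN FAILED FROM 192.0.2.5, stuart",
    "Oct  6 12:57:30 ftphost ftpd[1204]: FTP LOGIN FAILED FROM 198.51.100.7, nosuchuser",
    "Oct  6 12:58:00 ftphost ftpd[1205]: FTP LOGIN FAILED FROM 198.51.100.7, alice",
    "Oct  6 12:58:20 ftphost ftpd[1206]: FTP LOGIN FROM 198.51.100.7 as alice",
]


def replay_sample(start=0.0):
    """Feed SAMPLE_LOG at 10 s intervals; return the tracker and the final time."""
    t = LockoutTracker(known_users={"stuart", "alice"})
    now = start
    for line in SAMPLE_LOG:
        now += 10
        feed_line(t, line, now)
    return t, now


if __name__ == "__main__":
    t, now = replay_sample(time.time())
    print("locked now:", t.locked_users(now))                          # ['stuart']
    print("locked after 30 min:", t.locked_users(now + LOCK_SECONDS))  # []
```

Two practitioner caveats. In the login_* variant every authentication attempt runs a fresh process, so the counters have to live in a file that only the authenticator can write, and the lock must not depend on a log watcher keeping up: with the /etc/ftpusers approach there is a window between the third failure and the file edit during which a fourth attempt still reaches the password check. Locking by account name also means anyone who knows a username can lock its owner out with three bad passwords; that is what the requirement asks for, so keep the source host in the log and pair the rule with a per-source connection limit in pf (max-src-conn-rate with an overload table) rather than loosening the per-account rule.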


Re: FTP Account Lockout

Mark Maxey-3
You can approach this a couple of ways:

1. eliminate plaintext ftp altogether. SSHv2 is an excellent free
replacement here or you can use FTP-SSL

2. restrict access to this service in your firewall by ip

3. put the ftp behind vpn

I'm a Visa QDSP and these are a couple of things you could do.

Joachim Schipper said:

> On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:
>> Hello list,
>>
>> The company I work for is required to get PCI (Payment Card
>> something-or-other) certified in order to keep doing some of the things
>> that we are doing with credit card payments.  When I started working
>> here it was an all MS shop, including the FTP server.  In order to help
>> secure things (at all), I talked the boss into letting me set up an
>> OpenBSD server as the FTP server instead of windows2003.  Since then, I
>> have also set up firewalls, mail server, IDS etc. all based upon OpenBSD
>> (and loving every minute of it).  However, now that we need this cert,
>> one of the few things still standing in the way is the requirement that
>> we set up the FTP server to lock out (for 30 min.) any account that fails
>> to log in 3 times in a row.  I haven't been able to find any ftp software
>> that does that.  The FTP server that ships with OpenBSD uses system
>> accounts, and I haven't figured out how to do that there either.
>>
>> If I don't get this figured out soon, the boss will lose patience and I
>> will be right back to MS hell trying to secure a win2003 ftp server just
>> because it will lock out an account that fails login 3 times in a row.
>> (and then probably figure out how to set up a win2003 firewall, IDS,
>> exchange server, etc etc etc... you get the pic)
>>
>> If anyone has any suggestions, please let me know.
>
> How about writing a login_* program for /usr/libexec/auth? It would be
> sufficient to check if there have been too many login attempts recently,
> and if not, call /usr/libexec/auth/login_passwd (or similar), and pass
> the response.
>
> There is quite a bit of information in login.conf(5). You'll also need
> to modify this file, so it's a good place to start.
>
> Joachim


--
Mark Maxey
Information Security Specialist - Masters of Tech
[hidden email]
Phone: 859.948.5841
PGP ID: 0x0EA3D5A2


Re: FTP Account Lockout

ICMan
Also, you could do the following:

1) Limit the scope of the PCI certification by placing all CC storing or
processing systems on a DMZ behind an appropriately configured firewall;

AND

2) make sure that your FTP server is outside of this DMZ.

This assumes that the FTP server does not contain or process credit card
data, and does not have access to the new credit card processing
environment.

Appropriately configured firewall of course means configured according
to the principle of least privilege, and in accordance with the rest of
the PCI DSS requirements.

Mark Maxey wrote:

>You can approach this a couple of ways
>
>1. eliminate plaintext ftp all together. SSHv2 is an excellent free
>replacement here or you can use FTP-SSL
>
>2. restrict access to this service in your firewall by ip
>
>3. put the ftp behind vpn
>
>I'm a visa QDSP and these are a couple of things you could do.
>
>Joachim Schipper said:
>
>> On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:
>>> Hello list,
>>>
>>> The company I work for is required to get PCI (Payment Card
>>> something-or-other) certified in order to keep doing some of the things
>>> that we are doing with credit card payments.  When I started working
>>> here it was an all MS shop, including the FTP server.  In order to help
>>> secure things (at all), I talked the boss into letting me set up an
>>> OpenBSD server as the FTP server instead of windows2003.  Since then, I
>>> have also set up firewalls, mail server, IDS etc. all based upon OpenBSD
>>> (and loving every minute of it).  However, now that we need this cert,
>>> one of the few things still standing in the way is the requirement that
>>> we set up the FTP server to lock out (for 30 min.) any account that fails
>>> to log in 3 times in a row.  I haven't been able to find any ftp software
>>> that does that.  The FTP server that ships with OpenBSD uses system
>>> accounts, and I haven't figured out how to do that there either.
>>>
>>> If I don't get this figured out soon, the boss will lose patience and I
>>> will be right back to MS hell trying to secure a win2003 ftp server just
>>> because it will lock out an account that fails login 3 times in a row.
>>> (and then probably figure out how to set up a win2003 firewall, IDS,
>>> exchange server, etc etc etc... you get the pic)
>>>
>>> If anyone has any suggestions, please let me know.
>>
>> How about writing a login_* program for /usr/libexec/auth? It would be
>> sufficient to check if there have been too many login attempts recently,
>> and if not, call /usr/libexec/auth/login_passwd (or similar), and pass
>> the response.
>>
>> There is quite a bit of information in login.conf(5). You'll also need
>> to modify this file, so it's a good place to start.
>>
>> Joachim