Securing Ports and Services
The BGSU Information Security Team periodically monitors the administrative network to identify vulnerabilities and risks. This helps protect the confidentiality, integrity, and availability of information systems necessary for the academic mission of BGSU.
Computer systems connected to the network advertise open ports and services. Attackers often perform reconnaissance on these services, research existing vulnerabilities, and use them to gain access to
Sound administration of these networked systems is imperative. Review the services each system exposes, verify that they are patched against known vulnerabilities, and disable any that are not necessary for academic purposes.
The following sections provide additional detail on the secure administration of these services.
SSH (Secure Shell) is a network protocol used to create an encrypted, authenticated connection between two systems. By default the service listens on TCP port 22.
Unfortunately, attackers on the Internet constantly scan for this service, and once they find it they may focus further attention on it and on the other services the system exposes. As with any protocol, vulnerabilities (weaknesses) are discovered in SSH implementations that can allow attackers to compromise systems advertising the service. Once compromised, these systems can be used for criminal activity such as sending spam, identity theft, and participation in botnets.
SSH is also subject to "brute force" attacks, in which an attacker repeatedly guesses usernames and passwords until a pair is accepted. Monitoring logs and adding further layers of protection (key-only authentication, firewall rules, lockouts) help defeat these attacks, which otherwise may go unnoticed for a long time.
In April 2009 SANS reported a sharp rise in attacks on SSH servers and stressed the importance of vigilance regarding SSH services.
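The log review described above can be automated. As an added example (not part of the BGSU page or its tooling), the following POSIX shell/awk script runs over a constructed sample of OpenSSH log lines and reports source addresses that exceed a failure threshold, plus the more serious case of a password login accepted from a source that had already been failing, which is the signature of a guess that worked. The log lines, host name, account names, addresses (RFC 5737 documentation ranges) and threshold are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not BGSU's own tooling: spot SSH brute forcing in OpenSSH logs.
# Works on /var/log/auth.log, /var/log/secure, or "journalctl -u ssh | ... -".

# Usage: ssh_bruteforce_report LOGFILE THRESHOLD   (LOGFILE may be "-" for stdin)
# Prints "BRUTE <ip> failures=N distinct_users=M" for sources with N >= THRESHOLD,
# and "ALERT <ip> ..." when such a source later had a *password* login accepted.
ssh_bruteforce_report() {
    awk -v thr="$2" '
    # Address after the word "from" in an sshd message; empty if absent
    function src(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
    # Account name sits directly before "from" ("... for invalid user admin from ...")
    function acct(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i - 1); return "" }
    /sshd\[[0-9]+\]: Failed password for / {
        ip = src(); u = acct()
        fails[ip]++
        if (!((ip, u) in seen)) { seen[ip, u] = 1; nusers[ip]++ }
    }
    # Keys cannot be guessed this way, so only password acceptances are suspicious
    /sshd\[[0-9]+\]: Accepted password for / {
        ip = src()
        if ((ip in fails) && fails[ip] >= thr) alert[ip] = fails[ip]
    }
    END {
        for (ip in fails)
            if (fails[ip] >= thr)
                printf "BRUTE %s failures=%d distinct_users=%d\n", ip, fails[ip], nusers[ip]
        for (ip in alert)
            printf "ALERT %s password login accepted after %d failures\n", ip, alert[ip]
    }' "$1" | sort
}

# Constructed sample log (documentation addresses only), not taken from a real host
write_sample_authlog() {
    cat > "$1" <<'EOF'
Apr 14 03:12:01 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Apr 14 03:12:03 host1 sshd[2233]: Failed password for root from 203.0.113.45 port 51240 ssh2
Apr 14 03:12:05 host1 sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 51244 ssh2
Apr 14 03:12:07 host1 sshd[2237]: Failed password for root from 203.0.113.45 port 51250 ssh2
Apr 14 03:12:09 host1 sshd[2239]: Failed password for invalid user oracle from 203.0.113.45 port 51255 ssh2
Apr 14 03:15:22 host1 sshd[2301]: Failed password for jsmith from 192.0.2.10 port 60012 ssh2
Apr 14 03:15:30 host1 sshd[2301]: Accepted publickey for jsmith from 192.0.2.10 port 60012 ssh2
Apr 14 03:20:01 host1 sshd[2410]: Failed password for backup from 198.51.100.7 port 40001 ssh2
Apr 14 03:20:04 host1 sshd[2410]: Failed password for backup from 198.51.100.7 port 40001 ssh2
Apr 14 03:20:07 host1 sshd[2410]: Failed password for backup from 198.51.100.7 port 40001 ssh2
Apr 14 03:20:11 host1 sshd[2412]: Failed password for backup from 198.51.100.7 port 40002 ssh2
Apr 14 03:20:14 host1 sshd[2412]: Failed password for backup from 198.51.100.7 port 40002 ssh2
Apr 14 03:20:17 host1 sshd[2412]: Accepted password for backup from 198.51.100.7 port 40002 ssh2
EOF
}

log=$(mktemp)
write_sample_authlog "$log"
ssh_bruteforce_report "$log" 4
rm -f "$log"
```

With a threshold of 4 the sample yields two BRUTE lines (203.0.113.45 spraying four different account names, 198.51.100.7 hammering one) and one ALERT for 198.51.100.7, whose sixth attempt was accepted; the single mistyped password from 192.0.2.10 followed by a key login is correctly ignored. On a live host, pipe `journalctl -u ssh --since today` into the function with `-` as the file name, and treat any ALERT as an incident rather than a statistic.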
- Enable the SSH service only when necessary.
- Use strong, unique passphrases and non-default account names, and change them promptly whenever compromise is suspected.
- Reconfigure SSH to accept only passphrase-protected SSH keys and to refuse plain password logins (PasswordAuthentication no).
- Configure the firewall to allow only the necessary systems to connect to the SSH service. A host that cannot reach the port cannot brute-force it.
- Monitor the SSH logs (/var/log/auth.log or /var/log/secure, or journalctl -u ssh) on a regular basis to see who is trying to get in.
- Disable root logins (PermitRootLogin no) and limit logins to only the necessary accounts (AllowUsers or AllowGroups).
- Disable SSH protocol version 1. It is older and cryptographically weak; OpenSSH removed server support for it in 7.4, but older installations still need Protocol 2 set explicitly.
- Optionally move the service from TCP port 22 to a higher unused port. This relies on obscurity rather than security, but it cuts down on automated scanning noise. Open the new port in the firewall before making the change.
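Most of the checklist above is a handful of sshd_config directives. As an added example (not BGSU's own material), the following POSIX shell script audits an sshd_config for the weak settings the list warns about and emits a hardening drop-in file that corrects them. It assumes OpenSSH 8.2 or newer with the Debian/Ubuntu layout, where /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`; the group name ssh-users, the file names and the weak sample configuration are all illustrative.

```shell
#!/bin/sh
# Added example, not BGSU's own material: audit an sshd_config against the
# checklist above and emit a hardening drop-in. Assumes OpenSSH 8.2 or newer,
# where sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# (the Debian/Ubuntu layout); group name and paths are illustrative.

# Usage: audit_sshd_config FILE
# Prints one "WEAK ..." line per finding and returns 1 if anything was found.
# sshd keeps the FIRST value it reads for a keyword, so the audit does too, and
# it stops at the first Match block (conditional settings need "sshd -T").
audit_sshd_config() {
    sed -e 's/#.*//' "$1" | awk '
    function val(k, d) { return (k in first) ? first[k] : d }
    NF == 0 { next }
    { k = tolower($1); v = tolower($2) }
    k == "match" { inmatch = 1 }
    inmatch { next }
    !(k in first) { first[k] = v }
    END {
        weak = 0
        if (val("passwordauthentication", "yes") != "no") {
            print "WEAK PasswordAuthentication=" val("passwordauthentication", "yes") " (want no)"; weak++ }
        # the default prohibit-password still lets root in with a key; the list says no root logins
        if (val("permitrootlogin", "prohibit-password") != "no") {
            print "WEAK PermitRootLogin=" val("permitrootlogin", "prohibit-password") " (want no)"; weak++ }
        if (val("permitemptypasswords", "no") == "yes") {
            print "WEAK PermitEmptyPasswords=yes (want no)"; weak++ }
        if (index(val("protocol", "2"), "1")) {
            print "WEAK Protocol=" val("protocol", "2") " (SSHv1 enabled; want 2)"; weak++ }
        if (!("allowusers" in first) && !("allowgroups" in first)) {
            print "WEAK no AllowUsers/AllowGroups (every account may log in)"; weak++ }
        exit weak > 0
    }'
}

# Usage: write_hardening_dropin FILE   (assumed target: /etc/ssh/sshd_config.d/99-hardening.conf)
write_hardening_dropin() {
    cat > "$1" <<'EOF'
# Hardening drop-in (added example). Because sshd keeps the first value for each
# keyword, this file must be Included before the stock settings in sshd_config.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
# Assumed group: only its members may log in at all
AllowGroups ssh-users
# Slow down guessing: 3 tries per connection, 30 s to finish authenticating
MaxAuthTries 3
LoginGraceTime 30
# Uncomment to move off 22 (obscurity only); open the new port in the firewall first
#Port 2222
EOF
}

weak=$(mktemp); hard=$(mktemp)
# Constructed weak configuration standing in for a neglected host (not a real file)
printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$weak"
echo "== weak sample =="
audit_sshd_config "$weak" || echo "-> fix before exposing this host"
echo "== hardening drop-in =="
write_hardening_dropin "$hard"
audit_sshd_config "$hard" && echo "-> no findings"
rm -f "$weak" "$hard"
```

Install the drop-in, run `sshd -t` to syntax-check the merged configuration, and keep an existing session open while restarting sshd so a mistake in AllowGroups cannot lock you out. KbdInteractiveAuthentication is the current name for what older releases call ChallengeResponseAuthentication; set both if the installed version is older than 8.7.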
FTP (File Transfer Protocol) is a network protocol for transferring files between a client and a server. FTP was not designed with security in mind: credentials and file contents travel in the clear and can be exposed to unauthorized users. It is strongly recommended to examine the secure file transfer alternatives, such as SFTP and FTPS, before deploying it.
- Usernames and passwords are sent in plaintext and can be intercepted by anyone positioned on the network path.
- FTP login banners can reveal the server software and version. That information lets attackers target known vulnerabilities in the specific release.
- Anonymous logins can lead to information exposure and system compromise if the server is not properly maintained, logged, and patched against vulnerabilities.
- If FTP is required, enable it only when necessary and disable it immediately after use.
- Change the banner message so that it does not show the FTP software or its version.
- Disable anonymous access. Attackers routinely look for anonymous-writable servers in order to take them over or abuse them as file drops.
- Enable logging so you can determine whether each account is being used as expected.
- Enable access control lists (ACLs) if available.
- Set up FTP as a "blind put": users who only need to deliver files may upload, but cannot list or download the directory contents.
- Enable disk quotas.
- Enable logon time restrictions.
- Restrict access by IP address. This greatly reduces exposure to unauthorized access.
- Audit logon events.
- Enable strong password requirements.
- Enable account lockout with a lockout threshold.
- Prefer SFTP, the SSH File Transfer Protocol, which encrypts both credentials and file contents between client and server (despite the common expansion "Secure FTP", it is a different protocol carried over SSH, not FTP over SSL).
- Alternatively configure FTPS, FTP over TLS (the successor to SSL; SSLv2 and SSLv3 should be disabled), which encrypts the control and data channels.
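Where FTP must stay, the recommendations above map onto a short vsftpd configuration. As an added example (not BGSU's own material), the following POSIX shell script writes a vsftpd.conf for an authenticated "blind put" drop box with FTPS enforced, with comments noting the insecure default each line overrides, and checks that the settings the list calls for are present. It assumes vsftpd 3.x; the certificate paths, user-list path, banner text and passive port range are illustrative. Disk quotas and logon time restrictions are not vsftpd settings; they come from filesystem quotas and PAM (pam_time) respectively.

```shell
#!/bin/sh
# Added example, not BGSU's own material: a vsftpd configuration for an
# authenticated "blind put" drop box with FTPS enforced, plus a check that the
# settings from the list above are present. Assumes vsftpd 3.x; certificate
# paths, user-list path and passive port range are illustrative.

# Usage: write_vsftpd_dropbox_conf FILE   (e.g. /etc/vsftpd.conf)
write_vsftpd_dropbox_conf() {
    cat > "$1" <<'EOF'
listen=YES
listen_ipv6=NO
# No anonymous access (a stock vsftpd build defaults this to YES)
anonymous_enable=NO
# Named local accounts only (default NO), restricted to those in userlist_file
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
# Blind put: uploads work (write_enable default NO) but listing and download
# do not (dirlist_enable and download_enable default YES)
write_enable=YES
dirlist_enable=NO
download_enable=NO
# Confine each account to its home. vsftpd refuses a writable chroot root, so
# give uploaders a writable upload/ subdirectory rather than a writable home.
chroot_local_user=YES
local_umask=077
# Replace the "(vsFTPd x.y.z)" greeting so the version is not advertised
ftpd_banner=Authorized use only. All transfers are logged.
# Log every transfer (default NO) and drop the session after 3 bad passwords
xferlog_enable=YES
max_login_fails=3
idle_session_timeout=300
# FTPS: ssl_enable defaults to NO; the force_* settings default to YES once TLS
# is on, but are stated explicitly so nobody relaxes them by accident
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
# Fixed passive range so the firewall can restrict it (and the source IPs) tightly
pasv_min_port=40000
pasv_max_port=40100
EOF
}

# Usage: vsftpd_conf_is_hardened FILE
# Returns 0 when every required key=value is present; prints what is missing otherwise.
# vsftpd requires exactly "key=value" with no spaces, so a whole-line match is correct.
vsftpd_conf_is_hardened() {
    missing=0
    for kv in anonymous_enable=NO dirlist_enable=NO download_enable=NO \
              xferlog_enable=YES ssl_enable=YES force_local_logins_ssl=YES \
              force_local_data_ssl=YES; do
        grep -qx "$kv" "$1" || { echo "missing: $kv"; missing=1; }
    done
    return $missing
}

conf=$(mktemp)
write_vsftpd_dropbox_conf "$conf"
vsftpd_conf_is_hardened "$conf" && echo "$conf: required hardening present"
rm -f "$conf"
```

Pair the configuration with firewall rules that admit only the approved client addresses to port 21 and the passive range, and verify from a client that a plaintext `USER` is refused with a "must use encryption" style response before TLS is negotiated. If the drop box serves a single automated uploader, SFTP with a key-only account is usually the simpler and safer replacement.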