My Sonicwall won’t let me FTP! Error: FTP: PASV response bounce attack dropped
A user at one of my remote home offices has a SonicWall TZ-170 and cannot download files from an FTP server for work. His connections kept closing before he ever authenticated. Since I could log in to the same server from my office, I decided the hardware firewall at his end was blocking the connection, and on closer inspection the SonicWall was indeed dropping these sessions because it thought they were malicious.
According to Microsoft, an FTP bounce attack is:
The CERT (http://www.Cert.org) Advisory CA-97.27 warns of an FTP security attack called the “Bounce” attack. This involves misuse of the Port command to maliciously open a connection to a port on the File Transfer Protocol (FTP) server.
In the classic attack the client sends a PORT command naming a third host, and the FTP server then opens the data connection to that host on the attacker’s behalf. Microsoft also says that IIS 4.0 and later stop these attacks. So why wouldn’t my firewall let me log in to a client’s FTP site? It was logging:
FTP: PASV response bounce attack dropped
What the TZ-170 is objecting to is the passive-mode counterpart of that attack. In passive mode the server’s 227 reply to PASV tells the client which address and port to connect to for the data channel. The firewall compares that address with the server’s address on the control connection and, if they differ, drops the reply and the session dies before you ever see a login prompt. The usual innocent cause is an FTP server behind NAT (or with more than one interface) that advertises its internal address instead of the public one. If you are not scared of visiting your SonicWall’s back door, there is a simple way to switch the check off: log in to the device and replace /main.cgi at the end of the URL with /diag.html.
Click the Internal Settings button and you will get a screen that looks like this:
Scroll down, clear the checkbox next to FTP BOUNCE ATTACK PROTECTION, and you will be FTP’ing again in no time. This worked on every SonicWall I have tried, including the TZ-170, TZ-150, Pro 200, Pro 300 and Pro 3060, and probably a whole bunch more. Bear in mind that the setting is global: clearing it turns the check off for every FTP session through the firewall, not just for this one server, so if the server’s admin can fix the address in its PASV reply, that is the cleaner cure. Got any SonicWall or other firewall tips or tricks? Leave ’em in the comments!
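To see what the firewall is actually checking, here is an added example (my own code, not from the post, the commenters, or SonicWall) that parses an FTP 227 PASV reply and compares the advertised address with the server’s control-connection address, which is the comparison a “PASV response bounce” check makes. The verdict names, the RFC 1918 test and the live_check helper are my own assumptions about how to present the result; the sample replies are constructed from documentation addresses, and nothing touches the network unless you call live_check with a real host.

```python
import ipaddress
from ftplib import FTP
import re

# RFC 959 PASV reply, e.g. "227 Entering Passive Mode (203,0,113,10,195,80)."
# The six numbers are the four IPv4 octets and the data port as p1*256 + p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 ranges, listed explicitly so the verdict does not depend on what a
# particular Python version considers "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_pasv(reply, server_ip):
    """Emulate the firewall's check on a PASV reply.

    server_ip is the peer address of the control connection. Verdicts (my own
    labels, constructed for this example):
      'ok'      - advertised address matches the server; the reply passes
      'private' - advertised address is RFC 1918: a NATed server leaking its
                  inside address; a mismatch, so the firewall drops it
      'bounce'  - advertised address is some other routable host; the pattern
                  the protection exists to stop
    Returns (verdict, ip, port).
    """
    ip, port = parse_pasv(reply)
    if ip == server_ip:
        return "ok", ip, port
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        return "private", ip, port
    return "bounce", ip, port


def live_check(host, user="anonymous", passwd="anonymous@", timeout=10):
    """Connect to a real server, issue PASV and classify its reply (needs network)."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    try:
        ftp.login(user, passwd)
        server_ip = ftp.sock.getpeername()[0]  # the address the firewall compares against
        return classify_pasv(ftp.sendcmd("PASV"), server_ip)
    finally:
        ftp.close()


# Constructed sample replies using documentation addresses (not real servers).
SAMPLES = [
    ("203.0.113.10", "227 Entering Passive Mode (203,0,113,10,195,80)."),  # ok
    ("203.0.113.10", "227 Entering Passive Mode (192,168,1,20,195,80)."),  # private
    ("203.0.113.10", "227 Entering Passive Mode (198,51,100,7,0,21)."),    # bounce
]

if __name__ == "__main__":
    for server_ip, reply in SAMPLES:
        verdict, ip, port = classify_pasv(reply, server_ip)
        print(f"{verdict:<8} server={server_ip} advertised={ip}:{port}")
```

Run live_check(host) from a network where the login works (the office, in this case) before touching the firewall: a “private” verdict means the server is advertising its inside address, which is something to ask the server’s administrator to fix rather than a reason to disable the check for everyone behind the TZ-170.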



July 30, 2008 - 2:02 pm
It looks like the low end hardware firewalls are now being initially configured to limit what can get out, and you have to make adjustments for what you need, outside of the manufacturers default settings.
Smoothwall Express 3.0 (free), when first installing, does have about three initial set-ups you can select, and as far as I can remember one blocks everything, one allows the main ports, and I think the other one was let everything through. I selected the main ports setting, and then had to add a couple of special email ports and the time ports to the allow list.
At first I didn’t realize what was wrong, but the logs in Smoothwall Express help you to see what’s getting blocked.
I suppose the problem with going this route is having the inclination to install it (it’s not that hard) and having an old computer, putting a minimum of two NIC’s in and having the space to park it.
If anyone is interested in going this route, for version 3.0 you need a minimum of about a 300MHz Pentium, 128MB RAM and about 6.4GB disk, with keyboard and CD drive required just for the installation. You use your web browser for any configuration, monitoring, etc. after installation. Go to Smoothwall.org to download the free ISO version; you just need to burn a CD.
You could go the mini ITX route to keep it quite small like the Sonicwall but the box would be a bit OTT for a firewall.
I use a Shuttle box that was a bit OTT, just so I could fit it in a cupboard where my mains, telephone, tv and network distribution is.
July 30, 2008 - 2:21 pm
Cool, I will check that out. We happen to use Sonicwall pretty extensively.
-EDP
July 30, 2008 - 4:28 pm
I think the real question here is why use FTP?
http://stevenf.com/archive/dont-use-ftp.php
July 31, 2008 - 2:43 am
Adrian – Um, why not use FTP? FTP is a great tool for moving larger files. (Maybe you say why in your link but it’s not working.)
July 31, 2008 - 3:18 am
I use FTP daily and SSL FTP if I need something a little more secure. But yeah, I agree with Peter: why shouldn’t I be using FTP, Steven?
I get a 404 on that link as well – is this some sort of viral link that is supposed to make me search around for your post/answer?
July 31, 2008 - 11:06 am
I use FTP for all kinds of stuff, the number one is that I do not allow email attachments over 10MB. If someone needs to get a file to us or from us that is larger than 10MB they can drop it off or pick it up from the FTP server (which I don’t have to backup, unlike the email server).
I would take Adrian’s advice with a grain of salt (more like a baseball sized chunk than a grain really).
August 13, 2008 - 3:22 pm
I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!
December 22, 2008 - 9:10 am
Thank you for this information – it helped me troubleshoot a remote site for several users on a construction project we’re working on.
February 2, 2009 - 6:05 pm
The link is still bad, but the biggest reason to limit the use of FTP is because, most of the time, it is clear text. That means your username and password are sent unencrypted across the Internet. When possible, use FTP w/ SSL or SCP/SFTP to make sure your transactions are secure.
As for this post, I personally don’t like SonicWall firewalls (slow, need reboots, etc.). But, with that being said, by disabling bounce attack protection in a dedicated appliance, you’re relying on an operating system that was originally created for easy file-sharing (Windows) to do the security job… this is not good practice.
Why not just switch to active mode FTP?
Karl L. Gechlik | AskTheAdmin.com Reply:
February 4th, 2009 at 4:58 am
After looking into active mode FTP, it is a great suggestion. Thanks, Clay.