DigitalOcean Firewall
      Back to home
      1. CNS Policies
      2. DigitalOcean Knowledge Base
      3. DigitalOcean Firewall

      Open FTP

      Risk Level: High

      Description: 

      This plugin determines if the TCP port 20/21 for FTP (File Transfer Protocol) is open to the public. Unlike HTTP and HTTPS, which can be available to public access, TCP port 20 and 21 must be restricted to known IP addresses. These ports are used by File Transfer Protocol to transfer files and establish connections between client-server. To minimize false positives, this plugin reports only those firewalls with public IP associated with any of its droplets.

      About the Service :

      DigitalOcean Firewall:

      DigitalOcean Cloud Firewalls are an organization-based, stateful firewall administration for Droplets given at no extra expense. Cloud firewalls block all traffic that isn't explicitly allowed by a standard. Firewalls place an obstruction between your servers and different machines in the organization to safeguard them from outer assaults. Firewalls can behave based, which are designed on a for every waiter premise utilizing administrations like IPTables or UFW. Others, such as DigitalOcean Cloud Firewalls, are network-based and stop traffic at the organization layer before it arrives at the server.

      Impact : 

      Firewall for the droplets are used to control the incoming and outgoing traffic. There are rules defined under firewalls that can allow specific IP addresses to access the droplets with the protocol and the Ports specified. FTP is a protocol used to transfer files on a computer network. Since the authentication for establishing an FTP connection is done in plain text, hackers can easily retrieve the username and password. In such an event, if the FTP connection can be accessed publicly, attackers can list all the files on the server and exploit the data obtained. Misconfigured FTP servers can lead to enormous data leaks.

      Steps to Reproduce :

      1. Login to the digital ocean console.
      2. Select Networking under the MANAGE section.
      3. Switch to the Firewalls tab.
      4. Select a firewall from the given lists.
      5. Check under Inbound Rules and/or Outbound Rules, if the Type is set to All TCP/custom, Protocol as TCP and Port Range includes either All ports or port 20 or 21, visit the Steps for Remediation section.  
      6. Repeat the process for other firewalls with open FTP ports as well.

      Steps for Remediation :

      1. Login to the digital ocean console.
      2. Select Networking under the MANAGE section.
      3. Switch to the Firewalls tab.
      4. Select a firewall from the given lists.
      5. Check under Inbound Rules and/or Outbound Rules, if the Type is set to All TCP/custom, Protocol as TCP and Port Range includes either All ports or port 20 or 21, we will have to change the source and destination for the port to enhance security.  
      6. Select the rule in which port 20 or 21 is open to all source or destination by clicking on More, click on Edit Rule.  
      7. Under Sources remove All IPv4 and All IPv6 options, add the eligible source (in Inbound Rules) / destination (in Outbound Rules) IP address and click on Save
      8. Repeat the process for other open FTP ports as well.