Selected "Disallow plain unencrypted FTP" Selected "Enable FTP over TLS support (FTPS)" Cleared the "Listen on these ports" field Encryption set to "Require Implicit FTP over TLS"
Protocol set to "FTP - File Transfer Protocol" Based on your feedback I now have the following setup: Tries to login to a non FTPS enabled FTP service without sending a 'AUTH TLS' command first and checks if the service is accepting the login without enforcing the use of the 'AUTH TLS' command.ĭetails: FTP Unencrypted Cleartext Login (OID: 1.3.6.1.3.28) Please see the manual of the FTP service for more information. You have to use FTP over TLS.Īn attacker can uncover login names and passwords by sniffing traffic to the FTP service.Įnable FTPS or enforce the connection via the 'AUTH TLS' command. Anonymous sessions: 331 This server does not allow plain FTP. Non-anonymous sessions: 331 This server does not allow plain FTP. The remote FTP service accepts logins without a previous sent 'AUTH TLS' command. The remote host is running a FTP service that allows cleartext logins over unencrypted connections. NVT: FTP Unencrypted Cleartext Login (OID: 1.3.6.1.3.28) I am using a self signed 2048 bit certificate and using 990 for implicit TLS connections (disallowing explicit FTP over TLS)Īny guidance on closing this vulnerability would be appreciated. X - Require TLS session resumption on data connection when using PROT P X - Force PROT P to encrypt file transfers when using FTP over TLS
I have the following settings configured on the server: That means that an attacker can sniff network traffic and potentially capture clear text login and password information. Currently the server will accept a login attempt without requiring a TLS session be established first. In scanning our environment for security vectors I have identified a configuration issue with how TLS over FTP is working on our Filezilla Server. Filezillasettings.jpg (116.91 KiB) Viewed 3764 times
0 kommentar(er)
