The UNIX and Linux Forums  

#4
12-03-2007
yarx
Quote:
Originally Posted by Smiling Dragon
You'll never be able to fully prevent users from running ftp to an uncontrolled remote host but you can make it harder by restricting connections on port 21 from AAA to BBB. It's not a perfect solution though as an ftpd can be run on any port; a determined user will just move the ftpd and carry on doing it.

However, in 90% of the cases where I hear these sorts of questions, it's actually the wrong question being asked. Are you sure this is the correct solution to your problem? Why do you want to prevent the ftp in the first place? Why is BBB being targeted as a server to prevent access to?

If you are trying to prevent users from using the system for unauthorised purposes (e.g. it's a school computer perhaps), it might be better to define what is acceptable and what is not, then perform 'after the fact' auditing and clobber whoever did it. It's a matter of human nature: if we see a fence, we try and go over it. Making a stronger fence only encourages us to try harder. If we get attacked by a bull in the paddock, we'll probably think twice about climbing that fence next time no matter how easy it was to get past...

Hi, Smiling Dragon, thanks for your reply.

If BBB opens port 21/20 to transfer the data from AAA, I can use "iptables" (on Linux, or any other software that has firewall functions) to drop the data package, like you said: "It's not a perfect solution though as an ftpd can be run on any port".

I think it is the wrong question to ask someone.