IP Networking

hi,all, i have a question to trouble you.

a workstation named AAA, and open the ftp services to permit user download and upload files. i have root password.

a pc install windows 2k named BBB, someone install a serv-u ftp ( a ftp server software ) to transfer data. i don't have the administrators password.

On BBB:
user can use: ftp AAA to transfer data, i permit.

but i don't permit on AAA to use ftp BBB to transfer data.

i can delete the ftp command or chmod 500, but someone could also upload a ftp command. or rename ftp to another name.

so, i want to know how to deny someone use ftp on AAA ?
anyone can help me.

You'll never be able to fully prevent users from running ftp to an uncontrolled remote host but you can make it harder by restricting connections on port 21 from AAA to BBB. It's not a prefect solution though as an ftpd can be run on any port, a determined user will just move the ftpd and carry on doing it.

However, in 90% of the cases where I hear these sorts of questions, it actually the wrong question being asked. Are you sure this is the correct solution to your problem? Why do you want to prevent the ftp in the first place? Why is BBB being targeted as a server to prevent access to?

If you are trying to prevent users from using the system for unathorised purposes (eg it's a school computer perhaps), it might be better to define what is acceptable and what is not, then perform 'after the fact' auditing and clobber whoever did it It's a matter of human nature, if we see a fence, we try and go over it. Making a stronger fence only encourages us to try harder. If we get attacked by a bull in the paddock, we'll probably think twice about climbing that fence next time no matter how easy it was to get past...

Rather than attempt restriction at the source, do the restriction at the server.

Deny the user at AAA access rights at the server.

If you manage to lock down the user at AAA, what happens if he changes seat and is sitting at CCC?

If the user has a C compiler at AAA he can do anything he wants, so you have to restrict at the server.

hi,Smiling Dragon,thanks for your reply.

if BBB open port 21/20 to transfer the data from AAA, i can use "iptables"(on linux, or any others software like have a firewall functions) to drop the data package, like you saied " It's not a prefect solution though as an ftpd can be run on any port ".

i think is the wrong question to ask someone.

hi, porter,i'am glad to see your reply.

i think closed the ftpd services on BBB is the only way to do that.