You can approach this a couple of ways:

1. Eliminate plaintext ftp altogether. SSHv2 is an excellent free replacement here, or you can use FTP-SSL.
2. Restrict access to this service in your firewall by IP.
3. Put the ftp behind a VPN.

I'm a Visa QDSP and these are a couple of things you could do.

Joachim Schipper said:

> On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:
>> Hello list,
>>
>> The company I work for is required to get PCI (Payment Card
>> something-or-other) certified in order to keep doing some of the things that
>> we are doing with credit card payments. When I started working here it was an
>> all MS shop, including the FTP server. In order to help secure things (at
>> all), I talked the boss into letting me set up an OpenBSD server as the FTP
>> server instead of windows2003. Since then, I have also set up firewalls, mail
>> server, IDS etc. all based upon OpenBSD (and loving every minute of it).
>> However, now that we need this cert, one of the few things still standing in
>> the way is the requirement that we set up the FTP server to lock out (for
>> 30 min.) any account that fails to login 3 times in a row. I haven't been able
>> to find any ftp software that does that. The FTP server that ships with
>> OpenBSD uses system accounts, and I haven't figured out how to do that there
>> either.
>>
>> If I don't get this figured out soon, the boss will lose patience and I will
>> be right back to MS hell trying to secure a win2003 ftp server just because
>> it will lock out an account that fails login 3 times in a row. (and then
>> probably figure out how to set up a win2003 firewall, IDS, exchange server,
>> etc etc etc... you get the pic)
>>
>> If anyone has any suggestions, please let me know.
>
> How about writing a login_* program for /usr/libexec/auth? It would be
> sufficient to check if there have been too many login attempts recently, and
> if not, call /usr/libexec/auth/login_passwd (or similar), and pass the
> response.
>
> There is quite a bit of information in login.conf(5). You'll also need to
> modify this file, so it's a good place to start.
>
> Joachim
>

-- 
Mark Maxey
Information Security Specialist - Masters of Tech
[EMAIL PROTECTED]
Phone: 859.948.5841
PGP ID: 0x0EA3D5A2
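The login_* wrapper Joachim describes, written out as an added example (it is not part of this thread and not OpenBSD code). It assumes it is installed as /usr/libexec/auth/login_lockout with the same ownership and mode as login_passwd, that the directory /var/db/ftplockout exists and is writable by the uid the login programs run as, and that the ftp users' login class in login.conf(5) is pointed at it with a capability of the form `auth-ftp=lockout:` (the exact capability name is an assumption; login.conf(5) is the reference, and the database is rebuilt with cap_mkdb). What is taken from login.conf(5) is the protocol: a login program is invoked as `login_style [-s service] [-v name=value] user [class]`, and it answers on the file-descriptor-3 back channel with an `authorize` or `reject` line. The state-file format, the 3-failure / 30-minute constants and the style name are the example's own choices. While an account is locked the wrapper answers `reject` without ever running login_passwd; otherwise it runs login_passwd with the same arguments, handing it a private socketpair as fd 3 and relaying both directions to the real back channel, so it can observe whether login_passwd answered `authorize` and update the streak accordingly.

```c
/* login_lockout.c: BSD auth login_* wrapper that rejects an account for 30 minutes after
 * 3 failed logins in a row and otherwise hands the password check to login_passwd.  Added
 * example for this thread, not OpenBSD code; STATE_DIR and the policy values are assumed. */
#define _DEFAULT_SOURCE 1   /* glibc: expose the POSIX/BSD declarations used below */
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#define MAX_FAILURES 3                                /* streak length that locks */
#define LOCKOUT_SECS (30 * 60)                        /* lockout duration */
#define STATE_DIR    "/var/db/ftplockout"             /* assumed; one file per account */
#define REAL_LOGIN   "/usr/libexec/auth/login_passwd" /* the checker being wrapped */
struct lockout { long failures; long last_failure; };

/* Locked while the streak has reached MAX_FAILURES and the window has not elapsed. */
int lockout_is_locked(const struct lockout *st, time_t now) {
    return st->failures >= MAX_FAILURES && now - (time_t)st->last_failure < LOCKOUT_SECS;
}

/* Success clears the streak; a failure extends it, unless the previous failure is older
 * than the window (an expired lockout or a stale streak), in which case it starts over. */
void lockout_record(struct lockout *st, time_t now, int success) {
    if (success) { st->failures = 0; st->last_failure = 0; return; }
    if (st->failures > 0 && now - (time_t)st->last_failure >= LOCKOUT_SECS) st->failures = 0;
    st->failures++; st->last_failure = (long)now;
}

/* State file format is "<failures> <last_failure>\n"; anything unparseable means clean. */
int lockout_parse(const char *text, struct lockout *st) {
    if (sscanf(text, "%ld %ld", &st->failures, &st->last_failure) == 2) return 0;
    st->failures = 0; st->last_failure = 0; return -1;
}

/* Only a plain account name may select a state file: no '/', no leading '.' or '-'. */
int valid_user(const char *u) {
    if (*u == '\0' || *u == '.' || *u == '-' || strlen(u) > 32) return 0;
    return strspn(u, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-") == strlen(u);
}

/* Back-channel verdict (login.conf(5)): a line starting with "authorize" means success. */
int backchannel_authorized(const char *text) {
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, "authorize", 9) == 0 && (p[9] == '\n' || p[9] == ' ' || p[9] == '\0')) return 1;
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return 0;
}

static void reject(void) { (void)write(3, "reject\n", 7); }

/* Run login_passwd with our own argv, giving it a private socketpair as fd 3 and relaying
 * both directions to ftpd's fd 3, so its verdict passes through us on the way back. */
static int delegate(char **argv) {
    int sv[2], status; pid_t pid = -1; char buf[1024], seen[4096]; size_t len = 0; ssize_t n;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) { reject(); return 0; }
    if (pid == 0) {                                   /* child: our socket becomes its fd 3 */
        close(sv[0]);
        if (dup2(sv[1], 3) < 0) _exit(1);
        if (sv[1] != 3) close(sv[1]);
        execv(REAL_LOGIN, argv);
        _exit(1);
    }
    close(sv[1]); struct pollfd p[2] = { { 3, POLLIN, 0 }, { sv[0], POLLIN, 0 } };
    while (p[1].fd >= 0 && poll(p, 2, -1) > 0) {
        if (p[0].revents) {                           /* ftpd -> login_passwd (response data) */
            if ((n = read(3, buf, sizeof buf)) <= 0) { shutdown(sv[0], SHUT_WR); p[0].fd = -1; }
            else if (write(sv[0], buf, (size_t)n) != n) break;
        }
        if (p[1].revents) {                           /* login_passwd -> ftpd (the verdict) */
            if ((n = read(sv[0], buf, sizeof buf)) <= 0) p[1].fd = -1;
            else if (write(3, buf, (size_t)n) != n) break;
            else if (len + (size_t)n < sizeof seen) { memcpy(seen + len, buf, (size_t)n); len += (size_t)n; }
        }
    }
    seen[len] = '\0'; close(sv[0]); waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 && backchannel_authorized(seen);
}

int main(int argc, char **argv) {
    const char *user = NULL; struct lockout st = { 0, 0 }; char path[256], buf[64];
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET, .l_start = 0, .l_len = 0 };
    int fd, i, w; ssize_t n; time_t now = time(NULL);
    for (i = 1; i < argc; i++) {          /* login_style [-s service] [-v name=value] user [class] */
        if (strcmp(argv[i], "-s") == 0 || strcmp(argv[i], "-v") == 0) { i++; continue; }
        if (argv[i][0] != '-') { user = argv[i]; break; }
    }
    if (user == NULL || !valid_user(user)) { reject(); return 0; }
    snprintf(path, sizeof path, "%s/%s", STATE_DIR, user);
    fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0 || fcntl(fd, F_SETLKW, &fl) < 0) { reject(); return 0; }      /* fail closed */
    if ((n = read(fd, buf, sizeof buf - 1)) > 0) { buf[n] = '\0'; lockout_parse(buf, &st); }
    if (lockout_is_locked(&st, now)) { reject(); return 0; }   /* locked: password not checked */
    lockout_record(&st, now, delegate(argv));
    w = snprintf(buf, sizeof buf, "%ld %ld\n", st.failures, st.last_failure);
    if (w > 0 && (size_t)w < sizeof buf && ftruncate(fd, 0) == 0) (void)pwrite(fd, buf, (size_t)w, 0);
    return 0;
}
```

Three design points matter for the PCI requirement rather than for the plumbing. The account name is validated before it is used as a file name, so a login name containing a path cannot reach outside STATE_DIR. The wrapper fails closed: if the state file cannot be opened or locked it rejects, and a locked account is rejected before login_passwd sees the password, so a correct password does not end the lockout early. Finally, a failure streak is only reset by a successful login or by the previous failure being older than the 30-minute window, which is what "three times in a row" amounts to once the lockout itself has expired.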