IIS FTP not accessible with CIS firewall

Hi everyone,
I am sorry if this subject has already been discussed, but I haven’t been able to find an answer in this forum.
I have a machine with SBS 2003 and have installed CIS firewall only (antivirus crashed badly) product version 5.
I am running an IIS server with FTP server service and I cannot get contents of the folders in the ftp.
The first time I try to connect to the ftp server with windows explorer from another machine, CIS firewall asks and creates a rule for inetinfo.exe. Immediately, I can connect and can introduce my user and password, but that is as far as I get. There is no way I can get the contents of the folder and it times-out eventually.
I have looked into the firewall events and there is no block event logged.
It happens exactly the same when I try to connect with a browser, either explorer or firefox.
If I disable the firewall, all is fine though.
Please, any advice? Which rule am I missing?
Many thanks in advance.
Aznarepse

Hi welcome to the forums!

Please have a read here;
https://forums.comodo.com/firewall-help-cis/cis-blocks-access-totalcommander-t53263.0.html

Almost sounds as if local loopback is being blocked.

What I’ve discovered is that certain components require permission to initiate connections between 0.0.0.0 & 127.0.0.1. To that end I’ve created two zones:

local_0 : 0.0.0.0
local_127 : 127.0.0.1
NIC : the network interface card, i.e., ME

There’s a difference between either [local_0], [local_127] and [NIC]. Even so it’s true there is no place like ‘127.0.0.1’, I’ve neither seen either [local_0] or [local_127] initiate connection to either the [NIC] or the cloud (and certainly not both). Nor have I seen [local_127] initiate any connection to anything; FWIW, I’ve never observed [local_0] initiate connection to anything but [local_127].

That being said, I question why CIS AV causes your system to crash. Do have 'nother AV running on the server? IF so get rid of it; you do NOT need it. If you have paid subscription to Avira, de-install CIS & reinstall w/out AV.

You mention SBS 2003; that is an iteration of Server 2003, no? I’ll have you know that I’m running Server 2003 Standard as primary desktop O/S. I have yet to find something that I can’t get to work w/CIS v5.x. Since you obviously do have an issue, my speculation is the issue lies NOT with CIS but with YOUR workload; you don’t have time to finger it out.

As server admin you should understand that overzealous blocking will cause prollems. Do you have experience w/squid or fwbuilder? Whatever either of those can do, CIS can accomplish readily 80% (w/out an issue whatsoever). Your job as MS server admin is to get the remaining 10% incorporated into your security policy; if you need more than that: you wouldn’t be running on MS product.

IF the server in qwexion is FTP server, then your main concern is to protect the server’s ■■■■■■. In that case it’s more an issue of protected files/folders rather than connections. That being said, there are at least two things critical to server HIPS protection:

proxy
ChkAcc

The former requiring access to:

*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride

The latter requiring access to:

C:\WINDOWS\Debug\UserMode\ChkAcc.bak
C:\WINDOWS\debug\UserMode\ChkAcc.log

Thank you very much for your reply.
Ronny,
I have tried those settings and still can’t get the contents of the folder. There is no change. Unfortunately, I believe that the browser works on passive by default and it doesn’t work.
Moreover, if I use the Stealth Port wizard and set to alert me, when I try to connect to the FTP, I receive no alert whatsoever.

WxMan1,
SBS 2003 is a suite on top of server 2003. The installation is brand new. I formatted the disks and installed all from scratch. There is no other antivirus on the system. So, after having the server running with all MS software and Freeproxy, I install the complete CIS and it seems to crash. I don’t mean the server but CIS. I receive the window to report the bug and I have reported it several times. The server keeps running, the problem is that when CIS crashes I cannot access the server from the network and have to restart the whole system. I have tried several things and finally have noticed that Firewall alone doesn’t crash.

The server is connected to internet through a router/modem and a nic. There is another nic to another router that gives network to our machines at home. I am running Freeproxy on the server, which seems stable although it could be the problem with CIS; I don’t know, perhaps I should try to find the time and install CIS without freeproxy installed. But first, I need to solve this issue with FTP.
It is very frustrating and I am sure that I am missing something. I have tried Ronny’s suggestion without success.
I am not sure if I understand well your advice regarding the zones. I have created a new zone for local 0, the local 127 and nic already existed with mask. It didn’t work.
I have created also a zone from 0 to 127 and it doesn’t work. Please, could you explain a bit better the settings for these three zones you define?

All the best,

Sorry I misread your post I guess.

Running CIS firewall on the FTP Server side takes a bit of configuration.
And understanding of how FTP works.

The first connection is from client to FTP Server to port TCP 21 on the server.
The data channel depends on Active or Passive connection and that’s where it gets tricky.

Please read this page here http://slacksite.com/other/ftp.html

You also have to verify your FTP Server setup
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0d2a9b2e-b697-4bb3-8a61-0fad73a1fa08.mspx

By default, the FTP server allocates ports for passive-mode connections from the WinSock dynamic range, 1024 to 5000

You have to configure access to this hard in the network policy (global and app); alerts seem not to be 100% trustworthy on 2003 server, as I have seen blocks that did not alert…
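
Added example, not part of the original post and not code from Comodo or Microsoft: a Python model of the symptom in this thread, where login on port 21 succeeds but the passive-mode directory listing times out because the data port named in the server's 227 reply is not allowed inbound. The rule sets and the sample 227 reply are constructed; the 1024 to 5000 range is the default quoted above, and the firewall is assumed to be a plain list of allowed inbound TCP port ranges.

```python
import re

# Inbound TCP port ranges allowed for the FTP service (constructed rule sets).
CONTROL_ONLY = [(21, 21)]                 # only the control channel is open
WITH_PASSIVE = [(21, 21), (1024, 5000)]   # plus the default passive range quoted above

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port is sent as two bytes, high byte first
    return host, port

def inbound_allowed(port, ranges):
    """True if the port falls inside any allowed (low, high) range."""
    return any(lo <= port <= hi for lo, hi in ranges)

def diagnose(pasv_reply, ranges):
    """Describe what a client sees for a passive-mode listing under these rules."""
    if not inbound_allowed(21, ranges):
        return "control connection blocked: login never starts"
    host, port = parse_pasv(pasv_reply)
    if inbound_allowed(port, ranges):
        return "data connection to %s:%d allowed: listing works" % (host, port)
    return ("data connection to %s:%d blocked: login works, listing times out"
            % (host, port))

# Constructed server reply: 192.168.1.10, port 4*256 + 210 = 1234.
SAMPLE = "227 Entering Passive Mode (192,168,1,10,4,210)."

if __name__ == "__main__":
    for name, rules in (("control only", CONTROL_ONLY),
                        ("with passive range", WITH_PASSIVE)):
        print(name, "->", diagnose(SAMPLE, rules))
```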

Ronny, many thanks again! I am now trying with the new information.

WxMan1,
I rectify my words! CIS just crashed again with only the firewall!


Can you have a look in %ALLUSERSPROFILE%\Comodo\CisDumps and see if that contains dump files?
If so please provide them as they help Devs to fix the issue.

Sure! I have already done so!

Sorry, was it sent over the automatic mailer?