Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

5668/0, Unauthenticated FTP Connection

So I have some internal application that is apparently issuing a PORT command with out authenticating first, causing this sig to fire. I'm trying to decide whether I care (does this have security implications or is this just another stupid app).

What is the purpose of the signature? Is there a particular vulnerability it attempts to detect? Is there some FTP server that allows the PORT command without authentication first?

Cisco Employee

Re: 5668/0, Unauthenticated FTP Connection

Yes, there are actually a couple vulnerable servers that allow that to happen.

It is exactly the port command issued to start the session. If the signature fires from a constant source or to a constant destinatio, I'd investigate at least so you know what it is and make your decision.


Re: 5668/0, Unauthenticated FTP Connection

Thanks. Can you give me details on which ftp software is affected? I know in this case, the ftp daemon is not affected.

Cisco Employee

Re: 5668/0, Unauthenticated FTP Connection

HP-UX had an issue with it's FTP daemon. That was what this was written for. Basically, the daemon allowed connections and directory listing retreival as user root ... unauthenticated. I seem to remmeber another, but can;t find it.

CreatePlease to create content