https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/241187#M46795 <P>Our gateway running on R81.20&nbsp; with JHF 89 but still the output of&nbsp;ps aux | grep -i ftp showing it is listening on port 21.</P><P>&nbsp;</P><P>what we can do to resolve this?</P> Fri, 14 Feb 2025 07:45:02 GMT tavi0906 2025-02-14T07:45:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/204863#M38620 <P>Hi team<BR />Hi community<BR />I have Security Gateway with multiple FTP service ports opened. Ports are high numbered &gt;33000<BR />Nmap says "Check Point Firewall - 1 ftpd".<BR />The vulnerability scanner says "Remote Management Service Accepting Unencrypted Credentials Detected (FTP)".<BR />Please, help. Could it be a false positive? Like credentials are realy encrypted.<BR />Why so many (about 14) ftp ports are opened?<BR />Should I configure ftpd via expert mode?</P> Fri, 02 Feb 2024 07:09:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/204863#M38620 m_k_user 2024-02-02T07:09:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/204892#M38624 <P>By default, no ftp ports are open on the Check Point firewall.<BR /><BR />1) Maybe you have NAT rules to internal FTP servers. I would check the NAT rules. <BR />&nbsp;&nbsp;&nbsp;&nbsp; In this case I would use SFTP or SSH, then the traffic is encrypted.&nbsp;<BR /><BR />2) It may also be that open ports are recognised incorrectly by NMAP. It depends on how you perform the NMAP scan.<BR /><BR /></P> Fri, 02 Feb 2024 14:48:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/204892#M38624 HeikoAnkenbrand 2024-02-02T14:48:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221780#M42474 <P>Hi,&nbsp;<BR />I think this vulnerability should be investigated.</P><P>Check in expert mode which service listening on this ports:<BR />for example on tcp 37517:<BR /><EM>lsof -i TCP:37517</EM></P><P>if your output look similar like this:<BR /><EM>in.aftpd 4993 admin 0u IPv4 49264 TCP *:37517 (LISTEN)</EM></P><P>then you should implement solution described here (upgrade a hotfix and comment 21 port in file):<BR /><A href="https://support.checkpoint.com/results/sk/sk180505" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk180505</A></P><P>you can also check on which ports n.aftpd listened:<BR /><EM>ps aux | grep in.aftpd</EM></P> Wed, 24 Jul 2024 12:50:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221780#M42474 4mon 2024-07-24T12:50:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221855#M42513 <P>Why it needs to be investigated if I may ask? Everyone knows you should not use FTP and instead use an encrypted alternative like FTPS or SSH. Also the SK is pretty clear to me.&nbsp;</P> Wed, 24 Jul 2024 19:39:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221855#M42513 Lesley 2024-07-24T19:39:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221880#M42521 <P>To prevent?<BR />If some service works and listening on multilpe ports when we don't using them then is better leave it works or turn off?</P> Thu, 25 Jul 2024 10:28:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221880#M42521 4mon 2024-07-25T10:28:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221883#M42522 <P>The way the SK is written it shouldn't be an issue with the appropriate JHF installed.</P> <P>If you are seeing different then you should take it with TAC for investigation obviously.</P> Thu, 25 Jul 2024 10:46:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/221883#M42522 Chris_Atkinson 2024-07-25T10:46:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/241187#M46795 <P>Our gateway running on R81.20&nbsp; with JHF 89 but still the output of&nbsp;ps aux | grep -i ftp showing it is listening on port 21.</P><P>&nbsp;</P><P>what we can do to resolve this?</P> Fri, 14 Feb 2025 07:45:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/241187#M46795 tavi0906 2025-02-14T07:45:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/241195#M46796 <P>Which version is the MGMT?</P> <P>If the SK has been followed and the issue persists please contact TAC to investigate.&nbsp;</P> Fri, 14 Feb 2025 08:58:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-service-accepting-unencrypted-credentials/m-p/241195#M46796 Chris_Atkinson 2025-02-14T08:58:21Z