FTP

From Indie IT Wiki

This page explains how to allow FTP access to a server behind a NAT masquerading firewall using Passive mode.

Client --> Modem --> Firewall --> Server

Modem

Ports forwarded to the firewall: TCP 20, 21, 60000-60500

Firewall

Kernel modules (FTP connection-tracking and NAT helpers): nf_conntrack_ftp, nf_nat_ftp
# Allow FTP access
DNAT   net:123.456.789.0   loc:192.168.0.201   tcp   20
DNAT   net:123.456.789.0   loc:192.168.0.201   tcp   21
DNAT   net:123.456.789.0   loc:192.168.0.201   tcp   60000:60500
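Whether passive mode works through the modem and firewall above depends on what the server puts in its 227 reply: the public address, and a port inside the forwarded 60000-60500 range. The following check is an added example (not code from the page), parsing a PASV reply and reporting the two classic NAT mistakes; the sample replies and the 203.0.113.10 public address are constructed.

```python
import ipaddress
import re

# Port range the modem and firewall above forward for passive data connections (from the page).
FORWARDED_PASV_PORTS = (60000, 60500)

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field exceeds 255: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def check_pasv(reply, public_ip, forwarded=FORWARDED_PASV_PORTS):
    """List why a client on the internet could not open the data connection this reply describes.

    public_ip is the address the firewall DNATs (pasv_address in vsftpd, MasqueradeAddress in
    ProFTPd); an empty result means the reply is consistent with the port forwarding above.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if str(ip) != public_ip:
        # The classic NAT symptom: the server hands out its own LAN address.
        hint = " (a private address: the masquerade address is probably unset)" if ip.is_private else ""
        problems.append("advertised address %s is not the public address %s%s" % (ip, public_ip, hint))
    lo, hi = forwarded
    if not lo <= port <= hi:
        problems.append("advertised port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    return problems


# Constructed sample replies; 203.0.113.10 is a documentation address standing in for the public IP.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,234,96)"   # 234*256+96 = port 60000
BAD_REPLY = "227 Entering Passive Mode (192,168,0,201,156,64)"    # LAN address, port 40000

if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(reply, "->", check_pasv(reply, "203.0.113.10") or "consistent")
```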

Server

vsFTPd

sudo apt-get install vsftpd
sudo nano /etc/vsftpd.conf
  anonymous_enable=NO
  local_enable=YES
  write_enable=YES
  local_umask=022
  ftpd_banner=Hello
  chroot_local_user=YES
  pam_service_name=vsftpd
  allow_writeable_chroot=YES
  pasv_enable=YES
  pasv_address=xx.xxx.xx.xxx
  pasv_addr_resolve=NO
  pasv_min_port=40000
  pasv_max_port=40100
  port_enable=YES
sudo nano /etc/pam.d/vsftpd
  # auth  required        pam_shells.so   (comment out this line so that accounts whose shell is not listed in /etc/shells can log in)
sudo service vsftpd restart
telnet 127.0.0.1 21

https://help.ubuntu.com/community/vsftpd

Thanks - http://www.swhite.co/2012/05/how-to-set-up-wordpress-on-amazon-ec2_31.html

Security

Install SSL Certificate...

cat server.crt bundle.crt > vsftpd-domain_com.crt
cat server.key > vsftpd-domain_com.key
cp -av vsftpd-domain_com.crt /etc/ssl/certs/
cp -av vsftpd-domain_com.key /etc/ssl/private/

Configure SSL Certificate...

sudo nano /etc/vsftpd.conf

ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd-domain_com.crt
rsa_private_key_file=/etc/ssl/private/vsftpd-domain_com.key
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
implicit_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
sudo service vsftpd restart

Test SSL Certificate...

openssl s_client -starttls ftp -connect 127.0.0.1:21 -showcerts -CApath /etc/ssl/certs

Thanks - http://www.neant.ro/2012/04/secure-ftp-with-vsftpd/

Fun

220 127.0.0.1 FTP server ready
(press enter)
500 Invalid command: try being more creative

ProFTPd

Edit the main configuration file (the path depends on the distribution):

sudo nano /etc/proftpd/proftpd.conf
sudo nano /etc/proftpd.conf

Passive Mode tweaks

PassivePorts   60000 60500

Security tweaks

ServerIdent Off
DefaultRoot   ~
UseFtpUsers on
<Limit LOGIN>
  # single ip address example
  Allow from 192.168.0.1
  # multiple ip addresses example
  Allow from 192.168.0.1 10.30.124.6
  # subnet example
  Allow from 192.168.0.0/16
  # hostname example
  Allow from example.net
  # deny the rest
  DenyAll
</Limit>
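As an added example (not from the page or from ProFTPd), the following Python evaluates a client address against the <Limit LOGIN> block above, so an Allow-from list can be checked before it is deployed. Hostname entries match only an exact reverse-resolved name that the caller supplies, a simplification of ProFTPd's own DNS-based matching.

```python
import ipaddress

# The page's <Limit LOGIN> block, reproduced here as constructed sample input.
LIMIT_LOGIN = """\
<Limit LOGIN>
  Allow from 192.168.0.1
  Allow from 192.168.0.1 10.30.124.6
  Allow from 192.168.0.0/16
  Allow from example.net
  DenyAll
</Limit>
"""


def parse_limit_login(text):
    """Return (allow_entries, deny_all) from the <Limit LOGIN> section of a proftpd.conf."""
    allows, deny_all, inside = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "<limit login>":
            inside = True
        elif line.lower() == "</limit>":
            inside = False
        elif inside and line.lower().startswith("allow from"):
            allows.extend(line.split()[2:])
        elif inside and line.lower() == "denyall":
            deny_all = True
    return allows, deny_all


def login_allowed(client_ip, allows, deny_all, client_name=None):
    """Decide whether a client may reach the login stage.

    IP and CIDR entries are matched with the ipaddress module; a hostname entry matches only
    when the caller passes the client's reverse-resolved name (assumed simplification).
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in allows:
        if entry.lower() == "all":
            return True
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an address or network, so treat it as a hostname
            if client_name is not None and client_name.lower() == entry.lower():
                return True
    return not deny_all  # nothing in the block denies the client if DenyAll is absent
```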

Remove all lines for the Anonymous sections...

 <Anonymous /home/user/public_ftp>
   UseFtpUsers                   on
   RequireValidShell             off
   UseFtpUsers                   on
   RequireValidShell             off
   User                          ftp
   Group                         ftp
   UserAlias                     anonymous ftp
   DisplayLogin                  welcome.msg
   DisplayChdir                  .message true
   <Limit WRITE>
     DenyAll
   </Limit>
   <Directory incoming>
     <Limit STOR>
       AllowAll
     </Limit>
     <Limit WRITE READ>
       DenyAll
     </Limit>
   </Directory>
 </Anonymous>

Create the file...

nano /etc/ftpusers
     root
     ftp
     anonymous

Restart the server...

sudo service proftpd restart
sudo /etc/init.d/proftpd restart

Thanks - http://www.the-art-of-web.com/system/block-ftp-hacking/

Software

ncFTP

ncftp -u username -p password server

(A password given on the command line is visible to other users in the process list and is kept in the shell history; leave out -p and ncftp prompts for it instead.)

ncftp> passive
ncftp> ls
ncftp> quit

FileZilla

ProFTPd

Test with OpenSSL Client

openssl s_client -CApath /etc/ssl/certs -connect server.mydomain.com:21 -no_ssl3 -starttls ftp

HOWTO: Fix: VSFTPD: Error: FAIL LOGIN: Client

Comment out the pam_shells line (it rejects accounts whose login shell is not listed in /etc/shells), then restart vsftpd:

sudo nano /etc/pam.d/vsftpd
# auth  required        pam_shells.so
sudo service vsftpd restart

HOWTO: FIX: ERROR: proftpd: pam_env(ftp:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory

Comment out the system-auth include, then restart ProFTPd:

nano /etc/pam.d/ftp
# session  include   system-auth

/etc/init.d/proftpd restart

HOWTO: FIX: Error: proftpd: PAM adding faulty module: /lib/security/pam_listfile.so

If you are seeing this in your logs...

Apr 10 13:00:07 server proftpd: PAM unable to dlopen(/lib/security/pam_listfile.so)
Apr 10 13:00:07 server proftpd: PAM [error: /lib/security/pam_listfile.so: wrong ELF class: ELFCLASS32]
Apr 10 13:00:07 server proftpd: PAM adding faulty module: /lib/security/pam_listfile.so
Apr 10 13:00:07 server proftpd: PAM unable to dlopen(/lib/security/pam_pwdb.so)
Apr 10 13:00:07 server proftpd: PAM [error: /lib/security/pam_pwdb.so: cannot open shared object file: No such file or directory]
Apr 10 13:00:07 server proftpd: PAM adding faulty module: /lib/security/pam_pwdb.so

..., and you are using FTP virtual users (so PAM is not needed for authentication), then you can turn off PAM authentication by moving the offending PAM service file out of the way...

mv /etc/pam.d/ftp /root/

...then restart ProFTPd...

/etc/init.d/proftpd restart

HOWTO: FIX: Error: unable to open TransferLog '/var/log/xferlog': Too many levels of symbolic links

ls -la /var/log/xferlog
lrwxrwxrwx 1 root root 41 Dec  4  2011 /var/log/xferlog -> ../../usr/local/apache/domlogs/ftpxferlog
rm /var/log/xferlog


References

http://www.shorewall.net/FTP.html

http://www.proftpd.org/docs/howto/NAT.html

http://slacksite.com/other/ftp.html

http://slacksite.com/other/ftp-appendix1.html

http://www.ncftp.com

http://filezilla-project.org

http://www.proftpd.org