FTP

From Indie IT Wiki
Jump to: navigation, search

This page explains how to allow FTP access to a server behind a NAT masquerading firewall using Passive mode.

Client --> Modem --> Firewall --> Server

Modem

Ports: TCP: 20,21,60000-60500

Firewall

Kernel Config: nf_conntrack_ftp,nf_nat_ftp
# Allow FTP access
DNAT   net:123.456.789.0   loc:192.168.0.201   tcp   20
DNAT   net:123.456.789.0   loc:192.168.0.201   tcp   21
DNAT   net:123.456.789.0   loc:192.168.0.201   tcp   60000:60500

Server

vsFTPd

sudo apt-get install vsftpd
sudo nano /etc/vsftpd.conf
  anonymous_enable=NO
  local_enable=YES
  write_enable=YES
  local_umask=022
  ftpd_banner=Hello
  chroot_local_user=YES
  pam_service_name=vsftpd
  allow_writeable_chroot=YES
  pasv_enable=YES
  pasv_address=xx.xxx.xx.xxx
  pasv_addr_resolve=NO
  pasv_min_port=40000
  pasv_max_port=40100
  port_enable=YES
sudo nano /etc/pam.d/vsftpd
  # auth  required        pam_shells.so
sudo service vsftpd restart
telnet 127.0.0.1 21

https://help.ubuntu.com/community/vsftpd

Thanks - http://www.swhite.co/2012/05/how-to-set-up-wordpress-on-amazon-ec2_31.html

Security

Install SSL Certificate...

cat server.crt bundle.crt > vsftpd-domain_com.crt
cat server.key > vsftpd-domain_com.key
cp -av vsftpd-domain_com.crt /etc/ssl/certs/
cp -av vsftpd-domain_com.key /etc/ssl/private/

Configure SSL Certificate...

sudo nano /etc/vsftpd.conf

ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd-domain_com.crt
rsa_private_key_file=/etc/ssl/private/vsftpd-domain_com.key
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
implicit_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
sudo service vsftpd restart

Test SSL Certificate...

openssl s_client -starttls ftp -connect 127.0.0.1:21 -showcerts -CApath /etc/ssl/certs

Thanks - http://www.neant.ro/2012/04/secure-ftp-with-vsftpd/

Fun

220 127.0.0.1 FTP server ready
(press enter)
500 Invalid command: try being more creative

ProFTPd

sudo nano /etc/proftpd/proftpd.conf
sudo nano /etc/proftpd.conf

Passive Mode tweaks

PassivePorts   60000 60500

Security tweaks

ServerIdent Off
DefaultRoot   ~
UseFtpUsers on
<Limit LOGIN>
  # single ip address example
  Allow from 192.168.0.1
  # multiple ip addresses example
  Allow from 192.168.0.1 10.30.124.6
  # subnet example
  Allow from 192.168.0.0/16
  # hostname example
  Allow from example.net
  # deny the rest
  DenyAll
</Limit>

Remove all lines for the Anonymous sections...

 <Anonymous /home/user/public_ftp>
   UseFtpUsers                   on
   RequireValidShell             off
   UseFtpUsers                   on
   RequireValidShell             off
   User                          ftp
   Group                         ftp
   UserAlias                     anonymous ftp
   DisplayLogin                  welcome.msg
   DisplayChdir                  .message true
   <Limit WRITE>
     DenyAll
   </Limit>
   <Directory incoming>
     <Limit STOR>
       AllowAll
     </Limit>
     <Limit WRITE READ>
       DenyAll
     </Limit>
   </Directory>
 </Anonymous>

Create the file...

nano /etc/ftpusers
     root
     ftp
     anonymous

Restart the server...

sudo service proftpd restart
sudo /etc/init.d/proftpd restart

Thanks - http://www.the-art-of-web.com/system/block-ftp-hacking/

Software

ncFTP
ncftp -u username -p password server

ncftp> passive
ncftp> ls
ncftp> quit
FileZilla
ProFTPd

HOWTO: Fix: VSFTPD: Error: FAIL LOGIN: Client

sudo nano /etc/pam.d/vsftpd
# auth  required        pam_shells.so
sudo service vsftpd restart

HOWTO: FIX: ERROR: proftpd: pam_env(ftp:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory

nano /etc/pam.d/ftp
# session  include   system-auth

/etc/init.d/proftpd restart

HOWTO: FIX: Error: proftpd: PAM adding faulty module: /lib/security/pam_listfile.so

If you are seeing this in your logs...

Apr 10 13:00:07 server proftpd: PAM unable to dlopen(/lib/security/pam_listfile.so)
Apr 10 13:00:07 server proftpd: PAM [error: /lib/security/pam_listfile.so: wrong ELF class: ELFCLASS32]
Apr 10 13:00:07 server proftpd: PAM adding faulty module: /lib/security/pam_listfile.so
Apr 10 13:00:07 server proftpd: PAM unable to dlopen(/lib/security/pam_pwdb.so)
Apr 10 13:00:07 server proftpd: PAM [error: /lib/security/pam_pwdb.so: cannot open shared object file: No such file or directory]
Apr 10 13:00:07 server proftpd: PAM adding faulty module: /lib/security/pam_pwdb.so

..., and you are using FTP virtual users, then you can turn off PAM authentication and move the offending file to another directory.

mv /etc/pam.d/ftp /root/

...then restart ProFTPd...

/etc/init.d/proftpd restart

HOWTO: FIX: Error: unable to open TransferLog '/var/log/xferlog': Too many levels of symbolic links

ls -la /var/log/xferlog
lrwxrwxrwx 1 root root 41 Dec  4  2011 /var/log/xferlog -> ../../usr/local/apache/domlogs/ftpxferlog
rm /var/log/xferlog


References

http://www.shorewall.net/FTP.html

http://www.proftpd.org/docs/howto/NAT.html

http://slacksite.com/other/ftp.html

http://slacksite.com/other/ftp-appendix1.html

http://www.ncftp.com

http://filezilla-project.org

http://www.proftpd.org