Forum Discussion
eton (Luminary), Jan 28, 2013
FTPS access over WAN?
Setting up an FTP connection over WAN to a ReadyNAS device can be very tricky. After some time I found a solution and posted it here.
But I have noticed that it's possible to log in over FTPS locally, but not from outside, from the WAN. Strange, part of this WAN block lives on.
The interesting stuff starts below, in the second post.
At first, where are all the ProFTPd files located? Here:
# find / \( -path '/c' -o -path '/USB' \) -prune -or -iname '*proftpd*' -exec ls -ld {} \;
drwx------ 2 admin admin 16384 Jan 21 14:57 /etc/default/config/etc/frontview/proftpd
-rw------- 1 admin admin 168 Jan 17 2007 /etc/default/config/etc/frontview/usb/access/non-share/proftpd
-rw------- 1 admin admin 162 Jan 17 2007 /etc/default/config/etc/frontview/usb/access/non-share/proftpd.vfat
-rw------- 1 admin admin 159 Jul 11 2006 /etc/default/config/etc/frontview/usb/access/share/proftpd
-rw------- 1 admin admin 153 Jul 11 2006 /etc/default/config/etc/frontview/usb/access/share/proftpd.vfat
-rw-r--r-- 1 admin admin 2006 Apr 8 2009 /etc/default/config/etc/proftpd.conf
-rw-r--r-- 1 root root 211 Jul 11 2006 /etc/default/proftpd
-rwxr-xr-x 1 root root 4200 Jun 5 2008 /etc/init.d/proftpd
drwxr-xr-x 2 admin admin 16384 Jan 21 15:08 /etc/frontview/proftpd
-rw------- 1 admin admin 168 Jan 17 2007 /etc/frontview/usb/access/non-share/proftpd
-rw------- 1 admin admin 162 Jan 17 2007 /etc/frontview/usb/access/non-share/proftpd.vfat
-rw------- 1 admin admin 169 Jan 21 15:08 /etc/frontview/usb/access/share/proftpd
-rw------- 1 admin admin 163 Jan 21 15:08 /etc/frontview/usb/access/share/proftpd.vfat
-rw-r--r-- 1 root root 298 Aug 25 00:55 /etc/pam.d/proftpd
-rw-r--r-- 1 admin admin 2138 Jan 25 22:18 /etc/proftpd.conf
-rwxr-xr-x 1 root root 1139488 Nov 10 2011 /usr/sbin/proftpd
-rw-r--r-- 1 root root 36 Nov 10 2011 /var/lib/dpkg/info/proftpd.list
-rw-r----- 1 root root 15885 Jan 28 14:19 /var/log/proftpd.log
drwxr-xr-x 2 nobody admin 16384 May 22 2008 /var/run/proftpd
srwxrwxrwx 1 root root 0 Jan 25 22:18 /var/run/proftpd.sock
-rw-r--r-- 1 root root 632 Jan 28 14:19 /var/run/proftpd.scoreboard
-rw-r--r-- 1 root root 6 Jan 25 22:18 /var/run/proftpd.pid
-rw-r--r-- 1 root root 6440 Jan 25 22:17 /var/run/proftpd.delay
The active FTP configuration file is /etc/proftpd.conf. It looks like this:
# cat /etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody/nogroup" and "ftp" for normal operation and anon.
ServerName "NETGEAR ReadyNAS"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
AllowStoreRestart on
UseReverseDNS off
IdentLookups off
TimesGMT off
WtmpLog off
ServerLog /var/log/proftpd.log
SystemLog /var/log/proftpd.log
TransferLog /var/log/proftpd.log
BanLog /var/log/proftpd.log
MaxLoginAttempts 2
BanEngine on
BanTable /ramfs/ftp_ban.tbl
BanOnEvent MaxLoginAttempts 5/00:10:00 00:15:00
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message
DenyFilter \*.*/
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd on
# Uncomment this if you would use quota module:
#Quotas on
# Port 21 is the standard FTP port.
Port 21
MasqueradeAddress duo
DynMasqRefresh 7200
PassivePorts 49000 49020
AllowForeignAddress on
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
AllowOverwrite on
</Directory>
Include /etc/frontview/proftpd/ftps.conf
Include /etc/frontview/proftpd/User.conf
And it includes an FTPS config file, /etc/frontview/proftpd/ftps.conf, that reads:
# cat /etc/frontview/proftpd/ftps.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/frontview/apache/apache.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
</IfModule>
22 Replies
eton (Luminary): Tried to port forward 989-990, but could still not log in from WAN:
ftps-data 989/tcp ftp protocol, data, over TLS/SSL
ftps-data 989/udp ftp protocol, data, over TLS/SSL
ftps 990/tcp ftp protocol, control, over TLS/SSL
ftps 990/udp ftp protocol, control, over TLS/SSL
http://fixunix.com/firewalls/69105-ther ... r-tls.html
eton (Luminary): OK, it continues.
Read something about adding more ciphers. It didn't work. Here is what I tried:
/etc/proftpd.conf - added:
TlsCipherList HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
That made ProFTPd fail on startup (/etc/init.d/proftpd restart).
I also tried this tip:
/etc/frontview/proftpd/ftps.conf - added:
# Support both SSLv3 and TLSv1
TLSProtocol SSLv3 TLSv1
Result = no change when connecting from WAN.
http://www.proftpd.org/docs/howto/TLS.html
http://www.proftpd.org/docs/howto/Stopping.html
http://www.faqs.org/docs/Linux-HOWTO/SS ... HOWTO.html
StephenB (Guru - Experienced User): What NAS model do you have? Explicit FTP over TLS worked out-of-the-box for me on the V1 products and the Pro. I didn't need to make any settings changes at all to the NAS.
eton (Luminary): My NAS = ReadyNAS Duo v.1 - info in signature :)
Yes I'm starting to think that the problem is at the modem or most likely Apple AirPort Extreme.
Since I can log in with FTP and FTPS from LAN, but only plain FTP from WAN.
StephenB (Guru - Experienced User): If you have an FTP proxy on the path, or if the router firewall is protocol-aware, then that could certainly create an issue. I use non-standard ports for WAN access, and the routers on the path are simply forwarding.
eton (Luminary): No proxy. Tried with a non-standard port in AirPort Extreme Base Station (AEBS), same thing. Though plain FTP still worked just fine with other ports in AEBS.
OMG, it might be a bug in AEBS that has caused me all this headache.
http://fetchsoftworks.com/fetch/news/ft ... se-station
My AEBS is generation 2 and has never failed at anything else. Never hung and never demanded a restart. Steady as a rock.
I really like Apple, but the next router will probably come from Asus.
eton (Luminary): ProFTPd debugging
http://www.proftpd.org/docs/howto/Debugging.html
TLS options
http://www.proftpd.org/docs/contrib/mod ... TLSOptions
Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?
Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.
Firewalls, Routers, and NAT
http://www.proftpd.org/docs/howto/NAT.html
eton (Luminary): List open ports and the process that owns them:
netstat -lptu
netstat -tulpn
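The ProFTPD FAQ quoted above says why an FTP-aware firewall loses the data connection once the control channel is encrypted. The script below is an added illustration, not part of this thread and not ProFTPD code: it mimics the inspection an FTP ALG performs on a control-channel message, parsing a plaintext 227 PASV reply into host and port and checking the port against the PassivePorts 49000-49020 range from the config at the top of the thread, and shows that the same reply wrapped in a TLS application-data record yields nothing usable. The sample messages are constructed; 203.0.113.10 is a placeholder address.

```python
"""
Why an FTP-aware firewall (ALG) loses track of FTPS data connections.
Added example, not from the original thread or from ProFTPD. Simulates the
inspection an FTP ALG performs on the control channel: for a plaintext PASV
reply it can parse host/port and open a pinhole; for FTPS the same reply is
inside a TLS record and only the 5-byte record header is visible.
"""
import re
import struct

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> data port = p1*256 + p2
PASV_RE = re.compile(
    rb"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (host, port) announced in a 227 reply, or None if not a PASV reply."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def is_tls_record(data):
    """True if the bytes start like a TLS record: content type 0x14-0x17, version 3.x."""
    return (
        len(data) >= 5
        and data[0] in (0x14, 0x15, 0x16, 0x17)
        and data[1] == 0x03
        and data[2] <= 0x04
    )


def alg_inspect(control_bytes, passive_range=(49000, 49020)):
    """What an FTP ALG can learn from one server message on the control channel.

    'pinhole' : a PASV reply was parsed; host/port and whether the port falls in
                the PassivePorts range the router is expected to forward anyway
    'opaque'  : the bytes are a TLS record (FTPS after AUTH TLS); nothing to parse
    'ignore'  : some other plaintext reply
    """
    if is_tls_record(control_bytes):
        return {"result": "opaque", "reason": "TLS record; PASV reply not visible"}
    hp = parse_pasv(control_bytes)
    if hp is None:
        return {"result": "ignore"}
    host, port = hp
    lo, hi = passive_range
    return {"result": "pinhole", "host": host, "port": port,
            "in_passive_range": lo <= port <= hi}


# Constructed samples (not captured from a real device).
PLAIN_PASV = b"227 Entering Passive Mode (203,0,113,10,191,112).\r\n"  # 191*256+112 = 49008
# The same reply after AUTH TLS: a TLS 1.0 application-data record whose payload
# is ciphertext. The zero bytes stand in for the encrypted content.
TLS_WRAPPED = b"\x17\x03\x01" + struct.pack(">H", 48) + b"\x00" * 48

if __name__ == "__main__":
    print(alg_inspect(PLAIN_PASV))
    print(alg_inspect(TLS_WRAPPED))
```

The practical consequence is the one StephenB gives later in the thread: once the ALG cannot parse the reply, the only thing that still works is a router that forwards the whole PassivePorts range unconditionally, and moving the control port off 21 keeps the ALG from even trying.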
StephenB (Guru - Experienced User):
eton wrote: ProFTPd debugging
http://www.proftpd.org/docs/howto/Debugging.html
TLS options
http://www.proftpd.org/docs/contrib/mod ... TLSOptions
Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?
Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.
Of course, if you are using NAT you need to configure the NAS to use passive ports, and forward the control port and the passive ports in your router. If your router's firewall is FTP-aware, you are better off forwarding a non-standard port for the control connection. There are several how-tos posted here on setting up FTP.
eton (Luminary): SOLVED IT!
Change the FTP port to something other than the standard port 21.
Do it in Frontview or in a terminal:
vi /etc/proftpd.conf
/etc/init.d/proftpd restart
And change the router port forward settings under NAT to the custom port. And remember to specify the custom port in the FTP client.
In combination with "AllowForeignAddress on" this also enables FXP support. :)
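To tie the fix together with the configuration posted at the top of the thread, here is an added audit script (not from NETGEAR, ProFTPD or the original poster). It flattens the main proftpd.conf plus its Include'd files, lists the TCP ports the router must forward (the control port plus the PassivePorts range), and flags settings worth reconsidering before exposing the service to the WAN. The embedded config fragments are constructed from the directives shown in the thread; the control port 2121 is an assumed example of a non-standard port, not a value from the thread.

```python
"""
Audit a ReadyNAS-style ProFTPD configuration for WAN/NAT exposure.
Added example, not from NETGEAR, ProFTPD or the original thread. Reads the
directives the thread turned on (Port, PassivePorts, MasqueradeAddress,
AllowForeignAddress, TLSEngine, TLSRequired, TLSProtocol) from the main file
plus Include'd files, and reports ports to forward and settings to review.
"""

# Constructed fragments modelled on /etc/proftpd.conf and ftps.conf from the
# thread, after moving the control port off 21 (2121 is an assumption).
FILES = {
    "/etc/proftpd.conf": """
ServerName "NETGEAR ReadyNAS"
Port 2121
MasqueradeAddress duo
PassivePorts 49000 49020
AllowForeignAddress on
Include /etc/frontview/proftpd/ftps.conf
""",
    "/etc/frontview/proftpd/ftps.conf": """
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv23
TLSRequired off
</IfModule>
""",
}


def load_directives(path, files, seen=None):
    """Flatten a config and its Include'd files into {directive: [args]}; last value wins."""
    if seen is None:
        seen = set()
    if path in seen or path not in files:
        return {}
    seen.add(path)
    directives = {}
    for raw in files[path].splitlines():
        line = raw.strip()
        # Skip blanks, comments and <IfModule>/<Directory> container tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, args = line.split()[0], line.split()[1:]
        if name.lower() == "include" and args:
            directives.update(load_directives(args[0], files, seen))
        else:
            directives[name.lower()] = args
    return directives


def audit(files, main="/etc/proftpd.conf"):
    """Return {'forward_tcp': [ports], 'findings': [messages]} for the config."""
    d = load_directives(main, files)
    port = int(d.get("port", ["21"])[0])
    findings = []
    forward = [port]

    if "passiveports" in d and len(d["passiveports"]) >= 2:
        lo, hi = (int(x) for x in d["passiveports"][:2])
        forward.extend(range(lo, hi + 1))
    else:
        findings.append("no PassivePorts range: passive data connections cannot be forwarded through NAT")
    if "masqueradeaddress" not in d:
        findings.append("no MasqueradeAddress: PASV replies will announce the LAN address")
    if port == 21:
        findings.append("control port 21: an FTP-aware router may track/rewrite the session; use a non-standard port")
    if d.get("allowforeignaddress", ["off"])[0].lower() == "on":
        findings.append("AllowForeignAddress on: data connections with third-party hosts are accepted (FXP, but also FTP bounce)")
    if d.get("tlsengine", ["off"])[0].lower() == "on":
        if d.get("tlsrequired", ["off"])[0].lower() == "off":
            findings.append("TLSRequired off: clients may still log in with cleartext credentials")
        proto = " ".join(d.get("tlsprotocol", [])).upper()
        if any(p in proto for p in ("SSLV23", "SSLV3", "SSLV2")):
            findings.append("TLSProtocol allows SSLv2/SSLv3: restrict it to TLSv1 or later")
    return {"forward_tcp": forward, "findings": findings}


if __name__ == "__main__":
    report = audit(FILES)
    print("forward TCP:", report["forward_tcp"][0], "and",
          report["forward_tcp"][1], "-", report["forward_tcp"][-1])
    for f in report["findings"]:
        print("-", f)
```

Two caveats the thread brushes past: AllowForeignAddress on is what makes FXP work, but it also lets the data connection go to or come from a host other than the client (the classic FTP bounce), so the script flags it rather than endorsing it; and with TLSRequired off a client can still log in in cleartext, so the port change hides the session from the router's ALG but does not by itself protect credentials. Also, mod_tls selects ciphers with TLSCipherSuite; TLSCipherList is not a ProFTPD directive, which is why the earlier attempt stopped the daemon from starting.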