Secure FTP options?

Discussion in 'ISPConfig 3 Priority Support' started by Tanaka, Nov 19, 2013.

  1. Tanaka

    Tanaka New Member

    Hello,

    I have tried to establish a secure FTP connection to my ISPConfig managed server but to no avail:

    - if I tell Filezilla to use "plain FTP" everything works as it should
    - if I set Filezilla to use "explicit FTP over TLS" it connects but shortly afterwards the connection times out with the message "failed to retrieve directory listing"
    - setting Filezilla to use "implicit FTP over TLS" does not connect at all - "Connection attempt failed with "ECONNREFUSED - Connection refused by server" - although I have opened ports 989 and 990 on the firewall (bastille)

    Any ideas?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you run a firewall on your Linux server and want to use passive FTP connections, you have to define the passive port range in pure-ftpd and your firewall to ensure that the connections don't get blocked. The following example is for pure-ftpd on Debian or Ubuntu Linux and ISPConfig 3:

    1) Configure pure-ftpd

    echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
    /etc/init.d/pure-ftpd-mysql restart

    2) Configure the firewall. If you use ISPConfig 3 on your server to configure the bastille firewall, you can add the necessary port range in the ISPConfig firewall settings.

    Change the list of Open TCP ports from:

    20,21,22,25,53,80,110,143,443,3306,8080,10000

    to:

    20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210
    and then click on “Save”.
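As an added example (not code from the thread, from ISPConfig or from pure-ftpd), the following POSIX sh script checks the point made above: it reads a PassivePortRange file in the format written by the echo command and reports whether the whole range is contained in an ISPConfig-style "Open TCP ports" list (single ports and LOW:HIGH entries). The conf-file copy and the two port lists in the demo are constructed stand-ins, and the 1024..65535 sanity bounds are this script's own policy, not a pure-ftpd rule.

```sh
#!/bin/sh
# Added example (not code from the thread, ISPConfig or pure-ftpd): check that the
# passive port range pure-ftpd will announce is fully inside the firewall's list of
# open TCP ports, written the way ISPConfig's firewall settings expect it
# ("20,21,...,40110:40210"). The conf file format is the one written by
# `echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange`; the demo at the end
# uses a constructed copy of that file in a temporary directory, not the live one.

# Print "LOW HIGH" from a PassivePortRange file; print nothing if the file is
# missing or empty (then pure-ftpd uses kernel-assigned ports that a fixed
# firewall rule does not cover).
read_passive_range() {
    lo=; hi=
    [ -r "$1" ] && { read -r lo hi < "$1" || true; }   # read fails without a trailing newline but still sets lo/hi
    [ -n "$hi" ] && printf '%s %s\n' "$lo" "$hi"
    return 0
}

# Sanity policy of this script (an assumption, not a pure-ftpd rule): both ends
# numeric, unprivileged (>= 1024), <= 65535 and LOW <= HIGH.
passive_range_valid() {
    lo=${1%% *}; hi=${1##* }
    case "$lo$hi" in '' | *[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Return 0 when every port of "LOW HIGH" lies inside one entry of the
# comma-separated open-port list; entries are single ports or LOW:HIGH ranges.
passive_range_covered() {
    lo=${1%% *}; hi=${1##* }
    list=$(printf '%s' "$2" | tr -d ' ')
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) a=${entry%%:*}; b=${entry##*:} ;;
            *)   a=$entry; b=$entry ;;
        esac
        case "$a$b" in '' | *[!0-9]*) continue ;; esac   # skip malformed entries
        if [ "$a" -le "$lo" ] && [ "$b" -ge "$hi" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# One-word verdict for a conf file against a firewall port list.
passive_range_status() {
    range=$(read_passive_range "$1")
    if [ -z "$range" ]; then
        echo "NO_RANGE"
    elif ! passive_range_valid "$range"; then
        echo "INVALID:$range"
    elif passive_range_covered "$range" "$2"; then
        echo "OK:$range"
    else
        echo "BLOCKED:$range"
    fi
}

# --- demo on constructed input ------------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '40110 40210\n' > "$DEMO_DIR/PassivePortRange"   # constructed stand-in for /etc/pure-ftpd/conf/PassivePortRange
ISPC_DEFAULT_TCP="20,21,22,25,53,80,110,143,443,3306,8080,10000"            # ISPConfig list before the change
ISPC_FIXED_TCP="20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210"  # after adding the passive range

echo "before: $(passive_range_status "$DEMO_DIR/PassivePortRange" "$ISPC_DEFAULT_TCP")"   # BLOCKED:40110 40210
echo "after:  $(passive_range_status "$DEMO_DIR/PassivePortRange" "$ISPC_FIXED_TCP")"     # OK:40110 40210
```

On a real server you would point the first argument at /etc/pure-ftpd/conf/PassivePortRange and paste the "Open TCP ports" string from the ISPConfig firewall page as the second; a BLOCKED or NO_RANGE verdict is the configuration that produces the "failed to retrieve directory listing" timeout from the first post, because the control connection succeeds but the data connection on the passive port never gets through.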
     
  3. Tanaka

    Tanaka New Member

    It Works!

    Thanks a lot for your quick answer,

    It is working like a charm now...:)

    I need one more thing though in order to better secure pure-ftpd, and that is to set it to accept only SSL/TLS authentication. Where/how can I set the --tls switch in order to achieve that?
    I have looked in the start-script of pure-ftpd but I'm not sure what to do.

    Thanks in advance,
    Tanaka

    PS. BTW, running Debian Wheezy with ISPConfig 3.0.5.3 (updated with the 3053_ftpuser patch)
     
    Last edited: Nov 19, 2013
  4. exyfeplin

    exyfeplin New Member HowtoForge Supporter

    I have the same question - how to enforce SSL/TLS connections for pure-ftpd.
    I've made a guess and tried "echo 2 > /etc/pure-ftpd/conf/TLS" then restarted.
    But the server still responds to a normal FTP client (Mac OSX) on the usual port number, so it seems to be a clear-text connection.
    Thanks for any advice.
     
  5. exyfeplin

    exyfeplin New Member HowtoForge Supporter

    OK syslog file shows:
    > Aug 25 12:29:43 localhost pure-ftpd-mysql[18341]: Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -O clf:/var/log/pure-ftpd/transfer.log -D -u 1000 -A -J ALL:!aNULL:!SSLv3 -E -8 UTF-8 -Y 2 -H -b -B

    Which looks like TLS-only is enabled (-Y 2).
    And when I login using a regular client I get:

    > 421 Sorry, cleartext sessions are not accepted on this server.
    > ftp: Login failed

    Now to find a client and test whether the secure connection works...
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    just run:

    echo 2 > /etc/pure-ftpd/conf/TLS

    and restart pure-ftpd.

    Sure, ftp over tls is on the same port and all normal ftp clients support it.
     
  7. exyfeplin

    exyfeplin New Member HowtoForge Supporter

    When I connect to my server using the Mac ftp client, I get this:
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 13:13. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    421 Sorry, cleartext sessions are not accepted on this server.
    ftp: Login failed
    ftp>

    I've tried 2 different Mac clients which support FTPS - Fetch and Viper. Neither of them work in SSL/TLS mode.

    I've opened ports 20 and 21, also 989 and 990 (the official FTPS ports) on the firewall.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    So it works correctly, the server disconnected you as tls is enforced.

    Which errors do you get in the client and the pure ftp log?
     
  9. exyfeplin

    exyfeplin New Member HowtoForge Supporter

    Still can't get any success with other Mac clients - Transmit and RBrowser - which are listed as supposed to be compatible according to:
    http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
    Maybe there's a certificate issue, but I've followed those instructions too, and in any case there is no message from any client about any certificate issue. So I'm at a complete loss.

    If not with FTP what other secure method is available for ISPconfig clients to manage files on their websites?

    Thanks for any further advice!
     
  10. exyfeplin

    exyfeplin New Member HowtoForge Supporter

    I've increased the log level:
    echo "yes" > /etc/pure-ftpd/conf/VerboseLog
    /etc/init.d/pure-ftpd-mysql restart

    I tried 4 clients which support "FTP with TLS/SSL" - Transmit, Viper, Fetch and RBrowser.
    In every case the syslog shows the same condition:
    Aug 25 23:42:41 localhost pure-ftpd: (?@122.105.125.199) [INFO] New connection from 122.105.125.199
    Aug 25 23:42:41 localhost pure-ftpd: (?@122.105.125.199) [DEBUG] Command [auth] [TLS]
    Aug 25 23:42:41 localhost pure-ftpd: (?@122.105.125.199) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.

    Finally tried FileZilla and I get further. It identified the certificate and asked me to accept it.
    syslog shows:

    Aug 26 00:12:12 localhost pure-ftpd: (?@122.105.125.199) [INFO] New connection from 122.105.125.199
    Aug 26 00:12:12 localhost pure-ftpd: (?@122.105.125.199) [DEBUG] Command [auth] [TLS]
    Aug 26 00:12:12 localhost pure-ftpd: (?@122.105.125.199) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
    Aug 26 00:12:12 localhost pure-ftpd: (?@122.105.125.199) [DEBUG] Command [user] [admin]
    Aug 26 00:12:13 localhost pure-ftpd: (?@122.105.125.199) [DEBUG] Command [pass] [<*>]
    Aug 26 00:12:13 localhost pure-ftpd: (?@122.105.125.199) [INFO] PAM_RHOST enabled. Getting the peer address
    Aug 26 00:12:13 localhost systemd[1]: Started Session c5 of user admin.

    Now I guess I just have to open the right ports and it should work.
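As an added example (not code from the thread or from pure-ftpd), the following POSIX sh script summarises verbose pure-ftpd syslog lines of the shape posted above, so that with TLS=2 in force you can tell which clients were refused for staying in cleartext and which sessions actually negotiated TLS, and with which cipher. It assumes the "(user@ip)" tag and message texts seen in the post; the log it runs on is constructed for the demo with documentation-range IP addresses, not taken from a real server.

```sh
#!/bin/sh
# Added example (not code from the thread or pure-ftpd): summarise pure-ftpd
# syslog lines, separating clients refused for staying in cleartext (TLS=2)
# from sessions that negotiated TLS, with the cipher each one got.
# Assumption: the "(user@ip)" tag and message texts are as in the thread.
# The log below is constructed for the demo (documentation IP ranges).
# "#012" is syslog's escaping of the newline inside pure-ftpd's two-line warning.

DEMO_LOG=$(mktemp)
trap 'rm -f "$DEMO_LOG"' EXIT
cat > "$DEMO_LOG" <<'EOF'
Aug 25 23:42:41 localhost pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Aug 25 23:42:41 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [user] [admin]
Aug 25 23:42:41 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Aug 25 23:45:03 localhost pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Aug 25 23:45:03 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Aug 25 23:50:02 localhost pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Aug 25 23:50:02 localhost pure-ftpd: (?@198.51.100.7) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [auth] [TLS]
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [user] [admin]
Aug 26 00:12:13 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [pass] [<*>]
EOF

# Number of sessions refused because TLS is enforced and the client stayed in cleartext.
count_cleartext_rejections() {
    grep -c 'cleartext sessions are not accepted' "$1" || true
}

# Per-source count of cleartext rejections, most frequent first ("ip count").
# A client that keeps showing up here needs its FTPS setting fixed; it is not
# a firewall problem, since the control connection clearly reached the server.
cleartext_rejection_sources() {
    grep 'cleartext sessions are not accepted' "$1" \
        | sed 's/^.*(\([^@]*\)@\([^)]*\)).*$/\2/' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Sessions that negotiated TLS, one per line as "ip protocol-label cipher".
tls_sessions() {
    sed -n 's/^.*(\([^@]*\)@\([^)]*\)).*SSL\/TLS: Enabled \([^ ]*\) with \([^,]*\),.*$/\2 \3 \4/p' "$1"
}

# Human-readable report over one log file.
report() {
    echo "connections:          $(grep -c 'New connection from' "$1" || true)"
    echo "cleartext rejections: $(count_cleartext_rejections "$1")"
    echo "tls sessions:         $(tls_sessions "$1" | wc -l | tr -d ' ')"
    echo "rejections by source:"
    cleartext_rejection_sources "$1" | sed 's/^/  /'
    echo "tls sessions (ip protocol-label cipher):"
    tls_sessions "$1" | sed 's/^/  /'
}

report "$DEMO_LOG"
```

Two reading notes for the output: the "TLSv1/SSLv3" label is what OpenSSL's SSL_CIPHER_get_version() returns for every cipher first defined in SSLv3 or later, so it names the cipher family rather than the negotiated protocol; an AES256-GCM-SHA384 suite can only be negotiated with TLS 1.2 or later, so that session was not SSLv3. And a source that appears under "rejections by source" and never under "tls sessions" is a client that has not been switched to explicit FTP over TLS, which is the situation the earlier posts in this thread describe.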
     
  11. exyfeplin

    exyfeplin New Member HowtoForge Supporter

    Finally, it works! Here are some notes on the experience.
    1. Documentation
    This page is not complete:
    https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/
    In addition, need to look at the documentation here:
    https://www.howtoforge.com/how-to-configure-pureftpd-to-accept-tls-sessions-on-debian-lenny
    http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/
    I suggest to update the "Perfect Server" docs because TLS security really is essential for FTP, and it has not been easy to set it up.
    2. FTP-TLS Clients
    Out of 5 MAC OSX clients tried, only one worked: FileZilla
    Warning on FileZilla download: https://filezilla-project.org/download.php?type=client
    The Sourceforge link points to a client which is corrupt and which apparently contains spyware.
    The link to FileZilla_3.13.1_macosx-x86.app.tar.bz2 is the one that worked for me.
    3. Other
    Make sure FTP transfer mode (in client) is Passive not Active.
    Beware NAT: your FTP client cannot access FTP through a NAT. If you have a NATted connection, you'll need to fire up a VPN to get FTP to work. FileZilla apparently supports IPv6, so that may be a better option if your ISP gives it to you.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    1) The documentation is complete, it configures FTP to allow connections with and without TLS. Enforcing TLS might be fine for your own purpose but that's nothing to be enforced in general as this would lead to many complaints when software without TLS support is used for an FTP connection. I verified that on the server that is the exact copy/paste version of the tutorial, connections with and without TLS are working out of the box when you followed the perfect server guide.
    3) FTP connections are working fine in both modes and you don't need a VPN. All you have to do is to ensure that the passive port range of your FTP client http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/ matches the passive port range that you opened for FTP in your firewall.
     
