Thread: HowTo secure FTP server (SSL/TLS)

    HowTo secure FTP server (SSL/TLS)

    PURPOSE
    Install and configure a secure FTP server. After installation the FTP server will accept ordinary unencrypted FTP connections as well as SSL- and TLS-secured connections.

    ==================================================
    NOTES
    Most of the information in this HowTo is a collection from different sources.

    TESTED ON: Asus WL-500gP

    ASSUMPTIONS:
    i.- firmware: Oleg 1.9.2.7-10
    ii.- root file system on the external USB drive
    iii.- telnet/ssh daemon installed and active
    iv.- ipkg package installed
    v.- nano editor installed

    SOURCES:
    i.- http://www.castaglia.org/proftpd/doc...HOWTO-NAT.html
    ii.- http://www.proftpd.org/docs/directiv...d/by-name.html
    iii.- This forum

    ==================================================

    Stop Asus inbuilt FTP Server via web interface under "USB Application". Apply changes and reboot.

    Remount the root file system as read-write.

    Fetch and install proftpd
    Code:
    ipkg install proftpd
    Create certificates and keys
    A simple way of generating a 1024-bit RSA key pair and a certificate valid for about 3 years is:
    Code:
    openssl req -new -x509 -days 1200 -nodes -out /opt/etc/ftpd/server.cert.pem -keyout /opt/etc/ftpd/server.key.pem
    Create Certificate Authority (CA)
    Code:
    openssl genrsa -des3 -out /opt/etc/ftpd/ca.key 1024
    openssl req -new -x509 -days 1200 -key /opt/etc/ftpd/ca.key -out /opt/etc/ftpd/root.cert.pem
    Delete RSA private key
    Code:
    rm /opt/etc/ftpd/ca.key
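A quick check of the certificate and key before mod_tls is pointed at them, as an added example that is not part of this HowTo and not ProFTPD's own code: it verifies that the private key, which the command above creates with -nodes and therefore stores unencrypted, is readable only by its owner, that the key really belongs to the certificate (same RSA modulus), and that the certificate is not expired or about to expire. It needs only openssl, ls and cut. The default paths are the ones used in this HowTo; any other paths, and the CN used when testing it, are placeholders.

```shell
#!/bin/sh
# Added example (not from the HowTo or from ProFTPD): check the server
# certificate and key produced by the openssl commands above before mod_tls
# uses them. Default paths are the HowTo's; pass two paths to override.

# Succeed only if the key file is readable by its owner alone. The key was
# created with -nodes (unencrypted), so file permissions are its only protection.
key_perms_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the certificate's public key belongs to the private key
# (same RSA modulus).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the certificate stays valid for at least $2 seconds
# (default 30 days), so renewal is noticed before clients start failing.
cert_not_expiring() {
    openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null 2>&1
}

# Run every check, print one line per result and return the number of failures.
check_tls_files() {
    cert=${1:-/opt/etc/ftpd/server.cert.pem}
    key=${2:-/opt/etc/ftpd/server.key.pem}
    fails=0
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ] || return "$fails"
    if key_perms_ok "$key"; then
        echo "key permissions: ok"
    else
        echo "key permissions: too open, run: chmod 600 $key"
        fails=$((fails + 1))
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "key/certificate match: ok"
    else
        echo "key/certificate match: FAILED (certificate and key do not belong together)"
        fails=$((fails + 1))
    fi
    if cert_not_expiring "$cert"; then
        echo "expiry: more than 30 days left"
    else
        echo "expiry: expired or expiring within 30 days"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone run: check the HowTo's default paths, or the two given on the command line.
if check_tls_files "$@"; then
    echo "TLS files OK"
else
    echo "TLS files NOT OK"
fi
```

Run it on the router after the openssl steps (sh check_tls_files.sh, or with the two paths as arguments); a non-zero exit status means at least one check failed, and the printed lines say which.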
    Save the original proftpd.conf configuration file
    Code:
    mv /opt/etc/proftpd.conf /opt/etc/proftpd.conf_orig
    Create a new configuration file
    Code:
    nano /opt/etc/proftpd.conf
    Paste the following text (do not exit nano yet!)
    Code:
    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use.  It establishes a single server
    # and a single anonymous login.  It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.
    
    ServerName                      "ProFTPD Default Installation"
    # ServerType                    inetd
    ServerType                      standalone
    DefaultServer                   on
    WtmpLog                         off
    
    # Port 21 is the standard FTP port.
    Port                            21
    
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask                           022
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd).
    MaxInstances                    10
    
    MasqueradeAddress               [your_public_address or dns_hostname]
    
    <Global>
      RootLogin On
      RequireValidShell off
      AuthUserFile /etc/passwd
      AllowStoreRestart on
    #  TransferRate RETR 25
    #  TransferRate APPE,STOR 100:2048
      PassivePorts [first_port last_port]
    </Global>
    
    
    # Set the user and group under which the server will run.
    User                            nobody
    Group                           nobody
    
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    #DefaultRoot ~
    
    # Normally, we want files to be overwriteable.
    AllowOverwrite          on
    
    # Bar use of SITE CHMOD by default
    <Limit SITE_CHMOD>
      DenyAll
    </Limit>
    
    # A basic anonymous configuration, no upload directories.  If you do not
    # want anonymous users, simply delete this entire <Anonymous> section.
    <Anonymous ~ftp>
      User                          ftp
      Group                         ftp
    
      # We want clients to be able to login with "anonymous" as well as "ftp"
      UserAlias                     anonymous ftp
    
      # Limit the maximum number of anonymous logins
      MaxClients                    5
    
      # We want 'welcome.msg' displayed at login, and '.message' displayed
      # in each newly chdired directory.
      DisplayLogin                  welcome.msg
      DisplayFirstChdir             .message
    
      # Limit WRITE everywhere in the anonymous chroot
      <Limit WRITE>
        DenyAll
      </Limit>
    </Anonymous>
    
    <IfModule mod_tls.c>
      TLSEngine on
      TLSLog /tmp/tls.log
      # TLSProtocol TLSv1
      # SSLv23 Compatibility mode, used to allow both SSLv3 and TLSv1
      TLSProtocol SSLv23
    
    
      # Are clients required to use FTP over TLS when talking to this server?
      TLSRequired off
    
      # Server's certificate
      TLSRSACertificateFile         /opt/etc/ftpd/server.cert.pem
      TLSRSACertificateKeyFile      /opt/etc/ftpd/server.key.pem
    
      # CA the server trusts
      TLSCACertificateFile          /opt/etc/ftpd/root.cert.pem
    
      # Authenticate clients that want to use FTP over TLS?
      TLSVerifyClient off
    
      # Allow SSL/TLS renegotiations when the client requests them, but
      # do not force the renegotiations.  Some clients do not support
      # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
      # clients will close the data connection, or there will be a timeout
      # on an idle data connection.
      TLSRenegotiate required off
    </IfModule>
    In the text above, modify the MasqueradeAddress and PassivePorts lines as required. Do not use brackets; for instance:
    Code:
    MasqueradeAddress 123.123.123.123
    PassivePorts 12345 54321

    Move tls.log to the same folder as syslogd.
    Code:
    rm /var/ftpd/tls.log
    touch /tmp/tls.log
    Accept FTP traffic from WAN: run the following commands at the command prompt:
    Code:
    iptables -I INPUT -p tcp --dport 21 -j ACCEPT
    Paste the following line at the prompt, substituting first_port:last_port with the passive port range given above under PassivePorts:
    Code:
    iptables -I INPUT -p tcp --dport first_port:last_port -j ACCEPT
    For instance:
    Code:
    iptables -I INPUT -p tcp --dport 12345:54321 -j ACCEPT

    Add the NAT rule needed to connect from the WAN in passive mode, whether over SSL/TLS or over ordinary, unencrypted FTP. Substitute first_port:last_port with the passive port range given above under PassivePorts, and lan_ip with the IP address of the br0 interface of your Asus router.
    Code:
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport first_port:last_port -j DNAT --to-destination lan_ip
    For instance:
    Code:
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 12345:54321 -j DNAT --to-destination 192.168.1.1
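The firewall and NAT rules only work if they use exactly the range written in PassivePorts, and the bracketed placeholders in the template above are easy to leave in by mistake. The following script is an added example, not part of this HowTo and not ProFTPD's own code: it reads MasqueradeAddress and PassivePorts from a proftpd.conf, rejects leftover placeholders or a port range that is reversed or outside the unprivileged 1024-65535 range, prints (without running) the three iptables rules from this HowTo filled in with that range and the br0 address you pass in, and reports TLSRequired so you can see at a glance whether plain unencrypted logins are still accepted, as they are with the configuration above. The interface name vlan1 is taken from the HowTo; the embedded sample configuration is constructed for the demonstration and reuses the HowTo's example values.

```shell
#!/bin/sh
# Added example (not from the HowTo or from ProFTPD): sanity-check an edited
# proftpd.conf and print the iptables rules that match its PassivePorts range.
# Assumptions: each directive appears once outside comments; the WAN interface
# is vlan1 as in the HowTo; the router's br0 address is passed as an argument.

# Print the value of directive $2 from config file $1 (first non-comment hit).
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if the bracketed placeholders from the template were replaced.
placeholders_replaced() {
    ! grep -E -q '^[[:space:]]*(MasqueradeAddress|PassivePorts)[^#]*[][]' "$1"
}

# Print "first last" from PassivePorts after checking it is a sane range of
# unprivileged ports; fail on placeholders, non-numbers or a reversed range.
passive_range() {
    set -- $(conf_value "$1" PassivePorts)
    [ $# -eq 2 ] || return 1
    case "$1$2" in *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ] || return 1
    echo "$1 $2"
}

# Report TLSRequired; "off" (the HowTo's setting, and mod_tls's default) means
# clients may still log in over plain, unencrypted FTP.
tls_required() {
    v=$(conf_value "$1" TLSRequired)
    echo "${v:-off}"
}

# Print the HowTo's three iptables rules with the configured range filled in.
# $1 = config file, $2 = LAN (br0) address. Prints only; never runs them.
iptables_rules() {
    range=$(passive_range "$1") || return 1
    set -- "$1" "$2" $range
    echo "iptables -I INPUT -p tcp --dport 21 -j ACCEPT"
    echo "iptables -I INPUT -p tcp --dport $3:$4 -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport $3:$4 -j DNAT --to-destination $2"
}

# Constructed sample (not a real deployment) so the script runs stand-alone;
# it uses the example values from the HowTo.
SAMPLE_CONF=${TMPDIR:-/tmp}/proftpd.conf.sample
cat > "$SAMPLE_CONF" <<'EOF'
# comment lines are ignored: PassivePorts [first_port last_port]
MasqueradeAddress               123.123.123.123
<Global>
  PassivePorts 12345 54321
</Global>
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
</IfModule>
EOF

if placeholders_replaced "$SAMPLE_CONF"; then
    echo "placeholders replaced: yes"
    echo "MasqueradeAddress: $(conf_value "$SAMPLE_CONF" MasqueradeAddress)"
    echo "TLSRequired: $(tls_required "$SAMPLE_CONF") (off = plain FTP logins still accepted)"
    iptables_rules "$SAMPLE_CONF" 192.168.1.1
else
    echo "placeholders still present in $SAMPLE_CONF" >&2
fi
```

To use it on the router, point SAMPLE_CONF (or the function calls) at /opt/etc/proftpd.conf and pass the br0 address; the printed rules are the ones to paste at the prompt and, as the final notes say, into post-firewall.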


    Save changes
    Code:
    flashfs save && flashfs commit && flashfs enable
    Starting the FTP daemon
    Start the FTP daemon: run the following at the command prompt:
    Code:
    proftpd
    Testing the FTP server
    The test was performed with the FileZilla FTP client, version 2.2.32.

    Logontype: Normal
    Servertype: FTP, FTP over SSL or FTP over TLS
    user/password: same as Asus log-in

    Final notes
    iptables commands should be added to post-firewall.
    The proftpd command can be added to post-mount.
    If the FTP client is behind a firewall, port 113 on the client side should be open, although this is not mandatory.
    For further advanced configuration and settings, please refer to the sources.
    Last edited by Tamadite; 20-08-2008 at 10:05. Reason: passive mode when using SSL/TLS
