Desperately trying to set up an FTP server

Thread Starter

cmartinez

Joined Jan 17, 2007
8,218
I'm pulling my hair here ... I've been trying to set up an FTP in my personal computer and I've been hitting wall after wall after wall.

It wasn't until I installed a software named Complete FTP Manager that I made significant progress. But I still can't make a complete, working connection from any computer. I've been told that the problem is that I need to install a certificate of sorts. And I've used SSL.com Manager tool for this purpose. What I did was I generated a self-signed certificate and installed it in the CompleteFTP software. But I still can't login from any Windows based computer. I've been using FileZilla for that purpose.

Can anyone help me out here? I've set up a folder with disposable files in it so that anyone can try and see if they can read/write to it. Just PM me and I'll give you the domain, username and pwd.

@Yaakov , @MrSoftware
 

eetech00

Joined Jun 8, 2013
3,856
I'm pulling my hair here ... I've been trying to set up an FTP in my personal computer and I've been hitting wall after wall after wall.

It wasn't until I installed a software named Complete FTP Manager that I made significant progress. But I still can't make a complete, working connection from any computer. I've been told that the problem is that I need to install a certificate of sorts. And I've used SSL.com Manager tool for this purpose. What I did was I generated a self-signed certificate and installed it in the CompleteFTP software. But I still can't login from any Windows based computer. I've been using FileZilla for that purpose.

Can anyone help me out here? I've set up a folder with disposable files in it so that anyone can try and see if they can read/write to it. Just PM me and I'll give you the domain, username and pwd.

@Yaakov , @MrSoftware
Hi

First test that you can connect using FTP from your own computer.

is this a windows 10 computer running the FTP server?
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,218
I DID IT!!!! ... I stupidly turned on and off my firewalls for a brief moment, to see if that would change the situation, to no avail. But by doing that I inadvert reset its settings. And that forced me to go again not only through the inbound/outbound rules, but also I manually added the CompleteFTP server software to the list of programs (which I hand't done before, because it was already (partially) working) ... and voilá! , we're online.

Yaakov, please test the connection with the parameters I gave you in my PM, if you can.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,218
For the record, here's a list of the most important steps I had to take when setting up the server. Attention to detail is crucial for things to go smoothly. The process was a real PITA, it took me an entire week to make things work because I had to figure things out almost entirely by myself. And it would've taken me much longer if it weren't for Yaakov's generous assistance, and whose questions and observations pointed me in the right direction.

The CompleteFTP Manager software and its server made setting things up a lot easier than using the Windows Internet Information Services (IIS) app to make things work.

  • Download and install the DUC (Dinamic Update Client) app/service from www.noip.com. This sets up a free of charge domain that always points to the intended host computer, even if its external ip changes.
  • Install CompleteFTP Manager and set up a site and server along with its corresponding local directory,
  • Also set up a user account and its password
  • Enable all inbound/outbound rules for FTP in the advanced settings section of the Windows Defender Firewall
  • In the same inbound/outbound rules section, add the Complete FTP Manager app for the TCP protocol, checking all three Private/Domain/Public boxes.
  • Do the same setup described in the previous step for the CompleteFTP Service app
  • In CompleteFTP Manager, make sure that the External IP address in the PASV Settings is set to the network's external address. (www.whatsmyip.com). This IP address will have to be manually updated if and when it changes. The only way to avoid this nuance is to purchase/rent a fixed address from the provider. When that happens, the DUC app/service from www.noip.com won't be needed anymore.
  • Set the Windows Firewall to allow both CompleteFTP Manager and CompleteFTP Service through it
  • Check the FTP Server boxes in the same Allowed apps dialog box of the Firewall
  • Configure the router's port forwarding so that ports 20, 21 and 990 are directed to the host computer. Always specify the TCP protocol and enabled mapping for this set up.
  • In the same router's port forwarding section, add another port forwarding field pointing to the host computer with a port range of 100, using port values of between 1024 and 65535 (I used the range of 15000-15100) so that the exchange of information stays clear of other applications that use standard port values/ranges
  • In the PASV settings of CompleteFTP Manager, add said port range (15000-15100) in its Maximum and Minimum port number fields.
  • Generate a self-signed certificate in CompleteFTP Manager in Sites -> MySite -> FTP/FTPS-> Advanced FTP/FTPS Settings -> Security Settings
  • Test the settings using the https://ftptest.net/ website, using as host the domain that was set up in www.noip.com, the username and password, standard port 21, and Explicit FTP over TLS protocol.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,218
An observation about the CompleteFTP Manager app: It has the excellent advantage that makes it easy to add users that don't have a local Windows account.
 

MrSoftware

Joined Oct 29, 2013
2,188
Glad you got it working! Ironically I'm back after being gone from here for some time and just now saw the notification that you tagged me. I would have replied earlier, but great to hear you've got it working! All of that said; do not, do not put anything important on that machine that cannot afford to be exposed to the internet. Also I would at a minimum separate that machine from every other machine by VLAN, so if/when someone does get into it, they have a more difficult time getting to other machines on the network. These days security is a full time job, the days of running an ftp server yourself are gone for anything that is important, there' just too many security issues to keep up with and it takes full time staff to stay on top of it.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,218
Glad you got it working! Ironically I'm back after being gone from here for some time and just now saw the notification that you tagged me. I would have replied earlier, but great to hear you've got it working! All of that said; do not, do not put anything important on that machine that cannot afford to be exposed to the internet. Also I would at a minimum separate that machine from every other machine by VLAN, so if/when someone does get into it, they have a more difficult time getting to other machines on the network. These days security is a full time job, the days of running an ftp server yourself are gone for anything that is important, there' just too many security issues to keep up with and it takes full time staff to stay on top of it.
Thanks for chiming in, MS. Your help and counsel is always thoroughly appreciated.

Just so you know, I do understand the fragility of today's computer systems, especially running under Microsoft. So I take security very seriously.

Question, doesn't an FTP server contain all activity to its authorized folder only? The folder I set up will only be storing ascii files. No exe, sys, com, jpg nor any other type of file exceeding a 7-bit encoding in it. How can an attacker worm his way out of the restricted directory?
 
Last edited:

eetech00

Joined Jun 8, 2013
3,856
Question, doesn't an FTP server contain all activity to its authorized folder only?
That's what it should do but you need to verify.

The folder I set up will only be storing ascii files. No exe, sys, com, jpg nor any other type of file exceeding a 7-bit encoding in it.
That's what it should do but you need to verify

How can an attacker worm his way out of the restricted directory?
that's classified....;)
But again...you need to verify the security configuration of your FTP server.

Confirm ports open on your firewall router (you should have one) are only those that need to be open, and do the same on your FTP server host computer. You can be sure someone will scan your Host IP address for open ports. Make sure you have logging enabled on the host and firewall.
 
Top