
Remote FTP access with wu-ftpd

Can only login from within the same subnet as the server

12:18 am on May 1, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 18, 2005
posts:70
votes: 0


Hello all. First, the backstory:

I have a development server running debian etch on my local network with all the usual bells and whistles (Apache, MySQL, PHP, Perl, exim4). wu-ftpd was my choice of FTP daemon. Up until now, everything has been fine in the FTP department - I have a login tied to my user account, and anon logins disabled. Works fine.

However, I can't login from outside my network, nor can my good friend (who also has appropriate login credentials) who needed some testing space. I can also replicate the problem locally by attempting to connect to the external domain name rather than internal. When trying to access, the FTP client will connect, wait for a while, then get a "connection closed by remote host", with an optional "error reading response from server" from some clients.

Searching around, I found a few promising-looking results, but nothing that solved my problem. The relevant lines from my ftpaccess:


class local real,guest,anonymous 192.168.0.*
class remote real,guest,anonymous *
class all real,guest,anonymous *

The first two lines were originally commented out. I'm not exactly sure what the classes are for (the man page wasn't a great deal of help), which doesn't help matters. There are currently no deny lines.

So, what should I change to allow FTP logins from outside my subnet?

Cheers all.

7:38 pm on May 1, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 20, 2004
posts:1477
votes: 0


From the wu-ftpd ftpaccess manpage:

If multiple "class" commands can apply to the current session, the first one listed in the access file is used.

Have you tried re-commenting out the first line (at least) in your ftpaccess file? It sounds like your login is being treated as "local" because that's the first class where "real" ( a "real" user) is defined as being allowed.

Perhaps trying this single line might do the trick:

class all real *

(Allow "real" users to log in either locally or from any IP address block, but no guests or anonymous logins allowed from anywhere.)
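To make the "first class listed wins" rule quoted above concrete, here is a small model of the lookup, added as an illustration for this thread (it is not wu-ftpd's own code). It reads the class lines posted earlier and the single-line replacement suggested in the reply, and returns which class a session lands in. Address patterns are matched as shell-style globs with fnmatch; wu-ftpd also accepts address/CIDR and hostname forms, which this model leaves out.

```python
"""Toy model of wu-ftpd's ``class`` lookup (added illustration, not wu-ftpd code).

wu-ftpd uses the FIRST ``class`` line in ftpaccess whose user-type list contains
the session's type (real, guest or anonymous) AND whose address pattern matches
the client address.  Later classes that would also match are shadowed.
"""
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Constructed copy of the three class lines quoted in the opening post.
FTPACCESS_ORIGINAL = """\
class local  real,guest,anonymous 192.168.0.*
class remote real,guest,anonymous *
class all    real,guest,anonymous *
"""

# The single-line replacement suggested in the reply above.
FTPACCESS_REAL_ONLY = "class all real *\n"


def parse_classes(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (class_name, user_types, address_patterns) in file order.

    Blank lines and '#' comments are skipped; lines that are not ``class``
    directives (deny, limit, ...) are ignored for this model.
    """
    classes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "class" or len(fields) < 4:
            continue
        name, types, *patterns = fields[1:]
        classes.append((name, types.split(","), patterns))
    return classes


def lookup_class(text: str, user_type: str, client_ip: str) -> Optional[str]:
    """Name of the first class matching (user_type, client_ip), or None.

    None is the case where wu-ftpd has no class for the session and
    refuses the login.
    """
    for name, types, patterns in parse_classes(text):
        if user_type in types and any(fnmatch(client_ip, p) for p in patterns):
            return name
    return None


if __name__ == "__main__":
    for cfg_name, cfg in (("original", FTPACCESS_ORIGINAL), ("real-only", FTPACCESS_REAL_ONLY)):
        for utype, ip in (("real", "192.168.0.7"), ("real", "62.252.128.17"),
                          ("anonymous", "62.252.128.17")):
            print(f"{cfg_name:9} {utype:9} from {ip:15} -> {lookup_class(cfg, utype, ip)}")
```

With the original three lines, a real user from 192.168.0.x is classed as "local" and one from the Internet as "remote"; the "all" class is never reached because "remote" already matches every address. With the single "class all real *" line, real users from anywhere get "all" and guest or anonymous sessions get no class at all.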

7:52 pm on May 1, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 18, 2005
posts:70
votes: 0


I actually had re-commented out the top two lines -- having them all uncommented didn't seem to allow for any logins ('cept for maybe localhost which I didn't try).

As it stands I have the following line:


class all real *

which is fine for logins from the same subnet, but external logins still fail. My ftpservers file is blank, and the ftpusers file isn't denying either of the two accounts.

I'm not sure if the issue may lie elsewhere, as the problem occurs when I use the external hostname from a machine within the same subnet. Is it maybe in some way similar to Apache whereby you have to have the servers defined from the correct hostnames? If not, I don't see why:

Client --> Server works, while

Client --> Router --> Server and
Client --> Internet --> Server both fail.

I'm probably missing something obvious in a config file somewhere, but the man pages are keeping the secret well-hidden.

7:57 pm on May 3, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 26, 2005
posts:3041
votes: 0


Do you have a firewall? (Either external hardware or internal software?) Do you have SELinux? Are your firewall and/or SELinux configured to permit FTP connections from outside your subnet?

In any case, since you are on a private local subnet (the 198. address is a dead giveaway) you will need to set up port forwarding on your router or firewall. Have you done that? Users will connect to the WAN-side address of your router. The router needs to know which machine on your local network to forward the packets to.

Is this for end-user access or for administration? (i.e. upload/download software, webpages, etc.)

If it is for administration, I wouldn't recommend using FTP. Use SFTP/SSH. I wouldn't expose FTP or Telnet to the Internet, unless you absolutely have to in order to support end-users. And, even so, I would then only use it for end-user access and only then when security isn't a big consideration, and DON'T also use it for administration.

The problem is that FTP and Telnet both send passwords over the net "in the clear". Your root password could be compromised, for example, if you use FTP or Telnet to connect to your remote server.

SSH provides a secure channel for both console sessions and file transfer, and encrypts both data and passwords across the entire path.

8:36 pm on May 3, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 26, 2005
posts:3041
votes: 0


Scratch my comments about software firewall and SELinux configuration. Because you are on a local private network, you HAVE to use NAT on your router to translate addresses to the local network. Your Linux box won't be able to tell the difference between a local and a remote connection anyway. If you can connect from any address on your local network, a connection from the Internet should work as well, as it's just going to appear to be originating from the LAN-side address of your router.

Your router is most likely the culprit. You have to set up port-forwarding, and I'm guessing that you haven't.

9:04 pm on May 3, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 18, 2005
posts:70
votes: 0


> jtara et al

I'm beginning to suspect my router is the source of the problem actually. Not because the ports aren't forwarded, but because the behaviour is very strange. I have many other services forwarded fine, so it's not a problem with ipmasq as such. Also, other ftpd software fails in a similar way to wu-ftpd.

To further elaborate: my router is a wee Freesco box which has been happily routing for a few years. Back in the day when I was running Windows 2000 on my development server FTP would work fine. I could login from outside no problem. Then for a while I shut down FTP since I didn't need it internally or externally. I re-enabled FTP in the last few months, but didn't need to use it or have the means to test it, so I had just assumed it was working as before.

Now, by changing port forwarding configurations and such, I have been able to connect to a greater degree, but still not do anything like transfer a file or get a directory listing. For the ftp server I'm running on my internal Windows server, the problem seems to be related to passive mode. For my linux server, the issue is the same as above: client can connect, but then no communication takes place between client and server, then after a while the server disconnects.

Weirdly, I get further trying to login to the Windows FTP server with a browser (FF, IE), rather than an actual FTP client. In any case, it would seem the packets on port 21 (I also tested some non-standard ports) are getting forwarded okay, but something is interfering elsewhere. I don't get very far trying to connect to my linux FTP daemon (yes, I changed the port forwarding config to test both!).

As an example, Windows 2000 machine:


(62.252.128.17) > connected to ip : 192.168.0.6
(000200) 02/05/2006 18:21:41 - (not logged in) (62.252.128.17) > sending welcome message.
(000200) 02/05/2006 18:21:41 - (not logged in) (62.252.128.17) > 220 Secondary FTP Server
(000200) 02/05/2006 18:21:41 - (not logged in) (62.252.128.17) > USER robert
(000200) 02/05/2006 18:21:41 - (not logged in) (62.252.128.17) > 331 Password required for robert.
(000200) 02/05/2006 18:21:41 - (not logged in) (62.252.128.17) > PASS ********
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > logged in.
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > 230 User robert logged in.
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > PWD
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > 257 "/" is current directory.
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > TYPE A
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > 200 Type set to A.
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > PASV
(000200) 02/05/2006 18:21:41 - robert (62.252.128.17) > 227 Entering Passive Mode (86,0,XX,XXX,117,48).

After which it does nothing, then times out after several minutes. With linux (wu-ftpd, pureftpd, etc) I get the timeout before any welcome message, banner, or login attempt.

NB the IP above is a cache server for my ISP. I X'ed out part of my IP.
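The log above stops right after the server's 227 reply, which is the classic passive-mode-behind-NAT symptom: the reply tells the client which address and port to open the data connection to, and that only works through a router if the advertised address is the public one and the advertised port is actually forwarded to the server. The following check is an added illustration for this thread, not code from any FTP server or from the poster. The 227 line is the one from the log with the masked octets replaced by placeholder values so that it parses; the "forwarded range" the router is assumed to pass through is an assumption for the example.

```python
"""Check whether a 227 PASV reply is reachable by a client on the Internet.

Added illustration for the thread above; not code from the poster or any FTP
server.  RFC 959 encodes the data endpoint as (h1,h2,h3,h4,p1,p2) where the
port is p1*256 + p2.  Behind NAT the transfer stalls exactly as in the log if
either the address is a LAN address or the port is not forwarded.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed: the 227 line from the log with the masked "XX,XXX" octets
# replaced by 1,2 so that it parses.  Port bytes 117,48 are as logged.
PASV_LINE = "227 Entering Passive Mode (86,0,1,2,117,48)."

# Constructed: what a server that advertises its own LAN address would send.
PASV_LINE_LAN = "227 Entering Passive Mode (192,168,0,6,117,48)."

# Assumption for the example: the router forwards only this port range to the
# server for data connections (the control port, 21, is handled separately).
ASSUMED_FORWARDED = range(50000, 50101)

_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised by a 227 reply; ValueError if malformed."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_pasv_through_nat(reply: str, forwarded_ports: range) -> Optional[str]:
    """None if an Internet client could open the data connection, else the reason."""
    host, port = parse_pasv(reply)
    if ipaddress.ip_address(host).is_private:
        return f"server advertises private address {host}; unreachable from the Internet"
    if port not in forwarded_ports:
        return f"data port {port} is outside the forwarded range {forwarded_ports}"
    return None


if __name__ == "__main__":
    for line in (PASV_LINE, PASV_LINE_LAN):
        host, port = parse_pasv(line)
        verdict = check_pasv_through_nat(line, ASSUMED_FORWARDED) or "ok"
        print(f"{host}:{port} -> {verdict}")
```

For the logged reply the advertised port is 117*256 + 48 = 30000. The address is already the public one, so the remaining thing to verify on the router is that port 30000 (or whatever passive range the server is configured to use) is forwarded to the server alongside port 21; a server that advertises 192.168.0.6 instead would fail even with the port forwarded.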
