I have a development server running debian etch on my local network with all the usual bells and whistles (Apache, MySQL, PHP, Perl, exim4). wu-ftpd was my choice of FTP daemon. Up until now, everything has been fine in the FTP department - I have a login tied to my user account, and anon logins disabled. Works fine.
However, I can't log in from outside my network, nor can my good friend (who also has appropriate login credentials) who needed some testing space. I can also replicate the problem locally by attempting to connect to the external domain name rather than internal. When trying to access, the FTP client will connect, wait for a while, then get a "connection closed by remote host", with an optional "error reading response from server" from some clients.
Searching around, I found a few promising-looking results, but nothing that solved my problem. The relevant lines from my ftpaccess:
class local real,guest,anonymous 192.168.0.*
class remote real,guest,anonymous *
class all real,guest,anonymous *
The first two lines were originally commented out. I'm not exactly sure what the classes are for (the man page wasn't a great deal of help), which doesn't help matters. There are currently no
So, what should I change to allow FTP logins from outside my subnet?
If multiple "class" commands can apply to the current session, the first one listed in the access file is used.
Have you tried re-commenting out the first line (at least) in your ftpaccess file? It sounds like your login is being treated as "local" because that's the first class where "real" ( a "real" user) is defined as being allowed.
Perhaps trying this single line might do the trick:
class all real *
(Allow "real" users to log in either locally or from any IP address block, but no guests or anonymous logins allowed from anywhere.)
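To make the "first matching class wins" rule above concrete, here is a small added example (not code from the thread or from wu-ftpd) that models how ftpaccess class lines are resolved. It is a simplified model: it treats the address globs as plain IP-address wildcards only (real wu-ftpd also accepts hostnames, CIDR blocks and file references), and the helper names are my own.

```python
import fnmatch

# Constructed copies of the two configurations discussed in the thread.
ORIGINAL_CLASSES = """\
class local real,guest,anonymous 192.168.0.*
class remote real,guest,anonymous *
class all real,guest,anonymous *
"""

SINGLE_CLASS = """\
class all real *
"""


def parse_classes(ftpaccess_text):
    """Return [(class_name, {user types}, [address globs])] in file order.

    Lines that are blank, commented out, or not 'class' directives are skipped,
    which is why commenting a line out changes which class matches first.
    """
    classes = []
    for raw in ftpaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "class" or len(fields) < 4:
            continue
        name, typelist, globs = fields[1], fields[2], fields[3:]
        classes.append((name, set(typelist.split(",")), globs))
    return classes


def resolve_class(classes, user_type, client_addr):
    """First class whose typelist contains user_type and whose globs match the address.

    user_type is one of 'real', 'guest' or 'anonymous'. Returns None when no class
    applies, which wu-ftpd treats as a denied login.
    """
    for name, types, globs in classes:
        if user_type in types and any(fnmatch.fnmatchcase(client_addr, g) for g in globs):
            return name
    return None


if __name__ == "__main__":
    # 203.0.113.9 is a documentation address standing in for an Internet client.
    for cfg_name, cfg in (("original", ORIGINAL_CLASSES), ("single line", SINGLE_CLASS)):
        classes = parse_classes(cfg)
        for user_type, addr in (("real", "192.168.0.6"), ("real", "203.0.113.9"),
                                ("anonymous", "203.0.113.9")):
            print(cfg_name, user_type, addr, "->", resolve_class(classes, user_type, addr))
```

Run as-is it shows that with the three original lines a LAN login lands in "local", an outside login in "remote", and that the anonymous type gets a class too (so anonymous access has to be refused elsewhere); with the single "class all real *" line, anonymous and guest logins match nothing and are denied.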
As it stands I have the following line:
class all real *
which is fine for logins from the same subnet, but external logins still fail. My ftpservers file is blank, and the ftpusers file isn't denying either of the two accounts.
I'm not sure if the issue may lie elsewhere, as the problem occurs when I use the external hostname from a machine within the same subnet. Is it maybe in some way similar to Apache whereby you have to have the servers defined from the correct hostnames? If not, I don't see why:
Client --> Server works, while
Client --> Router --> Server and
Client --> Internet --> Server both fail.
I'm probably missing something obvious in a config file somewhere, but the man pages are keeping the secret well-hidden.
In any case, since you are on a private local subnet (the 198. address is a dead giveaway) you will need to set up port forwarding on your router or firewall. Have you done that? Users will connect to the WAN-side address of your router. The router needs to know which machine on your local network to forward the packets to.
Is this for end-user access or for administration? (i.e. upload/download software, webpages, etc.)
If it is for administration, I wouldn't recommend using FTP. Use SFTP/SSH. I wouldn't expose FTP or Telnet to the Internet, unless you absolutely have to to support end-users. And, even so, I would then only use it for end-user access and only then when security isn't a big consideration, and DON'T also use it for administration.
The problem is that FTP and Telnet both send passwords over the net "in the clear". Your root password could be compromised, for example, if you use FTP or Telnet to connect to your remote server.
SSH provides a secure channel for both console sessions and file transfer, and encrypts both data and passwords across the entire path.
Your router is most likely the culprit. You have to set up port-forwarding, and I'm guessing that you haven't.
I'm beginning to suspect my router is the source of the problem actually. Not because the ports aren't forwarded, but because the behaviour is very strange. I have many other services forwarded fine, so it's not a problem with ipmasq as such. Also, other ftpd software fails in a similar way to wu-ftpd.
To further elaborate: my router is a wee Freesco box which has been happily routing for a few years. Back in the day when I was running Windows 2000 on my development server FTP would work fine. I could login from outside no problem. Then for a while I shut down FTP since I didn't need it internally or externally. I re-enabled FTP in the last few months, but didn't need to use it or have the means to test it, so I had just assumed it was working as before.
Now, by changing port forwarding configurations and such, I have been able to connect to a greater degree, but still not do anything like transfer a file or get a directory listing. For the ftp server I'm running on my internal Windows server, the problem seems to be related to passive mode. For my linux server, the issue is the same as above: client can connect, but then no communication takes place between client and server, then after a while the server disconnects.
Weirdly, I get further trying to login to the Windows FTP server with a browser (FF, IE), rather than an actual FTP client. In any case, it would seem the packets on port 21 (I also tested some non-standard ports) are getting forwarded okay, but something is interfering elsewhere. I don't get very far trying to connect to my linux FTP daemon (yes, I changed the port forwarding config to test both!).
As an example, Windows 2000 machine:
(188.8.131.52) > connected to ip : 192.168.0.6
(000200) 02/05/2006 18:21:41 - (not logged in) (184.108.40.206) > sending welcome message.
(000200) 02/05/2006 18:21:41 - (not logged in) (220.127.116.11) > 220 Secondary FTP Server
(000200) 02/05/2006 18:21:41 - (not logged in) (18.104.22.168) > USER robert
(000200) 02/05/2006 18:21:41 - (not logged in) (22.214.171.124) > 331 Password required for robert.
(000200) 02/05/2006 18:21:41 - (not logged in) (126.96.36.199) > PASS ********
(000200) 02/05/2006 18:21:41 - robert (188.8.131.52) > logged in.
(000200) 02/05/2006 18:21:41 - robert (184.108.40.206) > 230 User robert logged in.
(000200) 02/05/2006 18:21:41 - robert (220.127.116.11) > PWD
(000200) 02/05/2006 18:21:41 - robert (18.104.22.168) > 257 "/" is current directory.
(000200) 02/05/2006 18:21:41 - robert (22.214.171.124) > TYPE A
(000200) 02/05/2006 18:21:41 - robert (126.96.36.199) > 200 Type set to A.
(000200) 02/05/2006 18:21:41 - robert (188.8.131.52) > PASV
(000200) 02/05/2006 18:21:41 - robert (184.108.40.206) > 227 Entering Passive Mode (86,0,XX,XXX,117,48).
After which it does nothing, then times out after several minutes. With linux (wu-ftpd, pureftpd, etc) I get the timeout before any welcome message, banner, or login attempt.
NB the IP above is a cache server for my ISP. I X'ed out part of my IP.
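The session above stalls right after the server's 227 reply, which is the point where passive-mode FTP opens a second TCP connection to the address and port the server advertises. The following added example (my own diagnostic, not code from the thread or any FTP daemon) parses a 227 reply as RFC 959 defines it (port = p1*256 + p2) and reports the two NAT problems a practitioner would check first: the server announcing its private LAN address, and the data port not being forwarded by the router. The port bytes 117,48 come from the listing above; the addresses, the forwarded-port set and the function names are assumptions.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Unanchored so it also matches a full log line with a timestamp prefix.
PASV_RE = re.compile(
    r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges: an address in one of these is unreachable from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample line, modelled on the Windows log in the post, with the
# masked octets replaced by the documentation address 203.0.113.7.
SAMPLE_227 = ("(000200) 02/05/2006 18:21:41 - robert (192.0.2.10) > "
              "227 Entering Passive Mode (203,0,113,7,117,48).")


def parse_pasv(reply):
    """Return (advertised_ip, data_port) from a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    ip = ipaddress.ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    return ip, p1 * 256 + p2


def diagnose_pasv(reply, server_public_ip, forwarded_ports):
    """Explain why an Internet client could fail to open the data connection.

    server_public_ip: the WAN-side address the client used to reach port 21.
    forwarded_ports:  TCP ports the router forwards to the FTP host (assumed
                      default-deny: anything else is silently dropped).
    Returns a list of findings; an empty list means the reply looks usable.
    """
    ip, port = parse_pasv(reply)
    findings = []
    if any(ip in net for net in RFC1918):
        findings.append("server advertised its private LAN address %s; "
                        "an Internet client cannot connect to it" % ip)
    elif ip != ipaddress.ip_address(server_public_ip):
        findings.append("advertised %s but the control connection went to %s; "
                        "many clients refuse the mismatch" % (ip, server_public_ip))
    if port not in forwarded_ports:
        findings.append("data port %d is not forwarded by the router; the data "
                        "connection hangs until the server times out" % port)
    return findings


if __name__ == "__main__":
    ip, port = parse_pasv(SAMPLE_227)
    print("advertised %s:%d" % (ip, port))            # 203.0.113.7:30000
    # Only port 21 forwarded, as in the thread: the data port is the problem.
    for f in diagnose_pasv(SAMPLE_227, "203.0.113.7", {21}):
        print("-", f)
    # A server behind NAT announcing its LAN address trips both checks.
    lan = "227 Entering Passive Mode (192,168,0,6,117,48)."
    for f in diagnose_pasv(lan, "203.0.113.7", {21}):
        print("-", f)
```

The usual fix is to pin the daemon to a fixed passive port range and forward that range on the router alongside port 21 (wu-ftpd's ftpaccess has `passive ports` and `passive address` directives for this); the script reports a clean result once the forwarded set contains the advertised port. Note that the Linux daemons in the thread fail before the banner, which this check does not cover: that is a control-connection problem, not a passive-mode one.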