proFTPd timing out while requesting LIST

In the process of locking down our servers we’ve been setting up host-based firewalls on one of our internal FTP servers.

The default thing was to deny access to everything but ICMP and SSH, good start.

Our first command was to only allow a given host access to port 21, FTP:

sudo iptables -I INPUT 1 -s 10.1.2.3 -p tcp -m tcp --dport 21 -j ACCEPT

This allows the client to connect:

Status:  Resolving address of server
Status: Connecting to server:21...
Status: Connection established, waiting for welcome message...
Response:   220 ProFTPD 1.3.1 Server
Command:    USER username
Response:   331 Password required for username
Command:    PASS **************
Response:   230 User username logged in
Command:    SYST
Response:   215 UNIX Type: L8
Command:    FEAT
Response:   211-Features:
Response:    LANG en
Response:    MDTM
Response:    UTF8
Response:    REST STREAM
Response:    SIZE
Response:   211 End
Command:    OPTS UTF8 ON
Response:   200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/home/username" is the current directory
Command:    TYPE I
Response:   200 Type set to I
Command:    PORT 10,1,2,3,10,215
Response:   200 PORT command successful
Command:    LIST

And there it sat, until it timed out.

After doing some research I found that the server was running in Passive mode, which wasn’t allowed through the firewall. The fix was to configure proFTPd to expose a specific range of passive ports (instead of those in the high-RPC range).

To configure the server, I opened proftpd.conf and added the following line:

PassivePorts 50000 50005

I also opened the firewall:

sudo iptables -I INPUT 2 -s 10.1.2.3 -p tcp -m tcp --dport 50000:50005 -j ACCEPT

And was able to connect successfully! 🙂

Now, this is a very lightly used server and a very contrived example, so when opening up ports, be careful to allow at least 2x the expected connection count.
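The following shell helpers are an added example, not part of the original post. They decode the "h1,h2,h3,h4,p1,p2" form that both the PORT command in the log above and a 227 PASV reply use into host:port (the port is p1*256 + p2), check whether that data port falls inside the range the firewall rule allows, apply the 2x rule of thumb to a candidate PassivePorts range, and emit the proftpd.conf directive and iptables rules for it. The client address, the passive range and the expected connection count are illustrative values I chose; the PASV reply is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the FTP data-connection
# problem described above. Client address, port range, connection count and the
# 227 reply below are constructed, illustrative values.

# ftp_hostport SPEC -> "a.b.c.d:port"
# SPEC is either a bare "h1,h2,h3,h4,p1,p2" (the PORT argument) or a full
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." reply. Port = p1*256 + p2.
ftp_hostport() {
    spec=$1
    case $spec in
        *\(*) spec=${spec##*\(}; spec=${spec%%\)*} ;;   # keep what is inside the parentheses
    esac
    old_ifs=$IFS
    IFS=,
    set -- $spec                                          # split on commas
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1                              # must be exactly six fields
    for f in "$@"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac          # every field must be numeric
    done
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# data_port_allowed PORT LOW HIGH -> 0 if LOW <= PORT <= HIGH, i.e. the
# --dport LOW:HIGH firewall rule would accept the data connection
data_port_allowed() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# passive_range_ok LOW HIGH EXPECTED -> 0 if the range is sane (unprivileged,
# ordered) and holds at least 2x EXPECTED concurrent data connections
passive_range_ok() {
    low=$1; high=$2; expected=$3
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    [ $(( high - low + 1 )) -ge $(( expected * 2 )) ]
}

# proftpd_passive_directive LOW HIGH -> the proftpd.conf line
proftpd_passive_directive() {
    printf 'PassivePorts %s %s\n' "$1" "$2"
}

# ftp_iptables_rules CLIENT LOW HIGH -> INPUT rules for the control port and
# the passive data range, in the same form as the commands in the post
ftp_iptables_rules() {
    printf 'iptables -I INPUT 1 -s %s -p tcp -m tcp --dport 21 -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT 2 -s %s -p tcp -m tcp --dport %s:%s -j ACCEPT\n' "$1" "$2" "$3"
}

# Walk-through with constructed values
low=50000; high=50005
echo "PORT 10,1,2,3,10,215 -> $(ftp_hostport 10,1,2,3,10,215)"
reply='227 Entering Passive Mode (10,1,2,4,195,80).'       # constructed server reply
hp=$(ftp_hostport "$reply")
port=${hp##*:}
if data_port_allowed "$port" "$low" "$high"; then
    echo "$reply -> $hp (inside $low:$high, LIST can proceed)"
else
    echo "$reply -> $hp (outside $low:$high, LIST would hang)"
fi
passive_range_ok "$low" "$high" 3 && echo "range $low-$high covers 2x3 connections"
proftpd_passive_directive "$low" "$high"
ftp_iptables_rules 10.1.2.3 "$low" "$high"
```

Run the script as-is to see the walk-through, or source it and call the functions against a real PASV reply copied from your client log; a port that fails data_port_allowed is exactly the case where the control channel works but LIST sits until it times out.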

#Linux #proftpd #Security #Work