In the process of locking down our servers we’ve been setting up host-based firewalls on one of our internal FTP servers.
The default policy was to deny everything except ICMP and SSH, which is a good start.
Our first rule allowed a single host to reach port 21, the FTP control channel:
sudo iptables -I INPUT 1 -s 10.1.2.3 -p tcp -m tcp --dport 21 -j ACCEPT
This allows the client to connect:
Status: Resolving address of server
Status: Connecting to server:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.1 Server
Command: USER username
Response: 331 Password required for username
Command: PASS **************
Response: 230 User username logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: LANG en
Response: MDTM
Response: UTF8
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/username" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT 10,1,2,3,10,215
Response: 200 PORT command successful
Command: LIST
And there it sat, until it timed out.
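The six-number tuple in lines like `PORT 10,1,2,3,10,215` is an address and a port split into two bytes, and which side has to accept the data connection depends on whether it came from a PORT command or a 227 PASV reply. The PORT line in the log above is the client asking for active mode (the server connects out to the client's port 2775; a default ProFTPD uses port 20 as the source). In passive mode it is the client that connects in, to a port the server chooses, and that inbound connection is what a host firewall on the server has to admit. The script below is an added example, not code from the original post: it decodes either form and reports the direction. The `227 Entering Passive Mode (10,1,2,4,195,80)` line is a constructed sample, and 10.1.2.4 is an assumed address for the FTP server.

```shell
#!/bin/sh
# Added example: decode FTP PORT / PASV address tuples and report which side
# must accept the data connection. Not part of the original post.

# h1,h2,h3,h4,p1,p2  ->  h1.h2.h3.h4:(p1*256+p2). Parentheses and spaces are tolerated.
ftp_decode_hostport() {
    tuple=$(printf '%s' "$1" | tr -d '() ')
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$tuple
EOF
    printf '%s.%s.%s.%s:%d\n' "$h1" "$h2" "$h3" "$h4" $((p1 * 256 + p2))
}

# Given one control-channel line, say who opens the data connection and to where.
ftp_data_direction() {
    case "$1" in
        PORT\ *)
            # Active mode: the client listens, the server connects out to it.
            ep=$(ftp_decode_hostport "${1#PORT }")
            printf 'active: server connects out to client %s\n' "$ep" ;;
        227\ *)
            # Passive mode: the server listens, the client connects in to it.
            tuple=${1#*"("}; tuple=${tuple%%")"*}
            ep=$(ftp_decode_hostport "$tuple")
            printf 'passive: client connects in to server %s\n' "$ep" ;;
        *)
            printf 'not a data-connection setup line\n'
            return 1 ;;
    esac
}

# Constructed samples: the PORT line from the log above, and the 227 reply
# ProFTPD would send for port 50000 (server address 10.1.2.4 is assumed).
if [ $# -eq 0 ]; then
    set -- 'PORT 10,1,2,3,10,215' '227 Entering Passive Mode (10,1,2,4,195,80)'
fi
for line in "$@"; do
    ftp_data_direction "$line"
done
```

Run it with no arguments for the two samples, or pass your own log lines as arguments; 195*256+80 is 50000, the bottom of the PassivePorts range set later in the post.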
After some research I found that the server was running in passive mode, which the firewall did not allow: in passive mode the server picks a port from the high ephemeral range for each data connection and the client connects inbound to it, so a rule that only admits port 21 leaves the data connection with nowhere to go. The fix was to configure ProFTPD to hand out passive ports from a small, known range instead of the ephemeral range, and to open that range in the firewall.
To configure the server, I opened proftpd.conf and added the following directive, which restricts passive data connections to six specific ports:
PassivePorts 50000 50005
I also opened that range in the firewall, again only for that client:
sudo iptables -I INPUT 2 -s 10.1.2.3 -p tcp -m tcp --dport 50000:50005 -j ACCEPT
And was able to connect successfully! 🙂
Now, this is a very lightly used server and a very contrived example. Each open passive data connection (a directory listing or a file transfer) occupies one port in the range for as long as it lasts, so a range of six ports caps the server at six concurrent data connections. When you size the range, allow at least twice the number of concurrent connections you expect, and keep the firewall rule for it restricted to the client hosts that actually need it.
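The passive range lives in two places, proftpd.conf and the firewall, and they drift apart easily. The script below is an added example, not the post's own code: it reads the PassivePorts directive from a ProFTPD config file, emits the matching iptables rule for one client in the same form as the rule above, checks that the range holds at least twice the expected number of concurrent data connections, and warns if it overlaps the kernel's ephemeral port range (read from /proc/sys/net/ipv4/ip_local_port_range when present; a server-side outbound connection could otherwise land on one of the passive ports). The config path, client address and expected connection count are command-line arguments; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: derive the passive-port firewall rule from proftpd.conf so the
# firewall and the server cannot disagree about the range. Not the post's own code.

# Print "low high" from the (last) PassivePorts directive in the config file.
passive_range() {
    awk 'tolower($1) == "passiveports" && NF == 3 { r = $2 " " $3 }
         END { if (r == "") exit 1; print r }' "$1"
}

# Do the inclusive ranges [a_lo,a_hi] and [b_lo,b_hi] overlap?
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Each open passive data connection (listing or transfer) occupies one port, so
# the range bounds concurrency. Pass only if it holds at least 2x the expected count.
passive_capacity_ok() {
    low=$1; high=$2; expected=$3
    [ $((high - low + 1)) -ge $((2 * expected)) ]
}

# The iptables command admitting the range from one client. -I INPUT 2 puts it
# directly after the port-21 rule inserted at position 1 earlier in the post.
passive_rule() {
    printf 'iptables -I INPUT 2 -s %s -p tcp -m tcp --dport %s:%s -j ACCEPT\n' "$1" "$2" "$3"
}

main() {
    conf=$1; client=$2; expected=${3:-1}
    range=$(passive_range "$conf") || { echo "no PassivePorts directive in $conf" >&2; return 1; }
    set -- $range
    low=$1; high=$2
    [ "$low" -ge 1024 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ] \
        || { echo "bad PassivePorts range $low $high" >&2; return 1; }
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        read -r eph_lo eph_hi < /proc/sys/net/ipv4/ip_local_port_range
        ranges_overlap "$low" "$high" "$eph_lo" "$eph_hi" &&
            echo "warning: $low-$high overlaps the ephemeral range $eph_lo-$eph_hi" >&2
    fi
    passive_capacity_ok "$low" "$high" "$expected" ||
        echo "warning: only $((high - low + 1)) ports for $expected expected connections (want 2x)" >&2
    rule=$(passive_rule "$client" "$low" "$high")
    if [ "${APPLY:-0}" = 1 ]; then
        sudo $rule
    else
        echo "$rule"
    fi
}

# Usage: sh passive-fw.sh /etc/proftpd/proftpd.conf 10.1.2.3 3   (APPLY=1 to insert the rule)
if [ $# -ge 2 ]; then
    main "$@"
fi
```

With the post's `PassivePorts 50000 50005` the capacity check passes for up to three expected concurrent connections and warns beyond that; on a stock Linux box it will also warn that 50000-50005 sits inside the default ephemeral range of 32768-60999.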