How to make local FTP Linux server accessible globally
Yes, but you really do not want to do that. FTP is an inherently insecure protocol and a serious vulnerability. Anyone who can sniff the data stream can strip off accounts and passwords at will.
My best advice: set up a limited number of accounts with limited rights and resources and only allow those to connect to sftp (OpenSSH file transfer) on a non-standard port (example 8122) in addition to the normal port 22 standard. Put a bypass into your firewall so that port is forwarded to your sftp server on that port.
If you have a fixed IP address externally, you are done. If you have a dynamic address, register with one of the dyndns services that forward a name to your external, and run an update client in your network somewhere to update the dyndns service when your external address changes.
Now anyone outside your network can address your sftp server from the wild using your dyndns name and port 8122.
Inside your network you will do better using the local name or ip address, and the standard port.
This is terribly easy the second time. Getting it the first time can take some research and 'fiddling' with things. I hope that this helps.
In addition, if you are going to open your system to the world, you really(!) need to read the Stickies in the Security Forum (just the relevant bits to start with).
Excellent suggestion! If you decide NOT to do all that reading (better if you DO), then you might want to at least install something like fail2ban and configure it to monitor your connections. It can trigger IP based blocking upon some configurable number of failed login attempts. A dictionary attack trying to guess or discover your passwords will generate enough failures to block an attacker. It does not stop the bad guys, but it does make you look like a difficult enough target to make them go elsewhere.
Trust me, once you open to the internet you WILL become a target. I have seen servers start taking hits within the first 5 minutes, before we even had the name in DNS.
Last edited by wpeckham; 07-01-2016 at 06:54 AM.
Reason: Fixing typo, thank you chrism01
Why didn't it work? Ports? ISP issue? Router issue? DNS or DDNS issue?
A lot of places use FTP still. If you want free access then it is a useful way to share files. Your ftp server or http server also might be considered. Not much of a speed difference anymore between ftp and http access usually.
Could consider something like barracudadrive also for https access. Might not be as secure as ssh. ssh is subject to a number of attacks so you will have to harden it. Most web pages suggest not using a password and moving to either two party authentication or self signed certificates.
@wpeckham: Thanks for the reply and very sorry for replying so late, I am actually not so good at the port forwarding thing. I forwarded port 8122/tcp to 22/tcp on an IP 192.168.1.80 (my localhost). But I didn't get what you said afterwards. I have a static IP and my public IP that is shown on the internet is my router's IP (so every system connected to this very router will get the same IP). I don't actually get it, sir.
In /etc/ssh (or /etc/openssh depending upon versions and distribution) you find the conf files for ssh. The sshd_conf file has the port setting for the listener, usually commented out so that the default applies. Uncomment it and add another so you have two entries:
(working from memory here, so check the file and the man pages) then in your firewall forward 8022 to your server (192.168.1.80) at port 8122. Then do a restart on sshd to pick up the change.
You should now be able to run
netstat -an|grep 22
and see listeners on ports 22 and 8122. When external to your network, you should be able to ssh (or sftp) to your external address on port 8122 and find the traffic expected from hitting an ssh listener.
BTW: unsecured ssh is still a lot more secure than ftp. That said, security is all about layers of protection and precaution so that one vulnerability is not enough to lose the ranch. Going through a nat helps, being on an unexpected port helps, using a more secure protocol helps, adding fail2ban would help: but nothing is foolproof. Not wanting to scare you, just be aware and be smart. ;-)
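An added example, not part of any post in this thread: a stricter form of the `netstat -an|grep 22` check, which also matches unrelated ports and addresses that merely contain "22". It compares the `Port` lines of an sshd config file with `ss -tln` style listener output; the sample config, the `sftponly` group name and the listener table are constructed for illustration.

```shell
#!/bin/sh
# Global Port directives of an sshd_config-style file, one per line.
# Comment lines are skipped, keywords are case-insensitive, and parsing stops
# at the first Match block, where Port is not a permitted keyword.
config_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }
    ' "$1" | sort -n
}

# TCP ports in LISTEN state, read from `ss -tln` style output on stdin.
# The port is whatever follows the last ':' of the local address column, so
# 0.0.0.0:22 and [::]:22 both give 22 and 192.168.1.80:2222 gives 2222.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -nu
}

# Configured ports that have no listener. $1 = config file, $2 = ss output file.
missing_ports() {
    want=$(config_ports "$1")
    have=$(listening_ports < "$2")
    for p in $want; do
        echo "$have" | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample data: a config with ports 22 and 8122 (sftponly is a
# hypothetical group name) and a host where sshd has not been restarted yet.
cfg=$(mktemp); ss_out=$(mktemp)
cat > "$cfg" <<'EOF'
#Port 22
Port 22
Port 8122
Match Group sftponly
    ForceCommand internal-sftp
EOF
cat > "$ss_out" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      5      192.168.1.80:2222  0.0.0.0:*
EOF
echo "configured:    $(config_ports "$cfg" | tr '\n' ' ')"
echo "not listening: $(missing_ports "$cfg" "$ss_out")"
rm -f "$cfg" "$ss_out"
```

On a live host, feed `missing_ports` the real config path and a file produced by `ss -tln`; an empty result means every configured port has a listener.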
dnsdynamic.com is excellent but had no Linux client the last time I checked, so you have to update it manually.
A quick Google search will bring up articles with different lists. It is such an easy and inexpensive service to offer that several companies offer free services as a benefit for doing business with them. If they are not jerks, you might check with your ISP: they may support such a service for customers.
I have heard that some governments offer such services for 'free', but keep or log all transaction data. This allows them to track you through IP changes, and I have never trusted such services.