LinuxQuestions.org
Old 06-29-2016, 04:01 AM   #1
Shubham Dingar
LQ Newbie
 
Registered: Jun 2016
Location: India
Distribution: Redhat Enterprise Linux, Centos, Ubuntu
Posts: 6

Rep: Reputation: Disabled
How to make local FTP Linux server accessible globally


Is there any way to make my local FTP Linux server accessible outside my home network? I used ngrok, but that didn't work. I am using Redhat Linux 7.
 
Old 06-29-2016, 06:07 AM   #2
wpeckham
Senior Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 1,653

Rep: Reputation: 569
Yes, but you really do not want to do that. FTP is an inherently insecure protocol and a serious vulnerability. Anyone who can sniff the data stream can strip off accounts and passwords at will.

My best advice, set up a limited number of accounts with limited rights and resources and only allow those to connect to sftp (OpenSSH file transfer) on a non-standard port (example 8122) in addition to the normal port 22 standard. Put a bypass into your firewall so that port is forwarded to your sftp server on that port.

If you have a fixed IP address externally, you are done. If you have a dynamic address, register with one of the dyndns services that forward a name to your external, and run an update client in your network somewhere to update the dyndns service when your external address changes.

Now anyone outside your network can address your sftp server from the wild using your dyndns name and port 8122.
Inside your network you will do better using the local name or ip address, and the standard port.

This is terribly easy the second time. Getting it the first time can take some research and 'fiddling' with things. I hope that this helps.

Last edited by wpeckham; 06-29-2016 at 06:08 AM.
 
Old 06-30-2016, 07:40 AM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
Great advice above.

In addition, if you are going to open your system to the world, you really(!) need to read the Stickies in the Security Forum (just the relevant bits to start with).
 
Old 06-30-2016, 10:28 PM   #4
wpeckham
Senior Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 1,653

Rep: Reputation: 569
Quote:
Originally Posted by chrism01 View Post
Great advice above.

In addition, if you are going to open your system to the world, you really(!) need to read the Stickies in the Security Forum (just the relevant bits to start with).
Excellent suggestion! If you decide NOT to do all that reading (better if you DO), then you might want to at least install something like fail2ban and configure it to monitor your connections. It can trigger IP based blocking upon some configurable number of failed login attempts. A dictionary attack trying to guess or discover your passwords will generate enough failures to block an attacker. It does not stop the bad guys, but it does make you look like a difficult enough target to make them go elsewhere.

Trust me, once you open to the internet you WILL become a target. I have seen servers start taking hits within the first 5 minutes, before we even had the name in DNS.

Last edited by wpeckham; 07-01-2016 at 06:54 AM. Reason: Fixing typo, thank you chrism01
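
The failure counting described in the post above, as an added example that is not fail2ban's own code: it counts failed password lines per source address in constructed sshd log lines and lists the addresses at or above a threshold. It leaves out fail2ban's time window and the ban action; the log lines and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not fail2ban code. Constructed sshd syslog lines; the
# addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
sample_log() {
cat <<'EOF'
Jul  1 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  1 03:10:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jul  1 03:10:05 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40134 ssh2
Jul  1 03:10:09 host sshd[2107]: Accepted publickey for alice from 198.51.100.20 port 50992 ssh2
Jul  1 03:10:20 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jul  1 03:10:22 host sshd[2112]: Failed password for invalid user x from 198.51.100.99 from 203.0.113.7 port 40140 ssh2
EOF
}

# offenders THRESHOLD < logfile
# Prints "address count" for every source with at least THRESHOLD failures.
offenders() {
    awk -v max="$1" '
        # Read the address from the END of the line: "from <ip> port <n> ssh2".
        # The user name is supplied by the client and may contain spaces or
        # the word "from" (last sample line), so the first "from" on the
        # line is not a reliable anchor.
        / sshd\[[0-9]+\]: Failed password for / && NF >= 5 &&
        $(NF-4) == "from" && $(NF-2) == "port" && $NF == "ssh2" {
            fails[$(NF-3)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}
```

Run as `offenders 3 < /var/log/secure` on RHEL/CentOS; a single mistyped password from a legitimate user (198.51.100.20 in the sample) stays below the threshold.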
 
Old 07-01-2016, 03:59 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
.. and because it's important, I'm going to pick up wpeckham's typo there; the actual tool name is fail2ban.
http://www.fail2ban.org/wiki/index.php/Main_Page
(Sorry mate)

You also really need to understand the basics of iptables (imho).

HTH
 
Old 07-01-2016, 03:52 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,374

Rep: Reputation: 2198
Hello and welcome to LQ.

Why didn't it work? Ports? ISP issue? Router issue? DNS or DDNS issue?

A lot of places use FTP still. If you want free access then it is a useful way to share files. Your ftp server or http server also might be considered. Not much of a speed difference anymore between ftp and http access usually.

Could consider something like barracudadrive also for https access. Might not be as secure as ssh. ssh is subject to a number of attacks so you will have to harden it. Most web pages suggest not using a password and moving to either two party authentication or self signed certificates.
 
Old 07-02-2016, 01:18 AM   #7
Shubham Dingar
LQ Newbie
 
Registered: Jun 2016
Location: India
Distribution: Redhat Enterprise Linux, Centos, Ubuntu
Posts: 6

Original Poster
Rep: Reputation: Disabled
Unable to understand Port Forwarding

@wpeckham: Thanks for the reply and very sorry for replying so late, I am actually not so good at port forwarding thing. I forwarded port 8122/tcp to 22/tcp on an IP 192.168.1.80 (my localhost). But I didn't get what you said afterwards. I have a static IP and my public IP that is shown on the internet is my router's IP (so every system connected to this very router will get the same IP).
Quote:
If you have a fixed IP address externally
I don't actually get it sir.
 
Old 07-02-2016, 01:21 AM   #8
Shubham Dingar
LQ Newbie
 
Registered: Jun 2016
Location: India
Distribution: Redhat Enterprise Linux, Centos, Ubuntu
Posts: 6

Original Poster
Rep: Reputation: Disabled
@chrism01: Thank you very much for the suggestion. I will go through the Security Forum as well
 
Old 07-02-2016, 01:27 AM   #9
Shubham Dingar
LQ Newbie
 
Registered: Jun 2016
Location: India
Distribution: Redhat Enterprise Linux, Centos, Ubuntu
Posts: 6

Original Poster
Rep: Reputation: Disabled
@jefro: It didn't work because ngrok doesn't work well with FTP. I mailed them regarding the issue and they replied to me saying this. Although it works well with SFTP :\
 
Old 07-02-2016, 10:02 AM   #10
wpeckham
Senior Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 1,653

Rep: Reputation: 569
Quote:
Originally Posted by Shubham Dingar View Post
@wpeckham: Thanks for the reply and very sorry for replying so late, I am actually not so good at port forwarding thing. I forwarded port 8122/tcp to 22/tcp on an IP 192.168.1.80 (my localhost). But I didn't get what you said afterwards. I have a static IP and my public IP that is shown on the internet is my router's IP (so every system connected to this very router will get the same IP). I don't actually get it sir.
In the /etc/ssh (or /etc/openssh depending upon versions and distribution) you find the conf files for ssh. The sshd_conf file has the port setting for the listener, usually commented out so that the default applies. Uncomment it and add another so you have two entries:
Code:
Port 22
Port 8122
(working from memory here, so check the file and the man pages) then in your firewall forward 8022 to your server (192.168.1.80) at port 8122. Then do a restart on sshd to pick up the change.

You should now be able to run
Code:
netstat -an|grep 22
and see listen on ports 22 and 8122. When external to your network, you should be able to ssh (or sftp) to your external address on port 8122 and find the traffic expected from hitting an ssh listener.

BTW: unsecured ssh is still a lot more secure than ftp. That said, security is all about layers of protection and precaution so that one vulnerability is not enough to lose the ranch. Going through a nat helps, being on an unexpected port helps, using a more secure protocol helps, adding fail2ban would help: but nothing is foolproof. Not wanting to scare you, just be aware and be smart. ;-)

Last edited by wpeckham; 07-02-2016 at 10:03 AM.
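
The setup from posts #2 and #10 written out, as an added example rather than anything posted in the thread: the lines for sshd's config file (/etc/ssh/sshd_config on a stock install) with both Port entries and an SFTP-only group, a parser that confirms which ports the file requests, and the RHEL 7 steps that go with a non-standard port (SELinux port label, firewalld). The group name sftponly, the /srv/sftp chroot base and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. "sftponly" and /srv/sftp are
# hypothetical names; ports 22 and 8122 are the ones used in the post.

# Lines to append at the END of /etc/ssh/sshd_config. Port is a global
# setting and a Match block runs to the next Match or end of file, so the
# Match block must come last.
render_sshd_fragment() {
cat <<'EOF'
Port 22
Port 8122
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Print the ports a config file tells sshd to listen on. Keywords are
# case-insensitive, "Port 22" and "Port=22" both parse, comment lines are
# skipped, and scanning stops at the first Match block.
configured_ports() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($0) ~ /^match[ \t]/ { exit }
        tolower($0) ~ /^port[ \t=]/ {
            p = $0
            sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            if (p ~ /^[0-9]+$/) print p
        }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Root-only steps for RHEL/CentOS 7 with a stock sshd_config (no active
# Match block yet). Defined for reference; nothing here runs on its own.
apply_on_rhel7() {
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    render_sshd_fragment >> /etc/ssh/sshd_config
    semanage port -a -t ssh_port_t -p tcp 8122    # SELinux: allow sshd on 8122
    firewall-cmd --permanent --add-port=8122/tcp  # host firewall (firewalld)
    firewall-cmd --reload
    sshd -t && systemctl restart sshd             # restart only if it parses
    ss -tln | grep -E ':(22|8122) '               # expect both listeners
}
```

Each ChrootDirectory target must be owned by root and not writable by group or others, or sshd refuses the session. The router forward to 192.168.1.80 port 8122 is configured separately on the router itself.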
 
Old 07-08-2016, 04:07 AM   #11
Shubham Dingar
LQ Newbie
 
Registered: Jun 2016
Location: India
Distribution: Redhat Enterprise Linux, Centos, Ubuntu
Posts: 6

Original Poster
Rep: Reputation: Disabled
@wpeckham: dyndns is not free. Is there any alternative to it? I want to use only open source tools and services.
 
Old 07-08-2016, 07:14 AM   #12
wpeckham
Senior Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 1,653

Rep: Reputation: 569
no-ip.com
dynu.com
dnsdynamic.com is excellent but had no linux client the last time I checked, so you have to update it manually.
Duckdns.com
Afraid.com

A quick google search will bring up articles with different lists. It is such an easy and inexpensive service to offer that several companies offer free services as a benefit for doing business with them. If they are not jerks, you might check with your ISP: they may support such a service for customers.

I have heard that some governments offer such services for 'free', but keep or log all transaction data. This allows them to track you through IP changes, and I have never trusted such services.

Last edited by wpeckham; 07-08-2016 at 07:16 AM.
 
  

