01-04-2010, 03:55 AM
|
#1
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Rep:
|
Connecting to FTP Server from outside the firewall
I wanted to set up a secure FTP server with proftpd so I can put some large files on the web for my pops. Here is my problem, I use a clearwire modem that won't allow you to change any of the settings but appears to have some pre-set firewalling capabilities. I also have a linksys wireless router connected to the modem. That firewall has all the port forwarding settings ready to go, and there hasn't been an issue with anything else, so here it goes.
I have a properly configured secure FTP setup with proftpd and the client app I'm using is Filezilla. I know it is configured right because I was able to use the FTP server via my LAN. Maybe my logic is wrong, but I was connecting to the FTP server at its IP on the LAN of 192.168.1.5:21. If I wanted my pops to connect from out of state I would give him the IP the internet sees when I surf the web, right? Looks something like this 68.44.22.113. I should tell him to configure Filezilla to connect to 68.44.22.113:21. If my logic is wrong, please let me know, because when I try to do this I get an error that says connection refused by host. Can anyone shed any light on this issue for me? Thanks in advance
add1kt
|
|
|
01-04-2010, 10:51 AM
|
#2
|
Senior Member
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137
Rep: 
|
Quote:
Originally Posted by addux
I wanted to set up a secure FTP server with proftpd so I can put some large files on the web for my pops. Here is my problem, I use a clearwire modem that won't allow you to change any of the settings but appears to have some pre-set firewalling capabilities. I also have a linksys wireless router connected to the modem. That firewall has all the port forwarding settings ready to go, and there hasn't been an issue with anything else, so here it goes.
I have a properly configured secure FTP setup with proftpd and the client app I'm using is Filezilla. I know it is configured right because I was able to use the FTP server via my LAN. Maybe my logic is wrong, but I was connecting to the FTP server at its IP on the LAN of 192.168.1.5:21. If I wanted my pops to connect from out of state I would give him the IP the internet sees when I surf the web, right? Looks something like this 68.44.22.113. I should tell him to configure Filezilla to connect to 68.44.22.113:21. If my logic is wrong, please let me know, because when I try to do this I get an error that says connection refused by host. Can anyone shed any light on this issue for me? Thanks in advance
add1kt
|
Check the internal (192.168.1.5) FTP server logs to see if the connections are reaching this box and that the FTP server is running.
If no logs are being generated upon FTP attempts and the FTP server is confirmed running, then the problem could be the modem/router.
|
|
|
01-04-2010, 04:29 PM
|
#3
|
Member
Registered: May 2006
Location: Arizona...where its unreasonably hot.
Distribution: Slackware
Posts: 34
Rep:
|
ISP
Keep in mind also that many ISPs block common server ports...to "help protect you from viruses" until you pay more for their business tier. You may have more success using nonstandard ports.
|
|
|
01-10-2010, 08:11 PM
|
#4
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
I'm still as confused as ever with this, perhaps I have my proftpd.conf misconfigured to allow outside connections? I don't know if that is even possible. I tried a simple experiment to see if I could hit my computer's firewall through my modem via Shields Up. I tried a few different ports, some opened some closed and they all came through my modem's firewall to my computer. I suppose here it is worth noting that I have configured my LAN IP (192.168.2.2) with DMZ settings (effectively bypassing my modem's firewall, right?) Shields Up used my WAN IP of 68.44.22.113. Perhaps I am going about this wrong but here is how I try to connect to my FTP server (non secure of course) via firefox:
Assuming my WAN IP is 68.44.22.113 and the port I have configured with proftp is 60100, I type in the address bar
ftp://68.44.22.113:60100
and firefox says:
Failed to Connect
Firefox can't establish a connection to the server at 68.44.22.113:60100
Though the site seems valid, the browser was unable to establish a connection.
* Could the site be temporarily unavailable? Try again later.
* Are you unable to browse other sites? Check the computer's network connection.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.
Is this the correct way to use FTP with Firefox?
Filezilla doesn't work either with this address, giving the simple error:
Error: Could not connect to server
I get no hits on my firewall (failed or accepted) with either attempt.
I also attached my proftpd.conf to maybe further someone else in helping me.
Thanks again
add1kt
|
|
|
01-10-2010, 08:36 PM
|
#5
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
And it all comes down to this from the clearwire website:
A "static IP address" is an address that is permanently assigned to your computer or router every time you connect to the Internet. You need a static IP address if you plan to use remote management software like PC Anywhere, Remote Management, Terminal Server or If you are going to setup a mail or FTP server. Some VPN connections require a static IP.
The cost $10 per address
Now I'm a newb when it comes to this but is there any way around this?
|
|
|
01-11-2010, 02:46 AM
|
#6
|
Senior Member
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137
Rep: 
|
Quote:
Originally Posted by addux
And it all comes down to this from the clearwire website:
A "static IP address" is an address that is permanently assigned to your computer or router every time you connect to the Internet. You need a static IP address if you plan to use remote management software like PC Anywhere, Remote Management, Terminal Server or If you are going to setup a mail or FTP server. Some VPN connections require a static IP.
The cost $10 per address
Now I'm a newb when it comes to this but is there any way around this?
|
Easier if you narrow the problem down to where it might be.
Can you see the port listening and accepting connections locally?
If yes, can you see the port listening remotely? (Test with netcat or nmap.)
Try ftp from the command line and see how that works. I am not certain you are using the correct syntax. Is it anonymous FTP or with user details?
|
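The narrowing-down described in post #6, as an added Python example that is not part of the thread: it distinguishes an actively refused connection from silently dropped packets, reads the FTP greeting when the port is open, and maps results from three vantage points to a layer. The function names and the localhost stand-in listener are constructed for illustration.

```python
import socket
import threading

def probe(host, port, timeout=3.0):
    """One TCP connect to an FTP control port; returns (state, banner or error text)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", None    # actively rejected: something answered, nothing accepted
    except socket.timeout:
        return "filtered", None   # no answer at all: packets dropped on the path
    except OSError as exc:
        return "error", str(exc)  # no route, bad hostname, ...
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""           # port open but the daemon stayed silent
    return "open", banner

def locate_fault(local, lan, wan):
    """Map probe states from the server, a LAN peer and an outside host to a layer."""
    if local != "open":
        return "server: daemon not running or not listening on this port"
    if lan != "open":
        return "host firewall: port not reachable from other machines"
    if wan == "refused":
        return "upstream: a device rejects the port (missing or wrong forward rule)"
    if wan == "filtered":
        return "upstream: modem firewall or ISP silently drops the traffic"
    if wan == "open":
        return "control channel reachable end to end"
    return "inconclusive: " + wan

def start_fake_ftp(banner=b"220 ProFTPD Server ready.\r\n"):
    """Constructed stand-in for the FTP daemon: greets one client on localhost."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_ftp()
    print(probe("127.0.0.1", port))            # stand-in for the probe run on the server
    print(locate_fault("open", "open", "filtered"))
```

The WAN probe has to be run from a machine outside the network; connecting to the public IP from inside the LAN only works if the router supports NAT loopback, so a failure there proves nothing.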
|
|
01-11-2010, 02:55 AM
|
#7
|
LQ 5k Club
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529
|
Quote:
Assuming my WAN IP is 68.44.22.113 and the port I have configured with proftp is 60100, I type in the address bar
|
Is port 60100 open on the router?
Is port 60100 forwarded to your server, and does the firewall accept connections on port 60100?
|
|
|
01-12-2010, 10:39 PM
|
#8
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
My computer's firewall is set up correctly, I know this because I have tested it from another computer from within the LAN. The server has also been confirmed operational from within the LAN. But when I try to access it from the internet it fails. To make things simpler I am plugged into only the modem (which has a firewall), set up the local IP assigned by the modem as a DMZ, and it still fails.
I'm thoroughly confused and am about to give up. Nevertheless thanks for the advice.
Last edited by addux; 01-13-2010 at 12:49 AM.
|
|
|
03-27-2010, 02:43 AM
|
#9
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
Still failing miserably. Can anyone please help me?
|
|
|
06-27-2010, 06:15 AM
|
#10
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
sorry
Last edited by addux; 06-27-2010 at 06:21 AM.
|
|
|
06-28-2010, 05:50 AM
|
#11
|
Member
Registered: Mar 2010
Location: INDIA (chennai)
Distribution: centos
Posts: 271
Rep:
|
Hi,
Have you opened the port numbers 20 and 21 in your modem?
|
|
|
06-29-2010, 03:28 AM
|
#12
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
No, I have placed my IP in the DMZ of the router. This is easily noted by my software firewall getting pinged by scans all day long. When I'm not in DMZ I see almost no scans get to my firewall. Interestingly I see port scans that make it to my software firewall, but I am unable to use filezilla to access my open ftp port.
|
|
|
07-04-2010, 01:58 PM
|
#13
|
Member
Registered: May 2006
Location: Arizona...where its unreasonably hot.
Distribution: Slackware
Posts: 34
Rep:
|
Hi addux,
I'm surprised this thread is still alive, it's crazy that you've been putting up with this problem for so long.
So, in the original post you indicated that you had set up a "secure FTP server", which would lead me to believe that you are performing FTP over SSH. This would mean you need to connect with SFTP protocol or use something like SCP from a windows client. It may or may not be the case, but I think it might be important to clarify which you're using: SFTP or FTP.
Looks like you had mentioned at one point using a nonstandard port, which I think is good because I still suspect your ISP is most likely blocking inbound standard FTP ports. Most will block FTP, HTTP, etc.
As for placing it in the DMZ and using a software firewall on the box, I personally think having a device upstream of your box block ports that shouldn't get in is better, but that's me.
I think probably the best way to do this would be:
1) Set up DynDNS on your server. (see free hosting sites like dyndns.org or similar, use inadyn daemon or other)
2) Take the server out of the DMZ
3) Set up SSH on the server.
4) Create a userID on the server for your pop, put xyz files in his home directory.
5) Set up port forwarding for SSH on your firewall/router to point to your server.
6) Have your pops install WinSCP (free) on his box and connect in using your dyndns hostname.
This works in that DynDNS will provide a single hostname for your server, regardless of the IP periodically changing. Have inadyn perform updates daily, hourly whatever. Then, when your pops connects in from WinSCP it's going to be secure connection rather than sending his username and password to your server in clear text across the public internet. Should work no problem.
Alternatively, if your father is anything like mine and installing new software on his client machine doesn't quite fit his fancy...you'd have to stick with the FTP solution. In this case, I'd still recommend setting up dyndns. I did so years ago and it has made life much easier.
1) Set up DynDNS on your server. (see free hosting sites like dyndns.org or similar, use inadyn daemon or other)
2) Take the server out of the DMZ
3) Configure proftpd to listen on your desired alternate port(s) (60100).
4) Set up port forwarding for FTP alternate ports on your firewall/router to point to your server.
5) Have your pops connect to your server via something like "ftp://pops@whatever.host.name:60100"
If he's not terribly tech oriented, craft the link for him, email it to him and just have him click on it, then punch in his password. Keep in mind though that FTP does send the login credentials in plain text. Also, when you're configuring the alternate ports, you may want to double check that you are changing both 20 and 21 to some alternate values rather than just changing one of them and having the other stay the same...effectively having the connection blocked by the ISP. Meaning, even if you moved 21 to 60100, if 20 was still 20 nothing would ever reach it.
Good luck addux, I hope this at least helps to inspire possible solutions!
|
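A check on the data-channel side of the alternate-port FTP setup in post #13, as an added Python example that is not part of the thread: in passive mode the server's 227 reply names the address and port the client must open next, and behind a NAT router both have to be reachable from outside. The replies and the forwarded port range below are constructed; `control_host` is assumed to be an IP literal.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError("no address tuple in reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port is sent as high byte, low byte

def check_data_channel(reply, control_host, forwarded_ports):
    """List reasons the data connection fails for a client outside the NAT."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip.is_private and not ipaddress.ip_address(control_host).is_private:
        problems.append("server advertises LAN address %s, unreachable from outside" % ip)
    if port not in forwarded_ports:
        problems.append("data port %d is not forwarded by the router" % port)
    return problems

if __name__ == "__main__":
    forwarded = range(60101, 60111)      # hypothetical passive range forwarded on the router
    samples = [                          # constructed replies, not captured traffic
        "227 Entering Passive Mode (192,168,1,5,234,197).",
        "227 Entering Passive Mode (68,44,22,113,195,80).",
        "227 Entering Passive Mode (68,44,22,113,234,197).",
    ]
    for reply in samples:
        print(parse_pasv(reply), check_data_channel(reply, "68.44.22.113", forwarded))
```

In ProFTPD the advertised address and the passive port range are set with the `MasqueradeAddress` and `PassivePorts` directives.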
|
|
04-02-2011, 09:17 AM
|
#14
|
Member
Registered: Dec 2006
Location: In the middle of the ocean.
Distribution: Ubuntu 12.04, Debian Squeeze, Windows 7
Posts: 67
Original Poster
Rep:
|
illiadum
These are some great suggestions for the future, and thank you. My last update will be this...
I was able to set up my FTP server when I shifted ISPs from ClearWire to Time Warner. It is more evident that even with my non standard port, port forwarding set up, and my server/firewall configuration unchanged, that CrapWire blocks any ftp protocol. I am still a networking novice so maybe this isn't possible or prudent, but this has to be. At one point the only change I made was shifting modems (they are both right next to me) and the server was accessible when using Time Warner and clearly (no pun intended) not when using ClearWire.
So I think the only thing I can conclude is they must block any incoming FTP protocol request on certain networks, not just the standard ports.
This link covers most of the same frustrations I have had with ClearWire. Read and BEWARE:
http://www.dslreports.com/comment/2879/56024
|
|
|