
Topic: Need to get FTP to work properly without putting it on the DMZ.

vane0326

« on: November 10, 2009, 11:58:06 AM »

Hi Everyone,

I just bought a DNS-323 device and I can't get the FTP to work properly.

Right now I have it on a DMZ through my DIR-825 router and it works. BUT I prefer NOT to have it on the DMZ.

This is how I set up the FTP.

Router: DIR-825
Firmware: Current
Virtual Server List: open port 21 point it to dns-323 device

Device: DNS-323
Firmware: 1.08
FTP: Enabled

With the configuration above, FTP does not work. BUT if I put it on the DMZ it works perfectly.

Does anyone know what else I should do?

fordem
« Reply #1 on: November 10, 2009, 12:06:02 PM »

You are most likely using passive ftp and have not configured the forwarding for the data channel.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

krenkey
« Reply #2 on: November 10, 2009, 12:30:29 PM »

Do yourself a favor and use a different port. Common port scanners will search for that port number. You can specify any port you like; pick a higher one and avoid headaches and attacks.

vane0326
« Reply #3 on: November 10, 2009, 12:41:25 PM »

> You are most likely using passive ftp and have not configured the forwarding for the data channel.

I'm sorry, I'm not sure what you are saying. Can you give me instructions on how to do the forwarding for the data channel?

> Do yourself a favor and use a different port. Common port scanners will search for that port number. You can specify any port you like; pick a higher one and avoid headaches and attacks.


I'll try the "Common Port Scanner" and see if that works.


Just to let you know I tried port# 20 and that did not work either. Are there any other functions on my router that might be causing the problem?
« Last Edit: November 10, 2009, 12:46:23 PM by vane0326 »

fordem
« Reply #4 on: November 11, 2009, 03:17:21 AM »

What krenkey is suggesting is that you not use the standard ftp port (21) since this makes it easy for intruders to discover by scanning.

With regard to the passive ftp ...

First - a brief description

Ftp is different to most internet protocols in that it uses two channels of communication, a control channel and a separate data channel - there are essentially two types of ftp...

 - active ftp - where the client establishes the control channel (default port 21) and the server establishes the data channel (default port 20) - active ftp often gives trouble when the client side firewall does not allow the data channel to be established, and this is exacerbated when the control channel is moved to a non standard port.  Active ftp requires port 21 to be forwarded at the server side firewall and also the client side firewall MUST be able to "fixup" the ftp protocol

 - passive ftp - where the client establishes the control channel (default port 21) and also the data channel, based on an address and port number sent by the server - passive ftp requires port forwarding for both the control & data channels at the server side firewall.

BOTH your router AND the DNS-323 will need to be configured for passive ftp, and the settings are interrelated.

In the DNS-323 ftp server page you'll see a section where it allows you to select the port range - either accept the defaults or choose your own range - whatever you set here - must also be forwarded at the router.  At the bottom of that section you'll also see a setting to "Report external IP in passive mode" - you may also need to set that.

I would suggest sticking with the default port 21 initially - at least until you have the passive ftp up & running, and then consider changing it.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

gunrunnerjohn

« Reply #5 on: November 11, 2009, 05:48:20 AM »

FWIW, if your FTP can't stand up to an attack from outside, you have no business exposing it to the Internet in the first place.  Unless it's for very limited use, moving it to a nonstandard port will just make things harder for you to use it.
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

krenkey
« Reply #6 on: November 16, 2009, 06:18:22 PM »

How hard is it to use port 2121 or 21000? Any port other than 21 is your best bet, even under limited ftp use.

fordem
« Reply #7 on: November 16, 2009, 06:55:14 PM »

> How hard is it to use port 2121 or 21000? Any port other than 21 is your best bet, even under limited ftp use.

It's not difficult - however because it's not the default, then every person using the ftp server has to be told what port he/she must connect to - on the other hand, running an ftp server on the default port is also not the security risk that so many people make it out to be.

The primary reason ftp (and telnet) are deemed insecure is the fact that credentials are sent in "clear text"; what few people will tell you is that unless the wannabe hacker can position him/herself at a strategic location, the probability of being able to capture those credentials becomes slim to non-existent - he/she would have to be on either the same LAN as the ftp server, or at the very least within the ISP network that the ftp connection to that server is routed through - and similarly at the ftp client side.  The further you are from the end points, the greater the volume of data you will have to sift through - so unless you have the resources of the NSA (No Such Agency :)), you can pretty much fuggetabadit.

For the record, I have been running an ftp server on port 21, for about seven years without logging a single unauthorized connection attempt - as strange as this may sound, it is true, but I am not going to explain here just what security measures were implemented to achieve that - and I also ran a completely open, anonymous ftp server, on port 21 using a DNS-323 and it took almost two months for it to be discovered.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

mas110
« Reply #8 on: December 29, 2009, 12:04:40 PM »



> In the DNS-323 ftp server page you'll see a section where it allows you to select the port range - either accept the defaults or choose your own range - whatever you set here - must also be forwarded at the router.  At the bottom of that section you'll also see a setting to "Report external IP in passive mode" - you may also need to set that.

Hi Fordem,

I cannot locate anything like what you noted above.  In the web-based configuration for the FTP section, there is only one area to enter one port number.  Nothing about port range or "Report external IP in passive mode".  I am using the latest Firmware (ver. 107).  Am I missing something?  I have a different problem with my FTP server which I believe might have a similar solution to the subject of this thread.

gunrunnerjohn
« Reply #9 on: December 29, 2009, 12:11:01 PM »

> For the record, I have been running an ftp server on port 21, for about seven years without logging a single unauthorized connection attempt - as strange as this may sound, it is true, but I am not going to explain here just what security measures were implemented to achieve that

Well, the fact that you're not willing to share the method makes this statement pretty pointless here, right?
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

fordem
« Reply #10 on: December 29, 2009, 12:23:44 PM »

> Hi Fordem,
>
> I cannot locate anything like what you noted above.  In the web-based configuration for the FTP section, there is only one area to enter one port number.  Nothing about port range or "Report external IP in passive mode".  I am using the latest Firmware (ver. 107).  Am I missing something?  I have a different problem with my FTP server which I believe might have a similar solution to the subject of this thread.


What version of the firmware are you running?
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

mas110
« Reply #11 on: December 29, 2009, 12:28:01 PM »

Ver 1.07

gunrunnerjohn
« Reply #12 on: December 29, 2009, 12:28:16 PM »

> What version of the firmware are you running?

From the quoted part of his post, I'd guess 1.07. :D
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

gunrunnerjohn
« Reply #13 on: December 29, 2009, 12:29:47 PM »

You need to load the 1.08 beta to get the secure FTP.
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

mas110
« Reply #14 on: December 29, 2009, 12:32:34 PM »

Hi, are there lots of problems with the Beta version, or is it pretty stable?  Given that I am new to networking and not a pro at all, I prefer to be on the cautious side.