Question: Router / Firewall Configuration for FTP Server

ImWolf

Honorable
Mar 18, 2019
196
21
10,615
Windows XP SP3
Quick'n'Easy FTP Server Pro
ActionTec C3000A Router
AVG Antivirus

No joy attempting to set up an FTP Server on my WinXP machine, and I'm not sure where the problem lies.

I have configured TCP/IP to be a static IP on the Local Network Settings.

The Windows Firewall is enabled.
On the Exceptions Tab, Quick'n'Easy FTP Server is listed and checked.
On the Advanced Tab, Local Area Connection is checked, and Settings>Services has FTP Server checked. (Users can access the service).
Under Advanced>Settings>ICMP nothing is checked.

There are no settings found with the AVG antivirus software that jumped out at me.

The default values listed for the server software configuration menu are;
(General) FTP Port = 21
PASV Settings = Get IP from remote server
Port Range = 1024 - 65535

For the router Port Forwarding settings I entered;
Select Device: = Static IP of local machine
Protocol: = TCP
WAN Starting Port: = 21 (also 1024)
WAN Ending Port: = 21 (also 2048)

When I entered the 1024 - 65535 Start/End ports a message said the range was already in use by something I didn't recognize.

I have not rebooted the router between configuration changes, and was not prompted to.

When I try to access the FTP Server from a remote machine it won't connect at all.

(ftp://User:Pass@routerIP:21)

I obviously missed something in all the reading material..... Thanks for any assistance.

Wolf
 

kanewolf

Titan
Moderator
Having a Windows XP box ANYWHERE on the web, especially as a server, is a BAD idea. Why wouldn't you use Linux?
 
Yeah, XP is not secure anymore.

ISP might be blocking port 21 because it's a common port that hacking bots will constantly ping. These hacking bots ping every address on the internet with common ports. If a port pings back, they'll try a dictionary attack of common username and passwords to get into your network. Never use a standard port address. Try using a different port coming in from the WAN and pointing to internal port 21 of your server.

Try using a program like WinSCP to connect to the FTP server.
 
As mentioned by others, you should not even be attempting this. In addition to the other reasons, when you run FTP this way it passes all the login credentials in the clear where someone can capture them. You need to use one of the encrypted FTP options or, better, use some kind of VPN.

You need to first test that you can get to the server via the local LAN IP. When you test from a remote machine, that machine must really be remote. Many routers will not support attempting to connect to the external IP from an internal machine.
 

ImWolf

Just happened to check in here, and odd that I didn't receive any notifications after the first reply to the OP. Apologies if needed.... I’m really not one of those “ship in the night” members.

No surprise to see all the warnings when XP is mentioned…. I get it more often than not when asking advice here. Honestly though…. I don’t care. I’ve been running XP since it came out, still online almost 24/7, never had any issues. I have minimal AVG and Malwarebytes security, and use my wits with scanning and such. I have no money, I’m not a defence contractor or ever have been, I’m a retired machinist with no corporate secrets on my drives, my last name is not Assange, or Marley, or Lennon….. or Kennedy. Basically, I’m not a target. No one should want to waste their time on me…. Which is probably the best online security you can have?

So getting back to the OP, I want to share files with a small group of friends and family. Since I had set up an FTP server 25 or 30 years ago, I thought this would be simple. But now with routers and firewalls things sure have changed. I did a lot of reading, and decided to set up a User with a unique name and password, and with only read privileges. After spending as much time as I have on this already, I’m mostly still interested out of curiosity…. Why isn’t this working?

After ditching the Quick’N’Easy, I put FileZilla Server on one machine, and FZ Client on another. Both of these are XP machines and are on my LAN. (maybe that’s part of the problem?) Both machines have the last version of the software recommended for XP.

Like most folks, my ISP (CenturyLink) is giving me a dynamic IP, but during the testing it did not change. I used that IP as the specified external IP on the server, and as the host when trying to connect with the client. I assigned a static IP on the server machine, and in the router (port forwarding) created exclusions for that IP to use ports 20,21,990,1024 & 1025. After enough time had passed, I also added some exclusions to the Windows Firewall including Program “FilezillaServer.exe”, and the same 5 ports above. In the XP Firewall, you cannot enter a range or excluded ports, but there is a command line process which I only read about and have not tried.

In the FZ Server, I entered 21 as the listening port, and 1024-1025 as the PASV ports.

Eventually, I disabled the Windows Firewall on the server machine, then on both…. No connect.

The AVG Free Antivirus has no firewall, so I didn’t disable that.

Next I researched “Does CenturyLink block ports”. Even the CL site results said YES…. But who knows which?

So then I played with changing the Server listening port. I would assign Port 55 or 462, etc… and then update the router Port Forwarding to 54,55, or 461,462. After doing this several times it became tedious! And with all the OS Firewalls still shut off, the client never connected to the server. During all this testing, the client GUI would report;

“Connected to (external IP)….”
“Connection established… Waiting for Welcome Message”
“Connection Timed Out…..”
“Could not connect to server”

Until I started playing with the Listening Port…. Then it was just;
“Connected to (external IP)(Port)….”
“Connection Timed Out…..”
“Could not connect to server”

So, thanks for reading all this. Please spank me or advise me as you wish…

Wolf
 

USAFRet

Your hardware, as a member of a botfarm, is more of a target than you, the average human.
 
What you might want to try is one of the port scanning sites to see what port is open.

When you test with a machine on the inside to the outside IP address it is a very messy thing and not all routers support it.
So let's say your external IP is x.x.x.x and you have a server on 192.168.1.100 and your test machine on 192.168.1.150.
You have a rule that maps x.x.x.x to 192.168.1.100 on port 22.

What happens is you first get a packet that says
Source IP 192.168.1.150 port ???? destination x.x.x.x port 20.
So as the packet passes from lan to wan it gets translated to
Source IP x.x.x.x port ....(changed from ????) destination x.x.x.x port 20.
At this point you have the source IP and the destination ip the same x.x.x.x
Now if things work correctly the router will now do a second nat incoming.
Source IP x.x.x.x port .... destination 192.168.1.100 port 20.
When the traffic goes back it must be able to reverse this process.

This is a very confusing concept to even do manually. There are 2 ways a router might support it. First, it could have a function called hairpin NAT that knows about this. Even if the router supports it, they tend to not document it. The other way this might work is your router is stupid and sends all traffic to the ISP router even after it translates it. The ISP router might also be dumb/smart and know that the destination IP needs to go back to you. So your traffic travels all the way to the ISP and back. Hard to say if the ISP supports this; some disable this to prevent loops.

In any case you need to test from a machine that is actually on a different internet connection.

BUT be very careful. What used to happen when FTP was more popular was that people would capture the traffic to get the userid and password, since it is sent in the clear. They would then use the server to store their illegal files. At best you get a warning from your ISP that you are sharing copyrighted materials; at worst you get law enforcement confiscating your machines, accusing you of distributing child porn.
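The two NAT steps the post above walks through, as an added example that is not code from the thread: a LAN client sends to its own router's WAN address, the router applies source NAT on the way out, and only a router with hairpin NAT then applies the inbound port-forward rule. All addresses are constructed stand-ins (the FTP rule is on port 21 here), and the reverse path for the server's reply is shown as well.

```python
# Added example, not code from the thread: simulates hairpin NAT for a LAN client
# connecting to its own router's WAN address. All addresses are constructed.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

WAN_IP = "203.0.113.10"                     # stands in for x.x.x.x in the post
SERVER, CLIENT = "192.168.1.100", "192.168.1.150"
FORWARD = {21: (SERVER, 21)}                # port-forward rule: WAN port -> (LAN host, port)

class Router:
    def __init__(self, hairpin_nat: bool):
        self.hairpin_nat = hairpin_nat
        self.snat = {}                      # (lan_src, lan_sport) -> translated WAN source port
        self.next_port = 40000

    def lan_to_server(self, pkt: Packet) -> Optional[Packet]:
        """Packet as the server would see it, or None if the router drops it."""
        key = (pkt.src, pkt.sport)
        self.snat.setdefault(key, self.next_port + len(self.snat))
        out = replace(pkt, src=WAN_IP, sport=self.snat[key])      # step 1: SNAT on the way out
        if out.dst != WAN_IP:
            return out                                              # ordinary outbound traffic
        # Source and destination are now both x.x.x.x. Only a router that implements
        # hairpin NAT applies the inbound port-forward rule to its own outbound packet.
        if not self.hairpin_nat or out.dport not in FORWARD:
            return None
        host, port = FORWARD[out.dport]
        return replace(out, dst=host, dport=port)                   # step 2: DNAT to the server

    def server_to_lan(self, reply: Packet) -> Optional[Packet]:
        """Reverse both translations so the server's reply reaches the original client."""
        wan_ports = [p for p, target in FORWARD.items() if target == (reply.src, reply.sport)]
        for (lan_src, lan_sport), wan_sport in self.snat.items():
            if wan_ports and reply.dport == wan_sport:
                return Packet(WAN_IP, wan_ports[0], lan_src, lan_sport)
        return None

def demo(hairpin_nat: bool) -> Tuple[Optional[Packet], Optional[Packet]]:
    """Client 192.168.1.150 opens x.x.x.x:21; returns (what the server sees, what the client gets back)."""
    router = Router(hairpin_nat)
    seen = router.lan_to_server(Packet(CLIENT, 51000, WAN_IP, 21))
    if seen is None:
        return None, None
    return seen, router.server_to_lan(Packet(seen.dst, seen.dport, seen.src, seen.sport))
```

With hairpin NAT disabled the client's connection attempt is simply dropped, which is the "Connection timed out" pattern when testing from inside the LAN.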
 

ImWolf

Thanks for that... I was unaware of online Port checking sites. Most of the sites I tried didn't seem to report anything intelligible (to me), or they reported almost every port I chose to scan as being closed.

My router does have a Nat options section. The only choices are Enabled/Disabled (with a warning not to Disable.)

The only remote device I have that might be used for testing is an Android phone. Do you think I could disable WiFi and use the browser on the phone to type in an FTP URL to connect to my server?

Wolf
 

ImWolf

You might have to load an app on Android. FTP is considered extremely unsecured....
So what you guys are telling me is that FTP is not a safe way to share files any more even if I install a server on my Linux machine?

Since you're far more experienced with network traffic than I am, please try and answer me this Q:

If I have a server up and running with defined odd-ball ports, and those ports are forwarded in the router, and those ports are also entered as exceptions in my firewall, why would an online port checking service report them as being closed?
 

USAFRet

A lot of this depends on....
Who you wish to share with
What type of files
And Why?
 
The most common reason it does not work, when you have checked that your rules are correct and the server is actually running, is that you do not actually have a public IP address.
Check the IP that you see on your router WAN port and compare it to a site like whatsmyip.
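The check described above, as an added example that is not code from the thread: classify the address the router shows on its WAN port (RFC 1918 private space or the carrier-grade NAT range 100.64.0.0/10 means the ISP is NATing you and your port forwards cannot be reached from the internet) and compare it with the address an external site reports. The addresses in the demo are constructed.

```python
# Added example, not code from the thread. Offline check: is the router's WAN address
# one an ISP hands out behind its own NAT, and does it match what the outside sees?
import ipaddress

# Ranges that can never be reached from the public internet (constructed list, not exhaustive).
NOT_PUBLIC = {
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-grade NAT (RFC 6598)": ["100.64.0.0/10"],
}

def classify_wan(addr: str) -> str:
    """Label the WAN address as 'public' or the name of the non-public range it falls in."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NOT_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def diagnose(router_wan_ip: str, site_reported_ip: str) -> str:
    """Compare the router's WAN address with the one an external what-is-my-IP site shows."""
    kind = classify_wan(router_wan_ip)
    if kind != "public":
        # The ISP's NAT sits in front of your router; inbound port forwards never arrive.
        return f"wan is {kind}; port forwards are unreachable from outside"
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(site_reported_ip):
        return "wan differs from externally observed address; another NAT layer is in the path"
    return "ok: router holds the public address, port forwards can be tested from outside"

if __name__ == "__main__":
    print(diagnose("100.72.3.4", "198.51.100.7"))      # constructed CGNAT case
    print(diagnose("203.0.113.10", "203.0.113.10"))    # constructed good case
```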
 

ImWolf

The goal is to have a repository of some photos, history books in PDF form, along with articles written concerning 20th century history. Also some documentary videos I collected on the subject.

A friend of mine is trying to do this with a social media site in a specific user group, but it's becoming cluttered rapidly and you have to scroll endlessly to find something that had been previously posted. And in the case of a link, that information (video, news article) might have been taken down in the meantime.

So I thought that an FTP server making the information available directly off my HDD would be a much better method to easily find what you're looking for, and negates something being erased off the source site.

There is also software available to create a Web Server, but I've never messed with that and don't know if it's worth the trouble and/or has the same security issues.

Wolf
 

USAFRet

The "problem" is exposing your system and network to the wider internet.
All publicly exposed IP addresses get scanned every day. Looking for a way in.
Your router firewall rightly throws those requests away.
No harm, no foul.

They're not trying to attack "you", but rather any accessible system.
They don't know you....but rather, "let's see what there might be in this system".

But, if you purposely create a hole in that firewall, that is a vulnerability.
Further, this hole leads to an insecure protocol, FTP.
Further, this is hosted on a totally insecure OS, WinXP.

This 'hole' may give an outside attacker direct access to all the other systems in your LAN.

Hosting this at home is a bad idea.

Pay for a webserver somewhere, and let them worry about the security.
 

ImWolf

Obviously, I have much more studying to do before I attempt something like this again. Isn't there a pill or a Borg implant I can acquire to D/L all the info on IPs and ports?
 

ImWolf

Those implants are only available in the Delta Quadrant. You'll need to go back to the academy to learn it the old fashioned way.
Heheh.... probably not a good idea to go there. Here in the Alpha quadrant there are over 3.7 billion public IP addresses, each with up to 65,535 ports, and according to USAFRet these 242.479.500.000.000 ports are being scanned constantly for a way into someone's system.... This must take a lot of time, but I bet those sneaky Borg can do it much faster! I'm staying out of the Delta quadrant!
 

USAFRet

For the short time I had my NAS opened for outside access, it would get access attempts all the time.
A dozen or so a week, from all over the planet. Ohio, Portugal, China, Russia...
All rightfully thrown away, because the default user account is disabled.

But they tried.

This is one of the things botnets and trojans are for.

A bad actor can leverage a small army of compromised systems to do this scanning for him.
When one of them reports back with success of some sort, that's when HE can go into action.
 
