Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[vane0326]

Hi Everyone,

I just bought DNS-323 device and I can't get the FTP to work properly.

Right now I have it on a DMZ through my DIR-825 router and it works. BUT I prefer NOT to have it on the DMZ.

This is how I setup the FTP.

Router: DIR-825
Firmware: Current
Virtual Server List: open port 21 point it to dns-323 device

Device: DNS-323
Firmware: 1.08
FTP: Enabled

With those configuration above FTP does not work. BUT if I put it on the DMZ it works perfectly.

Does anyone knows what else I should do?

[fordem]

You are most likely using passive ftp and have not configured the forwarding for the data channel.

[krenkey]

do your self a favor and use a different port common port scanners will search for that port number you can specify any port you like pick a higher one and avoid headaches and attacks.

[vane0326]

You are most likely using passive ftp and have not configured the forwarding for the data channel.

I'm sorry I'm not sure what you are saying can you give me instruction how to forwarding for the data channel?

do your self a favor and use a different port common port scanners will search for that port number you can specify any port you like pick a higher one and avoid headaches and attacks.

I'll try the "Common Port Scanner" and see if that works.


Just to let you know I tried port# 20 and that did not work either. Are there any other functions on my router that might be causing the problem?

[fordem]

What krnekey is suggesting is that you not use the standard ftp port (21) since this makes it easy for intruders to discover by scanning..

With regards the passive ftp ...

First - a bried description

Ftp is different to most internet protocols in that it uses two channels of communication, a control channel and a separate data channel - there are essentially two types of ftp...

 - active ftp - where the client establishes the control channel (default port 21) and the server establishes the data channel (default port 20) - active ftp often gives trouble when the client side firewall does not allow the data channel to be established, and this is exacerbated when the control channel is moved to a non standard port.  Active ftp requires port 21 to be fowarded at the server side firewall and also the client side firewall MUST be able to "fixup" the ftp protocol

 - passive ftp - where the client establishes the control channel (default port 21) and also the data channel, based on an address and port number sent by the server - passive ftp requires port forwarding for both the control & data channels at the server side firewall.

BOTH your router AND the DNS-323 will need to be configured for passive ftp, and the settings are interrelated.

In the DNS-323 ftp server page you'll see a section where it allows you to select the port range - either accept the defaults or choose your own range - whatever you set here - must also be forwarded at the router.  At the bottom of that section you'll also see a setting to "Report external IP in passive mode" - you may also need to set that.

I would suggest sticking with the default port 21 initially - at least until you have the passive ftp up & running, and then consider changing it.

[gunrunnerjohn]

FWIW, if your FTP can't stand up to an attack from outside, you have no business exposing it to the Internet in the first place.  Unless it's for very limited use, moving it to a nonstandard port will just make things harder for you to use it.

[krenkey]

how hard is it to use a port 2121 or 21000 any port other that 21 is your best bet even under limited ftp use

[fordem]

how hard is it to use a port 2121 or 21000 any port other that 21 is your best bet even under limited ftp use

It's not difficult - however because it's not the default, then every person using the ftp server has to be told what port he/she must connect to - on the other hand, running an ftp server on the default port is also not the security risk that so many people make it out to be.

The primary reason ftp (and telnet) are deemed insecure is the fact that credentials are sent in "clear text", what few people will tell you, is that unless the wannabe hacker can position him/her self at a strategic location, the probability of being able to capture those credentials becomes slim to non-existent - he/she would have to be on either the same LAN as the ftp server, or at the very least within the ISP network that the ftp connection to that server is routed through - and similarly at the ftp client side.  The further you are from from the end points, the greater the volume of data you will to sift through - so unless you have the resources of the NSA (No Such Agency , you can pretty much fuggetabadit.

For the record, I have been running an ftp server on port 21, for about seven years without logging a single unauthorized connection attempt - as strange as this may sound, it is true, but I am not going to explain here just what security measures were implemented to achieve that - and I also ran a completely open, anonymous ftp server, on port 21 using a DNS-323 and it took almost two months for it to be discovered.

[mas110]

In the DNS-323 ftp server page you'll see a section where it allows you to select the port range - either accept the defaults or choose your own range - whatever you set here - must also be forwarded at the router.  At the bottom of that section you'll also see a setting to "Report external IP in passive mode" - you may also need to set that.

Hi Fordem,

I can not locate anything like what you noted above.  In the web base configuration for FTP section, there is only one area to enter one port number.  Nothing about port range or "Report external IP in passive mode".  I am using the latest Firmwire (ver. 107).  Am I missing something?  I have a different problem with my FTP server which I believe might have similar solution to the subject of this thread.

[gunrunnerjohn]

For the record, I have been running an ftp server on port 21, for about seven years without logging a single unauthorized connection attempt - as strange as this may sound, it is true, but I am not going to explain here just what security measures were implemented to achieve that

Well, the fact that you're not willing to share the method makes this statement pretty pointless here, right?

[fordem]

Hi Fordem,

I can not locate anything like what you noted above.  In the web base configuration for FTP section, there is only one area to enter one port number.  Nothing about port range or "Report external IP in passive mode".  I am using the latest Firmwire (ver. 107).  Am I missing something?  I have a different problem with my FTP server which I believe might have similar solution to the subject of this thread.

What version of the firmware are you running?

[mas110]

Ver 1.07

[gunrunnerjohn]

What version of the firmware are you running?

From the quoted part of his post, I'd guess 1.07.

[gunrunnerjohn]

You need to load the 1.08 beta to get the secure FTP.

[mas110]

Hi,  Are there lots of problem with the Beta version or it is pretty stable.  Given, I am new to the networking and not a pro at all, I preferr to be on the caution side.