With this new feature, you can manage :
- several connection settings
- how clients log into your FTP server (2 login modes available) and an IP filter (black or white IP list)
- some cosmetic settings
- some more settings with an additional file (for advanced users)
- a security extension that protects FTP data and commands using SSL encryption (FTPS or FTPES server)
- an SFTP server (Secure File Transfer Protocol)
A default configuration is available and you can display an FTP Log file.
PS : in the chapter "How to do an internet access for my FTP Server", you will find useful information to set up your Internet Box.
Note : some features of the FTP server menu are useful only with an FTP client (not with an Internet browser or Microsoft Explorer).
You can use these free FTP clients :
...
FireFTP (add-on for Firefox)
Note : some features are affected when you enable "Connection With TLS / SSL protocol". The chapter "Connection with TLS/SSL protocol" details these changes.
FTP Port : configures the TCP port on which the FTP server listens for client commands (default value : 21).
Do not use ports that are already in use or will be used by other services, such as :
20 (FTP data port), 2121, 22, 139, 443, 445, 80, 3689, 8000, 8022, 8001, 8002, 8080, 9000, 9100, 9091, 49152
If you choose one of these ports, your configuration won't be saved.
Passive Ports : restricts the port range used by the server when the client sends a PASV command. This port range is used for data (file) transfers. The option is useful for Internet access to the server (a safety setting), and you can keep the default value (1024-65535).
The passive port range must be chosen between 1024 and 65535. If you choose a port outside this range, the passive ports are reset to the default values.
The number of ports must be higher than the maximum number of clients. If the passive port range is not sufficient, the range is corrected to provide the required number of ports.
Max Client Number : configures the maximum number of authenticated clients that may be logged into your server. Once this limit is reached, additional clients attempting to authenticate are disconnected and a default message is sent to the client : "Sorry, the maximum number of allowed users are already connected (%m)", where %m is the value you set. You can't permit more than 10 clients. The message is displayed only with an FTP client (not with an Internet browser or Microsoft Explorer).
Max Clients Number by Host : configures the maximum number of clients allowed to connect per host. A default message is sent to a client attempting to exceed the maximum value : "Sorry, the maximum number clients (%m) from your host are already connected.", where %m is the value you set. You can't permit more than the max client number. The message is displayed only with an FTP client (not with an Internet browser or Microsoft Explorer).
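As an added example (not the NAS firmware's own code), the following Python models the checks described above for the FTP port, the passive port range and the client limits. The reserved port list and the 1024-65535 bounds come from the text; how the menu widens an insufficient passive range is not stated, so widening the upper bound (and sliding the range down when it reaches 65535) is this example's assumption, as are the function names.

```python
"""Validation of the connection settings: FTP port, passive port range,
max clients and max clients per host.

Added example modelling the rules stated in the help text; it is not the
NAS firmware's code. The way an insufficient passive range is widened is
an assumption of this example."""

# Ports the help text lists as reserved for other services (FTP port field).
RESERVED_FTP_PORTS = {20, 2121, 22, 139, 443, 445, 80, 3689, 8000, 8022,
                      8001, 8002, 8080, 9000, 9100, 9091, 49152}
DEFAULT_PASSIVE_RANGE = (1024, 65535)
MAX_CLIENTS_LIMIT = 10          # "You can't permit more than 10 clients"


def ftp_port_accepted(port: int) -> bool:
    """The configuration is saved only if the port is valid and not reserved."""
    return 1 <= port <= 65535 and port not in RESERVED_FTP_PORTS


def normalize_passive_range(low: int, high: int, max_clients: int):
    """Apply the two passive-range rules: stay within 1024-65535 (otherwise the
    defaults come back) and offer strictly more ports than the client limit."""
    if not (1024 <= low <= high <= 65535):
        low, high = DEFAULT_PASSIVE_RANGE
    needed = max_clients + 1          # strictly more ports than clients
    if high - low + 1 < needed:
        high = low + needed - 1       # assumption: widen upwards first...
        if high > 65535:              # ...and slide down at the top of the range
            high = 65535
            low = high - needed + 1
    return low, high


def client_limits_accepted(max_clients: int, max_per_host: int) -> bool:
    """Global limit capped at 10; the per-host limit may not exceed the global one."""
    return 1 <= max_clients <= MAX_CLIENTS_LIMIT and 1 <= max_per_host <= max_clients


def check_connection_settings(ftp_port, passive_low, passive_high, max_clients, max_per_host):
    """Return (accepted, corrected passive range, list of problems found)."""
    problems = []
    if not ftp_port_accepted(ftp_port):
        problems.append(f"FTP port {ftp_port} is reserved or invalid; settings not saved")
    if not client_limits_accepted(max_clients, max_per_host):
        problems.append("client limits must satisfy 1 <= per-host <= global <= 10")
    corrected = normalize_passive_range(passive_low, passive_high, max_clients)
    if corrected != (passive_low, passive_high):
        problems.append(f"passive range corrected to {corrected[0]}-{corrected[1]}")
    accepted = ftp_port_accepted(ftp_port) and client_limits_accepted(max_clients, max_per_host)
    return accepted, corrected, problems


if __name__ == "__main__":
    # Constructed input: a six-port passive range is too small for 10 clients.
    print(check_connection_settings(21, 50000, 50005, 10, 3))
```

The passive-range correction is the part worth keeping in mind when forwarding ports on the Internet Box: the range the server really uses may be wider than the one typed in the menu.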
Masquerade Address option : you shouldn't need to enable this option unless you have an old router that does not replace the source ("from") address of packets with its own public address (WAN IP). If you enable it, the server masquerades its IP address with your public IP. When you enable it, the FTP Server Name option follows these rules :
Note : when the masquerade option is enabled, only passive mode can be used from a remote host !
To define the access, the FTP server uses 3 categories of users :
- VirtualFTPUser : all users whose Home Directory is a subdirectory of a share
- SambaUser : all users whose Home Directory is a share name, except for the protected public shares
- PublicShareUser : all users created with the same name as a public share, when that share is protected
and you have the choice between 2 modes :
- First mode : all users are jailed in their Home Directory (option "Jail all FtpUsers in their Home Directory" activated)
- Second mode : only the SambaUsers can escape from their Home Directory. All the others are jailed as in the first mode (option "Some FtpUsers can escape if they are allowed to do it" activated)
7 rules are then applied to determine the FTP accesses :
Rule 0 : a user can reach its Home Directory only if FTP access is activated on the mother share !
Rule 1 : in the first login mode, all users are jailed in their Home Directory
Rule 2 : a VirtualFtpUser can never escape from its Home Directory
Rule 3 : a SambaUser can escape from its Home Directory if samba accesses are defined on other shares for this user (only in the second login mode)
Rule 4 : FTP access of public shares is defined as FULL by default
Rule 5 : all SambaUsers can reach all unprotected public shares
Rule 6 : the PublicShareUsers can reach only their own public share (protected in this case)
NB : with Microsoft Internet Explorer or Microsoft Explorer, the client won't be able to leave his Home Directory !
The application of these rules is described in the following table (not reproduced on this page) :
(*) only if the second login mode is activated
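The 7 rules above, encoded in Python as an added example (this is not the NAS's own code). The shares, users and login-mode labels are constructed for the illustration; a VirtualFTPUser is modelled with its mother share as "home", since Rule 0 depends on that share's FTP access.

```python
"""The 7 FTP access rules applied to the three user categories and the two
login modes.

Added example, not the NAS's own code. Share and user records are
constructed for the illustration."""

FIRST_MODE = "Jail all FtpUsers in their Home Directory"
SECOND_MODE = "Some FtpUsers can escape if they are allowed to do it"

# Constructed shares. "ftp" is the share's FTP-access switch; "samba_users"
# lists the users with samba access to the share (Rule 3).
SHARES = {
    "music":  {"public": True,  "protected": False},                      # unprotected public share
    "photos": {"public": True,  "protected": True},                       # protected public share
    "alice":  {"public": False, "protected": False, "ftp": True,  "samba_users": {"alice"}},
    "bob":    {"public": False, "protected": False, "ftp": True,  "samba_users": {"bob", "alice"}},
    "noftp":  {"public": False, "protected": False, "ftp": False, "samba_users": {"carol"}},
}

# Constructed users, one per category (plus a SambaUser whose share has no FTP access).
USERS = {
    "alice":  {"name": "alice",  "category": "SambaUser",       "home": "alice"},
    "carol":  {"name": "carol",  "category": "SambaUser",       "home": "noftp"},
    "vuser":  {"name": "vuser",  "category": "VirtualFTPUser",  "home": "alice"},   # subdirectory of share "alice"
    "photos": {"name": "photos", "category": "PublicShareUser", "home": "photos"},
}


def ftp_enabled(share) -> bool:
    # Rule 4: public shares get FULL FTP access by default.
    return share.get("ftp", share["public"])


def can_reach(user, target: str, shares, login_mode: str) -> bool:
    """Decide whether `user` can reach share `target` under `login_mode`."""
    home = shares[user["home"]]
    if not ftp_enabled(home):                                        # Rule 0
        return False
    if target == user["home"]:                                       # own Home Directory (or the share holding it)
        return True
    if login_mode == FIRST_MODE:                                     # Rule 1
        return False
    if user["category"] in ("VirtualFTPUser", "PublicShareUser"):    # Rules 2 and 6
        return False
    share = shares[target]                                           # from here on: SambaUser, second mode
    if share["public"] and not share["protected"]:                   # Rule 5
        return True
    return user["name"] in share.get("samba_users", set())           # Rule 3


def reachable_shares(user, shares, login_mode: str):
    """Sorted list of the shares the user can reach."""
    return sorted(s for s in shares if can_reach(user, s, shares, login_mode))


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, reachable_shares(user, SHARES, SECOND_MODE))
```

Running it shows the intended effect of each category: in the second mode only "alice" leaves her home (to "bob", where she has samba access, and to the unprotected public share "music"), while "carol" gets nothing at all because her share has FTP access switched off.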
With this option, you define how the server authorizes clients to log into your server.
If you have opened Internet access to your server, this option is very important and useful.
2 choices are available :
- manage a white IP list (option "Allow only") : a client can log into your server only if its host has an IP address matching your filter
- manage a black IP list (option "Deny only") : a client can never log into your server if its host has an IP address matching your filter
IP Filter : string of IP addresses or IP address masks separated by spaces, like : 103.80.123.10 241.12. 80.91.123. 225. (note the "." at the end of each mask)
With this example a host matches the filter if its IP is equal to : 103.80.123.10 ; 241.12.yyy.zzz ; 80.91.123.zzz ; 225.xxx.yyy.zzz
Note 1 : if the "Allow only" option is chosen, the IP filter must contain at least a mask of your network gateway or one address belonging to your local network. If no local address (or mask of your gateway) is found, a default mask is added to your list.
Example : your gateway is 192.168.0.1 and you have entered as filter : "103. 241.12. 80.91.123. 225." ; with this filter no local host could log into the server, so the default mask "192.168.0." is added. The filter must contain at least "192.168.0." or a list of "192.168.0.xxx" addresses.
You can thus authorize a specific list of hosts of your local network.
Note 2 : if the "Deny only" option is chosen, the IP filter must not contain any mask of your network gateway, but a list of IP addresses of your local network is permitted. If masks of your gateway are found, they are erased from your list.
Example : your gateway is 192.168.0.1 and you have entered as filter : "192. 103. 192.168. 192.168.0. 225. 192.168.0.42" ; with this filter no local host could log into the server, so "192.", "192.168." and "192.168.0." are erased but "192.168.0.42" is kept.
You can thus forbid specific hosts of your local network.
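As an added example (not the menu's or ProFTPD's own code), the following Python models the filter matching and the gateway corrections of Notes 1 and 2, using the filter strings and the gateway 192.168.0.1 from the examples above. The function names and the way the stored filter is represented (a list of entries) are assumptions of this example.

```python
"""Model of the "Allow only" / "Deny only" IP filter, including the gateway
corrections of Notes 1 and 2.

Added example, not the NAS's own code. The matching rule follows the text:
an entry ending in "." is a prefix mask, anything else is a full address."""

ALLOW_ONLY = "Allow only"
DENY_ONLY = "Deny only"


def parse_filter(filter_string: str) -> list:
    """Split the space-separated filter field into entries."""
    return filter_string.split()


def is_mask(entry: str) -> bool:
    return entry.endswith(".")


def host_matches(ip: str, entries) -> bool:
    """A host matches a mask when its address starts with it (the trailing "."
    stops "241.12." from also matching 241.120.x.x) and a full entry when equal."""
    return any(ip.startswith(e) if is_mask(e) else ip == e for e in entries)


def gateway_masks(gateway: str) -> set:
    """Every mask covering the gateway: 192.168.0.1 -> {"192.", "192.168.", "192.168.0."}."""
    parts = gateway.split(".")
    return {".".join(parts[:n]) + "." for n in range(1, 4)}


def local_mask(gateway: str) -> str:
    """The default mask the menu adds: 192.168.0.1 -> "192.168.0."."""
    return gateway.rsplit(".", 1)[0] + "."


def normalize_filter(mode: str, filter_string: str, gateway: str) -> list:
    """Return the filter as the menu keeps it after its gateway checks."""
    entries = parse_filter(filter_string)
    lan = local_mask(gateway)
    if mode == ALLOW_ONLY:
        # Note 1: keep a way in for the LAN; add the default mask if none exists.
        covers_lan = any(e in gateway_masks(gateway) or (not is_mask(e) and e.startswith(lan))
                         for e in entries)
        if not covers_lan:
            entries.append(lan)
    elif mode == DENY_ONLY:
        # Note 2: masks covering the gateway would lock out the whole LAN and are
        # erased; individual local addresses (e.g. 192.168.0.42) are kept.
        entries = [e for e in entries if e not in gateway_masks(gateway)]
    else:
        raise ValueError(f"unknown login mode: {mode}")
    return entries


def is_allowed(mode: str, ip: str, entries) -> bool:
    """Allow only: log in only if matching; Deny only: never log in if matching."""
    matched = host_matches(ip, entries)
    return matched if mode == ALLOW_ONLY else not matched


if __name__ == "__main__":
    # The two examples from the notes above (constructed input).
    allow = normalize_filter(ALLOW_ONLY, "103. 241.12. 80.91.123. 225.", "192.168.0.1")
    deny = normalize_filter(DENY_ONLY, "192. 103. 192.168. 192.168.0. 225. 192.168.0.42", "192.168.0.1")
    print(allow, deny)
```

The trailing "." is what makes a mask safe: "241.12." without it would also let 241.120.x.x through, which is the kind of over-broad entry worth checking for when adjusting the filter from the log file.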
Note 3 : if you have opened Internet access to your server, it is common to see 2 or 3 hacking / DoS attempts per week. You can see them in the FTP Log file as many attempts to log into your server with a user name such as "admin". Do not panic ! The IP filter is there to counter these attacks : the attacker can no longer even attempt to log into your server, and you will read the following message in the FTP Log file : "Connection from xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] denied" (xxx.xxx.xxx.xxx is the attacker's IP).
It is advised :
- In a first step, the reliable method is to choose the "Allow only" option : by default any Internet connection is denied.
- Ask your friends to try to connect with the user name that you sent to them. They won't be able to connect to the server, and several messages will be recorded in the FTP Log file.
- According to their IP addresses, modify your filter with sufficient masks (not too restrictive ! There is a good chance that their addresses change with time) and regularly check your FTP Log file to adjust your filter.
Note 4 : if you want no restriction on Internet access, you have to select "Deny only" as login mode and keep the IP filter field empty. I strongly advise changing the FTP port with such settings. If you keep the default port, the FTP server is exposed to DoS and brute-force attacks !
FTP Server Name : configures the string displayed to a user connecting to the server.
This option is not of great utility, but it makes it possible to hide the default name of the server, so an attacker has more difficulty discovering security bugs.
The characters "< > ?" are not authorized and are erased if found.
The server name is displayed only with an FTP client (not with an Internet browser or Microsoft Explorer).
Important : this option has a specific behavior if you enable the Masquerade Address option.
Hide/Show the file's real owner : can be used to hide the true owners of files in a directory listing (if you choose the "hide" option, all files appear as owned by user 'ftp'), so a client can't discover other possible login names.
Hide/Show symbolic links : configures whether symlinks are shown in directory listings.
Be careful : all users are "chrooted" either in their Home Directory or in the parent folder of the shares (usually /share/1000). So all symlinks with an absolute path will not work. Only symlinks with a path built relative to the chroot can work. In practice, symlinks can be used only by SambaUsers (same chroot) :
Indeed, if you create the symlink using the command line "ln -s /sharename1/subdir /sharename2/link1", the symlink "link1" will work if "sambaUser2" can read or write in the share "sharename1".
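What "absolute path" means under the chroot, shown in Python as an added example (not the NAS's own code): the file layout and the function names are constructed for the illustration, while the chroot locations follow the text (SambaUsers under /share/1000, VirtualFTPUsers in their own home).

```python
"""How a symlink target resolves inside the FTP server's chroot.

Added example, not the NAS's own code. The set of existing real paths is
constructed for the illustration."""
import posixpath

# Constructed real filesystem layout (set of existing real paths).
REAL_PATHS = {
    "/share/1000/sharename1/subdir",
    "/share/1000/sharename2",
    "/share/1000/sharename2/home1",
}


def resolve_in_chroot(chroot: str, link_path: str, target: str) -> str:
    """Return the real path a process chrooted at `chroot` opens when it follows
    the symlink at `link_path` (a real path) whose stored target is `target`."""
    if target.startswith("/"):
        # Absolute target: "/" means the chroot root, not the real root.
        virtual = posixpath.normpath(target)
    else:
        # Relative target: relative to the link's directory as seen inside the chroot.
        link_dir_in_chroot = "/" + posixpath.relpath(posixpath.dirname(link_path), chroot)
        virtual = posixpath.normpath(posixpath.join(link_dir_in_chroot, target))
    # normpath never climbs above "/", so ".." cannot leave the chroot.
    return posixpath.normpath(chroot + virtual)


def symlink_works(chroot: str, link_path: str, target: str, real_paths=REAL_PATHS) -> bool:
    """The link only works if what it resolves to actually exists inside the chroot."""
    return resolve_in_chroot(chroot, link_path, target) in real_paths


if __name__ == "__main__":
    # The example from the text: ln -s /sharename1/subdir /sharename2/link1, followed by a SambaUser.
    print(resolve_in_chroot("/share/1000", "/share/1000/sharename2/link1", "/sharename1/subdir"))
```

The same link target gives a different real path for each chroot, which is why a link that works for a SambaUser is dead for a VirtualFTPUser jailed in a subdirectory, and why a target written with the real /share/1000/... prefix is doubled and never found.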
Welcome message : after authentication, a message is sent to the FTP client. You can customize this message. Use the magic cookie "%u", which is replaced with the username specified by the client during login.
The welcome message is displayed only with an FTP client (not with an Internet browser or Microsoft Explorer).
Enter the full path of the additional settings file : "/sharename/subdir/.../name.ext". This option allows you to include another configuration file within the current configuration file.
This option must only be used by advanced users.
Many directives can lead to a fatal error, and the FTP server won't be able to start (see the ProFTPD site). Several directives can't be used in the "server", "global" or "virtualhost" contexts because they are already declared in the current configuration file.
For example : you can't use a directive "<directory /share/1000/sharename>" in the "server" context because one already exists for each share, but you can do that for subdirectories.
When you click on the "Default Settings" button, the FTP menu offers you a default configuration. Click on the "Accept" button to change the current configuration.
It is a classic configuration which authorizes only the computers of your local network to log into the FTP server ; all clients are jailed in their Home Directory. It can't be used with Internet access.
VII - Connection with TLS/SSL protocol
When you select "Connect with TLS / SSL protocol", some additional controls are displayed and 3 FTP servers are available.
Three servers :
- The first is the standard FTP server, without securing the transferred data. It is accessible only from your LAN with the following FTP address :
ftp://your-nas-name:ftpport (passive and active mode)
- The second is an FTPES server using the TLS/SSL security protocol. It is accessible with the following FTP address :
ftp://your-DDNS:ftpesport
(passive and active mode from a remote host ; from your local network, passive mode only)
DDNS : your domain name declared in a Dynamic DNS service
PS : from your local network, this server is also available with the following address :
ftp://Your-NAS-Name:ftpesport (active mode only)
Clients must use a TLS explicit connection (not an implicit connection).
- Since version 15.1, the last is an FTPS server using an implicit connection, as some FTP clients don't support the explicit connection.
With this last server, when a client tries to connect, the login name is not encrypted, only the password. If the connection succeeds, the data exchange is of course also encrypted.
The additional controls are :
- a button to edit the SSL certificate used by the server
- a textbox for the FTPES server port
- a textbox for the FTPS server port
- a checkbox to allow only connections using TLS/SSL encryption
Features affected when you select "Connect with TLS / SSL protocol" :
FTP Server Name : must contain the domain name of your FTP server (i.e. the name you have registered beforehand in a dynamic DNS service).
When you enter the server name, the menu displays (on the right side) whether a certificate with the name of the server is available or not. Click on "Edit TLS/SSL Certificat" to change the certificate if needed.
Note 1 (versions above 12) : if you have enabled the DDNS, the server name is by default the one set in the host name field (LAN Setup menu). The field is then disabled.
Note 2 : before updating, the text is converted to lowercase and a validity test on the domain name is made :
If the input value is not a valid domain name, the default name "ftp-YourNASName.com" is used by the update.
If you have a valid name, the script tries to find the Internet IP address associated with the server name. If no IP address is found (e.g. you have not yet registered it in a DDNS service), an alert is displayed and the TLS server is disabled !
You should then enter a correct server name again for proper operation of the FTPES server.
FTP Port : before updating, a validity test on the FTP port is made. If the FTP port is identical to the FTPES or SFTP server port, the new configuration won't be saved.
FTPES Port : do not use ports that are already in use or will be used by other services, such as :
20, 21, 22, 139, 443, 445, 80, 3689, 8000, 8001, 8002, 8022, 8080, 9000, 9100, 9091, 49152
If you choose one of these ports, the value you entered is changed to 2121. You can choose 21 as value, but you then have to change the FTP port if it uses this value.
You must set your Internet Box with this port (and not the FTP port).
TLS/SSL connection required : if you enable this option, clients are required to connect with a secure SSL connection. No connection without transfer encryption is permitted.
Keep in mind that some clients won't be able to connect if they are behind a dynamic firewall and their administrator doesn't allow this type of exchange.
IP Filter : the filter input is used without modification for the FTPS server. If local IP addresses are present, they are used by the FTP server.
Validity testing remains unchanged for the 2 servers.
SFTP refers to "Secure File Transfer Protocol" and is not related to FTP in any way. SFTP is based on the SSH2 protocol, which uses binary encoding of messages over a secure channel. Unlike FTP, SSH2 uses only a single TCP connection and multiplexes multiple transfers or "channels" over that single connection. For this reason, many sites prefer SFTP to FTPES for secure transfer of data.
When you enable the SFTP server, two additional controls are displayed :
- a textbox for the SFTP server port
- a textarea for the banner message displayed when the user gets access
SFTP Port : do not use ports that are already in use or will be used by other services, such as :
21, 2121, 20 (FTP data port), 22, 139, 443, 445, 80, 3689, 8000, 8001, 8002, 8080, 9000, 9100, 9091, 49152
If you choose one of these ports, your configuration won't be saved.
Banner message : this is an optional field. You can keep it empty.
Note : if the sftp client used by the user doesn't support this feature, no banner message is displayed.
Features affected when you enable the SFTP server :
FTP Port : before updating, a validity test on the FTP port is made. If the FTP port is identical to the FTPS or SFTP server port, the default ports are used by the update : FTP : 21, FTPES : 2121 and SFTP : 8022
Option not supported by the SFTP server :
Hide/Show symbolic links : all symlinks are displayed
Note : depending on the sftp client used, access to the server may fail ! SFTP clients tested : Psftp (putty sftp), Filezilla, FireFTP, WinScp, CoreFtp LE, BitKinex
When the FTP server is enabled, all authentication attempts and the opened (/closed) sessions are recorded in a system FTP Log file. Click on the header tab "FTP Log File" to show the log file (more information in the FTP_Log_help page).
When the size of the FTP Log is higher than 500 Ko, an alert message is displayed in the Current System Status field.
When the size of the FTP Log is higher than 1 Mo, an alert message is displayed when the FTP menu opens, and the file is erased when you click on the "Accept" button to validate the new values.
X - How to do an internet access for my FTP Server
Many posts by people who try to configure their Internet Box to allow Internet access to their FTP server can be found on the web.
The information is often incomplete and sometimes totally false !
You will find below the main things to know when you wish to have an Internet connection.
FTP protocol : it is a TCP-based service exclusively (no UDP component !) and it uses two ports, a 'data' port (20 = cmdport - 1) and a 'command' port (21), but depending on the mode the data port isn't always port 20.
Two connection modes are available :
Active mode | Passive mode
The client initiates the connection : it connects from any unprivileged port to the FTP server's command port (21). The server then opens the data connection to the client, and file exchanges use this last connection. | The client initiates all connections : it connects from any unprivileged port to the FTP server's command port (21). If the client is authorized to log into the FTP server, the client initiates the data connection from any port to an unprivileged port specified by the server (NB : in your passive ports range).
You understand why it is necessary to configure the client computer's firewall to authorize the server to create the data connection if you use the active mode, and nothing needs to be done if you use the passive mode (the client initiates all the connections).
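To check what a server actually advertises for its data connection, the following added Python example (not the NAS's or ProFTPD's own code) parses the passive-mode reply and builds the active-mode PORT command in the formats RFC 959 defines (port = p1*256 + p2); the sample reply, the addresses and the passive range are constructed for the illustration.

```python
"""Checking the data-connection endpoints of the two FTP modes.

Added example, not the NAS's or ProFTPD's code. The 227 reply and PORT
command formats follow RFC 959; sample values are constructed."""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (advertised IP, data port).
    In passive mode the client opens the data connection to this endpoint."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range in passive-mode reply")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client tells the server where to connect back
    ('PORT h1,h2,h3,h4,p1,p2'); the server then connects from its data port."""
    if not 0 < client_port <= 65535:
        raise ValueError("invalid client port")
    return "PORT " + ",".join(client_ip.split(".") + [str(client_port // 256), str(client_port % 256)])


def pasv_in_range(reply: str, low: int, high: int) -> bool:
    """True if the server picked a data port inside the passive range that is
    forwarded on the Internet Box (the FTP_PASV rule)."""
    _, port = parse_pasv_reply(reply)
    return low <= port <= high


def advertises_expected_address(reply: str, expected_ip: str) -> bool:
    """With the Masquerade Address option, the 227 reply must carry the public IP;
    otherwise a remote client would try to reach the NAS's private address."""
    ip, _ = parse_pasv_reply(reply)
    return ip == expected_ip


def active_data_port(command_port: int) -> int:
    """Active mode: the server's data port is the command port minus one (20 for 21)."""
    return command_port - 1


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,0,42,195,80)"   # constructed sample reply
    print(parse_pasv_reply(reply), pasv_in_range(reply, 50000, 50100))
```

A 227 reply whose port falls outside the forwarded range, or whose address is the NAS's private 192.168.x.yyy when seen from the Internet, is the usual reason a remote client authenticates fine and then hangs on the first directory listing.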
The Internet Box automatically redirects all incoming connections if the IP addresses are local, and you have nothing to do ; but for an Internet connection you must configure the Box router :
Service | Protocol | Standard settings : external port | Standard settings : internal port | Custom settings : external port | Custom settings : internal port | Server NAS IP
FTP | TCP | 21 | 21 | your ftpport or ftpsport | your ftpport or ftpsport | 192.168.x.yyy
FTP_DATA | TCP | 20 | 20 | your ftpport - 1 or ftpsport - 1 | your ftpport - 1 or ftpsport - 1 | 192.168.x.yyy
FTP_PASV | TCP | Port1-Port2 | Port1-Port2 | Port1-Port2 | Port1-Port2 | 192.168.x.yyy
where Port1-Port2 is the passive ports range entered in the FTP menu, 192.168.x.yyy the NAS address and 192.168.x.1 your network gateway.
Usually, the Box firewall authorizes any outgoing port and filters incoming ports except those which are forwarded, so nothing needs to be done on the firewall.
You understand now why it is important not to forward all ports 1024-65535 from the Box (you would have to allow many possibly dangerous ports in your firewall rules !)
But with the passive ports range option, you can restrict the range to a limited number of ports.
The passive mode is useful only if clients connect from a computer located behind a proxy (HTTP - FTP) server, for example from a company network (active mode always fails there).
If your settings are correct, you can connect to your server from your workplace !!!
The NAS IP is a local address and can't be used for an Internet connection, and the Box Internet address changes after each restart.
So you must use a Dynamic DNS service (which allows you to create a hostname that points to your Box IP address) ; all Internet Boxes have this setting and you can use several free services like dyndns.org or no-ip.com
NB : you can't test your FTP server connection from your local network. You can use a site like net2ftp.com or ftptest.net to check whether your settings are correct.