FileZilla FTP Server with TLS

Hello guys

Today we will see how to set up FileZilla FTP Server with TLS. There are many documents explaining it; however, as usual, I am going one step ahead to explain a few elements that most of those posts miss.

Once installed (accept the defaults, letting FileZilla run as a Windows service) you can start configuring it for PASSIVE mode transfers and TLS.

As you can see, the installation sets port 21 as the default listening port for FTP. If you choose to, you can change it to any available port; usually you don’t have to.

If your FTP server/desktop machine has multiple IP addresses, you may assign a particular IP to the FTP Server under “IP Bindings”.

Leaving it to default will not hurt you, usually.

Setting up Passive Mode can be a bit tricky, especially when you are going to let users from the internet access your FTP server. Let us consider that you have a router that is the gateway for all the computers in your network, so any communication leaving your network passes through this router. This is called a NAT network. Getting an FTP server to respond to a request from the internet can be quite confusing for someone who doesn’t understand NAT properly (I don’t, all the time).

Usually such a requirement is handled by having the router forward the requests it receives to the server or computer hosting the FTP or other service.

Here, for FileZilla, the router should forward port 21 to the server hosting the FTP server, so that the communication and transfer can happen. So basically, your router should have an entry like the one below. In the given example, the FTP server software is installed on a computer that has the STATIC IP address 192.168.1.200, hence the entry below. Please make sure that all your computers/servers that host services have STATIC IP addresses.

Please note, depending on the manufacturer, the Applications & Gaming tab will be labelled differently. You need to check the router manual to find out where exactly “Single Port Forwarding” is located. If you are lucky enough, you may be able to pick FTP from an available dropdown list, like the one I have. Otherwise, just create an entry like the one you can see in this image for FTP.

Now you need to configure the ports for Passive mode, which most modern FTP clients will try to use for the transfer. I believe that, without configuring passive mode, FileZilla FTP Server fails to establish connections.

Here you can see that I am using a custom port range for Passive mode. Most people who have successfully configured FileZilla recommend using a port range between 50000 and 51000. You can try a range like 50000-50100, or one like mine, which is approximately 1000 ports.

The next couple of points are vital for users from the internet. I have a static IP address from my ISP, hence for the External IP address field I can use it safely. However, this may not be the case for most home users, as ISPs provide them with dynamic IP addresses that change at a pre-planned interval. So http://www.noip.com is your friend, and I suggest you create a ddns.net hostname for yourself before proceeding. You can use their client software to keep your host’s IP address updated against the ddns.net hostname. You can then use your hostname, e.g. johwick3.ddns.net, in place of the external IP address.

OR

You can try the “Retrieve external IP address from” option as well. I cannot guarantee the success rate.

The other important setting on this page is “Don’t use External IP for local connections”. Do not uncheck this box if your FTP server has an external IP configured and you expect both local and external users to access the server.

Once set, you need to open the range of ports on your router. This time you need to access the “Port range forwarding” page and create an entry like the one seen below.
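The passive-mode settings above (external address, port range, and “Don’t use External IP for local connections”) are exactly what a client sees in the server’s PASV reply, so they can be checked instead of guessed. The following Python script is an added example, not part of the original post or of FileZilla: it parses a PASV reply, flags a private address or a data port outside the forwarded range, and can probe a live server over explicit TLS. The external address 203.0.113.10, the range 50000-51000, the host name and the credentials are assumed sample values; the CA file is assumed to be the server certificate FileZilla generated, saved on its own in PEM form.

```python
"""Check a FileZilla server's passive-mode (PASV) reply against the NAT setup.
Added example, not from the original post or the FileZilla project. The
external address 203.0.113.10, the 50000-51000 range, host names and
credentials are assumed sample values."""
import ipaddress
import re
import ssl
from ftplib import FTP_TLS

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, expected_ip, port_range=(50000, 51000), from_internet=True):
    """List what is wrong with a PASV reply; an empty list means a client at the
    given vantage point can open the data connection through the router."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ip != expected_ip:
        problems.append("advertised %s, expected %s" % (ip, expected_ip))
    addr = ipaddress.ip_address(ip)
    if from_internet and any(addr in net for net in RFC1918):
        # The server handed out its LAN address: the External IP field is empty
        # or wrong, so internet clients would try to connect to 192.168.x.x.
        problems.append("advertised %s is a private (RFC 1918) address; internet clients cannot reach it" % ip)
    lo, hi = port_range
    if not lo <= port <= hi:
        # The router only forwards the configured range; anything else is dropped.
        problems.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems


def probe(host, user, password, expected_ip, cafile, port_range=(50000, 51000), from_internet=True):
    """Live check (needs the server): explicit TLS on port 21, then one PASV.
    cafile (assumption) is the server certificate FileZilla generated, saved
    alone as PEM, so the self-signed certificate is pinned rather than blindly
    trusted; pinning the exact certificate is what replaces the hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED against the pinned cert
    with FTP_TLS(context=ctx) as ftps:
        ftps.connect(host, 21)
        ftps.login(user, password)  # ftplib sends AUTH TLS before the password
        ftps.prot_p()               # encrypt the data channel as well
        reply = ftps.sendcmd("PASV")
    return reply, check_pasv(reply, expected_ip, port_range, from_internet)
```

Run `probe()` from outside the NAT with `expected_ip` set to the external address (or what the ddns.net name resolves to), and again from a machine on the LAN with `expected_ip="192.168.1.200"` and `from_internet=False` to confirm that the “Don’t use External IP for local connections” box is doing its job; both calls should return an empty problem list.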

This completes the initial settings for the FTP server. Let us configure TLS in the next step. This involves creating a self-signed certificate and secret key (the secret key is not mandatory). Luckily, FileZilla has the built-in ability to create a self-signed certificate for you!

Once you are on the FTP over TLS settings page, you can use the “Generate new certificate” button to bring this window up. Fill in the correct information and generate the certificate; FileZilla will automatically set up the certificate for you. “Save key and certificate to this file:” should be chosen wisely: your certificate is accessed from this location, so make sure that you generate the certificate in a location/folder that is not prone to accidental deletion.

Now we will create a new user and set up a few details for testing.

In the above step, I have created a user with read-only privileges and assigned access to a single directory. As long as you want your users NOT to upload files to your FTP server, this setup is sufficient for a normal user. Please refer to the FileZilla documentation for in-depth knowledge about creating groups and users.

Finally, we will configure Windows Firewall in order to establish the connection. Please note, I am against disabling the firewall and other security suites that are installed/configured in any environment, except for testing. You must NOT disable them permanently. If your browsing and other internet activities are limited to reputed websites and services, I can assure you that you don’t need a commercial product to protect your Windows box; the built-in Defender suite does a wonderful job of protecting your computer. Follow the images below to create an inbound rule for the FTP traffic on the very server/computer on which you have installed FileZilla FTP Server.

Please note, there is no need to open port 990, which is used for TLS. Unfortunately, while I was trying everything, I included the port in my setup. You only need to allow TCP port 21 and the range 50000-51000 (or the port range that you prefer to use).

That’s all it takes for the setup. We can try to connect to our FTP server now!

Download and install the FileZilla FTP client or one of the other FTP clients available (you may not succeed in connecting to the FTP server using the Windows built-in command-line FTP, as it doesn’t support TLS).

As you can see from the quick connect area, I have connected to the FTP server from both the local network and the internet, and both attempts were successful.

I hope this post helps if you are desperately looking for FileZilla FTP Server setup guidelines.

regards,

rajesh


Local DNS Server using DD-WRT | Buffalo Routers

A local DNS will help a developer access and test applications across the local network without having to worry about hostnames (especially on mobile devices, where updating hosts files may force one to root the devices).

This time we will see how a local DNS can be set up using relatively cheap WiFi routers running DD-WRT firmware.

I am using a Buffalo router that acts as a WIFI access point at my home.


Make sure you are running the latest available firmware for the device to ensure maximum stability. Once the firmware has been updated to the latest, click on Services and you will land on the Services page. Setting up the local DNS is most effective when all your “Computers” have static IP allocation (as seen in the image below).


Don’t worry about the lease time parameters; as long as your computers have static IP addresses, these entries work as ‘A’ records, letting you access the computers by name instead of by IP address.

Set Used Domain to “LAN & WAN” and provide a meaningful name for “LAN Domain”. This name will be appended to your hostnames when you run simple commands like ping. For example, when I ping “rajesh-pc” from the command prompt, “rajesh-pc.my.home” will be generated automatically if you set the “expand-hosts” parameter in Additional DNSMasq Options (check the image below).


Save the settings and apply. You are all set to start using the local DNS server. Whenever you have a new host, access the Services page and create a static host entry (one time), and the new device is accessible by name instead of by IP address.
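DD-WRT’s Services page is a front end for dnsmasq: each Static Lease row becomes a `dhcp-host=` line, the LAN Domain becomes `domain=`, and the Additional DNSMasq Options box is appended to dnsmasq.conf, which is where `expand-hosts` goes. The script below is an added example, not from the post or the DD-WRT project: it validates a host table (bad MACs, addresses outside the LAN, duplicate MACs or names that would silently hand out the wrong address) and emits the equivalent dnsmasq fragment. The MAC addresses, the 192.168.11.0/24 subnet, the host names and the `my.home` domain are constructed sample values.

```python
"""Build and sanity-check the dnsmasq settings behind DD-WRT's local DNS:
static leases for each computer, the LAN domain and expand-hosts. Added
example, not from the post or the DD-WRT project; MACs, subnet, host names
and the 'my.home' domain below are constructed sample values."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # RFC 1123 label

# Constructed sample: the rows you would type into DD-WRT's Static Leases table.
HOSTS = [
    ("00:11:22:33:44:01", "192.168.11.10", "rajesh-pc"),
    ("00:11:22:33:44:02", "192.168.11.11", "build-server"),
    ("00:11:22:33:44:03", "192.168.11.20", "android-test"),
]


def find_problems(hosts, lan="192.168.11.0/24"):
    """Return human-readable problems: bad MAC/IP/name, IP outside the LAN,
    or duplicates (a duplicate MAC or name silently gives the wrong address)."""
    net = ipaddress.ip_network(lan)
    problems, seen = [], {"MAC": set(), "IP": set(), "name": set()}
    for mac, ip, name in hosts:
        if not MAC_RE.match(mac):
            problems.append("bad MAC %s" % mac)
        try:
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                problems.append("IP %s not in %s" % (ip, lan))
            elif addr in (net.network_address, net.broadcast_address):
                problems.append("IP %s is the network/broadcast address" % ip)
        except ValueError:
            problems.append("bad IP %s" % ip)
        if not HOST_RE.match(name):
            problems.append("bad hostname %s" % name)
        for kind, value in (("MAC", mac.lower()), ("IP", ip), ("name", name.lower())):
            if value in seen[kind]:
                problems.append("duplicate %s %s" % (kind, value))
            seen[kind].add(value)
    return problems


def dnsmasq_fragment(hosts, domain="my.home", lan="192.168.11.0/24"):
    """dnsmasq.conf lines equivalent to the DD-WRT settings in the post. On
    DD-WRT the GUI already emits domain= and dhcp-host= from 'LAN Domain' and
    'Static Leases'; only the option lines go into 'Additional DNSMasq Options'."""
    problems = find_problems(hosts, lan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "domain=%s" % domain,   # the 'LAN Domain' field
        "expand-hosts",         # rajesh-pc -> rajesh-pc.my.home, so both names resolve
        "local=/%s/" % domain,  # answer *.my.home locally, never ask the ISP resolver
        "domain-needed",        # don't forward bare names like 'rajesh-pc' upstream either
    ]
    for mac, ip, name in hosts:
        lines.append("dhcp-host=%s,%s,%s" % (mac, ip, name))  # one static lease per row
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dnsmasq_fragment(HOSTS), end="")
```

`local=/my.home/` and `domain-needed` are worth adding to the Additional DNSMasq Options box alongside `expand-hosts`: without them a typo in a local name, or a device that asks for a bare name the router does not know, gets forwarded to the ISP’s resolver, which leaks your internal host names and slows the lookup down.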


Regards,


Batch file for FTP

Hi guys

We’ve a legacy application for our Bahrain operations and after a disastrous hardware failure we wanted to find a cost effective method to bring the database dumps to Kuwait for regular health checks.

Options in front of us were pretty limited. The business in Bahrain only had a basic internet connection (dial-up DSL) without a static IP address, hence we were forced to work out something that is dependable. Finally, after realizing that the total size of the compressed dump file was less than 100MB, we decided to FTP the dump file in compressed form every Friday, once the dump export had completed.

Here is the script file we’ve compiled after referring to a number of blogs and tech forum threads. Please note, the method we implement here uses passwords stored in clear text, so make sure that you take maximum care when implementing our solution in your environment.

[code language="text" gutter="false"]
::http://blogs.msdn.com/b/oldnewthing/archive/2012/08/01/10334557.aspx
@echo off
SETLOCAL
::Get the latest dump file name, generated using the exp command (newest first, stop after the first match)
for /f "tokens=*" %%a in ('dir *.dmp /o:-d /b') do set NEWEST=%%a&& goto :next

:next
REM echo The most recently created file is %NEWEST%
::http://stackoverflow.com/questions/15567809/batch-extract-path-and-filename-from-a-variable
FOR %%i IN ("%NEWEST%") DO (
REM ECHO filedrive=%%~di
REM ECHO filepath=%%~pi
SET ZIPNAME=%%~ni
REM ECHO fileextension=%%~xi
)

SET ZIPNAME=%ZIPNAME%.zip
::Creating ZIP file using Java Runtime
::Dump files could be huge and take hours to transfer in full size. So we will use the Java RunTime executable to create a zip file which
::will be smaller in size
::Make sure you have a JRE installed and the installation path is set in the environment variables; if not, call the JRE using the full path
::eg: C:\java\jre
echo Creating Zip file for transfer, filename "%ZIPNAME%"
::We will create the zip file without meta-info, hence the M switch is used
::jar -cfM %ZIPNAME% %NEWEST%
::Another option is to go with 7-Zip, a 3rd party utility that can create zip/7z files
::7z a %ZIPNAME% %NEWEST%
::Or using a command-line zip.exe (e.g. Info-ZIP) on the PATH; Windows has no built-in zip command
zip %ZIPNAME% %NEWEST%
::You can use an IP address or fully qualified domain name for the FTP server
::If the FQDN is not registered, you can add an entry to your hosts file
::FTP accepts parameter files (ftp -s:parameterfile), so we create the parameter file during the run
::Please note, the parameter file created is permanent and in clear text format, hence make sure that adequate security measures are practiced
::to avoid getting sensitive details exposed.
echo open ftpservername(FQDN/IP)>ftp.txt
echo username>>ftp.txt
echo password>>ftp.txt
echo binary>>ftp.txt
echo put %ZIPNAME%>>ftp.txt
echo disconnect>>ftp.txt
echo quit>>ftp.txt

REM echo put filename2.dat >>ftp.txt
REM echo put filename3.dat >>ftp.txt
REM echo put filename4.dat >>ftp.txt
::We referred to the following thread for making the batch file
::Google search keywords: pass parameter to ftp script
::http://stackoverflow.com/questions/5170627/is-it-possible-to-pass-a-variable-into-a-windows-ftp-script-file

ftp -s:ftp.txt
::Delete the zip file after the transfer completes
del %ZIPNAME%

::Optionally close the command window when done
::exit
[/code]

and the resulting ftp.txt usually looks like this:

[code language="text" gutter="false"]
open ftp.myserver.com
username
password
binary
put exp_10032017.zip
disconnect
quit
[/code]
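The two weak points the batch file itself warns about are the clear-text password left in ftp.txt and the fact that Windows ftp.exe sends everything, password included, unencrypted (it cannot do TLS, as the FileZilla post above notes). The following Python script is an added example, not from the post: it does the same weekly job (find the newest dump, zip it, upload, delete the zip) but takes the credentials from environment variables set by the scheduled task, never writes them to disk, and uploads over explicit FTPS with PROT P. The server name ftp.myserver.com, the environment variable names and the dump file names are assumed sample values.

```python
"""Weekly dump transfer, rewritten so no password touches the disk and the
upload is protected with explicit TLS. Added example, not from the post; the
server name, environment variable names and file names are assumptions."""
import os
import ssl
import sys
import tempfile
import zipfile
from ftplib import FTP_TLS
from pathlib import Path


def newest_dump(folder, pattern="*.dmp"):
    """Equivalent of 'dir *.dmp /o:-d /b' + goto :next: the most recently modified dump."""
    files = sorted(Path(folder).glob(pattern), key=lambda p: p.stat().st_mtime, reverse=True)
    if not files:
        raise FileNotFoundError("no %s in %s" % (pattern, folder))
    return files[0]


def make_zip(dump):
    """Compress the dump beside itself (exp_10032017.dmp -> exp_10032017.zip) with DEFLATE."""
    dump = Path(dump)
    out = dump.with_suffix(".zip")
    with zipfile.ZipFile(out, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(dump, arcname=dump.name)
    return out


def upload(zip_path, host, user, password, cafile=None):
    """Upload with explicit FTPS (AUTH TLS on port 21, then PROT P for the data
    channel), which the Windows ftp.exe used by the batch file cannot do.
    cafile: the FileZilla server's certificate as PEM if it is self-signed."""
    ctx = ssl.create_default_context(cafile=cafile)
    with FTP_TLS(context=ctx) as ftps:
        ftps.connect(host, 21)
        ftps.login(user, password)
        ftps.prot_p()
        with open(zip_path, "rb") as fh:
            ftps.storbinary("STOR %s" % Path(zip_path).name, fh)
    return True


def main(folder="."):
    # Credentials come from the environment (set by the scheduled task), never from a file.
    user = os.environ["DUMP_FTP_USER"]
    password = os.environ["DUMP_FTP_PASS"]
    host = os.environ.get("DUMP_FTP_HOST", "ftp.myserver.com")  # assumed server name
    zp = make_zip(newest_dump(folder))
    try:
        upload(zp, host, user, password, cafile=os.environ.get("DUMP_FTP_CA"))
    finally:
        zp.unlink()  # the batch file's 'del %ZIPNAME%', even when the upload fails


def sample_folder():
    """Constructed sample input: two dump files, the second one newer."""
    folder = Path(tempfile.mkdtemp(prefix="dumps_"))
    for name, stamp in (("exp_03032017.dmp", 1488499200), ("exp_10032017.dmp", 1489104000)):
        p = folder / name
        p.write_bytes(b"DUMP " * 2000)  # 10 kB of highly compressible bytes
        os.utime(p, (stamp, stamp))
    return folder


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Schedule it with Task Scheduler as the user that owns the dump folder and set `DUMP_FTP_USER`/`DUMP_FTP_PASS` in that task’s environment (or in the account’s user variables) rather than in the script; the password is then readable only by that account, and nothing like ftp.txt is left behind for a later backup or copy to pick up.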

regards,

rajesh

D-link routers affected by DNS hijacking

D-link is a trusted, cost-effective router solution for homes and small offices, especially in regions where cable internet is still an unreachable reality. Recently I changed my home DSL router from a Linksys X1000 to a DSL-2750U (India-specific) and was pretty happy to see that the device stood robust, without a single hang-up after being online for weeks. Further, the firmware of the device provided many more tweaks compared to the Linksys X1000.

However, about a month and a half back, I noticed that my internet connection (4MBPS DSL) started getting a lot slower, with websites unreachable due to DNS timeouts.

To my utter surprise, I found that the DNS settings on the router had been changed to a DNS server from Saudi Arabia (primary) and the Google DNS server 8.8.8.8 as secondary. I changed the DNS to static and fed in the KEMS Zajil corporate DNS server entries, and found that, sometimes within a day and other times after a couple of days, the router was once again back to the “automatically” changed DNS server entries. This made me google DNS hijacking specific to D-link routers, and here is what I came across

I contacted D-link support; instead of replying to my query, they forwarded me a link to download a firmware (patched? new?), which I thought should be the one with the fix. I had no troubles for almost 3 weeks. Then once again I started experiencing no internet at all, or host not found errors! This time I knew exactly where to look, and I found my router with compromised DNS entries.

DNS Entries

Obviously, this particular router firmware comes with TR-069 disabled. I am not at all sure whether it is being exploited. Anyway, this time I didn’t bother to contact D-link and download another “firmware”; instead I quickly dusted off my old Linksys X1000 router and configured it as a modem/router only, thus limiting the load on the device, which used to hang frequently when used as a modem router + DHCP server + WiFi access point combo.

So far so good. I keep checking the status page of the router to make sure that the DNS entries are not manipulated by the ISP for some reason, or hijacked by…

So if you feel your DSL connection has gone slow, or you are constantly getting DNS timeout errors, cross-check your D-link router’s DNS entries page.
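Checking the router’s status page by hand works, but the same symptom can be caught automatically on any Windows client whenever the router hands its upstream resolvers to clients over DHCP: the DNS servers in `ipconfig /all` will suddenly include an address nobody configured. The script below is an added example, not from the post: it parses `ipconfig /all` output, collects the DNS servers per adapter, and reports every server that is not on an allow-list (your router’s LAN address or your ISP’s or corporate resolvers). The sample output, the host name and the address 203.0.113.53 standing in for the unknown primary server are constructed; 8.8.8.8 is the secondary the post describes.

```python
"""Detect unexpected DNS servers on a Windows client, the symptom of the
router DNS hijack in the post when the router passes its upstream resolvers
to clients via DHCP. Added example, not from the post; the sample ipconfig
output and the allow-list addresses are constructed."""
import re
import subprocess

# Constructed sample of 'ipconfig /all' output: one adapter, two DNS servers,
# the first of which nobody configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : rajesh-pc

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : my.home
   IPv4 Address. . . . . . . . . . . : 192.168.1.200(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")   # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: (.*)$")       # "   Label . . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")            # indented continuation (extra server)


def parse_dns_servers(text):
    """Map adapter name -> list of DNS servers from ipconfig /all output."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            continue
        m = FIELD_RE.match(line)
        if m:
            # Any new labelled field ends the DNS Servers block.
            in_dns = m.group(1).strip().startswith("DNS Servers")
            if in_dns and adapter:
                servers.setdefault(adapter, []).append(m.group(2).strip())
            continue
        m = CONT_RE.match(line)
        if m and in_dns and adapter:
            servers[adapter].append(m.group(1))  # second, third... server
    return servers


def unexpected_servers(text, allowed):
    """Return [(adapter, server)] for every DNS server not on the allow-list."""
    allowed = set(allowed)
    return [(adapter, s) for adapter, lst in parse_dns_servers(text).items()
            for s in lst if s not in allowed]


def live_check(allowed):
    """Run ipconfig /all on this Windows box and report strangers (needs Windows)."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    return unexpected_servers(out, allowed)


if __name__ == "__main__":
    for adapter, server in unexpected_servers(SAMPLE_IPCONFIG, ["192.168.1.1"]):
        print("%s: unexpected DNS server %s" % (adapter, server))
```

Put the router’s LAN address (and your ISP’s or corporate resolvers, if you set them statically as the post does) in the allow-list and run `live_check()` from a scheduled task; a non-empty result is the moment to look at the router. The caveat: if the router proxies DNS instead of handing out its upstream servers, every client only ever sees 192.168.1.1 and this check stays quiet, which is why the router’s own status page remains the place to look.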

Regards,

for windows7bugs

rajesh