Wednesday, June 08, 2011

Hosting vsftpd (FTPS) server behind Astaro Security Gateway

At work we're moving from an internal Microsoft Windows hardware file server to an Ubuntu 10.04 LTS virtual server housed in the University data center. To provide secure remote access to our shared files I've set up a vsftpd 2.2.2 FTP server that requires SSL for both login and data transfer. This server lives "behind" an Astaro Security Gateway for protection.

I had some trouble with this setup initially: I could make a connection from outside on port 21, but I wasn't able to set up the data connection successfully to list directories and perform transfers.

After much searching, peppered with plenty of trial and error, I finally got this setup configured correctly. Here is how I did it.

Server setup

  • Ubuntu 10.04 LTS server
  • vsftpd 2.2.2
  • Self-signed SSL certificate

Generate a self-signed certificate valid for 5 years with a 2048-bit RSA key (the private key and the certificate are written to the same PEM file):

    sudo openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem

Install the vsftpd server if you haven’t already:

    sudo apt-get install vsftpd

Edit the vsftpd configuration file:

    sudo nano /etc/vsftpd.conf

Add the following lines at the end of the configuration file. The key point is that you define the port range vsftpd will use for passive (PASV) data connections, because the firewall rules below must match it exactly. I’m using random values here, so please select your own instead of just copying these:

    rsa_cert_file=/etc/ssl/certs/vsftpd.pem
    ssl_enable=YES
    force_local_logins_ssl=YES
    force_local_data_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    pasv_min_port=33423
    pasv_max_port=33500

Save the configuration file, then restart the vsftpd service:

    sudo /etc/init.d/vsftpd restart

Astaro Security Gateway v8.103 setup

In this example we’ll pretend the Astaro Security Gateway’s external interface has the IP address 1.1.1.1 and an additional address of 1.1.1.2 configured just for the traffic going to the FTP server. Configure the additional IP address on the external interface by going to:

  • Interfaces & Routing
  • Interfaces
  • Additional Addresses
  • New additional address…
  • Name = 1.1.1.2
  • On interface = External (WAN)
  • IPv4 Address = 1.1.1.2
  • Netmask = 255.0.0.0
  • Comment = my ftp server address
  • Save and make sure to enable the IP address by clicking on the green light to the left of the adapter graphic

Next we need to define a new service on the Astaro. This tells it which ports to expect the data connections on; we’ll use the port range we specified earlier in vsftpd.conf. To set up this service, do the following:

  • Definitions
  • Services
  • New service definition…
  • Name = FTP-Data
  • Type of Definition = TCP
  • Destination port = 33423:33500
  • Source port = 1:65535
  • Comment = File Transfer Protocol Data
  • Save

OK, now we need to set up a definition for the internal FTP server that we’ll be exposing to the Internet. To do this, do the following:

  • Definitions
  • Networks
  • New network definition…
  • Name = ftp-server
  • Type = host
  • Interface = internal
  • IPv4 Address = 192.168.0.22
  • Comment = my internal ftp server
  • Save

Now that we’ve configured the network and service definitions, we’ll create the rules that pass inbound connections to the external IP address (1.1.1.2) on the FTP control port (21) through to the internal IP address (192.168.0.22), and that allow the data connections on the range we specified (33423 to 33500).

First we set up the two destination NAT (DNAT) rules, one for the control connection and one for the data range, by doing the following:

  • Network Security
  • NAT
  • DNAT/SNAT
  • New NAT rule…
  • Traffic source = Any
  • Traffic service = FTP
  • Traffic destination = 1.1.1.2
  • NAT mode = DNAT (Destination)
  • Destination = ftp-server
  • Destination service = FTP
  • Save
  • New NAT rule…
  • Traffic source = Any
  • Traffic service = FTP-Data
  • Traffic destination = 1.1.1.2
  • NAT mode = DNAT (Destination)
  • Destination = ftp-server
  • Destination service = FTP-Data
  • Save

Make sure to enable both of these DNAT rules by clicking on the green light to the left of the DNAT rule number!

Lastly we’ll configure the packet filter rules to allow the traffic by doing the following:

  • Network Security
  • Packet Filter
  • New rule…
  • Source = Any
  • Service = FTP
  • Destination = ftp-server
  • Action = Allow
  • Save
  • New rule…
  • Source = Any
  • Service = FTP-Data
  • Destination = ftp-server
  • Action = Allow
  • Save

Again, make sure to enable both of these packet filter rules by clicking on the green light to the left of the packet filter rule number!

Client setup

On the two Mac systems we’re using the excellent Panic Transmit application. It lets us access the share like a regular FTP server or mount the FTP server as a drive on the Mac (this is key for us). Create a new connection with the following parameters:

  • Protocol = FTP with TLS/SSL
  • Server = 1.1.1.2
  • User Name = whatever your Linux login account is
  • Password = whatever your Linux login password is
  • Port = 21
  • Use passive mode = checked
  • Save

On the ten Windows systems we’re using NetDrive, which lets us mount the FTP server as a drive in Windows Explorer (again, this is key for my users). Create a new connection with the following parameters:

  • Site name = 1.1.1.2
  • Site IP or URL = 1.1.1.2
  • Port = 21
  • Server Type = FTP
  • Drive = F
  • Account = whatever your Linux login account is
  • Password = whatever your Linux login password is
  • Save
  • Advanced
  • SSL = Force SSL for all communications
  • OK

Conclusion

That should have you set up and running, able to access your internally hosted vsftpd server over SSL from external clients through the Astaro Security Gateway in front of it.
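Before handing the connection details to users, it is worth confirming that what vsftpd advertises in its PASV reply actually matches the DNAT and packet filter rules above. The following Python script is an added check, not part of the original post and not vsftpd’s or Astaro’s own tooling: it logs in over explicit FTPS the way the clients above do, issues PASV, and verifies that the advertised address is the public address (1.1.1.2) and the port is inside the 33423:33500 range. It assumes a username and password passed on the command line, and it refers to vsftpd’s pasv_address directive, which the configuration above leaves unset.

```python
import re
import sys
from ftplib import FTP_TLS

# Values taken from the write-up: the additional external address on the
# Astaro and the pasv_min_port/pasv_max_port range from vsftpd.conf.
PUBLIC_IP = "1.1.1.2"
PASV_MIN_PORT = 33423
PASV_MAX_PORT = 33500

# Matches the (h1,h2,h3,h4,p1,p2) tuple in a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 PASV reply; the port is p1 * 256 + p2."""
    match = PASV_RE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(reply, public_ip=PUBLIC_IP,
                     port_range=(PASV_MIN_PORT, PASV_MAX_PORT)):
    """List the reasons a client would fail to open the data connection through the DNAT."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ip != public_ip:
        # vsftpd advertises its own internal address unless pasv_address is set, and
        # the gateway cannot rewrite it inside an encrypted control channel.
        problems.append("PASV advertises %s instead of the public address %s "
                        "(set pasv_address=%s in vsftpd.conf)" % (ip, public_ip, public_ip))
    low, high = port_range
    if not low <= port <= high:
        problems.append("PASV port %d is outside the FTP-Data range %d:%d used by "
                        "the DNAT and packet filter rules" % (port, low, high))
    return problems


def probe_server(host, user, password):
    """Log in over explicit FTPS, as the clients above do, and check a live PASV reply."""
    ftps = FTP_TLS(host, timeout=15)
    ftps.login(user, password)   # ftplib sends AUTH TLS before the credentials
    ftps.prot_p()                # encrypted data channel, as force_local_data_ssl requires
    reply = ftps.sendcmd("PASV")
    ftps.quit()
    return check_pasv_reply(reply)


if __name__ == "__main__":
    host, user, password = sys.argv[1:4]   # usage: pasvcheck.py 1.1.1.2 <user> <password>
    print("\n".join(probe_server(host, user, password) or ["PASV reply matches the firewall rules"]))
```

Many FTPS clients ignore a private address in the PASV reply and reuse the control connection’s address instead, which is why a setup without pasv_address can still work; a client that does not do this will fail on the data connection, so the check reports the mismatch either way.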
