# Connection refused on ftp server behind router

## DaggyStyle

Greetings,

I want to set up an FTP server so my dad can upload files to it.

I'm connected via a modem router (D-Link 6740U); when I find my global IP and try to connect to it from my computer I get this:

```
ftp: connect: Connection refused
```

Here is my vsftpd config:

```
listen=YES
local_enable=YES
anonymous_enable=NO
write_enable=YES
anon_root=/home/ftp
seccomp_sandbox=NO
vsftpd_log_file=/var/log/vsftpd.log
```

I've defined port forwarding in the router for port 21, but it still doesn't connect.

iptables is running, but I don't see any related entries in the logs.

Any ideas what the issue could be?

----------

## 1clue

Yes.

FTP is not friendly with firewalls.  For example, Windows FTP will not work behind a firewall/nat setup no matter what you do.

I switched to vsftpd because it allows both secure ftp and can be configured to be firewall-friendly.

In any case you need to know what sort of firewall you have, whether you have a DMZ or not, and a few other things.

There are lots of options; you might want something else.

*Last edited by 1clue on Mon Apr 21, 2014 7:13 pm; edited 1 time in total*

----------

## DaggyStyle

 *1clue wrote:*   

> Yes.
> 
> FTP is not friendly with firewalls.  For example, Windows FTP will not work behind a firewall/nat setup no matter what you do.
> 
> I switched to vsftpd because it allows both secure ftp and can be configured to be firewall-friendly.
> ...

 

fw on the router?

----------

## 1clue

Like a home router?  If you don't have a public IP address and put the FTP server inside the DMZ you WILL need an ftp server that can handle the firewall setup.  If it's in a DMZ then you MIGHT need special setup.

The problem is that ftp has multiple ports, and connections initiated from either side.

----------

## DaggyStyle

So it isn't the right solution for me? If so, is there another way I can allow my dad to connect and upload files to my server?

I need something simple. I do have an SSH server configured to accept only local connections, and I'm not sure I want to open it to the net.

----------

## 1clue

If you just want to have file transfers with your dad, then this ftp idea is a bag of angry cats.  It's not terrible but it's definitely not the easiest service to use in conjunction with a home router.

If he has the ability to use ssh/scp then that's incredibly easier and probably better overall.  Make an account for him on your box, tell your router to forward port 22 (for me it's in apps/gaming) and you're done.

If you would take my advice, you should expose ssh on some large port, over 5000.  Most popular ports are under 5000, so the lazier hackers only scan that high.  Using a nonstandard port will be just one more bit of protection for you.  You can do it right inside your router, forward from 6789 to your linux box, port 22.

I would also disable root access on your ssh server, and make sure strong passwords are used for every account on that box.

At that point it's the following (yourbox = the public IP address of your router) to get a command line, or to copy the file:

```
ssh -p 6789 dad@yourbox
scp -P 6789 dadsFile dad@yourbox:/path/to/newFile
```

----------

## Hu

With some extra work, you could run two sshd on the system.  One serves the LAN and is permissive.  The other serves the WAN and is very strict, allowing only the expected user account, requiring key authentication, forcing sftp, etc.

----------

## DaggyStyle

 *1clue wrote:*   

> If you just want to have file transfers with your dad, then this ftp idea is a bag of angry cats.  It's not terrible but it's definitely not the easiest service to use in conjunction with a home router.
> 
> If he has the ability to use ssh/scp then that's incredibly easier and probably better overall.  Make an account for him on your box, tell your router to forward port 22 (for me it's in apps/gaming) and you're done.
> 
> If you would take my advice, you should expose ssh on some large port, over 5000.  Most popular ports are under 5000, so the lazier hackers only scan that high.  Using a nonstandard port will be just one more bit of protection for you.  You can do it right inside your router, forward from 6789 to your linux box, port 22.
> ...

 

My father uses Windows; I assume he can use WinSCP, but I'm not too fond of opening my SSH server to the net. I do use an alternative port and will assign a specific user with a password. The question is, can I take more measures?

----------

## DaggyStyle

 *Hu wrote:*   

> With some extra work, you could run two sshd on the system.  One serves the LAN and is permissive.  The other serves the WAN and is very strict, allowing only the expected user account, requiring key authentication, forcing sftp, etc.

 

Interesting, can you provide a link? Is it even worthwhile? Does SFTP require an FTP server?

----------

## 1clue

 *DaggyStyle wrote:*   

> my father uses windows, I assume that he can use winscp but I'm not to fond of opening my ssh server to the net, I do use alternative port and will assign specific user with passwd, question is, can I take more measures?

 

Yes.  Require a key in order to log in at all, you can say you MUST have a key AND you MUST have a password.

You could also require the host key in /etc/ssh/ssh_known_hosts, so your father's key must be there before he can log in, if he has a static IP anyway.  I'm not sure whether it might stop working if he's mobile or on DHCP.

Your best bet is to go through the /etc/ssh/* files and actually understand them; you know your situation best, and your best defense is to understand what's going on.  Turn off features you can live without, and turn on features that make you more secure.

----------

## DaggyStyle

 *1clue wrote:*   

>  *DaggyStyle wrote:*   my father uses windows, I assume that he can use winscp but I'm not to fond of opening my ssh server to the net, I do use alternative port and will assign specific user with passwd, question is, can I take more measures? 
> 
> Yes.  Require a key in order to log in at all, you can say you MUST have a key AND you MUST have a password.
> 
> You could also require the host key in /etc/ssh/ssh_known_hosts, so your father's key must be there before he can login, if he has a static IP anyway.  I'm not sure about if he's mobile or dhcp if it might stop working.
> ...

 

He is like me, dynamic IP.

I know that a public key can allow passwordless login; can I use it for the server handshake? E.g. if a public key is supplied, ask for a password, else return connection refused.

----------

## developer1

There are many companies which will help you set up an FTP server....

----------

## DaggyStyle

 *developer1 wrote:*   

> There are many company which will help you setting up ftp server....

 

If I can do it, why should I pay others?

----------

## 1clue

Incorrect information, post deleted.

*Last edited by 1clue on Tue Apr 22, 2014 10:20 pm; edited 1 time in total*

----------

## 1clue

Here you go:

man sshd_config and search on AuthenticationMethods.

Sorry I'm hacking this all up.  So you could set it to something like 'publickey,keyboard-interactive' (I think) to require a public key before even asking for a password.

I didn't test this, but you have as much info as I do right now.

----------

## Hu

 *DaggyStyle wrote:*   

>  *Hu wrote:*   With some extra work, you could run two sshd on the system.  One serves the LAN and is permissive.  The other serves the WAN and is very strict, allowing only the expected user account, requiring key authentication, forcing sftp, etc. 
> 
> interesting, can you a provide a link? is it even worthwhile? does sftp requires ftp server?

In order: no, maybe, and no.  It may be worthwhile if you want stricter controls than can be achieved using the Match blocks in a standard sshd_config file.  SFTP is defined to be run over an ssh channel.  It provides ftp-like services, but uses sshd for authentication and confidentiality.

----------

## DaggyStyle

Based on your suggestions and Google I've come up with this sshd_config:

```
# inner lan ssh port
Port 11111
# outer lan sftp port
Port 11113
# protocol
Protocol 2

# chrooted sftp
Match Address !10.0.0.1/24, LocalPort 11113
   Subsystem sftp internal-sftp
   ChrootDirectory /mnt/share/Downloads
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   AllowUsers foo
```

From what I understand, this will limit all non-local-LAN connections that have passed authentication as user foo to an sftp session limited to /mnt/share/Downloads, and listen for connections on port 11111.

Now I have three questions:

Do I have any error in the file?

How can I instruct chrooted sftp to use a specific key file?

Based on the config above, I assume that a user connecting on port 11113 will connect iff he is outside the LAN and passes auth; what will happen if a user from within the LAN tries to connect on port 11111?

Thanks

----------

## Hu

I see no obvious problems.  There is no need to force a specific key file.  It will only permit keys listed in the authorized_keys file for that user.  If you are concerned, you could place the authorized_keys file in a location that the user cannot modify.  For question 3, why not try it and post back?  My guess is he will not match the shown Match block, and so will be bound only by server-wide policies.

----------

## DaggyStyle

Here is my current (full) file:

```
#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# inner lan ssh port
Port 11111
# outer lan sftp port
Port 11113
# protocol
Protocol 2

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem   sftp   /usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

# chrooted sftp
Match Address !10.0.0.0/24, LocalPort 11113 # <== line 176
   ChrootDirectory /mnt/share/Downloads
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   AllowUsers foo
   AuthorizedKeysFile    /etc/ssh/sftp_authorized_keys
   ForceCommand /usr/lib/openssh/sftp-server

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
```

Connection from the local LAN via 11111 works well, but sftp via 11113 renders this error:

```
Apr 26 19:27:11 NCC-5001-D sshd[8095]: fatal: reprocess config line 176: Bad Match condition
```

I'm not sure what I'm doing wrong; any ideas?

----------

## DaggyStyle

This config seems to work for now:

```
#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# inner lan ssh port
Port 11111
# outer lan sftp port
Port 11113
# protocol
Protocol 2

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem   sftp   /usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

# chrooted sftp
Match LocalPort 11113 Address *,!10.0.0.0/24
   # session restrictions
   ChrootDirectory /mnt/share/Downloads
   AllowTCPForwarding no
   X11Forwarding no
   AllowUsers foo
   ForceCommand /usr/lib/openssh/sftp-server
   # session authentication
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   RSAAuthentication yes
   PubkeyAuthentication yes

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
```
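
The three Match lines from this thread (the comma-separated draft, the same line without the comma, and the final `*,!10.0.0.0/24` form), together with the `AuthenticationMethods` list from 1clue's suggestion, evaluated by a small model of the pattern-list rules documented in sshd_config(5). This is an added example and not OpenSSH code or anything posted in the thread: every function name, the `BadMatchCondition` class and the sample addresses 10.0.0.42 and 203.0.113.7 are assumptions constructed for the demonstration. Under the documented rules a negated entry can only ever reject, so `Address !10.0.0.0/24` by itself matches nobody, and a trailing comma leaves an empty element that is refused; the model reproduces what the thread reported, namely LAN logins passing and outside connections dying with "Bad Match condition" on the comma line.

```python
"""Model of the sshd_config(5) Match and AuthenticationMethods rules.

Added example, not OpenSSH code: it re-implements the documented
pattern-list semantics so the Match lines from this thread can be
checked against constructed sample connections. All names are
hypothetical; sshd's own internals differ.
"""
import ipaddress
from fnmatch import fnmatchcase


class BadMatchCondition(ValueError):
    """Where sshd would abort with 'Bad Match condition'."""


def address_matches(addr, pattern_list):
    """Evaluate one comma-separated Address pattern-list.

    Rules from sshd_config(5): a negated entry that matches rejects
    immediately; a positive entry that matches records success; a
    negated entry never produces a positive result on its own; an
    empty entry (e.g. from a trailing comma) is a configuration error.
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        entry = entry[1:] if negated else entry
        if not entry:
            raise BadMatchCondition("empty element in %r" % pattern_list)
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not CIDR notation: fall back to wildcard matching ("*" etc.)
            hit = fnmatchcase(addr, entry)
        if hit and negated:
            return False
        if hit:
            matched = True
    return matched


def match_applies(match_line, conn):
    """True if a 'Match ...' line selects connection `conn`.

    Criteria are whitespace-separated keyword/value pairs (only Address
    and LocalPort are modelled here); every criterion must hold.
    """
    tokens = match_line.split()
    if not tokens or tokens[0] != "Match" or len(tokens) % 2 == 0:
        raise BadMatchCondition(match_line)
    for keyword, value in zip(tokens[1::2], tokens[2::2]):
        key = keyword.lower()
        if key == "address":
            if not address_matches(conn["address"], value):
                return False
        elif key == "localport":
            if str(conn["localport"]) not in value.split(","):
                return False
        else:
            raise BadMatchCondition("criterion not modelled: " + keyword)
    return True


def evaluate(match_line, conn):
    """Outcome as sshd would report it for this connection."""
    try:
        return "match" if match_applies(match_line, conn) else "no match"
    except BadMatchCondition:
        return "Bad Match condition"


def auth_methods_satisfied(spec, completed):
    """AuthenticationMethods: space-separated alternatives, each a
    comma-separated list of methods that must all succeed. `completed`
    is the set of methods the client has passed (ordering not modelled)."""
    return any(all(m in completed for m in alt.split(","))
               for alt in spec.split())


# Match lines as posted in the thread (the first failed, the last works).
BROKEN = "Match Address !10.0.0.0/24, LocalPort 11113"
NEGATED_ONLY = "Match Address !10.0.0.0/24 LocalPort 11113"
WORKING = "Match LocalPort 11113 Address *,!10.0.0.0/24"

# Constructed sample connections (addresses are made up for the example).
LAN_SFTP = {"address": "10.0.0.42", "localport": 11113}
LAN_SSH = {"address": "10.0.0.42", "localport": 11111}
WAN_SFTP = {"address": "203.0.113.7", "localport": 11113}

if __name__ == "__main__":
    for name, line in (("broken", BROKEN), ("negated only", NEGATED_ONLY),
                       ("working", WORKING)):
        for conn in (LAN_SSH, LAN_SFTP, WAN_SFTP):
            print(name, conn, "->", evaluate(line, conn))
```

Running the script prints a small table: the comma line rejects the LAN connection cleanly (the negated entry fires first) but errors for the outside address (the empty element is reached), the negation-only line matches nothing at all, and only the `*,!10.0.0.0/24` form selects outside connections on port 11113 while leaving port 11111 and the LAN untouched. The `AuthenticationMethods` helper shows why a client that only presents a key is still refused: one full alternative, key plus password or key plus keyboard-interactive, must succeed.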

----------

## 1clue

If your remote user is on Windows then maybe cygwin would be advised.  Or putty.  Both setups allow nonstandard ports.

----------

## DaggyStyle

 *1clue wrote:*   

> If your remote user is on Windows then maybe cygwin would be advised.  Or putty.  Both setups allow nonstandard ports.

 

PuTTY is the program I use when needed.

----------

