
I have an IIS server which hosts several FTP sites that use different port numbers for FTP. Some of the client computers connect to this FTP server on a specific port; say one FTP site would be using port 21, another one may be 2025. The clients use an FTP client like FileZilla to connect and it uses PASV mode to connect. Now that the entire system is in AWS, I don't want to expose ports 1024 - 65535 to the entire public internet, which PASV mode will connect to. I restricted these ports and tried manually connecting with FileZilla to this FTP server using Active mode, which failed. As this is a security vulnerability, I don't want to open all these ports to the public. And since my clients don't have static IPs, opening the ports to specific IPs is also impossible.

I think I would need a way to connect either using Active mode, which will establish the connection and data port as the same, or any other permanent solution. Also, my other requirement around the same use case is that it would be better if I can expose only one port like FTP, and then, based on the credential or the path being accessed, internally the requests go to the relevant FTP sites or ports, or use the SFTP protocol, which is also not supported (I mean I am unable to connect) at the moment. Not sure whether both of these are achievable. Any help would really be appreciated.

Castaglia
serverstackqns
  • Why are you even trying to use the Active mode? – Martin Prikryl Apr 02 '20 at 18:57
  • That passive mode port range has been part of Microsoft's introductory documentation, https://docs.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7#step-1-configure-the-passive-port-range-for-the-ftp-service. Active mode almost never has a place in an internet setup. – Lex Li Apr 02 '20 at 22:18
  • @LexLi - but I don't want to expose these random ports from 1024 - 65535 to the whole internet, when my customer IP addresses are random. Any workaround for this situation? – serverstackqns Apr 03 '20 at 02:09
  • @MartinPrikryl - The intention is that this whole broad range of ports should not be opened to the entire public, when there are no static IP addresses for my customers. I am just thinking of active mode as a solution. Not sure whether that will work or not. I am seeking some workaround for this, as I think this can be a common scenario which someone might have faced. – serverstackqns Apr 03 '20 at 02:11
  • Did you even carefully think about what that article suggests? Unfortunately you cannot use active mode, as exposing ports on the FTP client side is almost impossible. To use passive mode, set a small enough range of ports (like 100-500 ports based on a traffic estimate) there. Ideally, you should retire FTP and use an HTTP based file sharing system instead, as FTP is really not a protocol for modern usage. – Lex Li Apr 03 '20 at 02:16
  • @LexLi, Yes I understand, but this is what the application has been built on and it's unfortunate that my client can't move away from it, at least at this point in time. But yes, I tried exposing 500 ports or 1000 ports starting from 1025, but even then FTP wasn't able to connect. I have opened these ports in the firewall, IIS and the AWS security group, with no luck connecting. Any thoughts here? – serverstackqns Apr 03 '20 at 03:47
  • On the IIS side, remember to restart the FTP service for changes to take effect (or simply reboot the server). If connections still fail, use tools like Wireshark on both sides to analyze the packets. – Lex Li Apr 03 '20 at 04:03
  • When you use the Active mode, then all your clients will have to open the ports. That's a way worse exposure than the Passive mode. – Martin Prikryl Apr 03 '20 at 06:02
  • @LexLi, I will check that out once again. But please correct me if I am wrong here: 1) if I have 400 customers who connect to FTP (maybe not simultaneously), then I don't need to factor in 400 opened ports. 2) And also I guess if 2 FTP clients use the same port at the same time, then one client's request will be kept on hold until the port is available for this request (maybe you can consider it like 2 clients using port 2000 for data and port 21 for connection establishment). – serverstackqns Apr 03 '20 at 06:17
  • See [How many data channel ports do I need for an FTPS server running behind NAT?](https://serverfault.com/q/709984/168875) + Clients do not pick the data connection port. The server assigns them the port. – Martin Prikryl Apr 03 '20 at 06:32
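The comment thread converges on the standard fix: keep passive mode, pin the IIS passive data-channel range to a small block, tell IIS which public address to advertise (an EC2 instance only knows its private IP, so without this the server hands clients an unreachable address), open only that block in Windows Firewall and the security group, and restart the FTP service. The script below is an added example written for this page, not code from the question, the commenters or Microsoft; the port range 50000-50099, the site name, the public IP and the security group id are placeholders to be replaced with real values.

```powershell
# Added example (not from the original question): narrow the IIS FTP passive port
# range and open only that range, instead of exposing 1024-65535.
# Run in an elevated PowerShell on the IIS host. Values below are placeholders.
param(
    [int]    $LowPort  = 50000,                 # placeholder: start of passive range
    [int]    $HighPort = 50099,                 # placeholder: 100 ports ~ 100 concurrent transfers
    [string] $SiteName = 'Default FTP Site',    # placeholder: IIS FTP site name
    [string] $PublicIp = '203.0.113.10',        # placeholder: the instance's Elastic IP
    [string] $SecurityGroupId = 'sg-PLACEHOLDER' # placeholder: security group of the instance
)

Import-Module WebAdministration

# 1. Server-wide passive data-channel range (system.ftpServer/firewallSupport in
#    applicationHost.config). The server, not the client, picks a port from this block
#    for every PASV data connection, so the block size bounds concurrent transfers.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name 'lowDataChannelPort'  -Value $LowPort
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name 'highDataChannelPort' -Value $HighPort

# 2. Per-site external address: the PASV reply must carry the public IP, otherwise a
#    client behind the internet receives the private 10.x/172.x address and times out.
Set-ItemProperty "IIS:\Sites\$SiteName" `
    -Name 'ftpServer.firewallSupport.externalIp4Address' -Value $PublicIp

# 3. Host firewall: allow only the chosen block (plus the control port you already expose).
New-NetFirewallRule -DisplayName "FTP passive data $LowPort-$HighPort" `
    -Direction Inbound -Protocol TCP -LocalPort "$LowPort-$HighPort" -Action Allow | Out-Null

# 4. Changes to firewallSupport only take effect after the FTP service restarts.
Restart-Service ftpsvc

# 5. Security group: open the same block, and nothing wider. Requires the AWS CLI and
#    credentials on this host; run elsewhere if you prefer not to keep credentials here.
aws ec2 authorize-security-group-ingress --group-id $SecurityGroupId `
    --protocol tcp --port "$LowPort-$HighPort" --cidr 0.0.0.0/0

# 6. Read back what IIS will actually use, so the three places (IIS, host firewall,
#    security group) can be checked against each other.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name '*' |
    Select-Object lowDataChannelPort, highDataChannelPort
```

Sizing the block: each active data transfer consumes one port from the range for its duration, so the number of ports needed tracks simultaneous transfers, not the number of customers. If a client still reports a timeout after `PASV`, confirm with a packet capture that the `227` reply contains the public address and a port inside the range, since a mismatch in any one of the three places above produces exactly the symptom described in the question.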

0 Answers