[opensuse] FTP access via SSH tunnel
Hi,

I've several oS10.2 boxes running pure-ftpd. They're sat behind a firewall that only allows access to the FTP service from certain IP addresses.

What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere; I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.

So ssh -L 21:FTP-Machine:21 user@bastion to create the tunnel, then ftp to localhost should connect you.

I've read several how-to's which suggest the above will work fine, and although I can connect I can't actually do anything.

ayane:/etc/ssh # ftp localhost
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 10 allowed.
220-This is a private system - No anonymous login
Name (localhost:root): matts
331 User matts OK. Password required
Password:
230-User matts has group access to: users
230-This server supports FXP transfers
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||43818|)
425 Can't create the data socket: Invalid argument
200-FXP transfer: from xxx.xxx.xxx.xxx to 127.0.0.1
200 PORT command successful
425 Could not open data connection to port 11573: Connection refused
ftp>

I can't use sftp or something else due to the specific ftp client my users have, and I can't alter the FW to allow access from my users' IPs as they're on dynamic connections.

Can someone suggest a way forward? It would be quite useful to get this working.

Matthew

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:
> What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.

I have not run ftp or telnet in production for years.

... the ssh tunnel is ok, but you could try scp instead of ftp.

In your situation you might try passive ftp... but either way it's not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on a 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.

But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... it's the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.

--
Kind regards,
M Harris <><
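As an added illustration of the two-socket problem M Harris describes, applied to the ftp session Matthew posted (example code written for this thread, not from any poster or from pure-ftpd): it parses the 229/227 passive replies and checks whether the data socket would ever traverse the single port-21 forward. The PASV address, the tunnel host and the port sets are constructed assumptions.

```python
import re

# Constructed sample replies. The first is the EPSV reply from the thread's
# ftp session; the second is a PASV reply (RFC 959 h1,h2,h3,h4,p1,p2 form)
# with a documentation address standing in for the real FTP machine.
EPSV_REPLY = "229 Extended Passive mode OK (|||43818|)"
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,171,42)"

# What `ssh -L 21:FTP-Machine:21 user@bastion` forwards: only port 21,
# reached by the client on its own loopback (assumed values).
TUNNEL_HOST = "127.0.0.1"
FORWARDED_PORTS = {21}


def parse_epsv(reply: str) -> int:
    """Data port from a 229 reply. EPSV carries no address, so the client
    reuses whatever host the control connection went to (the tunnel end)."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if m is None:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))


def parse_pasv(reply: str) -> tuple[str, int]:
    """(host, port) from a 227 reply; the port is p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(reply: str, control_host: str) -> tuple[str, int]:
    """Where the client will open its data socket after this reply."""
    if reply.startswith("229"):
        return control_host, parse_epsv(reply)
    if reply.startswith("227"):
        return parse_pasv(reply)
    raise ValueError(f"unexpected reply: {reply!r}")


def goes_through_tunnel(endpoint, tunnel_host=TUNNEL_HOST,
                        forwarded_ports=FORWARDED_PORTS) -> bool:
    """True only if the data socket lands on a port ssh -L forwards.
    EPSV sends it to the client's loopback on an unforwarded port; PASV
    sends it straight at the FTP machine, which its firewall filters."""
    host, port = endpoint
    return host == tunnel_host and port in forwarded_ports


if __name__ == "__main__":
    for reply in (EPSV_REPLY, PASV_REPLY):
        ep = data_endpoint(reply, TUNNEL_HOST)
        print(reply, "->", ep, "via tunnel:", goes_through_tunnel(ep))
    # Forwarding a pinned passive range next to port 21 is what would let
    # the EPSV case through.
    print(goes_through_tunnel(("127.0.0.1", 43818),
                              forwarded_ports=FORWARDED_PORTS | {43818}))
```

For that last case to hold in practice the server's passive range has to be fixed and small enough to forward (pure-ftpd's -p first:last option pins it); PASV replies would still carry the FTP machine's own address unless the client ignores it.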
I am interested in your comment about Network Address Translation not being happy with FTP.

Every one of my private IPs has been through 2 translations; however, this is done via hardware, and my assumption is that you are referring to Suse's Firewall Masquerading option (software via SPF). Via hardware I can happily translate 100,000 concurrent sessions without issue.

Perhaps we need to sometimes remember security starts at the plug in the wall and ends at the desktop, not the other way around.

Just a thought

Scott

M Harris wrote:
> On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:
>> What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.
> I have not run ftp /or telnet in production for years.
>
> ... the ssh tunnel is ok, but you could try scp instead of ftp.
>
> In your situation you might try passive ftp... but either way its not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on an 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.
>
> But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... its the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.
On Tuesday 17 April 2007 19:52, Registration Account wrote:
> I am interested in your comment about Network Address Translation not being happy with FTP.

hi Scott-- it's a linux NAT thing. It depends on your distro... and how much you know about NAT (configuration)... but basically there are some services that have not worked well (historically) with masquerading (the linux software implementation of NAT). Special modules were always required for instance to fix irc and ftp in order to work through ip_masq. Hardware NAT may not have this problem. The thing is that some firewalls/routers are really older (very much older) linux systems using ip_masq and ip_chains, and may not be set up properly with the fix modules for ftp and irc. So, it's something to look into.

--
Kind regards,
M Harris <><
On Wednesday 18 April 2007 03:29, M Harris wrote:
> On Tuesday 17 April 2007 19:52, Registration Account wrote:
>> I am interested in your comment about Network Address Translation not being happy with FTP.
> hi Scott-- its a linux NAT thing. It depends on your distro... and how much you know about NAT (configuration)... but basically there are some services that have not worked well (historically) with masquerading (the linux software implementation of NAT). Special modules were always required for instance to fix irc and ftp in order to work through ip_masq. Hardware NAT may not have this problem. The thing is that some firewalls/routers are really older (very much older) linux systems using ip_masq and ip_chains, and may not be setup properly with the fix modules for ftp and irc. So, its something to look into.
> --
> Kind regards,
> M Harris <><

Tell your users to use passive mode... This uses the current (working) connection to transfer the data.

Jerry

P.S. I have my clients install winscp3. It's free and simple to use, therefore they manage to use scp....
I totally understand your dilemma and your desire to find a software, Linux solution. I mentioned this OT situation as perhaps we are expecting too much from any software. The fact that Suse can maintain a well structured and stable SFP Firewall is to be well appreciated.

I made the comments regarding hardware, as I feel we expect far too much of software to handle what is essentially a hardware issue and one that is very easily solved and dealt with by hardware. Perhaps our search for a software solution is not the most expeditious and most practicable solution for addressing both Network Address Translation and maintenance of VPN tunnels. A hardware solution which can maintain both, like the unit I use, contains an x86 processor and 64Meg of RAM and operates on a Unix Operating System.

I appreciate the challenge of allowing software to perform the above duties for us, and perhaps we are trying to re-invent the wheel where for many many years we have had really good stable hardware devices available. I also think that we have been sold the wrong end of the plug to resolve security issues and to maintain other duties like SPI, NAT, VPN, by many many software companies.

Fundamentally I think using software to address comms issues and security is flawed. I think there is great merit to the idea that security starts at the plug in the wall and ends at the desktop - because for years - and MS (SP2) has had a great influence in our thoughts - comms and security issues were dealt with before we hand over comms to a Workstation and Desktop. It's a bit like trying to catch the bull after we have left the gate wide open for it to get out.

I appreciate your healthy discussion and reply.

Kind Regards

Scott 8-)

M Harris wrote:
> On Tuesday 17 April 2007 19:52, Registration Account wrote:
>> I am interested in your comment about Network Address Translation not being happy with FTP.
> hi Scott-- its a linux NAT thing. It depends on your distro... and how much you know about NAT (configuration)... but basically there are some services that have not worked well (historically) with masquerading (the linux software implementation of NAT). Special modules were always required for instance to fix irc and ftp in order to work through ip_masq. Hardware NAT may not have this problem. The thing is that some firewalls/routers are really older (very much older) linux systems using ip_masq and ip_chains, and may not be setup properly with the fix modules for ftp and irc. So, its something to look into.
>
>> M Harris wrote:
>>> On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:
>>>> What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.
>>> I have not run ftp /or telnet in production for years.
>>>
>>> ... the ssh tunnel is ok, but you could try scp instead of ftp.
>>>
>>> In your situation you might try passive ftp... but either way its not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on an 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.
>>>
>>> But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... its the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.
True, SCP is preferable, but I have users running a Win32 program that only uses FTP so I can't use SFTP or SCP or anything else here. All machines are on the internet, no NAT'ing or internal networks here.

What I don't understand is that if I use ftp -A localhost -p xxxxx it still tries the passive mode rather than forcing active.

Matthew
Matthew Stringer wrote:
> True SCP is preferable but I have users running a Win32 program that only uses FTP so I can't use SFTP or SCP or anything else here. All machines are on the internet, no NAT'ing or internal networks here.

Any chance you can get them to use WinSCP? It's a fairly user-friendly Windows SCP/SFTP/FTP client. http://winscp.net/eng/index.php
On 4/18/07, David Brodbeck
> Matthew Stringer wrote:
>> True SCP is preferable but I have users running a Win32 program that only uses FTP so I can't use SFTP or SCP or anything else here. All machines are on the internet, no NAT'ing or internal networks here.
> Any chance you can get them to use WinSCP? It's a fairly user-friendly Windows SCP/SFTP/FTP client. http://winscp.net/eng/index.php

First -- Can't you see the text that you quoted from the OP? His users have *some win32 app* that uses FTP -- my guess is he means that the win32 app has an ftp process built into it..

Second -- I prefer to point people to filezilla, as it is published under the GPL - winscp is not: http://sourceforge.net/projects/filezilla/ works great, easy to use -- all the advantages of winscp and GPL, too

Peter

--
"Do not be idolatrous or bound to any doctrine, theory or ideology, even Buddhist ones. All systems of thought are guiding means, not absolute truth." Thich Nhat Hanh, Vietnamese monk. http://www.seaox.com/thich.html
www.the-brights.net
On 4/18/07, Peter Van Lone
> Second -- I prefer to point people to filezilla, as it is published under the GPL - winscp is not:

well shit ... I have to retract my comment. I was certain that winscp was a closed source product ... at least that is what I have believed for a couple years, now.

But, I just checked, and I find:

"License
WinSCP is free, open-source software, and is distributed under the GNU General Public License (GPL). [More"

I am really sorry. I still also like filezilla, but I have to take back all the things I've said about winscp.

Peter
Peter Van Lone wrote:
> On 4/18/07, Peter Van Lone
> erroneously and egregiously wrote:
>> Second -- I prefer to point people to filezilla, as it is published under the GPL - winscp is not:
>
> well shit ...
>
> I have to retract my comment. I was certain that winscp was a closed source product ... at least that is what I have believed for a couple years, now.
>
> But, I just checked, and I find:
>
> "License
> WinSCP is free, open-source software, and is distributed under the GNU General Public License (GPL). [More"
>
> I am really sorry. I still also like filezilla, but I have to take back all the things I've said about winscp.
>
> Peter

Bit surprised no-one has mentioned PuTTY, a rather useful SFTP and SSH set of tools, also opensource, multi-platform (although I have yet to get the Symbian variant to work on my 9500 :-)).
On Thursday 19 April 2007 02:48, G.T.Smith wrote:
> Bit surprised no-one has mentioned PuTTY a rather useful SFTP and SSH set of tools, also opensource, multi-platform (although I have yet to get the Symbian variant to work on my 9500 :-)).

I used PuTTY extensively about five years ago while still with IBM. I used a W200 desktop as my primary workstation, and maintained my linux servers in the basement via the PuTTY ssh client from windoze... it worked very well indeed... and boy am I glad those days are behind me... and in case anybody is wondering, yes there is life after IBM, and yes there is life after windoze.

Windoze F R E E yesssssssss! ( i dont need no putty no mo , cause i aint got no windowzzzzzzzz ) :-))))

--
Kind regards,
M Harris <><
Tue, 17 Apr 2007, by harrismh777@earthlink.net:
> On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:
>> What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.
> I have not run ftp /or telnet in production for years.
>
> ... the ssh tunnel is ok, but you could try scp instead of ftp.
>
> In your situation you might try passive ftp... but either way its not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on an 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.
>
> But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... its the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.

If only scp or sFTP would support virtual users. I'd like to offer users on the FTP server I maintain scp/sFTP, but setting up chroot/scponly is just too much hassle compared to the simple vsftp virtual user setup.

Theo

--
Theo v. Werkhoven  Registered Linux user# 99872
http://counter.li.org  ICBM 52 13 26N , 4 29 47E.
+ ICQ: 277217131  SUSE 10.2
+ Jabber: muadib@jabber.xs4all.nl  Kernel 2.6.18
+ See headers for PGP/GPG info.
Claimer: any email I receive will become my property. Disclaimers do not apply.
I feel it is important to recognise the Suse Firewall for what it is. It is for the most part a Stateful Packet Filter with options to open specific ports from which a source packet does not originate; hence the allowed services we open by means of the "Firewall" are an exclusion of those source port(s), which a normal SPF would deny.

I trust you are all aware that the Suse Firewall's prime consideration is Stateful Packet Management, not just opening and closing port access. If you are having issues with the Suse Firewall, perhaps the focus needs to be placed on the efficiency of the SPF first and foremost.

Kind Regards

Scott

Matthew Stringer wrote:
> Hi,
>
> I've several oS10.2 boxes running pure-ftpd. they're sat behind a firewall that only allows access to the FTP service from certain IP addresses.
>
> What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.
>
> So ssh -L 21:FTP-Machine:21 user@bastion to create the tunnel.
> then ftp to localhost should connect you.
>
> I've read several how-to's which suggest the above will work fine, and although I can connect I can't actually do anything.
>
> ayane:/etc/ssh # ftp localhost
> Trying 127.0.0.1...
> Connected to localhost.
> 220-Welcome to Pure-FTPd.
> 220-You are user number 1 of 10 allowed.
> 220-This is a private system - No anonymous login
> Name (localhost:root): matts
> 331 User matts OK. Password required
> Password:
> 230-User matts has group access to: users
> 230-This server supports FXP transfers
> 230 OK. Current restricted directory is /
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 229 Extended Passive mode OK (|||43818|)
> 425 Can't create the data socket: Invalid argument
> 200-FXP transfer: from xxx.xxx.xxx.xxx to 127.0.0.1
> 200 PORT command successful
> 425 Could not open data connection to port 11573: Connection refused
> ftp>
>
> I can't use sftp or something else due to the specific ftp client my users have, I can't alter the FW to allow access from my users IP's as they're on dynamic connections.
>
> Can someone suggest a way forward, would be quite useful to get this working.
>
> Matthew