10.5 Server FTP not letting windows users connect

I recently set up a 10.5 server, and cannot for the life of me make the FTP services play nice with Windows users. It worked briefly when I first set it up and had the firewall off, but has since gone all to **!

AFP works fine. And connecting via FTP from a Mac using Cyberduck works even better than AFP in my opinion. But FTP from a PC is a nightmare!! At this point I have the firewall disabled for testing, and still no go. I am trying to connect from my own XP system using Filezilla, and I am getting the errors that outside users were complaining about, "Time Out" errors when trying to connect.

I have tried active and passive settings from Filezilla, with no luck at all.

Is this supposed to work? I am working with a lot of PC users who are used to Filezilla just "working" without needing to change any settings on their end.

Should I be using Pure FTPd Manager or something?

I am using Airport Extreme Base Station as the router connected to the Modem. All FTP ports are forwarded to the Server in the airport settings. There are 2 network switches between the Airport Extreme Base Station and the server; could this be part of the problem?

Thanks in advance for any suggestions.

*This is an identical post to a posting I made in the networking forum. Sorry for the duplicate posting, not sure which was the correct forum.*

Posted on Jul 4, 2009 1:57 PM


Jul 4, 2009 4:05 PM in response to Jason Wolford

Is the PC you're getting errors with on the same LAN as the server (i.e. are they both behind the same Airport Extreme)? There are some pretty nasty issues getting FTP to work through firewalls and NAT routers (which your Airport Extreme is probably acting as)... Passive mode FTP was invented to help get the protocol past client-side firewalls, but it actually makes things worse as far as server-side firewalls and NATs are concerned.

Jul 4, 2009 4:50 PM in response to Jason Wolford

ftp is an old protocol, and tough to work with.

Have a read of [Configuring FTP Services On Mac OS X](http://labs.hoffmanlabs.com/node/942) and [Why You Don't Want FTP; Firewalls And Ephemeral Ports](http://labs.hoffmanlabs.com/node/530), and work from there.

If there are two firewalls in use in the network path (which is typical and common), you'll either have to open the ephemeral port range on one (or both), upgrade to a more expensive firewall (and one that knows the details of how ftp works), or (my preference) switch from ftp to sftp.

sftp is similar to ftp in three characters, but is otherwise significantly different in implementation and security.

Jul 4, 2009 5:23 PM in response to Jason Wolford

Thank you for the replies guys, and one from a fellow Seattleite no less!

Gordon,
Yes, I am seeing timeout errors on the PC that is on the same LAN as the server, but so are people trying to get in from the outside using a PC. Cyberduck on the Mac seems to connect flawlessly from anywhere. NAT Port Mapping is not enabled on the Base Station, should it be?

Mr Hoffman,
The firewall at this point is disabled on the server, but I assume the Airport itself is also acting as a firewall. I've been told by others to go sftp, but I've not read up on it in the 10.5 Server docs. I have looked for info on sftp in 10.4 server before upgrading, and did not find enough info on it to warrant spending time trying to make it work. I've been looking for docs like yours since I started wrestling with this. Glad I posted here and you responded. I will read your documents thoroughly once the Independence Day BBQing is done!

Thanks again.

Jul 4, 2009 5:55 PM in response to Jason Wolford

> Yes, I am seeing timeout errors on the PC that is on the same LAN as the server, but so are people trying to get in from the outside using a PC. Cyberduck on the Mac seems to connect flawlessly from anywhere. NAT Port Mapping is not enabled on the Base Station, should it be?


Partial connections and timeout errors with ftp usually indicate there is (still) a firewall here. Probably one running on the Windows box, or potentially on the Airport? Switch that off, or switch between PASV and ACTIVE and try that.

> The firewall at this point is disabled on the server, but I assume the Airport itself is also acting as a firewall.


Airport can operate as a firewall, depending on how it's configured and wired. I run Airport regularly on networks I manage, though not as a firewall.

> I've been told by others to go sftp, but I've not read up on it in the 10.5 Server docs. I have looked for info on sftp in 10.4 server before upgrading, and did not find enough info on it to warrant spending time trying to make it work. I've been looking for docs like yours since I started wrestling with this. Glad I posted here and you responded. I will read your documents thoroughly once the Independence Day BBQing is done!


With a typical box with an ssh and sftp on the client, and an ssh and sftp running on the server...

`sftp user@example.com`

password, then sftp commands

`ssh user@example.com`

password, then log in.

The sftp protocol "rides atop" the ssh protocol.

Port 22 (only) needs to be open through the server firewall. Note that you will get attacked on ssh; dictionary attacks against port 22 are common. There are ways to deal with that, such as moving the ssh server off of port 22, or (better) using a VPN or such.

It's also entirely feasible to do a no-password login with ssh and sftp, as well.

Jul 5, 2009 12:00 PM in response to MrHoffman

Thanks again for your reply Mr. Hoffman.
Setting sftp and ssh aside for a moment, the problem that I am seeing, timing out while trying to connect from a Windows machine within my network, is the same problem that Windows users are seeing when trying to connect from outside my network. These are users with some experience using FTP, so the problem does not exist solely with the single PC, and it seems like a bit much to be asking users to change settings that work for other FTP servers. But if that's how it is, that's how it is...

As stated in the OP, I have tried toggling active/passive from the Windows FTP client. The issue persisted.

The kicker for me is that Mac users have no problems with FTP using Cyberduck.

To recap:

The host network goes:
cable modem -> airport extreme base station with AFP/FTP ports forwarded to the server -> gigabit switch -> gigabit switch -> 10.5 server with firewall currently disabled.

-connections from FTP client on the Mac from inside or outside my network, 100% working
-connections from FTP client on Windows from inside or outside my network, worked briefly, now not at all. Time out errors regardless of active or passive settings.

This brings me back to my initial question. Does 10.5 Server FTP services require special settings to play nice with Windows users? Should I be using Pure FTPd Manager or something similar?

I am admittedly green in this department. But when AFP and FTP on the mac client side "just work" and Windows FTP clients are able to connect to other servers without error, but unable to connect to my FTP server, my guess would be that the problem resides with the 10.5 Server FTP services config (or within my network config).

But again, I am a total amateur in this area. I have not read your document page, so please don't feel obligated to reply until I have...

Jul 6, 2009 10:44 AM in response to blankbot

FWIW: I've had no issues with Filezilla when I've been using Microsoft Windows (and not the command-level ftp that's part of any Microsoft Windows version likely in use here). Filezilla has also had the added benefit of working (correctly) with some of the less common operating systems and ftp servers and file systems that I deal with, too. (Various of the other ftp clients and the command-level client tool aren't quite as compatible here.)

Jul 6, 2009 11:00 AM in response to Jason Wolford

ftp is a very old network protocol.

ftp predates the widespread use of firewalls.

ftp simply does not work like other (and more recent) protocols. Particularly around firewalls.

ftp "active" is incompatible with client-side firewalls, and ftp "passive" is incompatible with server-side firewalls, save for client-side or server-side ("smarter") firewalls that know how to sniff the ftp traffic and open the ephemeral port, or save for cases where the network security administrator has decided to open the ephemeral port range for access. And if there are multiple firewalls present, all bets are off.

My preference here is a dedicated firewall box, but you might get the Airport to work if you forward the entire ephemeral range and also use passive-mode ftp transfers.

As the cherry on top of this problem, ftp also transmits the username and password credentials in cleartext.

sftp is massively easier to deal with, if you have sftp clients all around.

Jul 6, 2009 11:41 PM in response to MrHoffman

Thanks again for the replies and info.

OK, it's working today.
Nothing has changed. I had turned on NAT and enabled the server machine as the default host from Airport Admin over the weekend, but there was no immediate change and it has not been rebooted...

I even turned the firewall back on and cycled the FTP services, and FTP is still working. I am baffled.

Mr Hoffman, I still need to read your documents. And I will have a close look at SFTP. I used it for a few months via Cyberduck on someone else's server and had no problems at all.

I just tried logging in via SFTP and did not realize that it is just a matter of changing protocol on the client end. It seems to be working fine as well on both Mac and PC. This seemed to be a good way to go until I realized that SSH is giving users access to the directory of the entire machine. If it was just me connecting, it would be fine, but there will be other users and inevitably friends of other users...

A few searches on this leads me to believe that there is no simple way around this... I suspect I'll need to shut off SSH and take my chances with plain old FTP.

Message was edited by: Jason Wolford

Jul 8, 2009 9:56 AM in response to Jason Wolford

ssh (and sftp) and ftp use login credentials, and (also) use standard mechanisms to control where the accessing client can read and write on the server; you're enabling access. (The ftp protocol publishes the credentials every time you use it from an untrusted network connection, which means you really don't know who's storing warz on your server. So if the credentials can log in...)

What can confuse those accustomed to cifs/smb or afp or (to a certain extent) ftp is that these servers have added mechanisms (beyond the login) that control where you can land; they've got exported shares which restrict where the accessor can write. (If the user can log in via the same credentials, then they can potentially access further than an ftp share.)

For my usual use (with untrusted users), I typically have one area that users can write to, and preferably on a bastion host or DMZ on the network. Or I use ACLs to lock out access beyond the target area; usually volume-level entries where I can use those. Or both a bastion and ACLs. As for another approach here, there are also [instructions for building chroot and sftp|http://www.macgeekery.com/gspot/2006-11/chrooting ssh_andsftp].

Alternative approaches can involve WebDAV sharing.
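The chroot-and-sftp approach mentioned above is what addresses the "SSH gives users the whole machine" worry from the previous post: sshd is told that members of one group may only run the built-in SFTP server, inside a directory tree they cannot leave. The fragment below is an added example for `/etc/sshd_config`, not text from the thread, from the linked macgeekery page or from Apple's documentation. It assumes a group named `sftponly` and a per-user chroot under `/Volumes/Data/sftp/` (both invented here), and it needs an OpenSSH that supports `ChrootDirectory` and `internal-sftp` (4.9 or newer; check what a given 10.5 Server build ships with `ssh -V` before relying on it).

```sshd_config
# Added example, not part of the thread. Group name and paths are assumptions.

# Use the in-process SFTP server so no binaries are needed inside the chroot.
Subsystem sftp internal-sftp

# Everything in this Match block applies only to members of group "sftponly".
# Match blocks must come after the global settings in sshd_config.
Match Group sftponly
    # Root of what the user can see. %u expands to the login name. sshd refuses
    # the login unless this directory and every parent are owned by root and
    # not group- or world-writable, so give each user a writable subdirectory
    # (for example /Volumes/Data/sftp/<user>/upload owned by that user).
    ChrootDirectory /Volumes/Data/sftp/%u
    # Replace whatever shell or command the client asked for with SFTP only,
    # so "ssh user@host" no longer yields a shell for these accounts.
    ForceCommand internal-sftp
    # Close off the other things an ssh session could be used for.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t` after editing to syntax-check the file, and test with a throwaway account in the group: `ssh` should be refused (the session ends immediately) while `sftp` lands in the chroot and cannot `cd` above it. Accounts outside the group are unaffected, which keeps the administrator's own shell access intact.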

Jul 11, 2009 10:38 AM in response to Jason Wolford

This might help (had it on my hard drive - don't know/remember where I got it):


"I've been through this and hope my experience helps. If desired, check this site for an explanation of active and passive FTP http://slacksite.com/other/ftp.html. In short, passive is preferred as the client will not have to deal with firewall settings--any client, even a firewalled one, should be able to use your passive FTP server if you set it up right. The problem with passive ftp behind a firewall is that when a client connects to port 21 (which you have open of course), your server issues them a random high port number (>1023) to use for the data connection. Undoubtedly your firewall will not have that random port open. The trick is to tell Mac OS X's FTP service to use a specified, limited range of ports for passive connections, and then open those ports in your firewall.

1. `[macosxserver:~] user% sudo pico /Library/FTPServer/Configuration/ftpaccess`
2. put this at the bottom above the email option:

   `passive ports your_serverIP port rangestart port rangeend`

   I did this for my setup:
   `passive ports 192.168.x.x 65500 65534`

3. save the changes to the ftpaccess file and close pico
4. open the ports you specified (mine are 65500-65534) in your firewall
5. restart the FTP service

On my 10.4.5 server, the modified settings stick even if I use Server Admin to further edit the FTP service."


"Should I be using Pure FTPd Manager or something?"

Positive things with Pure FTPd Manager are that you can have a whole separate user database (if you remove the PAM "db-connector") from the users in your WGM databases, you can control the client ports (like above), and if you enter "-b" in the option field you get a login dialog if the connection is made from a web browser (you do get this dialog with Apple's FTP too, I believe).

Might be some disadvantages too.
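To make the passive-mode failure described in Mr. Hoffman's reply and in the quoted ftpaccess recipe concrete, here is an added Python checker; it is not code from the thread, from Apple's ftpd or from any FTP client. It parses the `227 Entering Passive Mode` reply a server sends, parses the `passive ports` line added to ftpaccess, and reports why a client that obeyed the reply would time out on the data connection: port outside the configured range, port not forwarded on the firewall, and (going a step beyond the thread) a private LAN address advertised to a client on the outside, which a NAT router will not translate for you. Every address, reply and port range in it is a constructed sample value.

```python
"""Passive-FTP sanity checks for a server behind a firewall/NAT.

Added example, not code from the thread or from any FTP server or client.
All sample values below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# where the data port is p1 * 256 + p2.
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return the (address, port) a server advertised in a 227 PASV reply."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_passive_ports(ftpaccess_text: str) -> tuple[str, int, int] | None:
    """Find a 'passive ports <addr> <low> <high>' line, as in the recipe
    quoted above, and return (addr, low, high); None if there is no such line.
    Only the port range is used for checking; the address field is passed
    through untouched."""
    for line in ftpaccess_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "passive" and parts[1] == "ports":
            low, high = int(parts[3]), int(parts[4])
            if not (1024 <= low <= high <= 65535):
                raise ValueError(f"bad passive port range: {line!r}")
            return parts[2], low, high
    return None


def check_pasv_reply(reply: str, ftpaccess_text: str, forwarded: range,
                     client_is_external: bool) -> list[str]:
    """Return the reasons (possibly none) why a client obeying this PASV reply
    would fail to open the data connection. `forwarded` is the port range the
    router/firewall actually passes through to the server."""
    addr, port = parse_pasv(reply)
    problems: list[str] = []
    cfg = parse_passive_ports(ftpaccess_text)
    if cfg is None:
        problems.append("ftpaccess has no 'passive ports' line: "
                        "data ports are random high ports")
    else:
        _, low, high = cfg
        if not low <= port <= high:
            problems.append(f"advertised port {port} is outside the configured "
                            f"range {low}-{high}")
    if port not in forwarded:
        problems.append(f"advertised port {port} is not forwarded/opened on "
                        "the firewall")
    if client_is_external and ipaddress.ip_address(addr).is_private:
        problems.append(f"advertised address {addr} is a private LAN address; "
                        "an outside client cannot reach it through NAT")
    return problems


# Constructed sample configuration and server replies (assumptions, not real).
SAMPLE_FTPACCESS = (
    "loginfails 3\n"
    "passive ports 192.168.1.10 65500 65534\n"
    "email root@localhost\n"
)
FORWARDED = range(65500, 65535)  # what the router forwards (65500-65534)
GOOD_REPLY = "227 Entering Passive Mode (192,168,1,10,255,236)"  # port 65516
BAD_REPLY = "227 Entering Passive Mode (192,168,1,10,200,10)"    # port 51210


if __name__ == "__main__":
    for label, reply, external in (("LAN client, in range", GOOD_REPLY, False),
                                   ("outside client, in range", GOOD_REPLY, True),
                                   ("LAN client, random port", BAD_REPLY, False)):
        found = check_pasv_reply(reply, SAMPLE_FTPACCESS, FORWARDED, external)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Feed it the real 227 line from a client's log (FileZilla shows it in its message pane) and the real ftpaccess to see which of the three conditions applies; the "random port" case is exactly what the quoted recipe fixes, and the private-address case is a reason an outside client can still time out after the port range is opened.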
