Ports for FTPS (over SSL)

This depends on your mode (active or passive) and a few other factors. FTP itself is bad enough for any NAPT implementation, but it can be made to work through NAPT with proxies. The proxy has to sniff the FTP command connection. FTP + SSL encrypts the command connection with SSL. This in turn requires the proxy to perform a man-in-the-middle attack on the SSL handshake. This can be done if you have access to the server's private key or the CA that issued it. Have fun implementing this. If you just want to narrow the ports down on the server: forget it; FTP is more secure with more ports to choose from, as crazy as it may sound.
 
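What the proxy in the post above has to sniff off the command connection, as an added example (Python; not code from the thread): it parses the PASV and EPSV replies a server sends to announce a passive-mode data port and checks each port against the range a firewall has been told to allow. A NAPT helper for plain FTP reads exactly these replies; with FTPS the command connection is encrypted, so the helper sees nothing and the passive range has to be opened statically. The hifirst/hilast values used as defaults are assumed (stock FreeBSD values; check yours with sysctl) and the sample reply lines are constructed.

```python
import re

# Added example, not code from the thread. Parses the replies an FTP server
# sends on the control connection to announce a passive-mode data port, and
# checks each port against the range the firewall has been told to allow.
# A NAT/firewall helper for plain FTP reads exactly these replies off the
# control connection; with FTPS that connection is encrypted, so the helper
# sees nothing and the passive range has to be opened statically instead.

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 ... (|||port|); the address is the control peer's
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

# Stock FreeBSD values of net.inet.ip.portrange.hifirst / hilast. Assumed here;
# read the live values with `sysctl net.inet.ip.portrange` on the server.
DEFAULT_FIRST, DEFAULT_LAST = 49152, 65535


def parse_passive_reply(line):
    """Return (host, port) for a PASV or EPSV reply, else raise ValueError.

    host is None for EPSV, which carries no address: the client reuses the
    address it already talks to on the control connection."""
    m = PASV_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("PASV field out of range: %r" % line)
        h1, h2, h3, h4, p1, p2 = fields
        port = p1 * 256 + p2
        if port == 0:
            raise ValueError("PASV port 0: %r" % line)
        return ("%d.%d.%d.%d" % (h1, h2, h3, h4), port)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range: %r" % line)
        return (None, port)
    raise ValueError("not a passive-mode reply: %r" % line)


def in_passive_range(port, first=DEFAULT_FIRST, last=DEFAULT_LAST):
    """True when a firewall rule covering first..last admits this port."""
    return first <= port <= last


def audit_replies(lines, first=DEFAULT_FIRST, last=DEFAULT_LAST):
    """Walk captured control-channel replies and report each announced data
    port as (host, port, allowed). Non-passive replies are skipped."""
    report = []
    for line in lines:
        try:
            host, port = parse_passive_reply(line.rstrip("\r\n"))
        except ValueError:
            continue
        report.append((host, port, in_passive_range(port, first, last)))
    return report


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "230 Login successful.",
    "227 Entering Passive Mode (192,0,2,10,195,88).",   # 195*256 + 88 = 50008
    "229 Entering Extended Passive Mode (|||60000|).",
    "227 Entering Passive Mode (192,0,2,10,4,1).",      # 4*256 + 1 = 1025
]

if __name__ == "__main__":
    for host, port, allowed in audit_replies(SAMPLE_REPLIES):
        print("%-14s %5d %s" % (host or "(control peer)", port,
                                "allowed" if allowed else "BLOCKED by firewall"))
```

Run it against replies captured from a plaintext FTP session to see which data ports a firewall restricted to the sysctl range would actually let through; the third sample, port 1025, is the case a narrowed range silently breaks.
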
Can't someone configure their ftp server to use a specific UDP port range (if set to passive) and allow this range of ports to be accessible for this purpose?
 
mamalos said:
can't someone configure their ftp server to use a specific udp port range (if set to passive) and allow this range of ports to be accessible for this purpose?

udp by ftp?
 
The wiki page for FTP over SSL suggests that it works just like normal FTP, so for passive FTP you'll need port 21 inbound as well as the passive range (which is TCP, not UDP).

Some FTP servers allow you to set the passive range, so you can choose this range and only open the relevant ports on the firewall. The default FreeBSD server doesn't; it uses the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls, so that's the range you'd need open. You can change these values, but I'd be wary of changing them too much, as I have no idea what or how many services rely on using the ports specified here.

If you want secure FTP, it's also worth looking at sftp using SSH. It will only need SSH open (if you're happy doing that), and on a standard FreeBSD install only needs a few tweaks to /etc/ssh/sshd_config (and maybe an 'sftp' group to put the users into).
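The sshd_config tweaks the post above mentions, as an added example (not from the thread or from FreeBSD's stock config): a Match block that restricts members of an 'sftp' group to sftp inside a chroot. The group name and the /home/%u chroot layout are assumptions; adjust them to your box.

```conf
# Added example, not from the thread: /etc/ssh/sshd_config fragment for an
# sftp-only group named 'sftp' (group name and chroot layout are assumptions).
# Replace any existing "Subsystem sftp ..." line; a Subsystem directive is not
# allowed inside a Match block, and internal-sftp needs no binaries in the chroot.
Subsystem sftp internal-sftp

# Keep Match blocks at the end of the file: every directive after a Match line
# belongs to that block until the next Match.
Match Group sftp
    # The chroot directory must be owned by root and not writable by group or
    # others, so give each user a root-owned /home/<user> with a writable
    # subdirectory (e.g. /home/<user>/upload) for their files.
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Create the group and add users with `pw groupadd sftp` and `pw groupmod sftp -m <user>`, check the file with `sshd -t` before reloading, then `service sshd reload`. With only TCP 22 open, none of the passive-range questions above apply.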
 