I have managed to get FTPS (secure ftp) setup. FTPS is the same as FTP but the connection between the my book live and the computer is secured like when you shop online.
Before you begin you need to make sure FTP and SSH are enabled on your live book. Doing this is well documented here so I won’t go into it.
Using Putty or your favourite SSH client connect to your mybook and login.
Create a ssl certificate by entering the following command:
Fill in the details it asks, when connecting using secure ftp you will see this information you can check to make sure its the right drive you are connecting too.
3) Edit the ftp config file by typing nano /etc/vsftpd.conf
Go to the bottom of the file and enter the following (I have commented the document to explain what it is doing. The comments can be left in as its written in away the live book understands. By default (its a good thing) WD turn off annonymous ftp, the config here does not change that but if you ever turned it on you would be made to use encrpyption. Paste the config in from below:
Turn on SSL
ssl_enable=YES
Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
All non-anonymous logins are forced to use a secure SSL connection in order to
send and receive data on data connections.
force_local_data_ssl=YES
All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
Disable SSL session reuse (required by WinSCP)
require_ssl_reuse=NO
Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
This option specifies the location of the RSA certificate to use for SSL
encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
Finally save the file and restart ftp by typing:
/etc/init.d/vsftpd restart
Notes on connecting through filezilla:
FileZilla will connect using port 990 when using explicit ftp. Simply change to port 21 and it will work:
What would be good is for VSFTP to accept encrypted and un-encrypted FTP connections. For example, I have a IP-Camera that can only initiate notmal FTP connection for forsing SFTP will prevent the IP-camera from sending snapshots to the NAS. Conections to port 21 can be kept within the network and port 990 for SFTP connections could be exposed to the Internet.
What would be the configuration to allow FTP connections on port 21 and SFTP conections on port 990 at the same time?
There is a difference between FTPS vs SFTP, NOT the same thing. Google people, google!
But in a few words, what you want seems to be, have FTP for the camera and SFTP for secure connections. Easy! Setup FTP and also SSH. Linux skills requied though.
There is a difference between FTPS vs SFTP, NOT the same thing. Google people, google!
But in a few words, what you want seems to be, have FTP for the camera and SFTP for secure connections. Easy! Setup FTP and also SSH. Linux skills requied though.
Actually they both operate on port 21. FileZilla always wants to use 990 by default so I change it to 21 so it works. You can work round this by mapping port 990 to port 21 to your my book using your router. That’s what I did so when I am out its less hassle. If you did it this way you could have what you said.
In answer to your question the configuration works by using ssl if you asked for it (you selected it in FileZilla for example) I know having ssl and non ssl may seem unusual as most have different ports (like http and https) but its the way the ftp extension standard is.
It’s not working very well. With FTP and FTPS enabled when a secure connection with FilzZilla is atempoted and TLS is being initialised, nothing happens and after about a minute FileZilla times out.
21:26:12 Status: Resolving address of [CUT]
21:26:30 Status: Connecting to [CUT]:21...
21:26:30 Status: Connection established, waiting for welcome message...
21:26:36 Response: 220 Squirrels are so happy that they don't know how miserable they are.
21:26:36 Command: AUTH TLS
21:26:38 Response: 234 Proceed with negotiation.
21:26:38 Status: Initializing TLS...
21:26:58 Error: Connection timed out
21:26:58 Error: Could not connect to server
Ok, will try mine with both turned on and post
my output / results. You do need to use explicit ssl in FileZilla and over port 21 while connecting inside the network.
Also if you are trying from the Internet you do need to forward ports 5000 - 5099.
I am uysing the explicit option. It wopuld be useful to have the choice of an un-encrypted connection and also encrypted at the same time. Obviously if the passwords are properly set then it would be close to impossible top use brute force attacks.
As to brute force, applying a delay on a wrong user name and password as well as restricting the number of connections from the same IP goes some way to slowing down brute force password guessing to a point where it becomes uneconomical to attempt such an attack.
Unfortunately WD’s default setting it to turn off those safety features of VSFTP which I turn on after each official upgrade.
Ok, well in that case I have tested fully the ftp and ftps on my setup. To do it I changed the following lines (I missed a change off on the previous post I think, sorry)
force_local_data_ssl=NO
force_local_login_ssl=NO
I can then connect ok over plain and explicit ssl. Here is my connection settings from filezilla within the lan:
Got it working. Thanks. Yes, had to set-up port forwarding for ports 5000 to 5099. How come for normal FTP this additional port forwarding is not required but for FTPS it is. I didn’t forward port 990.
ftpd_banner="Welcome to MyBookLive"
listen=yes
listen_port=21
accept_timeout=65
connect_timeout=65
data_connection_timeout=300
# max_clients=0
# max_per_ip=0
delay_failed_login=62
max_clients=6
max_per_ip=2
xferlog_enable=YES
hide_ids=YES
dirlist_enable=YES
download_enable=YES
use_localtime=YES
write_enable=YES
file_open_mode=0755
local_enable=YES
local_umask=02
local_max_rate=0
anon_root=/shares
check_shell=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/user_list
vsftpd_log_file=/var/log/vsftpd.log
anonymous_enable=NO
anon_mkdir_write_enable=NO
anon_upload_enable=NO
anon_world_readable_only=YES
anon_other_write_enable=NO
no_anon_password=YES
anon_max_rate=0
anon_umask=077
# share_acl_enable=YES
pasv_enable=YES
# pasv_promiscuous=YES
pasv_promiscuous=NO
pasv_min_port=5000
pasv_max_port=5099
deny_file=Public
hide_file=Public
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=NO
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Disable SSL session reuse (required by WinSCP)
require_ssl_reuse=NO
# Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
Is there a way to get FileZilla to correctly shut-down an SSL session to avoid …
Connection terminated without SSL shutdown - buggy client?