Netgate Discussion Forum
Help w/ NAT for FTP

8 Posts 3 Posters 5.5k Views
tlsail (Jul 13, 2007, 10:49 PM)

If this has been covered, I apologize; I just haven't been able to find any info on the forum that relates to my problem. Let me introduce myself: I have been around computers my whole life and am very familiar with their workings; however, it wasn't until recently that I delved into network security and FTP servers.

I was running a simple Netgear router that provided good protection from the outside, but lacked the control that I sought. After much hunting I found pfSense. I managed to get it to allow access to my HTTP server and my FTP server; the problem is that I have noticed some people trying to brute force their way in. This is where the problem lies. I'm running FileZilla as I don't like the IIS FTP system. When I view the log directly in FileZilla it only shows the local IP of the pfSense box, not the end user. The people on the FileZilla forum are less than helpful; their answer is "Your pfSense box is broken by design. Instead of being a simple NAT router, it acts as a complex, fragile reverse proxy with all its drawbacks." An example of the log from FileZilla is:

    (003186) 7/11/2007 15:00:41 PM - (not logged in) (192.168.1.1)> USER Administrator
    (003186) 7/11/2007 15:00:41 PM - (not logged in) (192.168.1.1)> 331 Password required for administrator
    (003186) 7/11/2007 15:00:47 PM - (not logged in) (192.168.1.1)> PASS ******
    (003186) 7/11/2007 15:00:47 PM - (not logged in) (192.168.1.1)> 530 Login or password incorrect!
    (003186) 7/11/2007 15:01:05 PM - (not logged in) (192.168.1.1)> USER Administrator
    (003186) 7/11/2007 15:01:05 PM - (not logged in) (192.168.1.1)> 331 Password required for administrator
    (003186) 7/11/2007 15:01:15 PM - (not logged in) (192.168.1.1)> PASS *****
    (003186) 7/11/2007 15:01:15 PM - (not logged in) (192.168.1.1)> 530 Login or password incorrect!
    (003186) 7/11/2007 15:01:36 PM - (not logged in) (192.168.1.1)> 421 Login time exceeded. Closing control connection.
    (003186) 7/11/2007 15:01:36 PM - (not logged in) (192.168.1.1)> disconnected.

I would like to use FZ's auto-ban feature to prevent this type of attack on my system. Does anybody have any suggestions?

I'm running pfSense 1.2-BETA-1. Also, if you see something I can do to streamline the NAT and firewall rules, please chip in; this is what I had to do to get it to work, but I am a newbie at this sort of thing. I'm posting screen captures of my settings for all to see.

![Firewall Rules.jpg](/public/imported_attachments/1/Firewall Rules.jpg)
![NAT Port forward seting.jpg](/public/imported_attachments/1/NAT Port forward seting.jpg)
![NAT Port forward.jpg](/public/imported_attachments/1/NAT Port forward.jpg)

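The practical consequence of the log above is that any auto-ban rule keyed on the logged client address cannot work while the firewall's FTP proxy is in the path: every attempt is attributed to 192.168.1.1. The following is an added example, not code from the thread or from FileZilla, that parses lines in the format shown and counts failed logins per source; the client addresses 203.0.113.7 and 198.51.100.20 are constructed documentation addresses.

```python
import re
import ipaddress
from collections import Counter

# FileZilla Server log format as it appears in the thread:
#   (session) date time - (user) (client ip)> message
LOG_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<date>\S+) (?P<time>\S+ [AP]M) - "
    r"\((?P<user>[^)]*)\) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_logins_by_ip(lines):
    """Count '530 Login or password incorrect!' replies per logged client IP."""
    fails = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg"].startswith("530"):
            fails[rec["ip"]] += 1
    return fails

def ban_candidates(lines, threshold=3):
    """Return (IPs an auto-ban rule would block, True if every source is a LAN address).
    The flag marks the proxy case: the only address seen is the firewall itself."""
    fails = failed_logins_by_ip(lines)
    banned = sorted(ip for ip, n in fails.items() if n >= threshold)
    only_lan = bool(fails) and all(
        any(ipaddress.ip_address(ip) in net for net in RFC1918) for ip in fails)
    return banned, only_lan

def make_line(session, t, ip, msg):
    """Build a constructed log line in the same format."""
    return f"({session:06d}) 7/11/2007 {t} PM - (not logged in) ({ip})> {msg}"

# Constructed sample: four bad passwords from one client, one from another
# (203.0.113.7 and 198.51.100.20 are documentation addresses, not real hosts).
ATTEMPTS = [("15:00:41", "203.0.113.7"), ("15:01:05", "203.0.113.7"),
            ("15:01:20", "203.0.113.7"), ("15:01:33", "203.0.113.7"),
            ("15:02:10", "198.51.100.20")]
FAIL = "530 Login or password incorrect!"
# With the pfSense FTP helper proxying, every client is logged as the firewall.
HELPER_ON = [make_line(3186, t, "192.168.1.1", FAIL) for t, _ in ATTEMPTS]
# With the helper off and a plain port forward, the real client IPs are logged.
HELPER_OFF = [make_line(3186, t, ip, FAIL) for t, ip in ATTEMPTS]
```

With the helper on, the only ban candidate is 192.168.1.1, and banning it would lock out every client; with it off, the attacker's address is identified and the second client stays below the threshold.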
bgbearcatfan (Jul 13, 2007, 11:09 PM)

Hi,

I also run a filezilla server for ftp connections (about 2 years now?).

1. I used to experience these brute force attacks as well, but it always showed the correct public ip address. The thing that is throwing me off is your third firewall rule.

| Proto | Source | Port | Dest. | Port | Gateway |
|-------|--------|------|-------|------|---------|
| TCP | * | * | WAN ADDRESS | 21 | * |

I'm obviously a newb myself, but what is that rule in place for? What happens when you disable that rule?

2. This may not be an option at all, but I got tired of seeing this happening on my box, so I changed the port filezilla listens on from the default 21 to a non-standard port, and since that change I have had 0 attacks. Obviously this makes things a bit more difficult as you have to change the client to use a different port as well, but it works great for me. Just a suggestion.

/Brian
/2.0.1-RELEASE
built on Mon Dec 12 18:24:17 EST 2011

tlsail (Jul 16, 2007, 4:23 PM)

bgbearcatfan, thanks for the reply. I started to wonder why that rule was there also. I deleted all rules and started fresh; that third rule was auto-generated by pfSense. FileZilla still only sees the local pfSense IP and not the public IP of the client. What settings did you use to see the public IP address of the client? So far, the brute force attacks have stopped, but who knows how long that will be for.

Ideally I would use a different port for FTP than port 21; the problem is I deal with people that are less than smart with computers (the same kind that wonder why you need to plug the computer into power). Introducing them to a decent FTP client would be problematic; I'm afraid they're stuck using Windows networking for their FTP client. :(

bgbearcatfan (Jul 16, 2007, 6:01 PM)

Hi,

Are external clients able to successfully connect to your ftp server (from outside your firewall)?

With filezilla, if you have the passive mode settings incorrectly configured, it will not allow external clients to connect, and will report the private ip address (as you are seeing in your logs), instead of the public ip address that external clients should be seeing. Usually, if you set the filezilla passive mode setting to "Retrieve external IP address from: http://ip.filezilla-project.org/ip.php", that should make everything function correctly, both internal and external.

/Brian

tlsail (Jul 16, 2007, 8:05 PM)

Thanks, I think I got it. I had to turn off the FTP helper application within pfSense. As a result I also had to open up some ports for PASV to work properly. FileZilla now sees public IPs. I also configured FileZilla using the retrieve-from-external-source option. Interesting thing though: when I enter the address http://ip.filezilla-project.org/ip.php into a web browser, I get 127.0.0.1, which is the loopback IP address. It will be interesting to see if FileZilla likes the setting.

This would be a nice feature to have implemented someday: the FTP helper application forwarding public IPs to the FTP server.

Of course, my final testing will have to wait till I get home tonight. I've been using http://www.g6ftpserver.com/en/ftptest to test the system. I'll post the results of my testing tonight.

Thanks again for your help.

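The two settings in the posts above, the external-IP setting in FileZilla and the range of ports opened on pfSense for PASV, both show up in one place: the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply the server sends to a client. The following is an added example, not from the thread or from FileZilla or pfSense, that decodes such a reply and checks it against the WAN address and forwarded range; 203.0.113.10, 192.168.1.50 and 50000-50100 are constructed placeholder values.

```python
import re
import ipaddress

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode a 227 reply into (address, port); the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def pasv_reply(address, port):
    """Encode the address and data port the server advertises to clients."""
    octets = str(ipaddress.IPv4Address(address)).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})"

def check_pasv(reply, public_ip, forwarded_ports):
    """List what would stop an external client from opening the data connection:
    the reply must carry the public (WAN) address, and the data port must lie in
    the range that the firewall forwards to the FTP server."""
    address, port = parse_pasv(reply)
    lo, hi = forwarded_ports
    problems = []
    if ipaddress.ip_address(address) != ipaddress.ip_address(public_ip):
        problems.append(f"advertises {address}; external clients need {public_ip}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems

# Constructed values: 203.0.113.10 stands in for the WAN address, the server
# sits at 192.168.1.50 on the LAN, and 50000-50100 is the forwarded PASV range.
PUBLIC_IP = "203.0.113.10"
PASV_PORTS = (50000, 50100)
# What a server advertises when it has not been told its external address:
LAN_REPLY = pasv_reply("192.168.1.50", 50000)
# What it should advertise once the external-IP setting is in place:
GOOD_REPLY = pasv_reply(PUBLIC_IP, 50000)
```

`check_pasv(LAN_REPLY, PUBLIC_IP, PASV_PORTS)` reports the private address that external clients cannot reach, while `GOOD_REPLY` passes both checks.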
bgbearcatfan (Jul 16, 2007, 8:34 PM)

That's normal to get the 127.0.0.1.

Their website was getting too many hits when it used to return the valid public ip address, so they changed the coding around so that when you view their site through a browser, it gives you the loopback, but filezilla will receive the correct address.

/Brian

tlsail (Jul 17, 2007, 3:59 PM)

IT WORKS!!! ;D Thanks for your help.

Nostradamus (Aug 31, 2007, 1:02 AM)

Thanks :)

It works here too :p

Thanks tlsail for your screenshots :)

1.2-RELEASE
built on Fri Mar 7 18:49:15 EST 2008
Intel Celeron 1100 MHz
512MB PC-100
Seagate 20GB HD
eth0: Intel 82801BA/BAM/CA/CAM 10/100 (WAN)
eth1: 3Com 3c905C-TX/TX-M 10/100 (LAN)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.