FTP access times out, but pfSense has port 21 forwarded?
-
Hello, I'm testing FTP access, however timeouts happen when reaching the pfSense router.
If: WAN
Proto: TCP
Src. addr: *
Src. ports: *
Dest. addr: *
Dest. ports: 10000
NAT IP: 192.168.1.xxx
NAT Ports: 21 (FTP)
I also tried:
If: WAN
Proto: TCP
Src. addr: *
Src. ports: *
Dest. addr: *
Dest. ports: 21
NAT IP: 192.168.1.xxx
NAT Ports: 21 (FTP)
-
well dest * doesn't work.. You need your WAN address there.. pick it from the drop down wan address.
Pretty scary letting people know some 192.168.1.42 address – what, you think someone is going to hack you with that rfc1918? That we all have on our own local networks and is not routable on the internet???
So you do understand there is no helper now.. You would need to forward the passive ports you're going to use to your server if you want clients to be able to use passive to get to your server vs just active.. Since they are prob behind nat as well, active ftp could be an issue for them.
Out of curiosity - why are you using ftp vs sftp. Which is 1 port and actually secure...
-
So, I'll try to make SFTP work, rather than FTP. (Although I need to figure out 'jailing' the access to 1 directory as SFTP accesses all directories).
I don't know, just trying to reduce the chance of hackers by hiding some of the LAN IP.
I updated pfSense > Firewall > NAT > Port Forward to:
If: WAN
Proto: TCP
Src. addr: *
Src. ports: *
Dest. addr: WAN address
Dest. ports: 22
NAT IP: 192.168.1.xxx
NAT Ports: 22 (SSH)
I tested via Shell:
$ ssh admin@domain.com
Password for admin@pfSense.localdomain: (I don't know what this is or what password?)
Password for admin@pfSense.localdomain: (I don't know what this is or what password?)
Password for admin@pfSense.localdomain: (I don't know what this is or what password?)
admin@domain.com's password: (I enter correct password)
Permission denied, please try again.
-
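The "jailing" the poster wants for SFTP is what OpenSSH calls a chroot. The following is an added example, not code from this thread or from the pfSense or OpenSSH projects: it renders the sshd_config Match block that confines one group of accounts to a directory and to the built-in SFTP subsystem, and it checks the one prerequisite that trips most people up: sshd refuses to start a chrooted session unless the chroot directory and every parent directory are owned by root and not writable by group or others. The group name `sftponly` and the path `/srv/sftp/%u` are assumed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path


def render_sftp_match(group="sftponly", chroot="/srv/sftp/%u"):
    """Return an sshd_config Match block (assumed group/path placeholders).

    Members of `group` are confined to `chroot` (%u expands to the user
    name) and can only run the in-process SFTP server: no shell, no port
    forwarding.  The main section of sshd_config must also contain
    `Subsystem sftp internal-sftp`.
    """
    return "\n".join([
        f"Match Group {group}",
        f"    ChrootDirectory {chroot}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
        "",
    ])


def chroot_problems(path):
    """List reasons sshd would reject `path` as a ChrootDirectory.

    OpenSSH requires the directory and all of its parents to be owned by
    root and not writable by group or others; otherwise it logs
    'bad ownership or modes for chroot directory' and closes the session.
    Writable space for the user must be a subdirectory inside the chroot.
    An empty list means the directory tree is acceptable.
    """
    problems = []
    target = Path(path).resolve()
    for directory in [target, *target.parents]:
        try:
            st = directory.stat()
        except FileNotFoundError:
            problems.append(f"{directory}: does not exist")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{directory}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{directory}: not owned by root (uid {st.st_uid})")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = oct(stat.S_IMODE(st.st_mode))
            problems.append(f"{directory}: writable by group or others ({mode})")
    return problems


def self_check():
    """Create a group-writable scratch directory (constructed input) and
    return what chroot_problems() reports for it."""
    scratch = tempfile.mkdtemp()
    try:
        os.chmod(scratch, 0o775)  # group-writable: sshd would reject this
        return chroot_problems(scratch)
    finally:
        os.rmdir(scratch)


if __name__ == "__main__":
    print(render_sftp_match())
    for problem in self_check():
        print(problem)
```

With this block in place, each site's account is created as a member of the group and lands inside its own chroot; the per-site `public_html` directory is then created inside that chroot and owned by the account so uploads work, while the chroot root itself stays root-owned.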
Erm… you need to get SSH/SFTP running on the machine which serves files. And stop hiding the RFC1918 IPs, it just prevents useful advice and is 300000% useless regarding any hackers. WTH is 192.168.1.xxx? Sounds like the pfSense box itself from the output you see.
P.S. Note: Any testing MUST be done from WAN. Not from LAN.
-
^ exactly, as always spot on advice.. I have nothing else to add, other than please post screen shots of your rules going forward.. See at bottom is forward to 22, it is so much easier to see what is going on - maybe other rules that may cause problems, etc. etc..
there is no reason to hide 192.168.x.x, or 10.x.x.x or 172.16-31.x.x address space.. These are private ranges that everyone on the planet is using, it in no way whatsoever compromises your security letting someone know that you forward 22 to a machine on your network with address 192.168.9.7 for example in my case.
Here is what it does do when you hide it, makes it so we really have no freaking clue what you're doing or attempting to do.. And clearly points out that your basic understanding is nil, because only users with no understanding of private or public ip addresses would hide private addresses.
-
Ok, point taken, thank you.
So, I think access is now working via the pfSense router.
I think the problem is my misunderstanding of FTP and SFTP.
FTP I believe accesses virtual hosts, such as:
Remote machine > OS > server software > website1 (domain1.com) > user1.
Remote machine > OS > server software > website1 (domain1.com) > user2.
Remote machine > OS > server software > website2 (domain2.com) > user1.
Remote machine > OS > server software > website2 (domain2.com) > user2.
FTP access still doesn't work.
Error: Server refused FTP over TLS, as per https://ftptest.net/.
The server is running FTP.
However, SFTP I believe cannot access virtual hosts and can only access:
Remote machine > OS > server software IP address 192.168.1.165.
This would then show:
/root/home/domain1.com/public_html
/root/home/domain2.com/public_html
So, I believe I have to jail the directories, so a user can only see domain1.com/public_html and not see domain2.com.
SFTP access still doesn't work.
Error: ssh: Could not resolve hostname ftp.domain1.com: Name or service not known
Couldn't read packet: Connection reset by peer
The server is running SSH.
Shell output in remote machine /usr/log/secure (trying to access the remote server):
192.168.1.110 is the local machine trying to access the remote machine.
192.168.1.165 is the remote machine.
192.168.1.190 is the pfSense router.
Sep 20 08:30:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 08:30:01 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 08:30:02 centos sshd[21621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:30:04 centos sshd[21621]: Failed password for root from 80.157.192.81 port 55559 ssh2
Sep 20 08:30:04 centos sshd[21622]: Received disconnect from 80.157.192.81: 11: Bye Bye
Sep 20 08:30:07 centos sshd[21645]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2
Sep 20 08:30:09 centos sshd[21646]: Received disconnect from 80.157.192.81: 11: Bye Bye
Sep 20 08:30:12 centos sshd[21649]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:30:14 centos sshd[21649]: Failed password for root from 80.157.192.81 port 60103 ssh2
Sep 20 08:30:14 centos sshd[21650]: Received disconnect from 80.157.192.81: 11: Bye Bye
Sep 20 08:30:17 centos sshd[21651]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:30:19 centos sshd[21651]: Failed password for root from 80.157.192.81 port 34305 ssh2
Sep 20 08:35:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 08:35:01 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 08:40:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 08:40:01 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 08:40:13 centos sshd[21997]: Accepted publickey for root from 192.168.1.110 port 38661 ssh2
Sep 20 08:40:13 centos sshd[21997]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 20 08:45:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 08:45:01 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 08:50:02 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 08:50:02 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 08:50:51 centos sshd[22337]: Invalid user xiuzuan from 114.112.54.22
Sep 20 08:50:51 centos sshd[22338]: input_userauth_request: invalid user xiuzuan
Sep 20 08:50:51 centos sshd[22337]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 08:50:51 centos sshd[22337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:50:51 centos sshd[22337]: pam_succeed_if(sshd:auth): error retrieving information about user xiuzuan
Sep 20 08:50:53 centos sshd[22337]: Failed password for invalid user xiuzuan from 114.112.54.22 port 35542 ssh2
Sep 20 08:50:54 centos sshd[22338]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:50:57 centos sshd[22339]: Invalid user plesk from 114.112.54.22
Sep 20 08:50:57 centos sshd[22340]: input_userauth_request: invalid user plesk
Sep 20 08:50:57 centos sshd[22339]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 08:50:57 centos sshd[22339]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:50:57 centos sshd[22339]: pam_succeed_if(sshd:auth): error retrieving information about user plesk
Sep 20 08:50:59 centos sshd[22339]: Failed password for invalid user plesk from 114.112.54.22 port 38446 ssh2
Sep 20 08:50:59 centos sshd[22340]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:51:02 centos sshd[22341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:51:04 centos sshd[22341]: Failed password for root from 114.112.54.22 port 41704 ssh2
Sep 20 08:51:04 centos sshd[22342]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:51:06 centos sshd[22343]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:51:08 centos sshd[22343]: Failed password for root from 114.112.54.22 port 45053 ssh2
Sep 20 08:51:08 centos sshd[22344]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:51:11 centos sshd[22345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:51:12 centos sshd[22345]: Failed password for root from 114.112.54.22 port 47688 ssh2
Sep 20 08:51:13 centos sshd[22346]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:51:15 centos sshd[22347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:51:16 centos sshd[22347]: Failed password for root from 114.112.54.22 port 50373 ssh2
Sep 20 08:51:16 centos sshd[22348]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:51:21 centos sshd[22349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:51:24 centos sshd[22349]: Failed password for root from 114.112.54.22 port 52796 ssh2
Sep 20 08:51:24 centos sshd[22350]: Received disconnect from 114.112.54.22: 11: Bye Bye
Sep 20 08:51:26 centos sshd[22351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 08:51:28 centos sshd[22351]: Failed password for root from 114.112.54.22 port 57659 ssh2
Sep 20 08:51:37 centos sshd[21997]: Received disconnect from 192.168.1.110: 11: disconnected by user
Sep 20 08:51:37 centos sshd[21997]: pam_unix(sshd:session): session closed for user root
Sep 20 08:51:50 centos sshd[22419]: Accepted publickey for root from 192.168.1.110 port 38811 ssh2
Sep 20 08:51:50 centos sshd[22419]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 20 08:55:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 08:55:01 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 09:00:02 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 09:00:02 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 09:00:22 centos sshd[22711]: Invalid user admin from 192.168.1.190
Sep 20 09:00:22 centos sshd[22712]: input_userauth_request: invalid user admin
Sep 20 09:00:49 centos sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 09:00:49 centos sshd[22711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 09:00:49 centos sshd[22711]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 20 09:00:51 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
Sep 20 09:00:54 centos sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 09:00:54 centos sshd[22711]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 20 09:00:56 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
Sep 20 09:00:58 centos sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 09:00:58 centos sshd[22711]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 20 09:01:00 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
Sep 20 09:01:00 centos sshd[22712]: Connection closed by 192.168.1.190
Sep 20 09:01:00 centos sshd[22711]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1$
Sep 20 09:01:11 centos sshd[22805]: Invalid user admin from 192.168.1.190
Sep 20 09:01:11 centos sshd[22806]: input_userauth_request: invalid user admin
Sep 20 09:01:34 centos sshd[22805]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 09:01:34 centos sshd[22805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
Sep 20 09:01:34 centos sshd[22805]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 20 09:01:35 centos sshd[22805]: Failed password for invalid user admin from 192.168.1.190 port 25081 ssh2
Sep 20 09:01:36 centos sshd[22805]: Failed password for invalid user admin from 192.168.1.190 port 25081 ssh2
Sep 20 09:01:37 centos sshd[22805]: Failed password for invalid user admin from 192.168.1.190 port 25081 ssh2
Sep 20 09:01:37 centos sshd[22806]: Connection closed by 192.168.1.190
Sep 20 09:05:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 09:05:01 centos su: pam_unix(su:session): session closed for user postgres
Sep 20 09:10:02 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
Sep 20 09:10:02 centos su: pam_unix(su:session): session closed for user postgres
-
Dude, don't get me wrong but which part of "Any testing MUST be done from WAN. Not from LAN" is hard to get? What are you "testing" from 192.168.1.190? >:(
Apparently random bots out there have about zero issues with connecting to your port-forwarded SSH:
Sep 20 08:30:04 centos sshd[21621]: Failed password for root from 80.157.192.81 port 55559 ssh2
Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2
Sep 20 08:30:14 centos sshd[21649]: Failed password for root from 80.157.192.81 port 60103 ssh2
Sep 20 08:30:19 centos sshd[21651]: Failed password for root from 80.157.192.81 port 34305 ssh2
Sep 20 08:50:51 centos sshd[22337]: Invalid user xiuzuan from 114.112.54.22
Sep 20 08:50:53 centos sshd[22337]: Failed password for invalid user xiuzuan from 114.112.54.22 port 35542 ssh2
Sep 20 08:50:57 centos sshd[22339]: Invalid user plesk from 114.112.54.22
Sep 20 08:50:57 centos sshd[22340]: input_userauth_request: invalid user plesk
Sep 20 08:51:04 centos sshd[22341]: Failed password for root from 114.112.54.22 port 41704 ssh2
Sep 20 08:51:08 centos sshd[22343]: Failed password for root from 114.112.54.22 port 45053 ssh2
Sep 20 08:51:12 centos sshd[22345]: Failed password for root from 114.112.54.22 port 47688 ssh2
Sep 20 08:51:16 centos sshd[22347]: Failed password for root from 114.112.54.22 port 50373 ssh2
Sep 20 08:51:28 centos sshd[22351]: Failed password for root from 114.112.54.22 port 57659 ssh2
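The reply above reads the /var/log/secure excerpt by eye: the only sources failing against the forwarded port that matter are the public ones, while the 192.168.1.190 failures are the poster's own LAN test against an account that does not exist. The following is an added example, not code from this thread or from pfSense or OpenSSH: it parses the same kind of sshd lines, splits sources into RFC1918 (private) and public addresses with Python's `ipaddress` module, and gives each source a verdict. The sample lines are a constructed subset copied from the log posted in this thread; the verdict thresholds are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the sshd lines posted earlier in this thread.
SAMPLE = """\
Sep 20 08:30:04 centos sshd[21621]: Failed password for root from 80.157.192.81 port 55559 ssh2
Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2
Sep 20 08:30:14 centos sshd[21649]: Failed password for root from 80.157.192.81 port 60103 ssh2
Sep 20 08:30:19 centos sshd[21651]: Failed password for root from 80.157.192.81 port 34305 ssh2
Sep 20 08:40:13 centos sshd[21997]: Accepted publickey for root from 192.168.1.110 port 38661 ssh2
Sep 20 08:50:51 centos sshd[22337]: Invalid user xiuzuan from 114.112.54.22
Sep 20 08:50:53 centos sshd[22337]: Failed password for invalid user xiuzuan from 114.112.54.22 port 35542 ssh2
Sep 20 08:50:59 centos sshd[22339]: Failed password for invalid user plesk from 114.112.54.22 port 38446 ssh2
Sep 20 08:51:04 centos sshd[22341]: Failed password for root from 114.112.54.22 port 41704 ssh2
Sep 20 09:00:51 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
Sep 20 09:00:56 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
"""

# sshd's password-failure and successful-login message formats.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port \d+")


@dataclass
class Source:
    host: str
    private: bool                 # True for RFC1918 / loopback / link-local
    failed: int = 0
    accepted: int = 0
    users: set = field(default_factory=set)
    invalid_users: set = field(default_factory=set)   # accounts that do not exist
    methods: set = field(default_factory=set)         # methods that succeeded


def is_private(host):
    """True for addresses that are not routable on the internet (e.g. 192.168.x.x)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:            # hostnames or truncated fields such as 'rhost=$'
        return False


def summarize(text):
    """Aggregate failed and accepted sshd logins per source address."""
    sources = {}
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            src = sources.setdefault(m["host"], Source(m["host"], is_private(m["host"])))
            src.failed += 1
            src.users.add(m["user"])
            if m["invalid"]:
                src.invalid_users.add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            src = sources.setdefault(m["host"], Source(m["host"], is_private(m["host"])))
            src.accepted += 1
            src.users.add(m["user"])
            src.methods.add(m["method"])
    return sources


def verdict(src, threshold=3):
    """Classify a source (threshold is an assumed value, tune to taste)."""
    if src.failed == 0:
        return "no failures"
    if not src.private and src.failed >= threshold:
        return "external brute force"
    if src.private and src.invalid_users:
        return "LAN client, unknown account"
    return "failures below threshold"


if __name__ == "__main__":
    for host, src in summarize(SAMPLE).items():
        scope = "private" if src.private else "public"
        print(f"{host:16} {scope:8} failed={src.failed} accepted={src.accepted} "
              f"users={sorted(src.users)} -> {verdict(src)}")
```

Run against the full log, the "external brute force" entries are the ones worth a firewall rule or a login-rate limiter, and the "LAN client, unknown account" entry is exactly the test-from-LAN mistake called out above rather than an intrusion.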
-
Oh, sorry, I forgot.
I tested FTP from outside the WAN and that failed.
SFTP was tested on the LAN.
I'm trying to think of a good way to test SFTP from the WAN. I guess using a friend's computer might be the best way, unless there's a handy trick, like the FTP testing service.
-
how about canyouseeme.org pretty simple way to test if a port is open from the outside..
But clearly as dok already pointed out
Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2
That guy just tested from the outside and sure looks to be open..
-
OK, I tested Sftp from outside the WAN too, and no connection.
The local server's /var/log/secure shows no log in attempt.
I ran a verbose command on the log in attempts from the remote client, which seems useful, by showing the issue seems to be 2 authentication methods:
gssapi-keyex. No valid key exchange.
gssapi-with-mic. Unspecified GSS failure. No Kerberos credentials available.
user@machine ~ $ ssh -v admin@domain.com
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to domain.com [xx.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 7b:f5:0a:ff:55:33:3b:c3:10:28:6f:b3:9c:53:45:fc
debug1: Host 'domain.com' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Next authentication method: password
admin@domain.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
admin@domain.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
admin@domain.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
-
ssh root@domain.com, connects
ssh admin@domain.com, does not connect.
sftp root@domain.com, does not connect.
sftp admin@domain.com does not connect.
Issue is security is weak on SFTP/SSH as logs into root, to show whole server and websites.
FTP is clear text, but only allows access to 1 website.
I think I need to sort out my Unix system administration, as the pfSense access seems fixed.
-
Not to spoil your party, but… you shouldn't run a server. You are many OSI layers above port forwarding. Your problems with totally basic SSH usage and authentication have nothing to do with pfSense.
WTH are you trying to log in as a non-existent user?
Failed password for invalid user admin
Move to CentOS forums.
-
"Issue is security is weak on SFTP/SSH as logs into root"
What??? Not even sure what to say here - agree with dok, this basic concept has nothing to do with pfsense operation. Clearly your port forward is working but you don't understand how to use what you forwarded.