Netgate Discussion Forum

    SFTP being advertised over Bonjour from pfSense box?

    General pfSense Questions
    • cabalist

      Today I started getting the message that Cyberduck (an SFTP client) is detecting an SFTP server on my pfSense box (an SG-2220). This is a pretty vanilla pfSense install with just the following packages:

      Avahi
      avahi-app-0.6.31_5 
      aws-wizard
      darkstat
      ipsec-profile-wizard
      pfBlockerNG

      Should I be concerned?  I didn't think that pfSense had a built-in SFTP server.  I double checked and SSH is not enabled on the router at this time.

      The supposed SFTP address is sftp://pfsense.local
      SFTP on the command line does not work but Cyberduck looks like it will.
      When connecting with Cyberduck it does prompt for a username and password.  I haven't supplied them though because this is weird…

      • MikeV7896

        Maybe Avahi is advertising a service available on one of your other networks/interfaces?

        Avahi can be used to allow Bonjour/mDNS to traverse subnets…

        The S in IOT stands for Security

        • Finger79

          Doesn't SFTP use the same port as SSH (22/tcp)?  Perhaps that's why the SFTP client is reporting that something is listening on 22/tcp.

          • cabalist

            Hmm… We only have one other VLAN and it currently doesn't have anyone on it.  It is a secured Guest Network I haven't used yet.  Our pfSense install is about a week old so this is new territory to me.

            SSH is off.  I had it enabled initially on port 2220 but it has since been turned off.  SFTP should be port 21 anyhow.

            I had installed the Avahi package because we run a 99% Mac network and I was under the impression it was required for service discovery.  Reading up on it I am not sure it is required and what it is specifically for if the pfSense/*nix box is not running any services to advertise.

            Attached is the screenshot from Cyberduck.  That is the host name for the pfSense box... I'm hesitant to complete the connection with password because this seems so odd.

            ![Screen Shot 2016-10-26 at 6.17.18 PM.png](/public/imported_attachments/1/Screen Shot 2016-10-26 at 6.17.18 PM.png)

            • kpa

              SSH and SFTP (SSH-based file transfer on port 22) are part of Avahi's default configuration, and it will advertise those even if the SSH server is not running.

              • MikeV7896

                @cabalist:

                SFTP should be port 21 anyhow.

                SFTP = SSH + FTP… an SSH connection is established on port 22, then FTP traffic goes over that connection.

                FTPS = FTP + SSL... an FTP connection is established on port 21 with an SSL encryption layer added.

                • johnpoz (LAYER 8 Global Moderator)

                  FTP/S normally would be on 990, while sure, it can use 21 if you're running explicit. 990 is normally Implicit, while on 21 would be Explicit and is normally documented as FTPES. FTPS implies it will be using encryption and uses port 990; FTPES normally means explicit and connects on 21 and upgrades its connection to be encrypted, etc.

                  But as stated ssh and or sftp (which is not the same as ftps or ftpes) would by default run on 22.

                  Unless it is specifically turned OFF, normally if SSH is running, SFTP and SCP are available. So sure, if by default Avahi advertises ssh, and Cyberduck being an FTP, FTPS, FTPES, SFTP client, I would see why it would say "hey, I hear sftp being advertised here". Whether you actually have it on or off on pfSense might have nothing to do with it.

                  Simple enough to verify if ssh is running on pfSense: a simple netstat, do you see it listening?

                  [2.3.2-RELEASE][root@pfsense.local.lan]/root: netstat -anL | grep .22
                  tcp4  0/0/128        *.22
                  tcp6  0/0/128        *.22
                  [2.3.2-RELEASE][root@pfsense.local.lan]/root:

                    • cabalist

                    @virgiliomi:

                    SFTP = SSH + FTP… an SSH connection is established on port 22, then FTP traffic goes over that connection.

                    FTPS = FTP + SSL... an FTP connection is established on port 21 with an SSL encryption layer added.

                    Thanks for the clarification.  Ay yi yi those poor dyslexic people…

                    @johnpoz:

                    Simple enough to verify if ssh is running on pfsense.. simple netstat do you see it listening?

                    Did this and found nothing out of the ordinary (my ssh port was changed to 2220):

                    
                    [2.3.2-RELEASE][admin@pfSense.localshopbox]/root: netstat -anL | grep .22
                    tcp4  0/0/128        *.2220                 
                    tcp6  0/0/128        *.2220
                    
                    

                    None of the other ports look odd either. It must be a false positive from Cyberduck. I'm just going to ignore it for now. I'll report here if anything changes.

                    Thanks everyone for the clarification and help. :)

                      • kpa

                      It's not a false positive: the Avahi service on your pfSense is really advertising SFTP even if you don't have the SSH service running. To turn it off you have to edit the Avahi configuration.

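To make kpa's point concrete, here is an added example (not from the thread, and not Avahi's or pfSense's own code) that reads an Avahi service file in the stock `sftp-ssh.service` format and cross-checks it against the `netstat -anL` listen table from the thread, so a service that is advertised but has no listener stands out. The Avahi services path named in the comments is assumed, and both the service file and the netstat output are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format of Avahi's stock sftp-ssh service file.
# On pfSense/FreeBSD the real file is assumed to live under
# /usr/local/etc/avahi/services/ (the path is an assumption, not from the thread).
SFTP_SERVICE_XML = """<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_sftp-ssh._tcp</type>
    <port>22</port>
  </service>
</service-group>
"""

# Constructed sample in the FreeBSD `netstat -anL` format shown in the thread:
# SSH was moved to 2220, so nothing listens on 22 even though Avahi advertises it.
NETSTAT_OUTPUT = """Proto Listen         Local Address
tcp4  0/0/128        *.2220
tcp6  0/0/128        *.2220
tcp4  0/0/128        *.443
tcp4  0/0/128        127.0.0.1.53
"""

def advertised_services(xml_text):
    """Return [(service type, port)] for every <service> in an Avahi service file."""
    root = ET.fromstring(xml_text)
    return [(s.findtext("type"), int(s.findtext("port")))
            for s in root.iter("service")]

def listening_ports(netstat_text):
    """Parse the TCP listen sockets out of `netstat -anL` output into a set of ports."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"tcp[46]\s+\S+\s+\S+\.(\d+)\s*$", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def stale_advertisements(xml_text, netstat_text):
    """Services Avahi advertises that nothing is listening on: the 'ghost SFTP' case."""
    listening = listening_ports(netstat_text)
    return [(t, p) for t, p in advertised_services(xml_text) if p not in listening]

if __name__ == "__main__":
    for svc_type, port in stale_advertisements(SFTP_SERVICE_XML, NETSTAT_OUTPUT):
        print(f"{svc_type} advertised on port {port} but nothing is listening")
```

Run against the real service directory and live `netstat -anL` output, every hit is a service file to remove or edit so mDNS stops announcing something the box does not offer.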