FTP access times out, but pfSense has port 21 forwarded?



  • Hello, I'm testing FTP access, however timeouts happen when reaching the pfSense router.

    If: WAN
    Proto: TCP
    Src. addr: *
    Src. ports: *
    Dest. addr: *
    Dest. ports: 10000
    NAT IP: 192.168.1.xxx
    NAT Ports: 21 (FTP)

    I also tried:
    If: WAN
    Proto: TCP
    Src. addr: *
    Src. ports: *
    Dest. addr: *
    Dest. ports: 21
    NAT IP: 192.168.1.xxx
    NAT Ports: 21 (FTP)


  • Rebel Alliance Global Moderator

    well dest * doesn't work.. You need your WAN address there.. pick it from the drop down wan address.

    Pretty scary letting know some 192.168.1.42 address – what you think someone is going to hack you with that rfc1918?  That we all have on our own local networks and is not routable on the internet???

    So you do understand there is no helper now.. You would need to forward the passive ports you're going to use to your server if you want clients to be able to use passive to get to your vs just active.. Since they are prob behind nat as well active ftp could be an issue for them.

    Out of curiosity - why are you using ftp vs sftp.  Which is 1 port and actually secure...
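
Why passive FTP needs more than port 21 forwarded once there is no helper, as an added example that is not part of the original post: the server's 227 reply carries the data address and port, and nothing on the firewall rewrites them. The forwarded passive range 50000-50100, the stand-in WAN address 203.0.113.10 and the sample replies are constructed assumptions.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the FTP server is configured to use this passive range and the
# same range is port-forwarded on pfSense. The numbers are made up.
FORWARDED_PASSIVE = range(50000, 50101)

PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (address, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    addr = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return addr, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def pasv_problems(reply, forwarded=FORWARDED_PASSIVE):
    """Reasons a client on the Internet could not open the data connection."""
    addr, port = parse_pasv(reply)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(
            "advertised address %s is RFC 1918, unreachable from the WAN" % addr)
    if port not in forwarded:
        problems.append("data port %d is not in the forwarded range %d-%d"
                        % (port, forwarded.start, forwarded.stop - 1))
    return problems


# Constructed replies; 203.0.113.10 stands in for the WAN address.
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,165,195,80)",   # LAN address, port 50000
    "227 Entering Passive Mode (203,0,113,10,117,48)",    # WAN address, port 30000
    "227 Entering Passive Mode (203,0,113,10,195,149)",   # WAN address, port 50069
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", pasv_problems(s) or "ok")
```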



  • So, I'll try to make SFTP work, rather than FTP. (Although I need to figure out 'jailing' the access to 1 directory as SFTP accesses all directories).

    I don't know, just trying to reduce the chance of hackers by hiding some of the LAN IP.

    I updated pfSense > Firewall > NAT > Port Forward to:
    If: WAN
    Proto: TCP
    Src. addr: *
    Src. ports: *
    Dest. addr: WAN address
    Dest. ports: 22
    NAT IP: 192.168.1.xxx
    NAT Ports: 22 (SSH)

    I tested via Shell$ ssh admin@domain.com
    Password for admin@pfSense.localdomain: (I don't know what this is or what password?)
    Password for admin@pfSense.localdomain: (I don't know what this is or what password?)
    Password for admin@pfSense.localdomain: (I don't know what this is or what password?)
    admin@domain.com's password: (I enter correct password)
    Permission denied, please try again.


  • Banned

    Erm… you need to get SSH/SFTP running on the machine which serves files. And stop hiding the RFC1918 IPs, it just prevents useful advice and 300000% useless regarding any hackers. WTH is 192.168.1.xxx? Sounds like pfSense box itself from the output you see.

    P.S. Note: Any testing MUST be done from WAN. Not from LAN.


  • Rebel Alliance Global Moderator

    ^ exactly as always spot on advice.. I have nothing else to add, other than please post screen shots of your rules going forward..  See at bottom is forward to 22, it is so much easier to see what is going on - maybe other rules that may cause problems, etc. etc..

    there is no reason to hide 192.168.x.x, or 10.x.x.x or 172.16-31.x.x address space..  These are private ranges that everyone on the planet is using, it in no way whatsoever compromises your security letting someone know that you forward 22 to a machine on your network with address 192.168.9.7 for example in my case.

    Here is what it does do when you hide it, makes it so we really have no freaking clue to what you're doing or attempting to do.. And clearly points out that your basic understanding is nil, because only users with no understanding of private or public ip addresses would hide private addresses.




  • Ok, point taken, thank you.

    So, I think access is now working via the pfSense router.

    I think the problem is my misunderstanding of FTP and SFTP.
    FTP I believe accesses virtual hosts, such as:
    Remote machine > OS > server software > website1 (domain1.com) > user1.
    Remote machine > OS > server software > website1 (domain1.com) > user2.
    Remote machine > OS > server software > website2 (domain2.com) > user1.
    Remote machine > OS > server software > website2 (domain2.com) > user2.
    FTP access still doesn't work.
    Error: Server refused FTP over TLS, as per https://ftptest.net/.

    The server is running FTP.

    However, SFTP I believe cannot access virtual hosts and can only access:
    Remote machine > OS > server software IP address 192.168.1.165.
    This would then show:
    /root/home/domain1.com/public_html
    /root/home/domain2.com/public_html

    So, I believe I have to jail the directories, so a user can only see domain1.com/public_html and not see domain2.com.

    SFTP access still doesn't work.
    Error: ssh: Could not resolve hostname ftp.domain1.com: Name or service not known
    Couldn't read packet: Connection reset by peer

    The server is running SSH.

    Shell output in remote machine/usr/log/secure (trying to access the remote server):
    192.168.1.110 is the local machine trying to access the remote machine.
    192.168.1.165 is the remote machine.
    192.168.1.190 is the pfSense router.

    Sep 20 08:30:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 08:30:01 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 08:30:02 centos sshd[21621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:30:04 centos sshd[21621]: Failed password for root from 80.157.192.81 port 55559 ssh2
    Sep 20 08:30:04 centos sshd[21622]: Received disconnect from 80.157.192.81: 11: Bye Bye
    Sep 20 08:30:07 centos sshd[21645]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2
    Sep 20 08:30:09 centos sshd[21646]: Received disconnect from 80.157.192.81: 11: Bye Bye
    Sep 20 08:30:12 centos sshd[21649]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:30:14 centos sshd[21649]: Failed password for root from 80.157.192.81 port 60103 ssh2
    Sep 20 08:30:14 centos sshd[21650]: Received disconnect from 80.157.192.81: 11: Bye Bye
    Sep 20 08:30:17 centos sshd[21651]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:30:19 centos sshd[21651]: Failed password for root from 80.157.192.81 port 34305 ssh2
    Sep 20 08:35:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 08:35:01 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 08:40:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 08:40:01 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 08:40:13 centos sshd[21997]: Accepted publickey for root from 192.168.1.110 port 38661 ssh2
    Sep 20 08:40:13 centos sshd[21997]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Sep 20 08:45:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 08:45:01 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 08:50:02 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 08:50:02 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 08:50:51 centos sshd[22337]: Invalid user xiuzuan from 114.112.54.22
    Sep 20 08:50:51 centos sshd[22338]: input_userauth_request: invalid user xiuzuan
    Sep 20 08:50:51 centos sshd[22337]: pam_unix(sshd:auth): check pass; user unknown
    Sep 20 08:50:51 centos sshd[22337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:50:51 centos sshd[22337]: pam_succeed_if(sshd:auth): error retrieving information about user xiuzuan
    Sep 20 08:50:53 centos sshd[22337]: Failed password for invalid user xiuzuan from 114.112.54.22 port 35542 ssh2
    Sep 20 08:50:54 centos sshd[22338]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:50:57 centos sshd[22339]: Invalid user plesk from 114.112.54.22
    Sep 20 08:50:57 centos sshd[22340]: input_userauth_request: invalid user plesk
    Sep 20 08:50:57 centos sshd[22339]: pam_unix(sshd:auth): check pass; user unknown
    Sep 20 08:50:57 centos sshd[22339]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:50:57 centos sshd[22339]: pam_succeed_if(sshd:auth): error retrieving information about user plesk
    Sep 20 08:50:59 centos sshd[22339]: Failed password for invalid user plesk from 114.112.54.22 port 38446 ssh2
    Sep 20 08:50:59 centos sshd[22340]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:51:02 centos sshd[22341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:51:04 centos sshd[22341]: Failed password for root from 114.112.54.22 port 41704 ssh2
    Sep 20 08:51:04 centos sshd[22342]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:51:06 centos sshd[22343]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:51:08 centos sshd[22343]: Failed password for root from 114.112.54.22 port 45053 ssh2
    Sep 20 08:51:08 centos sshd[22344]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:51:11 centos sshd[22345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:51:12 centos sshd[22345]: Failed password for root from 114.112.54.22 port 47688 ssh2
    Sep 20 08:51:13 centos sshd[22346]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:51:15 centos sshd[22347]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:51:16 centos sshd[22347]: Failed password for root from 114.112.54.22 port 50373 ssh2
    Sep 20 08:51:16 centos sshd[22348]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:51:21 centos sshd[22349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:51:24 centos sshd[22349]: Failed password for root from 114.112.54.22 port 52796 ssh2
    Sep 20 08:51:24 centos sshd[22350]: Received disconnect from 114.112.54.22: 11: Bye Bye
    Sep 20 08:51:26 centos sshd[22351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 08:51:28 centos sshd[22351]: Failed password for root from 114.112.54.22 port 57659 ssh2
    Sep 20 08:51:37 centos sshd[21997]: Received disconnect from 192.168.1.110: 11: disconnected by user
    Sep 20 08:51:37 centos sshd[21997]: pam_unix(sshd:session): session closed for user root
    Sep 20 08:51:50 centos sshd[22419]: Accepted publickey for root from 192.168.1.110 port 38811 ssh2
    Sep 20 08:51:50 centos sshd[22419]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Sep 20 08:55:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 08:55:01 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 09:00:02 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 09:00:02 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 09:00:22 centos sshd[22711]: Invalid user admin from 192.168.1.190
    Sep 20 09:00:22 centos sshd[22712]: input_userauth_request: invalid user admin
    Sep 20 09:00:49 centos sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
    Sep 20 09:00:49 centos sshd[22711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 09:00:49 centos sshd[22711]: pam_succeed_if(sshd:auth): error retrieving information about user admin
    Sep 20 09:00:51 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
    Sep 20 09:00:54 centos sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
    Sep 20 09:00:54 centos sshd[22711]: pam_succeed_if(sshd:auth): error retrieving information about user admin
    Sep 20 09:00:56 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
    Sep 20 09:00:58 centos sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
    Sep 20 09:00:58 centos sshd[22711]: pam_succeed_if(sshd:auth): error retrieving information about user admin
    Sep 20 09:01:00 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
    Sep 20 09:01:00 centos sshd[22712]: Connection closed by 192.168.1.190
    Sep 20 09:01:00 centos sshd[22711]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1$
    Sep 20 09:01:11 centos sshd[22805]: Invalid user admin from 192.168.1.190
    Sep 20 09:01:11 centos sshd[22806]: input_userauth_request: invalid user admin
    Sep 20 09:01:34 centos sshd[22805]: pam_unix(sshd:auth): check pass; user unknown
    Sep 20 09:01:34 centos sshd[22805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=$
    Sep 20 09:01:34 centos sshd[22805]: pam_succeed_if(sshd:auth): error retrieving information about user admin
    Sep 20 09:01:35 centos sshd[22805]: Failed password for invalid user admin from 192.168.1.190 port 25081 ssh2
    Sep 20 09:01:36 centos sshd[22805]: Failed password for invalid user admin from 192.168.1.190 port 25081 ssh2
    Sep 20 09:01:37 centos sshd[22805]: Failed password for invalid user admin from 192.168.1.190 port 25081 ssh2
    Sep 20 09:01:37 centos sshd[22806]: Connection closed by 192.168.1.190
    Sep 20 09:05:01 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 09:05:01 centos su: pam_unix(su:session): session closed for user postgres
    Sep 20 09:10:02 centos su: pam_unix(su:session): session opened for user postgres by (uid=0)
    Sep 20 09:10:02 centos su: pam_unix(su:session): session closed for user postgres
    
    

  • Banned

    Dude, don't get me wrong but which part of Any testing MUST be done from WAN. Not from LAN is hard to get? What are you "testing" from 192.168.1.190?  >:(

    Apparently random bots out there have about zero issues with connecting to your port-forwarded SSH:

    
    Sep 20 08:30:04 centos sshd[21621]: Failed password for root from 80.157.192.81 port 55559 ssh2
    Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2
    Sep 20 08:30:14 centos sshd[21649]: Failed password for root from 80.157.192.81 port 60103 ssh2
    Sep 20 08:30:19 centos sshd[21651]: Failed password for root from 80.157.192.81 port 34305 ssh2
    Sep 20 08:50:51 centos sshd[22337]: Invalid user xiuzuan from 114.112.54.22
    Sep 20 08:50:53 centos sshd[22337]: Failed password for invalid user xiuzuan from 114.112.54.22 port 35542 ssh2
    Sep 20 08:50:57 centos sshd[22339]: Invalid user plesk from 114.112.54.22
    Sep 20 08:50:57 centos sshd[22340]: input_userauth_request: invalid user plesk
    Sep 20 08:51:04 centos sshd[22341]: Failed password for root from 114.112.54.22 port 41704 ssh2
    Sep 20 08:51:08 centos sshd[22343]: Failed password for root from 114.112.54.22 port 45053 ssh2
    Sep 20 08:51:12 centos sshd[22345]: Failed password for root from 114.112.54.22 port 47688 ssh2
    Sep 20 08:51:16 centos sshd[22347]: Failed password for root from 114.112.54.22 port 50373 ssh2
    Sep 20 08:51:28 centos sshd[22351]: Failed password for root from 114.112.54.22 port 57659 ssh2
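
The distinction drawn above, between attempts arriving from public addresses through the port forward and tests made from 192.168.1.x, can be pulled out of /var/log/secure mechanically. This added example (not code from the thread) groups sshd results by source address and labels each source LAN or WAN; the sample lines are copied from the log posted earlier, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lines copied from the /var/log/secure excerpt posted in the thread.
SAMPLE_LOG = """\
Sep 20 08:30:04 centos sshd[21621]: Failed password for root from 80.157.192.81 port 55559 ssh2
Sep 20 08:40:13 centos sshd[21997]: Accepted publickey for root from 192.168.1.110 port 38661 ssh2
Sep 20 08:50:53 centos sshd[22337]: Failed password for invalid user xiuzuan from 114.112.54.22 port 35542 ssh2
Sep 20 08:50:59 centos sshd[22339]: Failed password for invalid user plesk from 114.112.54.22 port 38446 ssh2
Sep 20 08:51:04 centos sshd[22341]: Failed password for root from 114.112.54.22 port 41704 ssh2
Sep 20 09:00:51 centos sshd[22711]: Failed password for invalid user admin from 192.168.1.190 port 1406 ssh2
"""

# The user name is chosen by the remote side, so anchor on the END of the line:
# the greedy (.*) makes the last " from <ip> port <n>" the one that counts.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\S+) for (invalid user )?(.*)"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$")


def origin(ip):
    """'LAN' for RFC 1918 sources, 'WAN' for everything else."""
    addr = ipaddress.ip_address(ip)
    return "LAN" if any(addr in net for net in RFC1918) else "WAN"


def summarize(log_text):
    """Group sshd password/publickey results by source address."""
    report = defaultdict(lambda: {"origin": None, "failed": 0, "accepted": 0,
                                  "users": set(), "invalid_users": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        result, _method, invalid, user, ip = m.groups()
        try:
            where = origin(ip)
        except ValueError:          # malformed address such as 999.1.1.1
            continue
        entry = report[ip]
        entry["origin"] = where
        entry["failed" if result == "Failed" else "accepted"] += 1
        entry["users"].add(user)
        if invalid:
            entry["invalid_users"].add(user)
    return dict(report)


def wan_sources(report):
    """Sources whose presence shows the forward passes traffic from outside."""
    return sorted(ip for ip, e in report.items() if e["origin"] == "WAN")


if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, e["origin"], "failed=%d accepted=%d" % (e["failed"], e["accepted"]),
              "invalid:", sorted(e["invalid_users"]))
```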
    
    


  • Oh, sorry, I forgot.
    I tested FTP from outside the WAN and that failed.

    SFTP was tested on the LAN.
    I'm trying to think of a good way to test SFTP from the WAN. I guess using a friend's computer might be the best way, unless there's a handy trick, like the FTP testing service.


  • Rebel Alliance Global Moderator

    how about canyouseeme.org pretty simple way to test if a port is open from the outside..

    But clearly as dok already pointed out
    Sep 20 08:30:09 centos sshd[21645]: Failed password for root from 80.157.192.81 port 57631 ssh2

    That guy just tested from the outside and sure looks to be open..



  • OK, I tested Sftp from outside the WAN too, and no connection.

    The local server's /var/log/secure shows no log in attempt.

    I ran a verbose command on the log in attempts from the remote client, which seems useful, by showing the issue seems to be 2 authentication methods:
    gssapi-keyex. No valid key exchange.
    gssapi-with-mic. Unspecified GSS failure. No Kerberos credentials available.

    user@machine ~ $ ssh -v admin@domain.com
    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to domain.com [xx.xxx.xxx.xx] port 22.
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_rsa type -1
    debug1: identity file /home/user/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user/.ssh/id_dsa type -1
    debug1: identity file /home/user/.ssh/id_dsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa type -1
    debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519 type -1
    debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 7b:f5:0a:ff:55:33:3b:c3:10:28:6f:b3:9c:53:45:fc
    debug1: Host 'domain.com' is known and matches the RSA host key.
    debug1: Found key in /home/user/.ssh/known_hosts:3
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available
    
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available
    
    debug1: Unspecified GSS failure.  Minor code may provide more information
    
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available
    
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/user/.ssh/id_rsa
    debug1: Trying private key: /home/user/.ssh/id_dsa
    debug1: Trying private key: /home/user/.ssh/id_ecdsa
    debug1: Trying private key: /home/user/.ssh/id_ed25519
    debug1: Next authentication method: password
    admin@domain.com's password: 
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    Permission denied, please try again.
    admin@domain.com's password: 
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    Permission denied, please try again.
    admin@domain.com's password: 
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    
    


  • ssh root@domain.com, connects
    ssh admin@domain.com, does not connect.
    sftp root@domain.com, does not connect.
    sftp admin@domain.com does not connect.

    Issue is security is weak on SFTP/SSH as logs into root, to show whole server and websites.

    FTP is clear text, but only allows access to 1 website.

    I think I need to sort out my Unix system administration, as the pfSense access seems fixed.


  • Banned

    Not to spoil your party, but… you shouldn't run a server. You are many OSI layers above port forwarding. Your problems with totally basic SSH usage and authentication have nothing to do with pfSense.

    WTH are you trying to log as non-existent user?

    
    Failed password for invalid user admin
    
    

    Move to CentOS forums.


  • Rebel Alliance Global Moderator

    "Issue is security is weak on SFTP/SSH as logs into root"

    What??? Not even sure what to say here - agree with dok, this basic concept has nothing to do with pfsense operation.  Clearly your port forward is working but you don't understand how to use what you forwarded.