FTP


FreeNAS® uses the proftpd FTP server to provide FTP services. Once the FTP service is configured and started, clients can browse and download data using a web browser or FTP client software. The advantage of FTP is that easy-to-use cross-platform utilities are available to manage uploads to and downloads from the FreeNAS® system. The disadvantage of FTP is that it is an insecure protocol: usernames, passwords and file contents are sent in the clear, so plain FTP should not be used to transfer sensitive files or be exposed to untrusted networks. If you are concerned about sensitive data, see the section on Encrypting FTP.

This section provides an overview of the FTP configuration options. It then provides examples for configuring anonymous FTP, specified user access within a chroot environment, encrypting FTP connections, and troubleshooting tips.


FTP Configuration Options

Figure 8.6a shows the configuration screen for Services → FTP. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by checking the box “Show advanced fields by default” in System → Settings → Advanced.

Figure 8.6a: Configuring FTP


Table 8.6a summarizes the available options when configuring the FTP server:

Table 8.6a: FTP Configuration Options

Port (integer): port the FTP service listens on; the default is 21
Clients (integer): maximum number of simultaneous clients
Connections (integer): maximum number of connections per IP address; 0 means unlimited
Login Attempts (integer): maximum number of failed login attempts before the client is disconnected; increase this if users are prone to typos
Timeout (integer): maximum idle time, in seconds, before the client is disconnected
Allow Root Login (checkbox): discouraged, as it increases the security risk; without TLS the root password would cross the network in the clear
Allow Anonymous Login (checkbox): enable anonymous FTP logins with access to the directory specified in Path
Path (browse button): root directory for anonymous FTP logins
Allow Local User Login (checkbox): required if Anonymous Login is disabled
Display Login (string): message displayed to local users after authentication; not displayed to anonymous users
File Permission (checkboxes): only available in Advanced Mode; default permissions for newly created files
Directory Permission (checkboxes): only available in Advanced Mode; default permissions for newly created directories
Enable FXP (checkbox): only available in Advanced Mode; enables the File eXchange Protocol (server-to-server transfers), which is discouraged because it lets the server be used for FTP bounce attacks
Allow Transfer Resumption (checkbox): allow clients to resume interrupted transfers
Always Chroot (checkbox): a local user is only allowed access to their home directory unless the user is a member of group wheel
Require IDENT Authentication (checkbox): only available in Advanced Mode; results in timeouts if identd is not running on the client
Perform Reverse DNS Lookups (checkbox): perform reverse DNS lookups on client IPs; can cause long delays if reverse DNS is not configured
Masquerade address (string): public IP address or hostname; set when the FreeNAS® system is behind a NAT device so that passive-mode replies advertise an address the clients can reach
Minimum passive port (integer): only available in Advanced Mode; lowest port used for data connections in PASV mode; the default of 0 means any port above 1023
Maximum passive port (integer): only available in Advanced Mode; highest port used for data connections in PASV mode; the default of 0 means any port above 1023; set a narrow range together with the minimum when a firewall or NAT device sits in front of the server, so that only that range needs to be opened or forwarded
Local user upload bandwidth (integer): only available in Advanced Mode; upload rate limit for local users in KB/s; the default of 0 means unlimited
Local user download bandwidth (integer): only available in Advanced Mode; download rate limit for local users in KB/s; the default of 0 means unlimited
Anonymous user upload bandwidth (integer): only available in Advanced Mode; upload rate limit for anonymous users in KB/s; the default of 0 means unlimited
Anonymous user download bandwidth (integer): only available in Advanced Mode; download rate limit for anonymous users in KB/s; the default of 0 means unlimited
Enable TLS (checkbox): only available in Advanced Mode; enables encrypted (FTPS) connections; if no certificate is provided, a self-signed certificate is generated automatically and appears in the Certificate and private key field once you click OK
TLS policy (drop-down menu): only available in Advanced Mode; the selected policy defines whether the control channel, the data channel, both channels, or neither channel of an FTP session must use SSL/TLS; the choices correspond to the values of the mod_tls TLSRequired directive
TLS allow client renegotiations (checkbox): only available in Advanced Mode; checking this box is not recommended as it defeats several security measures; for this and the remaining TLS fields, refer to the mod_tls documentation for details
TLS allow dot login (checkbox): only available in Advanced Mode; if checked, the user's home directory is checked for a .tlslogin file containing one or more PEM-encoded certificates; a client presenting a matching certificate is logged in without a password, otherwise password authentication is required
TLS allow per user (checkbox): only available in Advanced Mode; if checked, the TLS requirement may be relaxed per user, meaning a user's password may be sent unencrypted
TLS common name required (checkbox): only available in Advanced Mode; if checked, the common name in the client's certificate must match the FQDN of the connecting host (only meaningful when client certificates are verified)
TLS enable diagnostics (checkbox): only available in Advanced Mode; if checked, the TLS handshake is logged more verbosely, which helps when troubleshooting a connection
TLS export certificate data (checkbox): only available in Advanced Mode; if checked, exports the certificate environment variables
TLS no certificate request (checkbox): only available in Advanced Mode; try checking this box if the client cannot connect and you suspect that the client software does not handle the server's certificate request properly
TLS no empty fragments (checkbox): only available in Advanced Mode; checking this box is not recommended as it disables an OpenSSL countermeasure against attacks on CBC ciphers
TLS no session reuse required (checkbox): only available in Advanced Mode; checking this box reduces the security of the connection, because data connections no longer have to reuse the control connection's TLS session; only do so if the client does not support reused SSL sessions
TLS export standard vars (checkbox): only available in Advanced Mode; if checked, sets several environment variables
TLS use implicit SSL (checkbox): only available in Advanced Mode; if checked, TLS is negotiated as soon as the client connects (implicit FTPS, which clients normally expect on port 990) and clients that expect an explicit AUTH TLS connection will fail
TLS DNS name required (checkbox): only available in Advanced Mode; if checked, the client's DNS name must resolve to its IP address and the client's certificate must contain that DNS name
TLS IP address required (checkbox): only available in Advanced Mode; if checked, the client's certificate must contain the IP address of the client
Certificate and private key (string): only available in Advanced Mode; PEM-encoded SSL certificate and private key used for TLS FTP connections
Auxiliary parameters (string): only available in Advanced Mode; additional directives appended to proftpd.conf; see the ProFTPD documentation for available options


The following example shows auxiliary parameters that prevent all users, anonymous and local alike, from issuing the FTP DELE (delete file) command; the block is added to proftpd.conf as written:

 <Limit DELE>
  DenyAll
 </Limit>
 

Anonymous FTP

Anonymous FTP may be appropriate for a small network where the FreeNAS® system is not accessible from the Internet and everyone in your internal network needs easy access to the stored data. Anonymous FTP does not require you to create a user account for every user. In addition, passwords are not required so you don't have to manage changed passwords on the FreeNAS® system.

To configure anonymous FTP:

1. Give the built-in ftp user account permissions to the volume/dataset to be shared in Storage → Volumes as follows:

  • Owner(user): select the built-in ftp user from the drop-down menu
  • Owner(group): select the built-in ftp group from the drop-down menu
  • Mode: review that the permissions are appropriate for the share

NOTE: for FTP, the type of client does not matter when it comes to the type of ACL. This means that you always use Unix ACLs, even if Windows clients will be accessing FreeNAS® via FTP.

2. Configure anonymous FTP in Services → FTP by setting the following attributes:

  • check the box Allow Anonymous Login
  • Path: browse to the volume/dataset/directory to be shared

3. Start the FTP service in Control Services. Click the red OFF button next to FTP. After a second or so, it will change to a blue ON, indicating that the service has been enabled.

4. Test the connection from a client using a utility such as FileZilla.

In the example shown in Figure 8.6b, a user has input the following information into the FileZilla client:

  • IP address of the FreeNAS® server: 192.168.1.113
  • Username: anonymous
  • Password: by convention the user's email address; proftpd accepts any password for anonymous logins, so this is a courtesy rather than a credential

Figure 8.6b: Connecting Using FileZilla


The messages within the client indicate that the FTP connection is successful. The user can now navigate the contents of the root folder on the remote site—this is the volume/dataset that was specified in the FTP service configuration. The user can also transfer files between the local site (their system) and the remote site (the FreeNAS® system).

Specified User Access in chroot

If you require your users to authenticate before accessing the data on the FreeNAS® system, you will need to either create a user account for each user or import existing user accounts using Active Directory or LDAP. If you then create a ZFS dataset for each user, you can chroot each user so that they are limited to the contents of their own home directory. Datasets provide the added benefit of configuring a quota so that the size of the user's home directory is limited to the size of the quota.

To configure this scenario:

1. Create a ZFS dataset for each user in Storage → Volumes. Click an existing ZFS volume → Create ZFS Dataset and set an appropriate quota for each dataset. Repeat this process to create a dataset for every user that will need access to the FTP service.

2. If you are not using AD or LDAP, create a user account for each user in Account → Users → Add User. For each user, browse to the dataset created for that user in the Home Directory field. Repeat this process to create a user account for every user that will need access to the FTP service, making sure to assign each user their own dataset.

3. Set the permissions for each dataset in Storage → Volumes → View Volumes. Click the Change Permissions button for a dataset to assign a user account as Owner of that dataset and to set the desired permissions for that user. Repeat for each dataset.

NOTE: for FTP, the type of client does not matter when it comes to the type of ACL. This means that you always use Unix ACLs, even if Windows clients will be accessing FreeNAS® via FTP.

4. Configure FTP in Services → FTP with the following attributes:

  • Path: browse to the parent volume containing the datasets
  • make sure the boxes for Allow Anonymous Login and Allow Root Login are unchecked
  • check the box Allow Local User Login
  • check the box Always Chroot

5. Start the FTP service in Control Services. Click the red OFF button next to FTP. After a second or so, it will change to a blue ON, indicating that the service has been enabled.

6. Test the connection from a client using a utility such as FileZilla.

To test this configuration in FileZilla, use the IP address of the FreeNAS® system, the Username of a user that has been associated with a dataset, and the Password for that user. The messages should indicate that the authorization and the FTP connection are successful. The user can now navigate the contents of the root folder on the remote site; this time it is not the entire volume but the dataset that was created for that user. A quick confirmation that the chroot is in effect is to change to the parent directory (cd ..): the remote path should remain / rather than revealing the parent volume. The user should be able to transfer files between the local site (their system) and the remote site (their dataset on the FreeNAS® system).

Encrypting FTP

To configure any FTP scenario to use encrypted connections:

1. Enable TLS in Services → FTP. Check the box Enable TLS. Once you press OK, a certificate and key will automatically be generated for you and proftpd will restart and be configured to use that certificate. The generated certificate is self-signed, so clients cannot validate it against a trusted CA; if you prefer to use your own certificate, delete the automatically generated one that appears in the Certificate and private key field and paste in your own certificate and key.

2. Train your users to specify secure FTP when accessing the FreeNAS® system. For example, in FileZilla input ftpes://IP_address (for an explicit connection, which is the default and uses the configured port) or ftps://IP_address (for an implicit connection, which only works when the TLS use implicit SSL box is checked) as the Host when connecting. The first time a user connects over an encrypted connection, they will be presented with the certificate of the FreeNAS® system. Have users compare it (for example by fingerprint) against the certificate configured on the FreeNAS® system before clicking OK to accept it and negotiate an encrypted connection; accepting an unverified certificate would equally accept one presented by an attacker on the path.

To force encrypted connections on both the control and data channels, either set TLS policy to on or add the following line to Auxiliary Parameters (the directive name contains no space):

TLSRequired on

With this in place, a client that attempts to log in without TLS is refused before its password is sent.
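As an added example (not FreeNAS or proftpd code), the following Python script carries out the connection tests from the anonymous and chroot procedures above and checks that TLSRequired is enforced, using only the standard-library ftplib. It assumes the server address 192.168.1.113 from the FileZilla example, a local account alice with password alice-pw, and a file freenas-ftp-ca.pem containing the server's certificate whose CN matches the host name; the FakeFtp class is a constructed stand-in for proftpd so that the checks can be exercised without a server.

```python
"""Checks for the FTP setups on this page (added example, not FreeNAS or proftpd code).

Assumed: server 192.168.1.113 (the page's FileZilla example), local account 'alice' /
'alice-pw', and 'freenas-ftp-ca.pem' holding the server certificate (CN = host name).
FakeFtp is a constructed stand-in for proftpd so the checks run without a server.
"""
import ftplib
import ssl


def probe_login(connect, user, password):
    """Return (client, reply); client is None when the server refused the login."""
    ftp = connect()
    try:
        ftp.login(user, password)
    except ftplib.error_perm as exc:   # 530 for bad credentials, 550 when TLS is required
        ftp.quit()
        return None, str(exc)
    return ftp, "230"


def chroot_holds(ftp):
    """Always Chroot: every escape attempt must be refused or land back at '/'."""
    for target in ("..", "../..", "/", "/etc", "/mnt"):
        try:
            ftp.cwd(target)
        except ftplib.error_perm:
            continue
        if ftp.pwd() != "/":
            return False
    return True


def audit(connect, expect_anonymous, user=None, password=None):
    """Return findings; an empty list means the server matches the intended setup."""
    findings = []
    anon, _ = probe_login(connect, "anonymous", "test@example.com")  # any password is accepted
    if expect_anonymous and anon is None:
        findings.append("anonymous login refused: check Allow Anonymous Login and Path")
    elif expect_anonymous and not chroot_holds(anon):
        findings.append("anonymous user can leave the Path directory")
    elif not expect_anonymous and anon is not None:
        findings.append("anonymous login accepted: Allow Anonymous Login should be unchecked")
    ftp, reply = probe_login(connect, user, password) if user else (None, "")
    if user and ftp is None:
        findings.append("login for %s refused (%s)" % (user, reply))
    elif ftp is not None and not chroot_holds(ftp):
        findings.append("%s can leave the home directory: Always Chroot is not in effect" % user)
    for client in (anon, ftp):
        if client is not None:
            client.quit()
    return findings


def plaintext_refused(connect, user, password):
    """With TLSRequired on, a plain ftplib.FTP login must fail before credentials are checked."""
    ftp, reply = probe_login(connect, user, password)
    if ftp is not None:
        ftp.quit()
    return ftp is None and "TLS" in reply   # proftpd: "550 SSL/TLS required on the control channel"


def tls_connect(host, cafile):
    """Explicit FTPS (FileZilla's ftpes://) that verifies the server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)   # ftplib's default context verifies nothing
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ftplib.FTP_TLS(host, context=ctx, timeout=10)  # login() sends AUTH TLS before USER


class FakeFtp:
    """Constructed stand-in for ftplib.FTP imitating proftpd as FreeNAS configures it."""
    def __init__(self, accounts, anonymous=False, chroot=True, tls_required=False):
        self.accounts, self.anonymous = accounts, anonymous
        self.chroot, self.tls_required, self.cwd_ = chroot, tls_required, "/"

    def login(self, user, password):
        if self.tls_required:
            raise ftplib.error_perm("550 SSL/TLS required on the control channel")
        if user == "anonymous" and not self.anonymous:
            raise ftplib.error_perm("530 Anonymous access denied")
        if user != "anonymous" and self.accounts.get(user) != password:
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 User logged in"

    def cwd(self, path):
        # chrooted, '..' and absolute paths resolve to the login root; otherwise the
        # same attempts expose the parent of the home directory (assumed under /mnt)
        self.cwd_ = "/" if self.chroot else "/mnt"
        return "250 CWD command successful"

    def pwd(self):
        return self.cwd_

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    HOST, USER, PW = "192.168.1.113", "alice", "alice-pw"   # assumed values
    print(audit(lambda: ftplib.FTP(HOST, timeout=10), False, USER, PW))
    print(plaintext_refused(lambda: ftplib.FTP(HOST, timeout=10), USER, PW))  # True once TLSRequired is on
    print(audit(lambda: tls_connect(HOST, "freenas-ftp-ca.pem"), False, USER, PW))
```

Run audit(..., expect_anonymous=True) after the anonymous procedure and audit(..., False, user, password) after the chroot procedure; once TLSRequired on is in place, plaintext_refused() should return True, and the same audit run through tls_connect() repeats the chroot checks over the encrypted channel. The chroot test relies on proftpd answering CWD .. at the chroot root with success while PWD still reports /, which is what a correctly confined user sees.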

Troubleshooting

The FTP service will not start if it can not resolve the system's hostname to an IP address using DNS. To see if the FTP service is running, open Shell and issue the command:

sockstat -4p 21

If there is nothing listening on port 21, proftpd isn't running. To see the error message that occurs when FreeNAS® tries to start the FTP service, go to System → Settings → Advanced, check the box “Show console messages in the footer” and click Save. Next, go to Services → Control Services and switch the FTP service off then back on in the GUI. Watch the console messages at the bottom of the browser for errors.

If the error refers to DNS, either create an entry in your local DNS server with the FreeNAS® system's hostname and IP address or add an entry for the IP address of the FreeNAS® system in the "Host name database" field of Network → Global Configuration.
