RISC OS Open: Forum: Port Forwarding Settings for FTPc

Mar 15, 2022 5:14pm

I need to be able to upload and download files using FTPc to and from, respectively, a NAS (network attached storage device) on the LAN remotely, that is, on the WAN. I had this set up on the previous NetGear router with “Start Port” 20 and “End Port” 21 which worked. Since changing to fibre optic from the cabinet (from telephone wires all the way), Phone Coop provided a new suitable router, Technicolor (sic) DGA4134, and I need to set up port forwarding again. In the configuration different terms are used for the two ports, WAN port and LAN port, which are currently both set at 21 and it works, but are these port numbers best? Does “Start Port” = WAN port and “End Port” = LAN port, or is it the other way round?

I have set the protocol to TCP/UDP, but could set it to just TCP.

Mar 15, 2022 8:18pm

Bryan (8467) 468 posts

Does “Start Port” = WAN port and “End Port” = LAN port, or is it the other way round?

Neither. Port Forwarding always forwards the ports unchanged. You need a clever router to change the port numbers on the way through and it will be called something else. My DrayTek will do it, but I never use it.

You want to forward both port numbers unchanged from the WAN to the LAN. You need two because one port is used for data and the other for control.

Start port just identifies the lower number of a range of ports which finishes with end port.

Some simple FTP Servers will work just using port 21, so only need port 21 forwarding.

Mar 15, 2022 8:49pm

David J. Ruck (33) 1635 posts

Right Bryan has explained how you do it, now I’ll explain why you shouldn’t. Port forwarding of a completely insecure protocol such as FTP through from WAN to LAN is utterly insane. That port will be probed and compromised in seconds.

If you’ve got old crap lying around which can only do unencrypted file transfers (and if we didn’t, we wouldn’t be here), you need to set up either a VPN or SSH tunnel between sites, so there is a secure encrypted link, over which you can run your insecure protocol.

Mar 15, 2022 11:14pm

Bryan (8467) 468 posts

Hmmmm,

Seconds is very much an exageration.

As to whether you should, it depends on what you have on the server. And, if it is a RISC OS server, the normal hacks just will not work. I have a server online and the hack attempts that come through ¹ are way off the mark.

And, if they do get through, they are going to be mightily dissapointed!

¹ 1 or 2 every couple of days

Mar 16, 2022 10:39am

David J. Ruck (33) 1635 posts

Believe me it is seconds, and its also not just what you have on the server, but also what someone else might use your system to distribute.

Mar 16, 2022 11:15am

Bryan (8467) 468 posts

Well. You stick with your theories.

And I will stick with my practical experience with RISCOS servers online for years.

Mar 16, 2022 11:31am

Alan Adams (2486) 1149 posts

And, if they do get through, they are going to be mightily dissapointed!

Until they connect to your Windows computer which also happens to be on your LAN – port forwarding exposes the entire network, not just the computer you intended it for.

Mar 16, 2022 11:32am

Alan Adams (2486) 1149 posts

Some simple FTP Servers will work just using port 21, so only need port 21 forwarding.

classic FTP uses ports 20 and 21. In order to use port 21 only, you may need to set “passive FTP”, which uses the same port for both.

Mar 16, 2022 12:53pm

David R. Lane (77) 766 posts

Just from my experience ….
I only once, years back, not seconds, found some suspicious looking files on my NAS and that was before all the shares were password protected (some were).

My NAS probably runs Linux, but I dare say the hackers already know that. I don’t have any sensitive files on my NAS.

I have both WAN and LAN set to using port 21 and it works, but would it be better to use 20 and 21, and which way round?

Mar 16, 2022 1:29pm

Bryan (8467) 468 posts

Until they ….

This thread has been taken way off topic now. So I’m out.

Mar 16, 2022 1:30pm

Rick Murray (539) 13840 posts

And I will stick with my practical experience with RISCOS servers online for years.

Okay, let’s talk practical experience. I have a BBS running on port 23.

You’re right, it’s not seconds. It is minutes.

I have a circular list of IP addresses. Sixteen of them. If something connects too frequently, or tries to log in with certain usernames (shell, system, etc) then it will be blacklisted and the connection dropped.
Using the available IPdb data, my server does a lookup of the country of origin. Russia, China, Israel, Pakistan, and a couple of other Stans are immediately dropped.

Even so, from time to time the server gets spammed so hard it has to start discarding connections (it is, by design, capable of handling eight concurrent). I ought to add an address to the blacklist if it’s using more than three ports at the same time.

With all of that, I see the linetask popping up on the icon bar frequently. Enough that in the time it has been online, it’s clocked up nearly half a million login attempts. There’s a good hundred or so attempts every single day. And that’s with the big ones (Russia, China) blacklisted.

WebJames does minimal logging, because that gets hammered quite a lot and I don’t care to fill my space with the logs. It’s amazing how much phpMyAdmin is searched for.

That is my experience running a server with RISC OS.

If you really think your server doesn’t get hit frequently, I suggest you check to see if your server has had the activity logging turned off.

Mar 16, 2022 1:39pm

Rick Murray (539) 13840 posts

port forwarding exposes the entire network, not just the computer you intended it for.

Thankfully this ought to be less of a worry with RISC OS. I’m not currently aware of anything that would grant an external connection the ability to run arbitrary code. Which, of course, doesn’t mean it can’t happen, but thankfully RISC OS is sufficiently different that it would be much easier to release a poisoned application than to try hacking it from afar.

But yes, once a machine is compromised, it can be used to access everything that it has access to. If it is running on your LAN and it can see your LAN (isn’t firewalled by itself) then all of that can be accessible. Do you have open shares, for instance?

Mar 16, 2022 3:52pm

Steve Pampling (1551) 8170 posts

I have both WAN and LAN set to using port 21 and it works, but would it be better to use 20 and 21, and which way round?

For a NAS/server etc exposed to the Internet the standard advice would be to use SFTP rather than the simpler and less secure FTP
Connection there would be on 22

Mar 16, 2022 4:45pm

David R. Lane (77) 766 posts

So does RISC OS have an SFTP application? All I can find is using Nettle with ANSI task connection in conjunction with SSH providing you have RComp’s secure sockets module; but this is a command line solution. See www.riscosopen.org/forum/forums/5/topics/1520 .

Mar 16, 2022 6:08pm

Steve Pampling (1551) 8170 posts

So does RISC OS have an SFTP application?

Probably only CURL

Mar 16, 2022 7:52pm

David J. Ruck (33) 1635 posts

For a NAS/server etc exposed to the Internet the standard advice would be to use SFTP rather than the simpler and less secure FTP
Connection there would be on 22

No, the best advice is to use a VPN. Dump absolute PoS routers supplied by your ISP straight in the bin (Technicolor being one of the worst), and get yourself a decent one. ASUS routers (or anything running OpenWRT firmware) can be set up to both OpenVPN servers and OpenVPN clients, so you can link different sites together at the router level even if you don’t have any computers capable of running OpenVPN. Once you’ve done this, you can run ancient insecure protocols between your machines in different places while being protected by strong encryption, and no messing with port forwarding.

Mar 16, 2022 8:33pm

Rick Murray (539) 13840 posts

Dump absolute PoS routers supplied by your ISP straight in the bin

Not always possible. Orange (France) uses some weird non-standard SIP ¹ and the router itself provides authentication.
So I can hook any router I like to my line, but only the Livebox will give me a phone line.

It may be that as more and more landlines become VoIP, this may become more of a problem?

¹ A while back somebody was trying to reverse engineer it. Orange sent a cease and desist, and while the law does permit for reverse engineering for interoperability, it’s not a surprise that he threw in the towel when the lawyers got involved.

Mar 16, 2022 8:34pm

Chris Gransden (337) 1207 posts

So does RISC OS have an SFTP application?

PuttyTools available via PackMan contains the psftp command.

Mar 16, 2022 10:19pm

Chris Mahoney (1684) 2165 posts

It may be that as more and more landlines become VoIP, this may become more of a problem?

Same sort of thing in NZ. Some ISPs do it the ‘right way’ and provide VoIP directly from the fibre ONT, but others like Vodafone give you a preconfigured router and don’t tell you any of the settings. Other ISPs are a middle ground where they give you a router but also tell you the settings.

Mar 17, 2022 7:44am

David J. Ruck (33) 1635 posts

You can always put the router in to modem mode (turn off DHCP, DNS and WiFi) and plug a decent router in to it which will provide all those features.

Port Forwarding Settings for FTPc

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Mar 15, 2022 5:14pm David R. Lane (77) 766 posts	I need to be able to upload and download files using FTPc to and from, respectively, a NAS (network attached storage device) on the LAN remotely, that is, on the WAN. I had this set up on the previous NetGear router with “Start Port” 20 and “End Port” 21 which worked. Since changing to fibre optic from the cabinet (from telephone wires all the way), Phone Coop provided a new suitable router, Technicolor (sic) DGA4134, and I need to set up port forwarding again. In the configuration different terms are used for the two ports, WAN port and LAN port, which are currently both set at 21 and it works, but are these port numbers best? Does “Start Port” = WAN port and “End Port” = LAN port, or is it the other way round? I have set the protocol to TCP/UDP, but could set it to just TCP.

Mar 15, 2022 8:18pm Bryan (8467) 468 posts	Does “Start Port” = WAN port and “End Port” = LAN port, or is it the other way round? Neither. Port Forwarding always forwards the ports unchanged. You need a clever router to change the port numbers on the way through and it will be called something else. My DrayTek will do it, but I never use it. You want to forward both port numbers unchanged from the WAN to the LAN. You need two because one port is used for data and the other for control. Start port just identifies the lower number of a range of ports which finishes with end port. Some simple FTP Servers will work just using port 21, so only need port 21 forwarding.

Mar 15, 2022 8:49pm David J. Ruck (33) 1635 posts	Right Bryan has explained how you do it, now I’ll explain why you shouldn’t. Port forwarding of a completely insecure protocol such as FTP through from WAN to LAN is utterly insane. That port will be probed and compromised in seconds. If you’ve got old crap lying around which can only do unencrypted file transfers (and if we didn’t, we wouldn’t be here), you need to set up either a VPN or SSH tunnel between sites, so there is a secure encrypted link, over which you can run your insecure protocol.

Mar 15, 2022 11:14pm Bryan (8467) 468 posts	Hmmmm, Seconds is very much an exageration. As to whether you should, it depends on what you have on the server. And, if it is a RISC OS server, the normal hacks just will not work. I have a server online and the hack attempts that come through ¹ are way off the mark. And, if they do get through, they are going to be mightily dissapointed! ¹ 1 or 2 every couple of days

Mar 16, 2022 10:39am David J. Ruck (33) 1635 posts	Believe me it is seconds, and its also not just what you have on the server, but also what someone else might use your system to distribute.

Mar 16, 2022 11:15am Bryan (8467) 468 posts	Well. You stick with your theories. And I will stick with my practical experience with RISCOS servers online for years.

Mar 16, 2022 11:31am Alan Adams (2486) 1149 posts	And, if they do get through, they are going to be mightily dissapointed! Until they connect to your Windows computer which also happens to be on your LAN – port forwarding exposes the entire network, not just the computer you intended it for.

Mar 16, 2022 11:32am Alan Adams (2486) 1149 posts	Some simple FTP Servers will work just using port 21, so only need port 21 forwarding. classic FTP uses ports 20 and 21. In order to use port 21 only, you may need to set “passive FTP”, which uses the same port for both.

Mar 16, 2022 12:53pm David R. Lane (77) 766 posts	Just from my experience …. I only once, years back, not seconds, found some suspicious looking files on my NAS and that was before all the shares were password protected (some were). My NAS probably runs Linux, but I dare say the hackers already know that. I don’t have any sensitive files on my NAS. I have both WAN and LAN set to using port 21 and it works, but would it be better to use 20 and 21, and which way round?

Mar 16, 2022 1:29pm Bryan (8467) 468 posts	Until they …. This thread has been taken way off topic now. So I’m out.

Mar 16, 2022 1:30pm Rick Murray (539) 13840 posts	And I will stick with my practical experience with RISCOS servers online for years. Okay, let’s talk practical experience. I have a BBS running on port 23. You’re right, it’s not seconds. It is minutes. I have a circular list of IP addresses. Sixteen of them. If something connects too frequently, or tries to log in with certain usernames (shell, system, etc) then it will be blacklisted and the connection dropped. Using the available IPdb data, my server does a lookup of the country of origin. Russia, China, Israel, Pakistan, and a couple of other Stans are immediately dropped. Even so, from time to time the server gets spammed so hard it has to start discarding connections (it is, by design, capable of handling eight concurrent). I ought to add an address to the blacklist if it’s using more than three ports at the same time. With all of that, I see the linetask popping up on the icon bar frequently. Enough that in the time it has been online, it’s clocked up nearly half a million login attempts. There’s a good hundred or so attempts every single day. And that’s with the big ones (Russia, China) blacklisted. WebJames does minimal logging, because that gets hammered quite a lot and I don’t care to fill my space with the logs. It’s amazing how much phpMyAdmin is searched for. That is my experience running a server with RISC OS. If you really think your server doesn’t get hit frequently, I suggest you check to see if your server has had the activity logging turned off.

Mar 16, 2022 1:39pm Rick Murray (539) 13840 posts	port forwarding exposes the entire network, not just the computer you intended it for. Thankfully this ought to be less of a worry with RISC OS. I’m not currently aware of anything that would grant an external connection the ability to run arbitrary code. Which, of course, doesn’t mean it can’t happen, but thankfully RISC OS is sufficiently different that it would be much easier to release a poisoned application than to try hacking it from afar. But yes, once a machine is compromised, it can be used to access everything that it has access to. If it is running on your LAN and it can see your LAN (isn’t firewalled by itself) then all of that can be accessible. Do you have open shares, for instance?

Mar 16, 2022 3:52pm Steve Pampling (1551) 8170 posts	I have both WAN and LAN set to using port 21 and it works, but would it be better to use 20 and 21, and which way round? For a NAS/server etc exposed to the Internet the standard advice would be to use SFTP rather than the simpler and less secure FTP Connection there would be on 22

Mar 16, 2022 4:45pm David R. Lane (77) 766 posts	So does RISC OS have an SFTP application? All I can find is using Nettle with ANSI task connection in conjunction with SSH providing you have RComp’s secure sockets module; but this is a command line solution. See www.riscosopen.org/forum/forums/5/topics/1520 .

Mar 16, 2022 6:08pm Steve Pampling (1551) 8170 posts	So does RISC OS have an SFTP application? Probably only CURL

Mar 16, 2022 7:52pm David J. Ruck (33) 1635 posts	For a NAS/server etc exposed to the Internet the standard advice would be to use SFTP rather than the simpler and less secure FTP Connection there would be on 22 No, the best advice is to use a VPN. Dump absolute PoS routers supplied by your ISP straight in the bin (Technicolor being one of the worst), and get yourself a decent one. ASUS routers (or anything running OpenWRT firmware) can be set up to both OpenVPN servers and OpenVPN clients, so you can link different sites together at the router level even if you don’t have any computers capable of running OpenVPN. Once you’ve done this, you can run ancient insecure protocols between your machines in different places while being protected by strong encryption, and no messing with port forwarding.

Mar 16, 2022 8:33pm Rick Murray (539) 13840 posts	Dump absolute PoS routers supplied by your ISP straight in the bin Not always possible. Orange (France) uses some weird non-standard SIP ¹ and the router itself provides authentication. So I can hook any router I like to my line, but only the Livebox will give me a phone line. It may be that as more and more landlines become VoIP, this may become more of a problem? ¹ A while back somebody was trying to reverse engineer it. Orange sent a cease and desist, and while the law does permit for reverse engineering for interoperability, it’s not a surprise that he threw in the towel when the lawyers got involved.

Mar 16, 2022 8:34pm Chris Gransden (337) 1207 posts	So does RISC OS have an SFTP application? PuttyTools available via PackMan contains the psftp command.

Mar 16, 2022 10:19pm Chris Mahoney (1684) 2165 posts	It may be that as more and more landlines become VoIP, this may become more of a problem? Same sort of thing in NZ. Some ISPs do it the ‘right way’ and provide VoIP directly from the fibre ONT, but others like Vodafone give you a preconfigured router and don’t tell you any of the settings. Other ISPs are a middle ground where they give you a router but also tell you the settings.

Mar 17, 2022 7:44am David J. Ruck (33) 1635 posts	You can always put the router in to modem mode (turn off DHCP, DNS and WiFi) and plug a decent router in to it which will provide all those features.