# Cloud FTP, FTPS, SFTP Configuration

##### Last updated on: March 15, 2024

This page provides configuration information for Cloud FTP, the Access Anywhere file transfer server supporting FTP, FTPS and SFTP. For user documentation see [[:cloudftp]].

## Domain Name

Setting the domain name during installation allows FTP and FTPS to be accessed through the domain name. The services will be available at the following ports:

^ Protocol ^ Port ^ Notes ^
| FTP | 21 | Passive mode enabled, TCP Ports 20001 - 20100 |
| FTP w/TLS | 21 | Same as FTP, with Self Signed Certificates (FTP Explicit) |
| FTPS | 990 | Same as FTP w/TLS |
| SFTP | 2200 | SSH File Transfer Protocol uses default RSA key |

All firewall settings are already configured for the default basic configuration.

### Custom Domain Name

To access the FTP server via a custom domain name instead of the one configured for the appliance, create an A or CNAME DNS record pointing to the IP address or domain name of the appliance. Any fully-qualified domain name can be used.

### Custom Certificates

FTP w/TLS and FTPS clients are not as strict as web browsers when using self signed certificates. Regardless, if a client needs to use a properly signed certificate the process is as follows:

  1. Upload the certificate and private key to Access Anywhere, preferably in the following directories:
     a. Private key in /etc/pki/tls/private/
     b. Public certificate in /etc/pki/tls/certs/
  2. Update the ftpserver.conf entries:
     a. pathToSSLkey should point to the private key
     b. pathToSSLcert should point to the public certificate
  3. Restart the CloudFTP service

### FTP Passive Mode through NAT/PAT

FTP Passive Mode requires that the FTP server sends the client the port and IP address of Access Anywhere. When Access Anywhere is secured behind a public firewall the internal IP address will most likely not match the public IP address. Set up passive mode as follows:

  1. Add the following entry to ftpserver.conf:
     a. external_ip_for_passive_mode=xxx.xxx.xxx.xxx
  2. Restart the CloudFTP service

## Automatic Configuration of CloudFTP Services

Each of the CloudFTP file transfer services requires configuration. For many customers the configuration created when CloudFTP is started for the first time will be sufficient and no additional (manual) configuration will be required. This is the case when all of the following conditions are met:

  * FTP and SFTP (but not FTPS) are to be enabled.
  * The Access Anywhere node is attached directly to the network over which it will be accessed or, if a network device such as a firewall connects the Access Anywhere host to that network, Access Anywhere's address is NATed or PATed directly to an external address using a one-to-one mapping.
  * The Access Anywhere node has egress access to the public internet (automatic configuration detects the public IP address through an external DNS lookup, described under Setting the IP Address for FTP and FTPS below).
  * The default ports and ranges for FTP and SFTP are acceptable.

To trigger automatic configuration, start CloudFTP for the first time by running the following as the root user:

```
cd /var/www/smestorage/containers/cloudftp/
docker-compose up -d
```

Cloud FTP file transfer services (FTP, FTPS, SFTP) are **disabled** by default for new installations and for upgrades. Upon starting Cloud FTP, FTP and SFTP become enabled (disable_ftp=0 and disable_sftp=0 in the configuration files described below). FTPS stays disabled (disable_ftps=1); additional steps are required to enable it.

The Cloud FTP file transfer services, their default ports and their state before CloudFTP has been started for the first time are:

^ Protocol ^ Port ^ State before first start ^ Notes ^
| FTP | 21 | Disabled | Passive mode enabled, TCP Ports 20000 - 20010 |
| FTP w/TLS | 21 | Disabled | Same as FTP, with Self Signed Certificates (FTP Explicit) |
| FTPS | 990 | Disabled | Same as FTP w/TLS |
| SFTP | 2200 | Disabled | SSH File Transfer Protocol uses default RSA key |

Access Anywhere's firewall is pre-configured to support use of these services over these ports.
## Stopping and Starting CloudFTP's File Transfer Services

CloudFTP is managed by the root user. All commands must be run as root from the following directory:

```
/var/www/smestorage/containers/cloudftp
```

To start the file transfer services, run:

```
docker-compose up -d
```

Once CloudFTP has been started for the first time it will continue to run unless it is stopped manually, and it will restart on reboots. Starting CloudFTP manually is only required when the service is being switched on for the first time and after it has been brought down manually.

To stop the CloudFTP file transfer services, run:

```
docker-compose down
```

To restart the services, run:

```
docker-compose restart
```

## Enabling and Disabling Individual File Transfer Services

CloudFTP is a wrapper service that turns the FTP, FTPS and SFTP file transfer services on and off. You can explicitly control which of the three will be turned on by CloudFTP by setting the value of the //disable_// variable for each service (disable_ftp, disable_ftps, disable_sftp) in the appropriate configuration file (configuration files are discussed in later sections). The variable is a disable flag: a value of '1' disables the file transfer service; a value of '0' enables it. This matches the shipped defaults, disable_ftp=0 and disable_sftp=0 (enabled) and disable_ftps=1 (disabled). Restart CloudFTP after changing the value of any of those variables to ensure that the change takes effect.

## Adding or Changing Domain Names

You can use Access Anywhere's domain name to access any or all of the file transfer services. You can also add different domain names or FQDNs for any or all of the file transfer services. For example, if your Access Anywhere's domain name is:

  * example.com

you might choose to add:

  * ftp.example.com for FTP

and/or:

  * ftps.example.com for FTPS.

To use a new domain name just add a type A or CNAME record to DNS associating the new domain name with your Access Anywhere. Any valid domain name can be used; the file transfer services do not validate domain names. For FTP w/TLS and FTPS, however, a client that verifies certificates expects the name it connects to to appear in the server certificate, so any custom certificate you install (see Custom Certificates) should be issued for every FTP/FTPS name you add.
## Manual Configuration

If any of the criteria from the automatic configuration section above is not met, it will be necessary to manually update the configuration.

### FTP, FTP with TLS and FTPS Configuration

#### FTP Configuration File

To access the FTP configuration file, which is used to configure FTP, FTP with TLS and FTPS, log into Access Anywhere and elevate to root. The file ftpserver.conf contains many FTP, FTP w/TLS, and FTPS settings. It can be found at:

```
/var/www/smestorage/containers/cloudftp/configs/ftpserver.conf
```

Defaults:

^ Setting ^ Details ^
| ftp_server_ip=xxx.xxx.xxx.xxx | The listening IP address (interface) of the FTP services. Generally this is 0.0.0.0 |
| port=21 | Port for FTP (and FTP w/TLS, which uses explicit TLS on the same port) |
| FTPISport=990 | Port for FTPS (implicit TLS) |
| smeserver= | IP of the Access Anywhere Web API (defaults to the container's host) |
| countprocesses=20 | Limits the total number of connections |
| ftp_timeout=180 | Timeout in seconds for connections with no activity |
| pathToSSLkey=/etc/pki/tls/private/localhost.key | Private key. Self-configured by default |
| pathToSSLcert=/etc/pki/tls/certs/localhost.crt | Public certificate. Self-configured by default |
| limitConnectionsForOneUser=5 | Limits the number of connections one user can open |
| min_port=20000 | Minimum port number for Passive Mode |
| max_port=20010 | Maximum port number for Passive Mode |
| max_speed_write_to_disk=0 | Limits the speed at which uploads are written to disk, in bytes per second (0 = no limit) |
| max_download_speed=0 | Limits the download speed on read access, in bytes per second (0 = no limit) |
| max_upload_speed=0 | Limits the upload speed, in bytes per second (0 = no limit) |
| maximumlimitsizeupload=10737418240 | Maximum file size allowed for upload, in bytes (default 10 GiB) |
| tmpfolder=/scratch/cloudftp | Upload (scratch) location on disk |
| timeoutForAcceptingConnections=180 | Timeout of the service when awaiting a data connection |
| disable_ftp=0 | Disables (1) or enables (0) FTP |
| disable_ftps=1 | Disables (1) or enables (0) FTPS |
| ssl_version=TLSv1.1+TLSv1.2 | Controls the supported TLS versions |
| ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES | Controls the available ciphers |
| external_ip_for_passive_mode=1.2.3.4 | The external IP address that Passive Mode clients are told to connect to |
| debug=100 | Debug level |

Two of these defaults deserve attention on an internet-facing node. TLS 1.1 is deprecated (RFC 8996), so once all clients support it, restrict ssl_version to TLSv1.2. The passive range min_port to max_port must be the same range that docker-compose.yml publishes and that the host and external firewalls allow; a mismatch leaves the control connection working while every data transfer hangs.

#### Log File

Since the CloudFTP services log to stdout (standard output), log files can be observed with:

```
cd /var/www/smestorage/containers/cloudftp
docker compose logs
```

To see recent and future log messages:

```
docker compose logs --tail=200 -f
```

#### Setting the IP Address for FTP and FTPS

The main element of automatic configuration is detection of the server's user facing (that is, public) IP address. This IP address is needed by CloudFTP to allow FTP clients to open Passive connections with the FTP or FTPS file transfer services.

The automatic configuration process uses a public service to detect Access Anywhere's public IP address. It runs the following command:

```
dig +short myip.opendns.com @resolver1.opendns.com
```

This command will time out or fail if Access Anywhere cannot reach the OpenDNS resolver (for example, when the node has no egress to the public internet). Also, in certain configurations (for example, when outbound traffic leaves through a different public address than the one inbound FTP traffic is mapped to) it can return an incorrect IP address.

If it is necessary to set the Passive IP address manually, working as root edit the FTP server configuration file as follows:

```
vim /var/www/smestorage/containers/cloudftp/configs/ftpserver.conf
```

Find the line "external_ip_for_passive_mode" like the following and adjust the IP address:

```
external_ip_for_passive_mode=1.2.3.4
```

Save and exit the file, and relaunch the CloudFTP services as follows:

```
cd /var/www/smestorage/containers/cloudftp
docker-compose restart
```

#### Advanced FTP and FTPS Setup

Systems publicly exposing FTP based protocols might need additional setup to meet security requirements.
Common types of changes are detailed below; for help with other advanced changes contact [[support@nasuni.com | Support]].

##### Custom Certificates

FTP with TLS and FTPS clients are not as strict as web browsers when using self signed certificates. Regardless, if a client requires a properly signed certificate, move the certificate and private key to the following locations:

```
/var/www/smestorage/containers/cloudftp/certs/localhost.crt (certificate)
/var/www/smestorage/containers/cloudftp/certs/localhost.key (private key)
```

Then restart CloudFTP. The certificate must be issued for the host name(s) clients use to reach the FTP/FTPS service (see Adding or Changing Domain Names above), and if the files are placed anywhere else, pathToSSLkey and pathToSSLcert in ftpserver.conf must be updated to match.

##### FTP Passive Mode through NAT/PAT

FTP Passive Mode requires that the FTP server sends the client the port and IP address of Access Anywhere. When Access Anywhere is secured behind a public firewall the internal IP address will most likely not match the public IP address. Set up passive mode as follows:

  1. Update the following entry in /var/www/smestorage/containers/cloudftp/configs/ftpserver.conf:
     a. external_ip_for_passive_mode=xxx.xxx.xxx.xxx
  2. Restart the CloudFTP service

The passive port range the server advertises (min_port to max_port in ftpserver.conf) must also be the range published in docker-compose.yml and forwarded by the firewall or NAT device; otherwise data connections fail even though the control connection works.

##### FTP/FTPS Port Number Changes

FTP and FTPS are configured to run on the standard default ports listed above. These can be changed if required. To change the port numbers, edit the docker-compose yaml file:

```
vim /var/www/smestorage/containers/cloudftp/docker-compose.yml
```

Change the published ports to those that you require. For example, to change the FTP port from 21 to 8821, find the ports section and set both sides of the mapping (host:container) to the new port number:

```
ports:
  - "8821:8821"
  - "990:990"
  - "20000-20010:20000-20010"
```

After saving docker-compose.yml, edit the FTP server configuration file:

```
/var/www/smestorage/containers/cloudftp/configs/ftpserver.conf
```

so that the listener inside the container uses the same port, for example:

```
# Port where CloudFTP Should Be Listening
port=8821
```

Finally, restart the CloudFTP services and verify the configuration.
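The passive-mode and port-change steps above all fail the same way when they are half done: the control connection succeeds and every data transfer stalls, because the server advertises an address or port the client cannot reach. The following script is an added example, not part of the Access Anywhere or CloudFTP product, that checks ftpserver.conf against docker-compose.yml before you restart. It assumes only what this page shows: key=value lines in ftpserver.conf and a "host:container" ports: list in the compose file. The sample files it writes are constructed for the rehearsal and are not copied from a real appliance.

```shell
#!/bin/sh
# Added example, not part of the Access Anywhere / CloudFTP product: a
# pre-restart consistency check of ftpserver.conf against docker-compose.yml.
# Assumptions: ftpserver.conf holds key=value lines and docker-compose.yml has
# a ports: list in the "host:container" form shown on this page.

# conf_get FILE KEY -> value of KEY, or empty if absent ('#' lines ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# compose_host_ports FILE -> space-separated host-side port specs from the
# ports: list, e.g. "21 990 20000-20010".
compose_host_ports() {
    sed -n 's/^[[:space:]]*-[[:space:]]*"\([^:"]*\):.*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# is_private_ip ADDR -> true for RFC 1918, loopback and link-local addresses.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# cloudftp_check FTPSERVER_CONF COMPOSE_YML
# Prints one line per finding; returns 1 if a finding would break FTP/FTPS.
cloudftp_check() {
    conf=$1; compose=$2; rc=0
    ports=$(compose_host_ports "$compose")
    port=$(conf_get "$conf" port)
    ftps_port=$(conf_get "$conf" FTPISport)
    min=$(conf_get "$conf" min_port)
    max=$(conf_get "$conf" max_port)
    ext=$(conf_get "$conf" external_ip_for_passive_mode)
    tls=$(conf_get "$conf" ssl_version)

    # 1. Both control ports must be published by the container.
    for p in "$port" "$ftps_port"; do
        case " $ports " in
            *" $p "*) ;;
            *) echo "ERROR: port $p is set in ftpserver.conf but not published in docker-compose.yml"; rc=1 ;;
        esac
    done
    # 2. The passive range must be published as exactly the same range;
    #    otherwise PASV replies offer ports the host never forwards.
    case " $ports " in
        *" $min-$max "*) ;;
        *) echo "ERROR: passive range $min-$max is not published (compose publishes: $ports)"; rc=1 ;;
    esac
    # 3. Behind NAT the advertised address must be the public one: a private
    #    address here is exactly what the client receives in the PASV reply.
    if [ -z "$ext" ]; then
        echo "WARN: external_ip_for_passive_mode is unset; relying on auto-detection"
    elif is_private_ip "$ext"; then
        echo "ERROR: external_ip_for_passive_mode=$ext is a private address"; rc=1
    fi
    # 4. TLS 1.0 and 1.1 are deprecated (RFC 8996); flag a policy that allows them.
    case "$tls" in
        *TLSv1.0*|*TLSv1.1*|*SSLv3*) echo "WARN: ssl_version=$tls allows deprecated protocol versions" ;;
    esac
    return $rc
}

# make_samples DIR -> constructed sample files (not real appliance files): a
# consistent pair, and a pair showing the usual mistakes after a port change
# behind NAT.
make_samples() {
    cat >"$1/good.conf" <<'EOF'
port=21
FTPISport=990
min_port=20000
max_port=20010
external_ip_for_passive_mode=203.0.113.10
ssl_version=TLSv1.2
EOF
    cat >"$1/good.yml" <<'EOF'
    ports:
      - "21:21"
      - "990:990"
      - "20000-20010:20000-20010"
EOF
    cat >"$1/bad.conf" <<'EOF'
# port moved to 8821 here but docker-compose.yml still publishes 21
port=8821
FTPISport=990
min_port=20001
max_port=20100
external_ip_for_passive_mode=192.168.1.20
ssl_version=TLSv1.1+TLSv1.2
EOF
    cp "$1/good.yml" "$1/bad.yml"
}

# Rehearsal on the constructed samples. On the appliance, point cloudftp_check at
# configs/ftpserver.conf and docker-compose.yml under /var/www/smestorage/containers/cloudftp/.
d=$(mktemp -d); make_samples "$d"
cloudftp_check "$d/good.conf" "$d/good.yml" && echo "good sample: OK"
cloudftp_check "$d/bad.conf" "$d/bad.yml" || echo "bad sample: findings above"
```

The check is deliberately read-only: run it, fix what it reports, then run docker-compose restart. The private-address test matters most; a 192.168.x.x value in external_ip_for_passive_mode is a common leftover from testing on the LAN and is invisible until an external client tries a directory listing.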
**Note:** External firewalls, load balancers and/or NAT/PAT configurations may also need to be updated to pass traffic on the new port(s) to Access Anywhere.

##### FTP and FTPS Rate Limiting

The rates at which FTP and FTPS write to disk, download data and upload data can be limited through configuration. Update the following entries in ftpserver.conf and restart the CloudFTP service to enable rate limiting. Values are in bytes per second:

```
max_speed_write_to_disk=2097152
max_download_speed=3145728
max_upload_speed=3145728
```

##### FTP and FTPS User Connection Limiting

The maximum number of concurrent FTP and FTPS connections allowed for each user can be limited through configuration. Update the following entry in ftpserver.conf and restart the CloudFTP service to enable connection limiting:

```
limitConnectionsForOneUser=5
```

See the list of defaults further up this page for additional configuration settings.

### SFTP Configuration

#### SFTP Configuration Files

To access the SFTP configuration files log into Access Anywhere and elevate to root. The file sftpserver.conf contains many SFTP settings.
It can be found in:

```
/var/www/smestorage/containers/cloudftp/configs/sftpserver.conf
```

Defaults:

^ Setting ^ Details ^
| ftp_server_ip=0.0.0.0 | Interface address(es) listening for SFTP |
| port=2200 | Default port for SFTP |
| smeserver= | IP of the Access Anywhere Web API (defaults to the container's host) |
| pathToKey=./keys/ssh_host_rsa_key | RSA host private key, mapped into the container |
| pathToCert=./keys/ssh_host_rsa_key.pub | RSA host public key, mapped into the container |
| tmpFolder=/scratch/cloudsftp | Scratch folder |
| countprocesses=30 | Limit of total connections |
| timeout=360 | SFTP no-activity timeout in seconds |
| connection_time_limit=60 | Maximum time in seconds for an SFTP client to establish a connection |
| maximumlimitsizeupload=10737418240 | Maximum SFTP upload file size in bytes (default 10 GiB) |
| max_speed_write_to_disk=2097152 | Limit speed of disk writes, in bytes per second (0 = no limit) |
| max_upload_speed=3145728 | Limit upload speed, in bytes per second (0 = no limit) |
| max_download_speed=3145728 | Limit download speed, in bytes per second (0 = no limit) |
| limitConnectionsForOneUser=5 | Connections per user |
| SMALL_FILE_SIZE=1048576 | Files below this size do not use scratch |
| debugmode=0 | Enable/disable debugging |
| disable_sftp=0 | Disables (1) or enables (0) SFTP |
| supported_ciphers= | Limit supported ciphers (blank = all ciphers supported) |
| supported_macs= | Limit supported MACs (blank = all MACs supported) |

Leaving supported_ciphers and supported_macs blank offers every algorithm the SFTP server implements. On an internet-facing node, list the ciphers and MACs you have approved explicitly rather than relying on the default.

#### Log File

Since the CloudFTP services log to stdout (standard output), log files can be observed with:

```
docker-compose logs cloudsftp
```

To obtain the last 200 log lines, run:

```
docker-compose logs --tail=200 cloudsftp
```

#### SSH Keys

The SFTP service self-generates SSH host keys in order to serve SFTP connections. In most cases there is no need to be concerned by this.
If you would like to supply your own SSH host keys, they can be dropped in at the following locations:

```
/var/www/smestorage/containers/cloudftp/keys/ssh_host_rsa_key (private key)
/var/www/smestorage/containers/cloudftp/keys/ssh_host_rsa_key.pub (public key)
```

Unique SSH keys are generated on first startup, so you do not necessarily have to regenerate the keys. If you want to regenerate them, delete the existing keys from /var/www/smestorage/containers/cloudftp/keys/ and restart the CloudFTP service. New keys will be created in this location automatically. Replacing or regenerating the host key changes the fingerprint that clients have cached, so users will see a host key warning on their next connection; publish the new fingerprint through a trusted channel rather than asking users to accept the change blindly.

#### SFTP Default Port Number Change

By default SFTP is set to use port 2200. This can be changed to another port, but to change SFTP to its well known value of port 22, SSH must first be moved to another port.

##### Changing the SSH Port

As the root user edit the following file:

```
/etc/ssh/sshd_config
```

Uncomment the #Port 22 line and change the port number to a new value such as 2222:

```
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
```

After saving the file run the following command to let SELinux know of the change, substituting the selected port number (2222 in this example):

```
semanage port -a -t ssh_port_t -p tcp 2222
```

Changing port numbers also requires firewall changes to iptables.
Edit /etc/sysconfig/iptables. Change the rule with --dport 22 (the SSH rule) to the new SSH port, and the rule with --dport 2200 (the SFTP rule) to the new SFTP port:

```
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
```

Restart iptables and SSH with the following commands:

```
systemctl restart iptables
systemctl restart sshd
```

Before moving on, open a new SSH connection to Access Anywhere using the new port number. Ensure connectivity is functioning on the new port before closing the existing session or moving on.

##### Change SFTP Port Number

Edit docker-compose.yml in /var/www/smestorage/containers/cloudftp/. Change the line with SFTP port 2200 to the new value and save:

```
ports:
  - "2200:2200"
```

Next edit the SFTP config file in /var/www/smestorage/containers/cloudftp/configs/sftpserver.conf and update the port number there as well, so that the listener inside the container matches the container side of the compose mapping.

Finally, restart the CloudFTP services as described above and test the service. External firewalls, load balancers and/or NAT/PAT records may also need updating to direct traffic from the Internet to the new internal port number.
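The port move above touches four files, and the dangerous mistake is an iptables file that no longer accepts the port sshd now listens on. The following script is an added example, not Nasuni or CloudFTP code, that performs the same edits on copies of sshd_config, iptables, docker-compose.yml and sftpserver.conf placed in one directory, refuses to finish unless the rewritten firewall file accepts the new SSH port, and shows why the two iptables rules have to be swapped through placeholders when SFTP moves onto port 22. The file excerpts it writes are constructed from the listings on this page; the file names in the directory are an assumption of the example.

```shell
#!/bin/sh
# Added example, not product code: rehearses the SSH/SFTP port move on copies
# of the files it touches, with a lockout guard. DIR must contain sshd_config,
# iptables, docker-compose.yml and sftpserver.conf (on the appliance these are
# /etc/ssh/sshd_config, /etc/sysconfig/iptables and the two files under
# /var/www/smestorage/containers/cloudftp/). Rehearse on copies first, then
# apply to the real files from a session you keep open.

# rewrite FILE SED_SCRIPT -> edit FILE in place without relying on sed -i.
rewrite() {
    sed "$2" "$1" >"$1.new" && mv "$1.new" "$1"
}

# valid_port P -> true for 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# move_ports DIR NEW_SSH NEW_SFTP
move_ports() {
    d=$1; new_ssh=$2; new_sftp=$3
    valid_port "$new_ssh" || { echo "ERROR: bad SSH port '$new_ssh'"; return 1; }
    valid_port "$new_sftp" || { echo "ERROR: bad SFTP port '$new_sftp'"; return 1; }
    [ "$new_ssh" != "$new_sftp" ] || { echo "ERROR: SSH and SFTP cannot share port $new_ssh"; return 1; }

    # sshd_config: uncomment (or rewrite) the Port line.
    rewrite "$d/sshd_config" "s/^#\{0,1\}Port [0-9][0-9]*\$/Port $new_ssh/"
    # iptables: swap both rules through placeholders so that moving SFTP onto
    # 22 (or SSH onto 2200) cannot rewrite the same line twice.
    rewrite "$d/iptables" "s/--dport 22 /--dport @SSH@ /; s/--dport 2200 /--dport @SFTP@ /; s/@SSH@/$new_ssh/; s/@SFTP@/$new_sftp/"
    # The compose mapping and the container-side listener must agree.
    rewrite "$d/docker-compose.yml" "s/\"2200:2200\"/\"$new_sftp:$new_sftp\"/"
    rewrite "$d/sftpserver.conf" "s/^port=2200\$/port=$new_sftp/"

    # Lockout guard: the firewall file must now ACCEPT the new SSH port and
    # sshd must listen on it, or the next restart cuts off remote access.
    grep -q -- "--dport $new_ssh -j ACCEPT" "$d/iptables" ||
        { echo "ERROR: no ACCEPT rule for SSH port $new_ssh in iptables"; return 1; }
    grep -q "^Port $new_ssh\$" "$d/sshd_config" ||
        { echo "ERROR: sshd_config does not set Port $new_ssh"; return 1; }
    echo "OK: sshd on $new_ssh, SFTP on $new_sftp. Next: semanage port -a -t ssh_port_t -p tcp $new_ssh,"
    echo "    restart iptables and sshd, verify a NEW ssh session on $new_ssh, then restart CloudFTP."
}

# make_port_samples DIR -> constructed excerpts of the four files, matching
# the listings on this page (not copied from a real appliance).
make_port_samples() {
    cat >"$1/sshd_config" <<'EOF'
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
EOF
    cat >"$1/iptables" <<'EOF'
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
    cat >"$1/docker-compose.yml" <<'EOF'
    ports:
      - "2200:2200"
EOF
    cat >"$1/sftpserver.conf" <<'EOF'
port=2200
EOF
}

# Rehearsal: SSH to 2222, SFTP to the well-known port 22.
d=$(mktemp -d); make_port_samples "$d"; move_ports "$d" 2222 22
```

Run it against copies, diff the results against the originals, and only then apply the same edits to the real files. The guard does not replace the page's own rule of opening a second SSH session on the new port before closing the first; it only catches the case where the firewall edit was skipped or mistyped.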
#### SFTP Rate Limiting

The rates at which SFTP writes to disk, downloads data and uploads data can be limited through configuration. Update the following entries in sftpserver.conf and restart the CloudFTP service to enable rate limiting. Values are in bytes per second:

```
max_speed_write_to_disk=2097152
max_download_speed=3145728
max_upload_speed=3145728
```

#### SFTP User Connection Limiting

The maximum number of concurrent SFTP connections allowed for each user can be limited through configuration. Update the following entry in sftpserver.conf and restart the CloudFTP service to enable connection limiting:

```
limitConnectionsForOneUser=5
```

See the list of defaults further up this page for additional configuration settings.

#### Log Files

The activity log for Cloud SFTP can be found at:

```
/var/www/smestorage/ftpserver/sftpserver/log.txt
```

## Scratch Space Configuration

FTP, FTPS and SFTP uploads may all require scratch space. Scratch space is needed if the uploading client cannot or does not tell CloudFTP the size of the file that will be uploaded, for example when the client is a camera that is streaming a live recording. Many popular clients don't inform the server (CloudFTP in this case) of the size of the file that is being uploaded even when that information is available to them.

Available scratch space should be large enough to accommodate the largest permitted upload file size multiplied by the number of permitted concurrent uploads (countprocesses * maximumlimitsizeupload). With the defaults above that is 20 * 10 GiB = 200 GiB for FTP/FTPS and 30 * 10 GiB = 300 GiB for SFTP; since both default scratch folders live under /scratch, a shared /scratch filesystem should be sized for the sum.

Scratch space is configured in the service configuration files like this for SFTP (note the uppercase 'F'):

```
tmpFolder=
```

and like this for FTP and FTPS:

```
tmpfolder=
```

By default these are set to /scratch/cloudsftp and /scratch/cloudftp respectively. To increase available disk space for scratch you can set the path to a different location, or you can mount a large volume at the default location.
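The sizing rule above is easy to state and easy to get wrong once the defaults have been edited, because the two services have separate limits but share one parent directory. The following script is an added example, not Nasuni or CloudFTP code, that reads countprocesses and maximumlimitsizeupload from both live configuration files, sums the worst case, and compares it with the free space on the filesystem holding the scratch folders. It assumes key=value lines in the configuration files; the sample files it writes carry this page's default values and are constructed for the rehearsal.

```shell
#!/bin/sh
# Added example, not product code: sizes scratch space from the two
# configuration files using the rule on this page (countprocesses *
# maximumlimitsizeupload per service) and compares it with the free space on
# the filesystem that holds both scratch folders. Assumes key=value lines.

# conf_get FILE KEY -> value of KEY, or empty if absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# service_scratch_bytes CONF -> worst-case bytes one service can hold in scratch.
service_scratch_bytes() {
    n=$(conf_get "$1" countprocesses); m=$(conf_get "$1" maximumlimitsizeupload)
    echo $(( ${n:-0} * ${m:-0} ))
}

# scratch_required_bytes FTPSERVER_CONF SFTPSERVER_CONF -> sum for both services.
# The default folders (tmpfolder=/scratch/cloudftp, tmpFolder=/scratch/cloudsftp)
# both sit under /scratch, so they compete for the same free space unless
# mounted separately.
scratch_required_bytes() {
    echo $(( $(service_scratch_bytes "$1") + $(service_scratch_bytes "$2") ))
}

# scratch_avail_bytes PATH -> free bytes on the filesystem holding PATH (POSIX df).
scratch_avail_bytes() {
    df -P -k "$1" | awk 'NR==2 { printf "%.0f\n", $4 * 1024 }'
}

# scratch_check FTPSERVER_CONF SFTPSERVER_CONF AVAIL_BYTES -> 0 if AVAIL covers
# the worst case, 1 otherwise; prints both figures in GiB.
scratch_check() {
    need=$(scratch_required_bytes "$1" "$2"); avail=${3:-0}
    echo "scratch: need $(( need / 1073741824 )) GiB worst case, $(( avail / 1073741824 )) GiB available"
    [ "$avail" -ge "$need" ]
}

# Constructed sample files carrying this page's defaults (not real appliance files).
make_scratch_samples() {
    printf 'countprocesses=20\nmaximumlimitsizeupload=10737418240\ntmpfolder=/scratch/cloudftp\n' >"$1/ftpserver.conf"
    printf 'countprocesses=30\nmaximumlimitsizeupload=10737418240\ntmpFolder=/scratch/cloudsftp\n' >"$1/sftpserver.conf"
}

# With the defaults: 20*10 GiB + 30*10 GiB = 500 GiB worst case. On the
# appliance, use the real config paths and "$(scratch_avail_bytes /scratch)".
d=$(mktemp -d); make_scratch_samples "$d"
scratch_check "$d/ftpserver.conf" "$d/sftpserver.conf" "$(scratch_avail_bytes "$d")" || echo "scratch: undersized for the worst case"
```

If the worst case is larger than you are willing to provision, the knobs are the ones the page already lists: lower maximumlimitsizeupload or countprocesses, or move tmpfolder/tmpFolder onto a dedicated volume so a flood of size-less uploads cannot fill the root filesystem.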