FTP/SFTP Configuration

last updated: Nov. 12, 2019

The File Fabric Appliance and SaaS support a number of protocol gateways allowing applications to natively access the File Fabric using FTP/FTPS, SFTP or WebDAV. These are ideal for retrofitting existing applications for object storage.

This document covers the configuration of the appliance FTP/SFTP and FTPS gateways. For information on the configuration of clients see Cloud FTP.

Applies to:

  • Enterprise File Fabric Appliance

Setting the domain name during Appliance Installation allows FTP and FTPS to be accessed through the domain name. To access the File Fabric using SFTP through CloudFTP when using a File Fabric version before v1906.04, you must first manually set the value of the serversme variable in /var/www/smestorage/ftpserver/sftpserver/sftpserver.conf to the File Fabric's domain name.

Additionally, you may find that it is necessary to regenerate the File Fabric's SFTP RSA keys before using SFTP to access the File Fabric with CloudFTP. Instructions for doing that can be found later in this document.

In the example below, the domain name is perf.smestorage.com.

The services will be available at the following ports:

Protocol    Port   Notes
FTP         21     Passive mode enabled, TCP ports 20001 - 20100
FTP w/TLS   21     Same as FTP, with self-signed certificates (FTP explicit)
FTPS        990    Same as FTP w/TLS
SFTP        2200   SSH File Transfer Protocol; uses the default RSA key

All firewall settings are already configured for the default basic configuration.

The File Fabric's FTP/FTPS/SFTP service may not be enabled on installation. To ensure that it is turned on and enabled, log in as smeconfiguser then become root and enable and start the service:

su -
systemctl enable cloudftp
systemctl start cloudftp 

CloudFTP can be accessed using the File Fabric's FQDN. Some customers may choose to create an additional FQDN for use by FTP clients, for example ftp.myfilefabric.com.

Since version 1901, File Fabric license keys have been bound to the FQDNs by which the File Fabric is accessed. Before client programs can use the additional FQDN, you must obtain from SME Support a license key in which the FQDN has been encoded, and install that key on your File Fabric.

All Cloud FTP services (FTP/FTPS, SFTP) can be restarted when logging in as root via systemctl.

Log in as smeconfiguser then become root

su -
systemctl stop cloudftp
systemctl start cloudftp 
systemctl restart cloudftp 

Systems publicly exposing FTP-based protocols might need additional setup to meet the needs of security administrators. Common changes are detailed below; for advanced changes contact SME Support.

FTP configuration files

To access the ftp configuration files log into the File Fabric as smeconfiguser and elevate to root using the command:

su -

The file ftpserver.conf contains all FTP, FTP w/TLS, and FTPS settings. It can be found at:

/var/www/smestorage/ftpserver/ftpserver.conf

Defaults:

Setting                                           Details
ftp_server_ip=xxx.xxx.xxx.xxx                     IP address of File Fabric
ftp_server_host=perf.smestorage.com               FQDN of File Fabric
port=21                                           Default port for FTP
FTPISport=990                                     Default port for FTPS
serversme=perf.smestorage.com                     FQDN of File Fabric
debug=100                                         Debug level
countprocesses=20                                 Max processes
ftp_timeout=180                                   Timeout in seconds
min_port=20001                                    Minimum port # for Passive Mode
max_port=20100                                    Maximum port # for Passive Mode
pathToSSLkey=/etc/pki/tls/private/localhost.key   Private key
pathToSSLcert=/etc/pki/tls/certs/localhost.crt    Public key certificate

Changing Domain Name

To access the FTP server via a custom domain name instead of the one configured for the appliance, create an A or CNAME DNS record pointing to the IP address or domain name of the appliance. Any fully-qualified domain name can be used; the File Fabric FTP services do not validate the name a client connects with.

Custom Certificates

FTP w/TLS and FTPS clients are not as strict as web browsers when using self-signed certificates. Regardless, if a client needs to use a properly signed certificate the process is as follows:

  1. Upload the certificate's public certificate and private key to the File Fabric, preferably in the following directories:

    a. Private key in /etc/pki/tls/private/
    b. Public certificate in /etc/pki/tls/certs/

  2. Update the ftpserver.conf entries:
    a. pathToSSLkey should point to the private key
    b. pathToSSLcert should point to the public certificate
  3. Restart the CloudFTP service

FTP Passive Mode through NAT/PAT

FTP Passive Mode requires that the FTP server sends the client the IP address and port of the File Fabric to connect to for the data channel. When the File Fabric is secured behind a public firewall, the internal IP address will most likely not match the public IP address, so the client would be told to connect to an address it cannot reach. Set up passive mode as follows:

  1. Add the following entry to ftpserver.conf

    a. external_ip_for_passive_mode=xxx.xxx.xxx.xxx

  2. Restart CloudFTP service
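The reason external_ip_for_passive_mode matters is visible in the server's reply to the client's PASV command. The following is an added example, not code from this document or from the File Fabric: it parses a "227 Entering Passive Mode" reply and reports the two misconfigurations an administrator behind NAT will see, an advertised RFC 1918 address (external_ip_for_passive_mode unset) and a data port outside the min_port-max_port range that the firewall opens. The function names and the sample replies are constructed for this example; the public address 203.0.113.10 is a documentation address, not a real File Fabric.

```python
import re
from ipaddress import ip_address, ip_network

# A server answering PASV replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)":
# h1-h4 are the octets of the address the client must connect to for the data
# channel and the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# The address families a NATed appliance leaks when it advertises its own
# interface address instead of the public one.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, public_ip, min_port=20001, max_port=20100):
    """List the problems a client would hit with this reply (empty list = OK).

    public_ip is the address clients reach the File Fabric on; min_port and
    max_port default to the passive range from ftpserver.conf in this document.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        problems.append("advertised %s, clients expect %s" % (ip, public_ip))
    if any(ip_address(ip) in net for net in RFC1918):
        # Typical symptom of a NATed appliance without external_ip_for_passive_mode
        problems.append("%s is a private address; set external_ip_for_passive_mode" % ip)
    if not min_port <= port <= max_port:
        problems.append("port %d is outside the passive range %d-%d"
                        % (port, min_port, max_port))
    return problems


if __name__ == "__main__":
    # Constructed replies: a correctly configured server, one that leaks the
    # internal address, and one using a port the firewall does not open.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,78,33)",
        "227 Entering Passive Mode (10,0,0,5,78,33)",
        "227 Entering Passive Mode (203,0,113,10,78,133)",
    ]
    for s in samples:
        print(s, "->", check_pasv(s, "203.0.113.10") or "OK")
```

To use it against a live appliance, connect with any FTP client in verbose mode, copy the 227 line it prints, and pass it to check_pasv together with the public address you expect clients to use; the same check applies after changing min_port and max_port, since a data port outside the range opened in iptables fails in exactly the same way.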

FTP Passive Mode port # changes

FTP Passive Mode ports default to TCP 20001 - 20100.

Changing these port numbers in ftpserver.conf also requires firewall changes to iptables.

After changing min_port and max_port, restart the CloudFTP service.

Then alter /etc/sysconfig/iptables.

Change the range 20001:20100 in the --dport 20001:20100 rule below to the new port range; the other rules stay as they are:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Restart IPtables with the following command:

systemctl restart iptables

FTP / FTPS port # changes

FTP defaults to TCP port 21 and FTPS defaults to port 990.
Changing these port numbers in ftpserver.conf also requires firewall changes to iptables.
After changing port or FTPISport, restart the CloudFTP service. Then alter /etc/sysconfig/iptables.
Change the --dport 21 and --dport 990 entries in the rules below to the new port numbers; the other rules stay as they are:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Restart IPtables with the following command:

systemctl restart iptables

FTP / FTPS Rate Limiting

FTP and FTPS can be rate limited both to disk and via network bandwidth. Add the following entries to ftpserver.conf and restart the CloudFTP service to enable rate limiting. Values are in bytes per second:

max_speed_write_to_disk=2097152
max_download_speed=3145728
max_upload_speed=3145728

FTP / FTPS Scratch Space

FTP and FTPS sometimes require scratch space. Scratch space is needed, for example, during an FTP stream from a camera or device that is recording live and does not yet know the size of the file. As such, scratch space must be larger than the largest file size that will be permitted.

Scratch space defaults to the temp folder in /var/www/smestorage/tmp but can be changed by adding the following entry to ftpserver.conf and restarting the service.

tmpfolder=/path/to/target/

Systems publicly exposing SFTP might need additional setup to meet the needs of security administrators. Common changes are detailed below; for advanced changes contact SME Support.

SFTP configuration files

To access the SFTP configuration files log into the File Fabric as smeconfiguser and elevate to root using the command:

su -

The file sftpserver.conf contains all SFTP settings. It can be found in: /var/www/smestorage/ftpserver/sftpserver/

Defaults:

Setting                                          Details
ftp_server_ip=0.0.0.0                            Interface addresses listening for SFTP
port=2200                                        Default port for SFTP
serversme=perf.smestorage.com                    FQDN of File Fabric
pathToKey=/etc/pki/tls/private/localhost.key     RSA private key
pathToCert=/etc/pki/tls/certs/localhost.crt      RSA public cert
tmpFolder=./tmp                                  Scratch folder
logFile=./log.txt                                Log file
countprocesses=30                                Max processes
timeout=360                                      SFTP timeout
maximumlimitsizeupload=10737418240               Max SFTP upload in bytes
limitConnectionsForOneUser=5                     Connections per user
SMALL_FILE_SIZE=1048576                          Small file in bytes
memcache_ip=127.0.0.1                            Memcache server
memcache_port=11211                              Memcache port
debugmode=0                                      Enable/disable debugging
disable_sftp=0                                   Enable/disable SFTP

SFTP custom FQDN

To access the SFTP server via a custom FQDN instead of the system FQDN nothing needs to be done other than registering A or CNAME DNS records to point to the IP address of the File Fabric. The File Fabric SFTP service does not check the FQDN and thus any FQDN can be used.

Regenerate SFTP RSA Keys

It is recommended to generate new secure keys for the SFTP server.

As the root user:

cd /var/www/smestorage/ftpserver/sftpserver/
ssh-keygen -t rsa -f "./ssh_host_rsa_key"    #(don't enter any passphrase)
chown smestorage:smestorage ssh_host_*

This will generate two files, ssh_host_rsa_key and ssh_host_rsa_key.pub. Edit the sftpserver.conf file and change the two lines as below:

pathToKey=ssh_host_rsa_key
pathToCert=ssh_host_rsa_key.pub

SFTP default port # change

SFTP is set to 2200. This can be changed to another port, but if the desire is to change SFTP to the default port of 22, SSH must be moved to another port.

Change SSH port

As the root user edit the following file: /etc/ssh/sshd_config. Uncomment the line #Port 22 shown below and change the port number to a new number such as 2222:

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

After saving the file, run the following command to let SELinux know of the change, substituting the port number you selected (2222 in this example):

semanage port -a -t ssh_port_t -p tcp 2222

Changing port numbers also requires firewall changes to iptables. Edit /etc/sysconfig/iptables.

Change --dport 22 in the SSH rule below to the new SSH port.
Change --dport 2200 in the SFTP rule below to the new SFTP port.

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Restart IPtables and SSH with the following command:

systemctl restart iptables
systemctl restart sshd

Before moving on, open a new SSH connection to the File Fabric using the new port number. Ensure connectivity is working on the new port before closing the existing session or moving on.

Change SFTP port

Edit sftpserver.conf in /var/www/smestorage/ftpserver/sftpserver.
Change the line port=2200 to the new value and save.
Restart the CloudFTP service.
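Every port change in this document (the passive-mode range and the FTP/FTPS ports in ftpserver.conf, the SFTP port in sftpserver.conf, and the SSH port in sshd_config) has to be mirrored in /etc/sysconfig/iptables, and a forgotten rule only shows up as a connection timeout. The following is an added example, not code from this document or from the File Fabric, that reads the three configuration files and the iptables rules and reports every configured port that no ACCEPT rule admits. The sample file contents are constructed to follow the defaults in this document, with sshd already moved to 2222 while the iptables rule still says 22, so the check reports exactly that gap; the function names are this example's own. It assumes the key=value layout shown in the tables above and the RH-Firewall-1-INPUT rule style shown in this document.

```python
import re

# Constructed sample files following the defaults in this document (not copied
# from a live appliance).  sshd has been moved to 2222 here, but the iptables
# rule for it has deliberately not been updated yet.
FTPSERVER_CONF = """\
port=21
FTPISport=990
min_port=20001
max_port=20100
"""
SFTPSERVER_CONF = "port=2200\n"
SSHD_CONFIG = "#Port 22\nPort 2222\n"
IPTABLES = """\
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def parse_kv(text):
    """key=value lines as used by ftpserver.conf and sftpserver.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def sshd_ports(text):
    """Ports sshd will listen on: every uncommented 'Port N' line, else 22."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*Port\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports) or [22]


def accepted_ranges(iptables_text):
    """(lo, hi) of each tcp --dport that an ACCEPT rule admits for NEW connections."""
    ranges = []
    for line in iptables_text.splitlines():
        if "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        # A rule limited to ESTABLISHED,RELATED does not open a port.
        if ("--state" in line or "--ctstate" in line) and "NEW" not in line:
            continue
        m = re.search(r"--dport (\d+)(:(\d*))?", line)
        if not m:
            continue
        lo = int(m.group(1))
        if m.group(2) is None:
            hi = lo                                            # single port
        else:
            hi = int(m.group(3)) if m.group(3) else 65535      # "lo:hi" or open-ended "lo:"
        ranges.append((lo, hi))
    return ranges


def check_firewall(ftp_conf, sftp_conf, sshd_conf, iptables_text):
    """Return the configured services whose port is not admitted by iptables."""
    ftp, sftp = parse_kv(ftp_conf), parse_kv(sftp_conf)
    lo, hi = int(ftp["min_port"]), int(ftp["max_port"])
    wanted = [
        ("FTP control (port)", int(ftp["port"]), int(ftp["port"])),
        ("FTPS implicit (FTPISport)", int(ftp["FTPISport"]), int(ftp["FTPISport"])),
        ("FTP passive data (min_port-max_port)", lo, hi),
        ("SFTP (port)", int(sftp["port"]), int(sftp["port"])),
    ] + [("SSH (sshd_config Port)", p, p) for p in sshd_ports(sshd_conf)]
    ranges = accepted_ranges(iptables_text)
    problems = []
    if lo > hi:
        problems.append("ftpserver.conf: min_port %d is above max_port %d" % (lo, hi))
    for name, a, b in wanted:
        # The whole configured range must sit inside one ACCEPT range.
        if not any(ra <= a and b <= rb for ra, rb in ranges):
            problems.append("%s: tcp %d-%d has no ACCEPT rule in iptables" % (name, a, b))
    return problems


if __name__ == "__main__":
    result = check_firewall(FTPSERVER_CONF, SFTPSERVER_CONF, SSHD_CONFIG, IPTABLES)
    for line in result or ["all configured ports are open"]:
        print(line)
```

On an appliance, replace the constructed strings with the contents of /var/www/smestorage/ftpserver/ftpserver.conf, /var/www/smestorage/ftpserver/sftpserver/sftpserver.conf, /etc/ssh/sshd_config and /etc/sysconfig/iptables. Running the check before restarting sshd is the useful order: the SSH gap it reports is the one that locks an administrator out when the old session is closed too early.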

SFTP Rate Limiting

SFTP can be rate limited both to disk and via network bandwidth. Add the following entries to sftpserver.conf and restart the CloudFTP service to enable rate limiting. Values are in bytes per second:

max_speed_write_to_disk=2097152
max_download_speed=3145728
max_upload_speed=3145728

SFTP Scratch Space

SFTP sometimes requires scratch space. Scratch space is needed, for example, during an SFTP stream from a camera or device that is recording live and does not yet know the size of the file. As such, scratch space must be larger than the largest upload size in bytes that will be permitted.

Scratch space defaults to the temp folder in /var/www/smestorage/tmp but can be changed by adding the following entry to sftpserver.conf and restarting the CloudFTP service.

tmpfolder=/path/to/target/