Monday, May 10, 2010

freeFTPD


I've been using FileZilla FTP server for some time now and have been happy with its performance.

Recently, we needed to expose the FTP service to another client, and the documents we'd be receiving from them would arrive unencrypted, unlike those from our other clients.

I decided I could simply enable FTPS (FTP over SSL/TLS), open port 990 on my ASA 5525 Security Appliance and NAT the traffic to our server. Unfortunately I quickly found out that a passive FTPS server behind my firewall won't work without some specific configuration changes, as discussed in this article: the firewall cannot read the encrypted control channel to learn which passive data port it needs to open.

With all that fussing around, I decided to check out freeFTPd, a single daemon that offers both FTP and SFTP. SFTP is not to be confused with FTPS; it is the file transfer protocol that runs over SSH (secure shell).

It's fairly straightforward, but it is a bit quirky and the documentation is non-existent. Follow the tips below to get a working server, with freeFTPd starting reliably as a service.

GUI vs Service

  • The SERVER is the state used when starting FTP and SFTP via the GUI.
  • The SERVICE is when FTP and SFTP is started as a Windows Service.

The GUI does not reflect the current state of the service. It will only correctly report the state of the server if you used the GUI to start it. Your best bet is to open cmd and run netstat -an to check what is actually listening.

Apply Configuration Changes Often

The best tip is while you are using the GUI to configure the service, click Apply often, and ESPECIALLY after you start the service.

Evidently the last state the server was in is the one the service will restore it to. So if you had the FTP server stopped, configured home dirs for users, etc., clicked APPLY and THEN started the server, do not expect your FTP server to be started for you when the machine reboots.

Don't Rely on Windows Service

For some reason unknown to me or others, the freeFTPd service doesn't start reliably after a Windows restart for some of us.

Instead, set the service to start Manually rather than Automatically, and use something like the following batch file to start it a bit late and, if you have the IIS SMTP service installed somewhere, let you know when it fails.

@ECHO OFF

:: //////////////////////////////////////////////
::
:: Set the log file location (the quotes are part of the value so the path may contain spaces)
SET _LOG="C:\Program Files\freeFTPd\ftpstartup.log"

ECHO ------------------------------------------------ >> %_LOG%
ECHO -- START %DATE% - %TIME% -- >> %_LOG%
ECHO ------------------------------------------------ >> %_LOG%

:: //////////////////////////////////////////////
::
:: Write the sleep operation to the log and sleep.
:: SLEEP.EXE comes from the Windows Resource Kit, not Windows itself;
:: if it is missing, PING -n 31 127.0.0.1 >NUL waits roughly 30 seconds instead.
ECHO Sleeping 30 seconds >> %_LOG%
SLEEP 30

:: //////////////////////////////////////////////
::
:: Start the service and log its output (errors included)
ECHO Starting service >> %_LOG%
NET START freeFTPDService >> %_LOG% 2>&1

:: //////////////////////////////////////////////
::
:: Look for the services listening on our ports.
:: The pattern requires the port to be followed by a space and the LISTENING
:: state, so that port 21 does not also match 210 or 2121.
:: 10.0.0.12 is this server's LAN address; change it to yours.
ECHO Looking for FTP Listener... >> %_LOG%

NETSTAT -anp TCP | FINDSTR /R /C:"TCP *10\.0\.0\.12:21 .*LISTENING" >> %_LOG%
IF ERRORLEVEL 1 (SET _MSG=FTP SERVICE NOT LISTENING ON PORT 21.& GOTO FAILED) ELSE (ECHO FTP Operational. >> %_LOG%)

ECHO Looking for SFTP Listener... >> %_LOG%

NETSTAT -anp TCP | FINDSTR /R /C:"TCP *10\.0\.0\.12:22 .*LISTENING" >> %_LOG%
IF ERRORLEVEL 1 (SET _MSG=SFTP SERVICE NOT LISTENING ON PORT 22.& GOTO FAILED) ELSE (ECHO SFTP Operational. >> %_LOG%)
GOTO END

:: //////////////////////////////////////////////
::
:: If a check fails, log it and send a notification
:FAILED
ECHO #### %_MSG% >> %_LOG%

:: //////////////////////////////////////////////
::
:: Set the temp file location for the mail message
SET _TEMPMAIL=%TEMP%\TEMPMAIL.%RANDOM%.TXT

:: //////////////////////////////////////////////
::
:: Echo the basic headers to the temp file (^< and ^> escape the angle brackets)

ECHO TO: "Croson, John" ^<mine@DOMAIN.COM^> > %_TEMPMAIL%
ECHO CC: "Demarais, David" ^<his@DOMAIN.COM^>,"Hayssen, Jill" ^<hers@DOMAIN.COM^> >> %_TEMPMAIL%
ECHO FROM: "IHBS Administrator" ^<ADMIN@DOMAIN.TLD^> >> %_TEMPMAIL%
ECHO SUBJECT: SERVICE FAILURE >> %_TEMPMAIL%

:: //////////////////////////////////////////////
::
:: Echo the blank line that separates the headers from the body text

ECHO.>>%_TEMPMAIL%

:: //////////////////////////////////////////////
::
:: Echo the body text to the temp file

ECHO %_MSG% >> %_TEMPMAIL%
ECHO Check %_LOG% for details.>> %_TEMPMAIL%

:: //////////////////////////////////////////////
::
:: Move the temp file to the IIS SMTP pickup directory; the SMTP service
:: reads the headers and delivers the message. EXIT ends the script here.

MOVE %_TEMPMAIL% C:\INETPUB\MAILROOT\PICKUP >> %_LOG%
EXIT

:END

From Start, Run, open mmc, choose Add/Remove Snap-in and add the Group Policy Object Editor for the local computer. Go to Local Computer Policy --> Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown). Open Startup and add the batch file you saved above. Apply the setting.

Keep an eye on this log to make sure your service starts. You may have to tweak the sleep time to get this to work. This works well for me on Windows 2000 Server SP4.
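The listener check that the batch file does with netstat and findstr, as an added example that is not part of the original post: it parses netstat -an output in Python and compares the parsed port number instead of matching a substring (a text match on ":21" would also accept ":2121"). The netstat output is constructed; the address 10.0.0.12 is the one the batch file uses.

```python
import re

# Constructed sample of "netstat -an -p TCP" output (not captured from a real server).
# Note the trap on port 2121: a loose match on ":21" would report FTP as up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.12:2121         0.0.0.0:0              LISTENING
  TCP    10.0.0.12:22           0.0.0.0:0              LISTENING
  TCP    10.0.0.12:22           10.0.0.50:49152        ESTABLISHED
  TCP    10.0.0.12:139          0.0.0.0:0              LISTENING
"""

# One netstat row: proto, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$", re.MULTILINE)


def listening_sockets(netstat_output):
    """Return the set of (local_address, port) pairs that are in the LISTENING state."""
    return {(addr, int(port))
            for addr, port, state in LINE_RE.findall(netstat_output)
            if state == "LISTENING"}


def missing_listeners(netstat_output, address, ports):
    """Ports, in the order given, that are NOT listening on `address`.

    Comparing integers avoids the substring problem: 21 is not 2121.
    """
    listening = listening_sockets(netstat_output)
    return [p for p in ports if (address, p) not in listening]


if __name__ == "__main__":
    # Same check the batch file performs: FTP on 21, SFTP on 22.
    missing = missing_listeners(SAMPLE_NETSTAT, "10.0.0.12", [21, 22])
    for port in missing:
        print("SERVICE NOT LISTENING ON PORT %d." % port)
```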

Mapped Drives

I've configured two users. One I can get to use a mapped drive on the server (H:), the other I cannot (Z:). It might be the drive letter, but I was able to work around it by using a UNC path (\\server\folder) instead. Your mileage WILL vary.

Hope this helps someone else scratching their head as hard as I was!


10 comments:

Boon said...

Thanks a lot, your script works perfectly! One question, do you know how to configure freeFTPd (via SFTP) to use private key authentication instead? Thanks.

John Croson said...

No I don't, but there appears to be 80 or more posts on that very subject with some limited success.

http://www.freesshd.com/index.php?ctt=forum&action=view&topic=1102011017&p=0

Good luck!

Boon said...

Thanks, yes quite disappointed as the developer mentioned it will be ready in 2007. No problem, will look for alternative solution.

Hillel said...

As per the forum on the developer's website, just change the service parameters to run under the Administrator account and not the System account and the issue will be resolved.

"I changed the service to logon as administrator and not system and that seems to be working after a reboot and different windows logons."

Finally a fix for this nuisance of a problem. Amazing how such a simple thing can drive someone nuts for a year!

Anonymous said...

I have been fighting with this also trying to run as a service.

The issue is that two separate program instances open, and then their settings get screwed up.

When the program is run as a service it looks here for config:
C:\Program Files\freeFTPd\freeFTPdservice.cfg

When you open the GUI as a USER and hit Save & Apply... your config goes to your /users/ folder, i.e. here:
C:\Users\jferreira\AppData\Local\VirtualStore\Program Files\freeFTPd\freeFTPdservice.cfg

Service tries to start... uses the WRONG cfg file and it never works.

Open the GUI... save your settings... go find the config file in your /users/ directory (you may have to search for it).

Copy this file into C:\Program Files\freeFTPd\ and restart. It will work !!!

I think this has something to do with a Server 2003\2008 environment.

Anonymous said...

I've been fighting with FreeFTPd for weeks on Win2008Server. The instructions above to do with copying the cfg file into program files worked a treat :-)

Thank You very much!

Dan

Anonymous said...

No problem writing to your network drives? I can map the drive okay and I can change directories and list them all I want. And I can write to the network drive from explorer. But I can't write when I ftp in. Any ideas?
Thanks in advance.

John Croson said...

Have you made sure the account that starts the service has access? If so, then your ftp user doesn't, check their permissions.

Opus600 said...

I had the same problem getting the service to work when no user was logged in. While trying many of the fixes suggested here and on other sites, I found something that works for my setup. I am running Windows Server 2008R2.

The service starts using the last saved config from the GUI. That includes whether the services are started or not. Remember, the GUI does not see that the Windows service is running and will come up with both listeners in a stopped state. From what I can tell, if you save the config with either in the Stopped state, then restart the Windows service, it will start them in the SAME state they were in when you saved the config.

All I had to do to fix the problem was this:
1) Open the GUI, make changes, then MAKE SURE THE SERVERS ARE STARTED.
2) AFTER servers are started, hit the Apply button in the GUI several times. (For some reason, if I hit it only once, it didn't appear to save every time.)
3) Close the GUI and find the icon in the tray and make sure you quit out of it also.
4) Restart the Windows service.

To test it, open a command window and enter netstat -an. Look for the server listening on port 22. If you do this before the steps above, nothing is listening on port 22. After the above steps, I see it listening on port 22.

I can log off and it still works. I also did a reboot of the server and it came up in the listening state.

This worked for me, but from the comments I've read, every Windows Server edition seems to be different.

Hopefully, this will help others that have pulled their hair out looking for a fix like me!

Anonymous said...

Hello,

I have one question about freeFTPd... When you configure FTP using FTP+SSL, how could I configure the port range? I don't see any option about this.

If it is not possible, what port range does freeFTPd use by default for FTP using FTP+SSL?

I need to know this information to open the firewalls correctly.

It's a bit urgent. Thank you very much.

Regards.