FTP in OpenWRT, Take 2

Gin1AK-tion1 · November 30, 2023, 7:48pm

The goal here is to setup a read only anonymous FTP server. Kind of like how when you go to a hotel/motel and you see this brochure box that you can grab brochures from.

It looks like the FTP client is connecting to the VSFTPD 3.0.5-2 server, but I keep getting this error message in the FTP client

Status:	Resolving address of gakinaction.ddns.net
Status:	Connecting to 173.28.125.229:21...
Status:	Connection established, waiting for welcome message...
Response:	220 (vsFTPd 3.0.5)
Command:	AUTH TLS
Response:	530 Please login with USER and PASS.
Command:	AUTH SSL
Response:	530 Please login with USER and PASS.
Status:	Insecure server, it does not support FTP over TLS.
Command:	USER anonymous
Response:	500 OOPS: cannot change directory:/home/ftp

Here is my vsftpd.conf file

background=YES
listen=YES
anonymous_enable=YES
anon_root=/mnt/sda1/FTP/Basmaff
no_anon_password=YES
local_enable=NO
write_enable=NO
local_umask=022
check_shell=NO
local_root=/mnt/sda1/FTP/Basmaff
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
session_support=NO
#syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=NO
#force_local_logins_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

I also made sure the entire drive has read and write on it. Like I applied the power of "chmod ugo+rwx /mnt/sda1"

I also do not have such a folder called "home" in it.

In case anyone is curious, this is me using OpenWRT on my main router now. Just trying to setup the FTP server.

frollic · November 30, 2023, 8:32pm

You already have a web server on your router, why not use it ?

psherman · November 30, 2023, 8:41pm

I was going to say the same thing as @frollic. FTP is not universal anymore - most phones do not have it and some operating systems have dropped support for plain ftp (because it is not secure).

Web browsers, otoh, are universal.

Keep in mind that the openwrt default web server is not suitable for exposure to potential adversarial environments (such as the internet or an environment with potential hostile actors). If you will be exposing this, consider installing a hardened web server.

Gin1AK-tion1 · December 1, 2023, 4:02am

I will look into that then. But what im now wondering about is the web browser part. I know that port 80 is the default for a web server but wouldnt I end up going to the web server instead of the webgui?

I mean, the FTP server is more for sharing CFE and firmware to anyone that needs it. Like im sure they would be going to a computer instead of a phone to download said files.

fakemanhk · December 1, 2023, 5:11am

There is a REVERSE PROXY thing to handle the web server part.

You can still have a webpage to share files, and FTP protocol is so unsecure that like Chrome browser already dropped support, so you want people to download a FTP client or just browse your website to get software?

Look at the firmware selector in OpenWrt page, you can download from any client.

psherman · December 1, 2023, 5:45am

What files are you planning on serving? (I'm asking from a practical standpoint, not trying to challenge you or question the legality or anything else). And to whom? local users or the internet? If local, are they trusted users/devices, or might there be some that are less than friendly (even your friendly/trusted people may have devices that have been infected with malware)

Are we talking about sharing or serving... to elaborate about the distinction I'm making here...

the openwrt downloads page^[1] can be seen as sharing files that are downloaded and then installed. Often they are downloaded to a computer (or even a mobile device), but they can be directly downloaded to a router. After it is downloaded, it can then be installed.
a computer running a tftp server or client can serve a file that is either get by the bootloader within a router or put by the client to the router's bootloader for a tftp flash process. tftp, depsite the similarity in the name, is quite different than ftp in terms of the low level functions and how it is used to load firmware onto a device. It's a simpler protocol than ftp and isn't intended as a general purpose tool for sharing files.

FWIW, MacOS no longer has ftp built-in (sftp is there, though). I haven't looked for any plain ftp apps, but I wouldn't want to install such an app unless it was absolutely critical for my needs. But I have multiple browsers available all the time.

I've actually run complete upgrades of an OpenWrt router (with a fairly complex extroot + VPN configuration) entirely from my iPhone with an ethernet adapter. So yeah, I prefer doing this on a computer, but I can do it on a phone.

There are ways to configure the web server to do different things. It would even be possible to run two web servers on different ports.

downloads.openwrt.org is a web page, but the mechanism doesn't matter for this ↩︎

Gin1AK-tion1 · December 1, 2023, 6:03am

A while back, there was this user named "Barryware" that started this project on the dd-wrt forums called "CFE Collection Project". Users would upload there CFE to the forums and he would collect them. But then he decided it was time for his leave so I took up the offer to host those files.

If anyone ran into a CFE problem with their router, they could go to the server that had their routers CFE and flash it to their router.

I did at one point host for a while but then started hosting them on and off. And so im now trying to fully commit to hosting them although someone seems to have made a copy of my FTP server. But I still choose to host because I think having some redundancy helps when it comes to these sorts of things.

frollic · December 1, 2023, 6:08am

You can get a file list as on a FTP using a web server, AFAIK, but DLds will be HTTP/HTTPS.

Gin1AK-tion1 · December 1, 2023, 6:20am

thats fine. as long as they have an easy way of getting them. Would like to think hosting the webserver on my router would be easier than an FTP. I will report back later on how its going.

psherman · December 1, 2023, 6:22am

Ok... so you're serving to the internet as a whole? In that case:

I stronlgy recommend that you do not run ftp exposed to the internet... full stop.
Don't even think of running FTP on your router. Don't forget this is your first line of defense from the internet to your network.
Don't expose a lightweight webserver to the internet, either. It needs to be a propely hardened server.
You'll need enough storage space to make this work, and you want storage technology that is not prone to rapid wear from write operations (flash storage reliability depends on the application space -- for example, an SSD is much more robust than a router's built-in memory). If you're running this on an embedded device, you'll run the risk of wearing out the storage with users writing to your system... this should be on a proper SSD.
Consider hosting this on a computer behind your router. A small low power device is probably fine, but this generally doesn't belong on a router.
you could also consider hosting this on a VPS or really any other hosting service rather than self-hosting these files.

Gin1AK-tion1 · December 1, 2023, 8:19am

Already established that a while ago.
I will look into a hardened server, but now im already considering if i should continue to host these files.
I have a 3tb external drive hooked up to the routers usb 3.0 port.
I have a hard time wrapping my head around this. This would be a web server being hosted on sand in my home. Like even if its on another box, its still behind the router that is port forwarding the web server that I want exposed to the internet. For anyone's curiosity, its a Linksys WRT32x with a swap partition on the external drive.

"A small low power device" im already thinking of having another router running custom firmware reconfigured to work as a web server. Unless you meant to say "low power x86 server".

6.Since you mention this, I am thinking of using the instance I already have running on Amazon Web Services. at the time, I just jumped the gun and assumed that it would cost more for a custom DNS name and figured it would be more fun hosting it myself. But this was back when I was younger and naive. Having another moment of re-evaluating my poor networking choices right now just thinking about this.

Gin1AK-tion1 · December 1, 2023, 8:39am

Another question though. What about hosting an web server on Windows Server 2019? I mean thats whats running on my instance in AWS.

slh · December 1, 2023, 8:44am

Just mentioning two potential alternatives:

some very simple commercial webhosting/ webspace, just enable directory browsing and you're set (as long as you're fine with anonymous reading, but do all the uploading yourself). This can be found for 5-10 bucks a year, maybe even including a top level domain.
host it yourself, if you go this route:
- split out a DMZ VLAN off your router
- run some kind of minimal general purpose linux (e.g. Debian, etc.) with apache or nginx as server.
  why general purpose linux?
  because it gives you timely in-place upgrades for all the necessary packages
  - while I'm not at all up to date with contemporary SBCs, a decade ago, the Allwinner 'sunxi' A10/ A20 based SBCs would have been an ideal option
  - technically the various RPi (probably down to v1) would qualify, but they're ~~probably~~ overpriced for this
  - there are probably other cheap alternatives, as long as they can easily run an -unmodified(!)- general purpose linux (in order to get updates)
  - quite a few used thin-clients may also be very nice platforms for this, which might give you x86_64 and a ~5 watts power budget for decent prices
  - you don't need much performance here, just enough to run a general purpose linux distribution (and yes, all the various webcrawlers and other bots will hit you, hard, that is something you need to keep in the back of your mind), the keywords here are:
    - cheap
    - low power consumption
    - dedicated box
    - capable to run a general purpose linux (or xBSD, should you prefer that)

alexatkinuk · December 1, 2023, 11:58am

The issue is if your router is compromised, they have access to everything the router does so not only is your entire LAN at risk, they also have direct access to do bad things with your Internet connection.

By having it hosted on its own box behind the router, only that one port is exposed and if you put it on its own subnet via the router, it wont even be able to see your main LAN and your router can be informed to not respond to the WebUI from that subnet too.

So you've dramatically reduced the attack vectors while also reducing the damage that could be done if it was compromised.

frollic · December 1, 2023, 12:18pm

+1 for a VPS.

If you want to host it at home, buy a Dockstar or Pogoplug, they're often <$10 used, on ebay.

slh · December 2, 2023, 2:44am

(I wouldn't go toooo old, personally I'd draw the line at baytrail or newer, but for this purpose a lot is possible)

maurer · December 2, 2023, 8:01am

Oracle cloud infra has a very generous free tier with up to 200gb storage and up to 4 instaces with public IPs plus 10TB internet traffic.
The only downside is that you need a credit/debit card to sign up and no free windows OSs