
block access ftp from wan permanently

nonosch
hello,

i found on this forum that it's possible to block access to the ftp server from wan, with firewall rules.

https://www.snbforums.com/threads/how-to-block-ftp-access-from-wan-on-rt-n66u.15250/

iptables -I INPUT -p tcp --destination-port 21 -j DROP
iptables -I INPUT -p tcp --destination-port 21 --source `nvram get lan_ipaddr`/`nvram get lan_netmask` -j ACCEPT

it works well, but after a reboot it's necessary to do it again.

is there a way, on official firmware, to make these rules permanent?

Or is there another way to proceed?

final question: is this access from wan very bad?

ps: i know that's a recurrent question :)
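An added example, not from the thread: a small POSIX shell script that applies the two rules above idempotently (so a start-up hook can rerun it without stacking duplicates) and a check that the LAN ACCEPT really sits above the DROP in INPUT. It assumes `iptables` and `nvram` as on the Asus routers discussed; the hook mechanism itself is not part of this thread.

```shell
#!/bin/sh
# Restrict the router's FTP server (tcp/21) to the LAN.
# Assumptions: iptables and nvram exist as on Asus firmware; IPT can be
# overridden for testing.

IPT=${IPT:-iptables}

# Print the rule argument lists in the order the -I commands must run:
# DROP first, then ACCEPT, because -I inserts at the top of the chain, so
# the ACCEPT for the LAN ends up above the DROP and is evaluated first.
plan_rules() {
    lan_ip=$1
    lan_mask=$2
    echo "INPUT -p tcp --destination-port 21 -j DROP"
    echo "INPUT -p tcp --destination-port 21 --source ${lan_ip}/${lan_mask} -j ACCEPT"
}

# Insert each rule only if it is not already present (-C checks), so rerunning
# after a firewall restart does not add duplicates.
apply_rules() {
    plan_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        "$IPT" -C $rule 2>/dev/null || "$IPT" -I $rule
    done
}

# Read `iptables -S INPUT` output on stdin; succeed only if a --source ACCEPT
# for port 21 appears before the port-21 DROP (rules are matched top-down).
lan_accept_before_drop() {
    awk '
        /--dport 21/ && /-j ACCEPT/ && /-s / { if (!drop) acc = 1 }
        /--dport 21/ && /-j DROP/            { drop = 1 }
        END { if (acc && drop) exit 0; exit 1 }
    '
}

# Stand-alone use on the router: ./ftp_lan_only.sh --apply
if [ "$1" = "--apply" ]; then
    apply_rules "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"
    "$IPT" -S INPUT | lan_accept_before_drop || echo "warning: DROP precedes LAN ACCEPT" >&2
fi
```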
 
final question: is this access from wan very bad?
FTP is totally insecure by design. All information, including user names and passwords, is sent in plain text over the link. You must assume that everything sent over FTP is being seen by other people.
 
FTP is totally insecure by design. All information, including user names and passwords, is sent in plain text over the link. You must assume that everything sent over FTP is being seen by other people.

In fact i don't use ftp from wan.

the only use is for lan access from an ip camera to send captures to the router, with a "user" account that only has access to the ftp folder.

so the only problem i have is the possibility of access from wan.

in fact i don't know if it is easy for someone to "force" this opening.
 
in fact i don't know if it is easy for someone to "force" this opening.
Ignoring the possibility of someone "sniffing" the traffic; in terms of trying to "hack" into the ftp server - Asus uses vsftpd which AFAIK is very secure (that's what the vs stands for ;)), whether Asus have implemented it properly I don't know.
 
Ignoring the possibility of someone "sniffing" the traffic; in terms of trying to "hack" into the ftp server - Asus uses vsftpd which AFAIK is very secure (that's what the vs stands for ;)).

ok, in fact if i don't use external access everything could be fine :-)

thanks for your clear answer (one more time :-) ).
 
Ignoring the possibility of someone "sniffing" the traffic; in terms of trying to "hack" into the ftp server - Asus uses vsftpd which AFAIK is very secure (that's what the vs stands for ;)), whether Asus have implemented it properly I don't know.

Asus' implementation does not support TLS, therefore it's not secure.
 
Asus' implementation does not support TLS, therefore it's not secure.
It depends on what you mean by "secure". That was the distinction I was making in posts #2 and #4. *** It's secure provided you don't use it :D, or you're using it for hosting information you accept could be accessible by anybody. Still, it's far more preferable to have the option to disable it completely from the WAN side (as in your firmware:)).

*** EDIT: Perhaps I should have said "your router should be secure from being hacked via the FTP server". This of course assumes that you don't have any other services exposed to the WAN that use the same user names and passwords as the FTP server :eek:.
 
It depends on what you mean by "secure". That was the distinction I was making in posts #2 and #4. It's secure provided you don't use it :D, or you're using it for hosting information you accept could be accessible by anybody. Still, it's far more preferable to have the option to disable it completely from the WAN side (as in your firmware:)).
So, in the official firmware, there is no way to make the firewall's rules persistent?
It could be interesting if the router is, like the GT-AC5300, not supported by Merlin's firmware.
 
*** EDIT: Perhaps I should have said "your router should be secure from being hacked via the FTP server". This of course assumes that you don't have any other services exposed to the WAN that use the same user names and passwords as the FTP server :eek:.

Considering that the vsftpd version used by Asus is many years old, I wouldn't fully trust it not to be exploitable either.
 
Considering that the vsftpd version used by Asus is many years old, I wouldn't fully trust it not to be exploitable either.
True. Although I don't recall seeing any vulnerabilities reported with any of the versions. But it's a shame they don't use the current version.
 
True. Although I don't recall seeing any vulnerabilities reported with any of the versions. But it's a shame they don't use the current version.
In fact the actual version used by Asus has a CVE score of 4.0 (vulnerable to DoS).
It seems to be the "only" known vulnerability.
in my case i don't use the "root" login for ftp, this is the only service exposed to wan, and i don't use external access from wan to ftp.
 
you're right, i used it with pleasure on my rt-ac86u but i think that the Asus GT-AC5300 has no Merlin firmware so i have to make some choices :)

Go with Entware, and install a more up-to-date FTP server.
 