How to set up ClearOS as a FTP site with TLS Security
By default, ClearOS with the FTP Server app from the marketplace is already running in secure mode for FTP over TLS. This guide will help you implement it in that mode. Running FTP with TLS is considered best practice because plain FTP transmits both the content and the username/password over the internet in plain text.
This is called FTP/S in the computer industry and is not to be confused with SFTP.
Make sure that the FTP Server is installed and running. Also, make sure to install the Flexshare app.
Add Firewall Rule. Choose the 'Standard Service' type labeled 'FTPS'. This will open two ports (989 and 990).
In addition to this, you will likely need to add passive FTP ports so that you can connect to the FTP server in a more dynamic way which is more amenable to modern firewalls. This is a service on the Incoming Firewall rules list.
Be sure to remove the default ports 20 and 21 for non-secure FTP if you are trying to enforce secure-only FTP.
Setting up the Flexshare
Go through the normal procedures of setting up a group that will have rights to an FTP Share and a user that is a member of that group. In this demonstration, the user is called 'guestftp' and the group is called 'fs-ftpshare'. Next, create a flexshare share for this group. In the example, I call it ftpshare. Make the group have access to this share.
Your FTP Client
The heavy lifting is configuring your FTP client to work with TLS on port 990. While there are many FTP clients, we will show an example of how to configure FileZilla for use with ClearOS FTP/S. You can apply the logic here to your own client software or simply download FileZilla using the link at the bottom of this howto.
Normally, the fastest way to get connected is the Quickconnect feature. However, this will not work because ClearOS uses a robust structure in order to be able to support private flexshares and home directories. Quickconnect will connect but will fail to list the directories. This is by design. You will need to make a manual connection instead. Click the site manager in the upper left hand corner:
Supply the following information:
- The host IP address or hostname of the server (you can even use ClearOS Dynamic DNS to supply a hostname that will always work).
- Require implicit FTP
- Login Type
In the Advanced section, supply the following:
You will be prompted to accept a certificate. You can tick the checkbox to remember this certificate so that it doesn't prompt you again.
At this point you should be connected and be able to see the contents of your Flexshare.
Troubleshooting FTP Client
Because of the way that FTP works, you should be able to separate whether your problem is happening on the command channel or the data channel.
- Connects and shows the data:
- Connects fails to list the directory contents:
- Fails to connect or list the directory:
Things to check if the connection is failing:
Data Channel Issues
- Test FTP on the inside of the firewall to determine if the problem is firewall or router related
- Make sure that the path to the directory is properly specified in your FTP settings for the default directory path.
- Try opening up passive FTP
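
The command-channel versus data-channel split described above can also be checked from a script. This is an added example, not part of the original howto or of ClearOS: the names `ImplicitFTPS` and `diagnose` and the optional `path` argument are assumptions of the example. Python's `ftplib` only speaks explicit TLS, so the control socket is wrapped in TLS before the banner to match implicit FTP/S on port 990.

```python
import ftplib
import hashlib
import ssl


class ImplicitFTPS(ftplib.FTP_TLS):
    """ftplib's FTP_TLS sends AUTH TLS (explicit mode). Implicit FTP/S on
    port 990 expects TLS first, so wrap the control socket when it is set."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def diagnose(host, user, password, path=None, port=990, timeout=10):
    """Return (stage, detail); stage is 'command', 'data' or 'ok'."""
    # The server certificate is one you accept by hand in the client, so it
    # is not chain-validated here; its SHA-256 fingerprint is reported so it
    # can be compared with the one the client's certificate prompt showed.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftps = ImplicitFTPS(context=ctx, timeout=timeout)
    stage = "command"
    try:
        ftps.connect(host, port)        # TCP connect, TLS handshake, banner
        der = ftps.sock.getpeercert(binary_form=True)
        ftps.login(user, password)
        ftps.prot_p()                   # PBSZ 0 / PROT P: encrypt data channel
        stage = "data"
        if path:
            ftps.cwd(path)              # default directory path of the share
        listing = []
        ftps.retrlines("LIST", listing.append)  # passive mode is the default
    except ftplib.all_errors as exc:
        return stage, f"{type(exc).__name__}: {exc}"
    finally:
        ftps.close()
    digest = hashlib.sha256(der).hexdigest()
    return "ok", f"{len(listing)} entries, cert sha256 {digest}"
```

A result of `command` points at port 990, the TLS handshake or the login; `data` points at the directory path or the passive port range. Run it once from inside the firewall and once from outside to separate firewall or router problems from server ones.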