Glub Tech Secure FTP Wrapper v3.0

What is Secure FTP Wrapper?
===========================

Secure FTP Wrapper acts as a secure proxy between a Secure FTP client and a generic FTP server. Simply put, it makes your existing FTP server SSL savvy. The wrapper is both RFC 2228 and RFC 4217 compliant and offers both types of SSL connection: explicit (the client connects in the clear and upgrades the connection with AUTH TLS) and implicit (the connection is encrypted from the first byte), which means more client compatibility. And since the wrapper is written in Java, it runs on almost any platform.

Requirements
============

1. An existing FTP server.
2. Java 2 Runtime, version 1.4+

Setup:
======

Setup is rather easy, just a few questions and you're on your way. Find the script named "setup.bat" or "setup.sh" (depending on your system), and run it. You will be presented with the following options:

0. Display server information
1. Create a new server
2. Edit an existing server
3. Delete an existing server
4. Manage SSL certificates
5. Exit

Option "0" will print out the current configuration(s) of the wrapper. If you have only one configuration it will display it; otherwise you will need to select the configuration you wish to view.

Option "1" will allow you to create a new configuration. Following this path you will be presented with the following prompts:

Enter the server's name [hostname|IP]:

You can keep the default by hitting Enter. This value is nothing more than a name for your configuration; it can be anything.

Enter the licensing code []:

You must enter a valid license code, which should have been emailed to you. If you haven't received this code, check your spam folder to make sure it hasn't been incorrectly filtered there.

If your license is a site license you will be asked for the wrapper's IP address at this point; otherwise the wrapper's IP is set within the license. Next you will be asked:

Enter the IP address of the FTP server [Default IP Address]:

Enter the IP address of your FTP server. Ideally the wrapper will be placed on the same machine as the server. Hit Enter for the default option.
- Enter the FTP server's port [21]:

Normally an FTP server listens on port 21. If you intend to enable only implicit connections, you can leave this setting alone. But if you want to enable explicit connections, we recommend you move your FTP server to a non-standard, unused port (e.g. port 24), because the wrapper's explicit listener will normally take port 21 for itself. Read the documentation for your FTP server to determine how to do this.

Do you want to enable implicit SSL support? [y]:

By default this option is enabled. Implicit mode is not specified by RFC 2228 or RFC 4217, but it allows for more client support and it is less intrusive to set up in your current environment: the wrapper listens on its own port and nothing on the existing FTP server has to move.

- Enter the port to run on [990]:

By default implicit FTP is designated to run on port 990. Unless you have a specific reason, we recommend you stay with this option.

Do you want to enable explicit SSL support? [n]:

By default this option is disabled. If you decide to enable explicit SSL support, make sure the port is different from the FTP server's port (if on the same machine), or move the wrapper onto a different machine/IP address from the FTP server. Just make sure the port chosen is unused. If you choose "y", you will see:

- Enter the port to run on [21]:

By default we set this to port 21 (the standard port for FTP) to make it easier for your clients: they connect as they always have and issue AUTH TLS to upgrade. Default options are usually best for your customers.

If you are not using a Personal license, you will be prompted for:

Are you behind a firewall? [n]:

If your wrapper is behind a firewall (or NAT), say "y".

- Enter the public facing IP address of the FTP server:

This should be the publicly facing IP address, that is, the IP address your customers will connect to.

Do you want to set a range of ports for data connections? [y]:

Most likely you will want to set a range of ports for passive data connections. This lets you open a matching range in your firewall to allow data connections into the wrapper/server. We recommend setting aside a range of at least 50 ports for low volume servers.
Ideally upwards of 500 ports should be set aside. Every new data connection uses a new port, and a data connection is one uploaded/downloaded file or one directory listing. After approximately two minutes the port should be free for reuse, so the range must cover the number of transfers you expect in any two-minute window.

- Enter the starting port [0]:
- Enter the ending port [0]:

Find a range of ports that is available on this machine, say 3000-3500.

Always encrypt control/command channel during login? [y]:

This option is only valid if explicit SSL is enabled. Implicit SSL connections start encrypted; explicit SSL connections start in the clear and become encrypted once the client issues AUTH TLS. Setting this to "n" allows clients to log in before encrypting, leaving the chance for a password to be seen on the wire, but it allows complete backwards compatibility with clients that do not support SSL. We recommend you set this to "y". This is not an option for the Personal license (it is forced to "y").

Encrypt data channel? [y|n|a] [y]:

This option has 3 possibilities. "y" lets the client determine whether the data transferred will be encrypted or in the clear (the PROT P / PROT C choice of RFC 4217), "n" forces the data to be in the clear, and "a" forces the data transferred to always be encrypted. We recommend "y", to let the client decide when the data is encrypted; most clients encrypt the data by default. This is not an option for the Personal license (it is forced to "y").

Set advanced options? [n]:

This option is available to all except the Personal license.

Prevent passive port theft? [y]:

Port theft is when the control connection comes from one IP address and the data connection comes from a different IP address. With this set to "y", a passive data connection is only accepted from the address the control connection came from. We recommend you set this to "y" (a forced option for the Personal license). Note that a client whose outbound traffic leaves through more than one address (some proxies and load-balanced NAT gateways) will fail its transfers with this check on.

Do you want to filter connections? [n]:

This option allows you to set ACLs for connections. If you want to control who can and cannot connect to your server, enter "y".

Do you want to specify allowable IPs? [n]:

If you say "y", the IPs listed in the following file will be the only ones allowed to connect; all others will be rejected. If you say "y":

- Enter the 'allow' file location []:

Enter the path to the file in which you will list the allowed IPs. Otherwise you will see:

- Enter the 'deny' file location []:

Same thing goes here, except the IPs listed are the only ones rejected; all others will be allowed to connect.

A note about the format of these files. They are very simple: one IP per line. They are also editable while the program is running; if the program sees a change in the file, the change is picked up automatically without a restart.

Enter a welcome banner [Glub Tech Secure FTP Wrapper]:

By default when a client connects they will be greeted by this message. This value is forced for the Personal license.

Use syslog for logging [n]:

By default logging is not to syslog, but if you want to use syslog, enter "y". If you do you will be prompted with:

- Enter the syslog host:

Enter the server name that will receive your syslog messages.

- Enter the syslog facility:

This should be one of the following: KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, or LOCAL7

If you choose the default and log to a local file, you will be prompted with the following:

Enter the log location [/path/to/logfile.log]:

Enter the location where you want connections to be logged. By default we log very little, just successful and unsuccessful login attempts. There is a way to get more information, but it requires editing the configuration.xml file directly. Search for in the file. The higher the number, the more verbose the information.

This is all that is needed to set up the configuration. Now back to the other options.

Option "2" will allow you to edit an existing configuration.

Option "3" will allow you to delete an existing configuration.
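The explicit-mode options described above (login only after AUTH TLS, the y/n/a data-channel setting, a fixed passive port range recycled after about two minutes, and rejection of "stolen" passive ports) fit together in a small model of the control channel. The following is an added example written for this page, not Glub Tech's code: reply codes follow RFC 959 and RFC 4217 where they define one, the reply texts and the use of 534 for a PROT level the policy forbids are assumptions, and the TLS handshake that follows a 234 reply is represented by a flag rather than performed.

```python
"""Model of an explicit (AUTH TLS) wrapper session and its passive port pool.
Added example, not Glub Tech code; reply texts are assumptions."""
import time


class PassivePool:
    """Hands out passive data ports from start..end and frees a port again
    hold_seconds after it was handed out (the page says about two minutes)."""

    def __init__(self, start, end, hold_seconds=120, clock=time.monotonic):
        if not (0 < start <= end <= 65535):
            raise ValueError("bad passive port range")
        self.ports = range(start, end + 1)
        self.hold = hold_seconds
        self.clock = clock  # injectable so expiry can be tested without waiting
        self.taken = {}  # port -> time it was handed out

    def acquire(self):
        now = self.clock()
        for port in [p for p, t in self.taken.items() if now - t >= self.hold]:
            del self.taken[port]  # hold time elapsed: port may be reused
        for port in self.ports:
            if port not in self.taken:
                self.taken[port] = now
                return port
        return None  # range exhausted until a hold expires


class ExplicitSession:
    """Control-channel state for one client of the explicit listener."""

    def __init__(self, pool, client_ip, public_ip,
                 require_tls_login=True, data_policy="y", prevent_port_theft=True):
        assert data_policy in ("y", "n", "a")  # y: client chooses, n: clear, a: always encrypt
        self.pool, self.client_ip, self.public_ip = pool, client_ip, public_ip
        self.require_tls_login = require_tls_login
        self.data_policy = data_policy
        self.prevent_port_theft = prevent_port_theft
        self.control_encrypted = False  # set by AUTH TLS; the handshake itself is not modelled
        self.pbsz_done = False
        self.prot = "C"  # RFC 4217 default: data channel in the clear until PROT P
        self.user = None
        self.logged_in = False
        self.pasv_port = None

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "AUTH":
            if arg.upper() not in ("TLS", "SSL", "TLS-C", "TLS-P"):
                return "504 Security mechanism not supported"
            self.control_encrypted = True
            return "234 AUTH command OK; starting TLS handshake"
        if verb == "PBSZ":
            if not self.control_encrypted:
                return "503 PBSZ is only valid after AUTH"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            level = arg.upper()
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            if level not in ("C", "P"):
                return "504 Protection level not supported"
            if (self.data_policy == "a" and level == "C") or \
               (self.data_policy == "n" and level == "P"):
                return "534 Requested protection level not allowed by policy"
            self.prot = level
            return "200 Protection level set to " + level
        if verb in ("USER", "PASS"):
            if self.require_tls_login and not self.control_encrypted:
                return "534 Secure the control connection with AUTH TLS before logging in"
            if verb == "USER":
                self.user = arg
                return "331 Password required"
            if self.user is None:
                return "503 Login with USER first"
            self.logged_in = True  # the real credential check is done by the back-end FTP server
            return "230 User logged in"
        if verb == "PASV":
            if not self.logged_in:
                return "530 Please login with USER and PASS"
            port = self.pool.acquire()
            if port is None:
                return "425 No passive port available; try again later"
            self.pasv_port = port
            return "227 Entering Passive Mode (%s,%d,%d)" % (
                self.public_ip.replace(".", ","), port >> 8, port & 0xFF)
        return "502 Command not implemented"

    def accept_data_connection(self, peer_ip):
        """Decide whether a TCP connection arriving on the advertised passive port is allowed."""
        if self.pasv_port is None:
            return False
        if self.prevent_port_theft and peer_ip != self.client_ip:
            return False  # port theft: data connection from a different address
        return True


def parse_pasv(reply):
    """Extract (ip, port) from a 227 reply such as command() returns for PASV."""
    inside = reply[reply.index("(") + 1:reply.index(")")]
    h1, h2, h3, h4, p1, p2 = (int(x) for x in inside.split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
```

With require_tls_login=False the session accepts USER and PASS on the unencrypted connection, which is exactly the plaintext-password exposure the "Always encrypt control/command channel during login?" question warns about; the default keeps login behind AUTH TLS. The addresses in the test below are RFC 5737 documentation addresses chosen for the example.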
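The allow/deny files are one IP per line and are re-read when they change. The page does not say how the wrapper detects a change; the example below, added for this page and not Glub Tech's code, assumes polling the file's modification time, treats a missing file as an empty list, tolerates blank lines and "#" comments (also an assumption; the page only promises one IP per line), and rejects a line that is not an IP address rather than silently ignoring it, since a typo in an allow list is a lock-out and in a deny list a hole. The sample addresses are RFC 5737 documentation addresses constructed for the example.

```python
"""Allow/deny list with automatic reload on file change.
Added example, not Glub Tech code; the reload mechanism is an assumption."""
import ipaddress
import os


class IpListFilter:
    def __init__(self, path, mode):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.path = path
        self.mode = mode
        self._mtime = None
        self._entries = set()
        self._reload_if_changed()

    def _reload_if_changed(self):
        """Re-parse the file only when its mtime differs from the last parse."""
        try:
            mtime = os.stat(self.path).st_mtime_ns
        except FileNotFoundError:
            mtime, lines = None, []  # assumption: missing file means an empty list
        else:
            if mtime == self._mtime:
                return
            with open(self.path, encoding="ascii") as f:
                lines = f.read().splitlines()
        entries = set()
        for number, raw in enumerate(lines, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            try:
                entries.add(ipaddress.ip_address(line))
            except ValueError:
                raise ValueError("%s:%d: not an IP address: %r" % (self.path, number, line))
        self._mtime, self._entries = mtime, entries

    def permits(self, ip):
        """True if a client at ip may connect under this list's mode."""
        self._reload_if_changed()
        listed = ipaddress.ip_address(ip) in self._entries
        return listed if self.mode == "allow" else not listed


def demo():
    """Write a constructed allow file, change it, and show the change takes effect."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "allow.txt")
    with open(path, "w") as f:
        f.write("# constructed sample list\n192.0.2.10\n198.51.100.7\n")
    acl = IpListFilter(path, "allow")
    before = (acl.permits("192.0.2.10"), acl.permits("203.0.113.5"))
    with open(path, "w") as f:
        f.write("203.0.113.5\n")
    st = os.stat(path)  # bump mtime explicitly: two writes can share a timestamp
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 10 ** 9))
    after = (acl.permits("192.0.2.10"), acl.permits("203.0.113.5"))
    deny = IpListFilter(path, "deny")  # same file read as a deny list
    return before, after, deny.permits("203.0.113.5"), deny.permits("192.0.2.10")
```

Note that an allow list is evaluated per connection, not per login, so a client not on it never reaches the banner; the deny list is the weaker control because everything not listed is let through.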
Option "4" will allow you to configure the server-side SSL certificate. If you add a new configuration and do not choose to manage the SSL certificates, an automatically generated (self-signed) certificate will be created for you; clients will warn about it because it is not issued by a CA they trust. Otherwise you will be prompted with these options:

Do you want to generate a certificate? [y]:

If you choose "y", you will be prompted to enter the following information:

Enter the hostname [profile-name]:

Enter the public facing name of the FTP server/wrapper (mandatory). Use the name your clients connect with, since that is what they check the certificate against.

Enter your company's name []:
Enter your department []:
Enter your city []:
Enter your state []:
Enter your country []:

These are optional, but recommended to be filled in.

Enter number of days cert is valid [1025]:

This specifies how many days the certificate will be valid.

If you choose "n", you will be prompted to enter the following information:

Absolute path to Private key []:

Enter the path to a PEM, PKCS8, or PKCS12 encoded private key.

Absolute path to Public cert []:

Enter the path to a PEM or DER encoded public certificate.

Absolute path to the CA cert []:

If the certificate was signed by a certificate authority, enter the path to the CA's public certificate. If more than one signing certificate is in the chain, enter a space-delimited set of paths of all of the signing certs from lowest in authority to highest: the intermediate that issued your server certificate first, and the root last.

Running the Wrapper:
====================

After the configuration has been created, you can run the wrapper. Find the "ftpswrap.sh" or "ftpswrap.bat" script and run it. On Windows the best way to run the wrapper, however, is from the Services control panel.

If you are running the wrapper on mips-irix, ppc-macosx, x86-macosx, sparc-solaris, x86-solaris, or x86-linux, you have the option to change the owner of the process. On a Unix system (including Mac OS X) the wrapper must start as root to claim ports lower than 1024 (such as 21 and 990).
But you can edit the ftpswrap.sh file and add -Dglub.user=uid -Dglub.group=gid after $JAVA (at the bottom of the file), where uid and gid are the numbers associated with that user/group ("id -u username" and "id -g username" print them); the wrapper then runs as that user once it has claimed its ports. MS Windows does not understand such things and the wrapper will run as whatever user starts it. This option is merely a precaution: in the rare case that the Java runtime is exploited, it limits the damage an attacker could do to what that unprivileged user can reach.

Stopping the Wrapper:
=====================

On Windows we recommend stopping the wrapper from the Services control panel. On the other systems you will have to send the process a "kill" signal.

More Information:
=================

For more information we recommend that you visit our website at: http://wrapper.glub.com