
I'm running an OS X Server with the following services turned on: Web, MySQL, DNS, AFP, Firewall. I'd like to also start FTP, and I did this, but I can't seem to make it work properly. I'm sure there is a way, but I can't find a way to make it work for me.

What I've done so far:
- activated the FTP service
- opened ports 20-21 in the Firewall
- forwarded ports 20-21 from the router to the Server

I use Coda to connect to my FTPs (as I do a lot of web development). When I type in this server's address + credentials, it tries to connect for about 2-3 minutes before actually succeeding, and when it does it lists the following directories: "Public" (with a shortcut icon), "Users" (with a shortcut icon) and a file named "???" which it tries to open right away. Doing [cmd + k] in Finder also results in a 2-3 minute wait.

Also, I have no idea where to create new users for the FTP (just for the FTP) and how to give them permissions to specific directories (without useless ones like "Users" or "Public").

I've come to the conclusion that the built-in FTP server might not be the best option for me, but I have no idea what I should try. Using a separate app is not the ideal scenario for me as I'm trying to avoid keeping extra apps open on my server.

3 Answers


I would recommend using SFTP (SSH File Transfer Protocol). FTP is a very insecure protocol. Coda supports SFTP, and if you have SSH set up, you already have SFTP set up in most cases.

Dan McClain

I'll add my votes to everyone else's to use something better than FTP. In addition to its security problems (plaintext passwords!), it has a lot of trouble with firewalls and network address translating (NAT) routers. In general, active-mode FTP will work with NAT and/or firewalls on the server end, and passive-mode FTP will work with NAT and/or firewalls on the client side, and if you have NAT and/or firewalls on both ends (very common these days) FTP probably won't work in any mode.

Actually, that's a bit of an overstatement, since some NAT routers are smart enough to rewrite FTP connections on the fly to avoid problems (naturally, this feature tends not to be documented anywhere, so you can't tell if your router does without trying it), and it's usually possible to jigger a server-side packet-filtering firewall to keep it from causing trouble...

To rig the server firewall, see Apple's KB #HT4000 for instructions to set the server's passive port range and set the firewall to let those ports through (note: the suggested port range is rather large. It's entirely reasonable to use a smaller range, just as long as the FTP service and firewall are configured for the same range).

If your router doesn't support FTP rewriting, you might be able to fake it with some additional configuration: configure your router to port-forward the entire passive port range to the server (you'll definitely want to use a smaller port range if you're doing this). Then figure out your public IP address (the address on the WAN side of your router) and the range of addresses on your internal network (in CIDR notation), and add appropriate "passive address" directives to /Library/FTPServer/Configuration/ftpaccess. For instance, if your router's public IP was 203.0.113.117, the internal range was 192.168.1.0/24, and the server's internal address was 192.168.1.10, it'd look like this:

passive address 192.168.1.10 192.168.1.0/24
passive address 203.0.113.117 0.0.0.0/0

Finally, if you want to allow uploads to the FTP server, you'll need to add "upload" directives for the folders you want to allow uploads to (by default, they're only allowed to /Library/FTPServer/FTPRoot/uploads, which doesn't exist unless you create it).

BTW, while the implementation details (e.g. ftpaccess directives) above are specific to the wuftpd server Apple uses, the NAT and firewall issues (and possible solutions) are going to be the same for any other FTP server you might want to use. Basically, the FTP protocol itself is not designed to work with modern network setups, and there's not much the implementation can do to fix/mitigate this.

Gordon Davisson

FTP is definitely a service which you don't want to run. If you really need it, install ProFTPd instead of the built-in wuftpd service. It allows you to have accounts separate from the other OS X services, virtual hosts, etc.

BobC