DD-WRT:ProFTPd Server

Using the ProFTPd Server
DD-WRT, by default on either mini-usb or MEGA builds, includes an FTP daemon known as ProFTPd. While it does not allow for very many configurable options via the DD-WRT Web-GUI, there are some good things to know before you go hosting the contents of a drive to either the LAN or the outside WAN.

Of the few configurable options, the one that is most important is setting the permission parameters. By default the "Allow Write" is disabled. If you wish to upload information, media, etc. from either your home LAN, or a remote location, then you must enable this. The next step is to set the users and passwords into the available box below. It is wise to note that when this is done, your "root" username for super-user should be placed on the first line, followed by other user-names and passwords. The format is as following:

root P@ssw0rd guest P@ssw0rd username P@ssw0rd

...and so on.

To allow for WAN access, it is wise to set up an account for a Dynamic DNS server. Once you have done this, it is time to discuss the other options.

Allowing WAN FTP Access
By default, port 21 (FTP protocol) is blocked by DD-WRT's firewall. To allow this service through the firewall, you must add some Iptables commands to your Web-GUI shell box under Administration -> Commands.

By opening port 21 to the world, there is always going to be an inherent risk of an attacker probing the open port, and then attempting to crack your password. This risk however can be thwarted by setting strong passwords (more than 8 characters, with random characters, i.e !@#$%^&* ) and by adding some clever commands via Iptables. Lets discuss them and show what they do.

When inserting Iptables rules, it is important to remember that the bottom line, or rule, is the first to be executed. The top line is the last.

A basic command for allowing WAN FTP access is as follows:

iptables -I INPUT 1 -p tcp --dport 21 -j logaccept

The above command dictates that TCP Port 21 will be allowed through the INPUT (Internet) chain and will Log all activity to the routers Kernel.

This command, however, is not very secure as anyone with a port scanner and a password generator can attempt to "guess" your user-name(s) and password(s). The following rules will provide a much safer alternative:

wanf=`nvram get wan_iface` iptables -I INPUT 2 -i $wanf -p tcp --dport 21 -j logdrop iptables -I INPUT 2 -i $wanf -p tcp -m state --state NEW --dport 21 -m limit --limit 3/minute --limit-burst 2 -j logaccept

The above commands are much more effective as the --limit and --limit-burst parameters have been added. The example dictates that if a remote user/attacker attempts to hack your FTP server, they will only get 2 attempts (--limit-burst 2) to connect before the Kernel logs those two packets, after which the 3 per minute syntax is implemented, meaning only 3 attempts at "guessing" your user-name(s) and password(s) will be allowed every minute. If they fail 3 times, the firewall will temporarily "Ban" their IP for 1 minute. This renders most password bots useless, however there are some pretty determined hackers out there that can discover this and adapt their software to match the limit rule. You can change the --limit rule to either Seconds, Minutes, Hours, or Days. The --limit burst value may also be changed.

Allow Anonymous Access
If you wish to share the contents of your FTP with anyone in the world without them having to know your user name and password, and in a Read-Only format, then you must enable this option. You also must specify a location (or Folder) on the drive that contains the information you wish to share. It must be specified using a forward slash ( / ) followed by the location (i.e /Public). By allowing anonymous access to your IP address, or domain name that you set up with Dynamic DNS, the inherent security risk will be more evident, so choose wisely!