FONC
FTP Over Normal Connections
Why?
FTP is old as dirt, and as a result there is a plethora of clients and
servers written for it. However, FTP was written in a time when security
was not considered the way it is now. One of the best and easiest
ways to secure a connection between a server and a client is an SSH
tunnel. However, because of the way FTP handles its data connections
(a separate connection is negotiated for each transfer), a simple SSH
tunnel of the control port alone will not work. FONC normalizes the
connections so that a simple SSH tunnel can secure both the control AND
the data transfers, in passive AND active modes.
* The other why *
I may get flames from people saying you can do this with X, Y and Z just
as easily. However, after an hour on Google, I decided I had myself a nice
project to exercise my Java. Furthermore, I wanted to give
SourceForge a whirl around the block.
So, I hope others may find it useful, and even contribute if there happens
to be a bug or two ;)
How?
Simple user's guide:
The following assumes that you have an SSH server and an FTP server on
machine A, and that you have root permissions to set up FONC on that
machine. Machine A must also have Java 1.4 or greater. Machine B
must be able to connect to the SSH server running on machine A
(if you're using FONC then the SSH port may be the only port open
on A, for security!). To do this machine B needs an SSH client.
Most Linux machines come with OpenSSH already installed.
PuTTY works well for Windoze. Machine B must also have an FTP
client (most do, even Windoze!) and Java 1.4 or greater.
Download the latest FONC release zip file, and unzip it. Run the following
on machine A:
java -jar server.jar
(Note: init scripts can be set up so that the FONC server is started on boot.)
Run this on machine B:
java -jar client.jar
Now a tunnel from B to A must be established. There are two ports that
must be forwarded: 3020 (data) and 3021 (control).
On *nix using ssh:
ssh -L3020:127.0.0.1:3020 -L3021:127.0.0.1:3021 uid@A
or with PuTTY:
putty.exe -L 3020:127.0.0.1:3020 -L 3021:127.0.0.1:3021 uid@A
Note: uid must be a valid user on machine A.
Using your favorite FTP client, connect to 127.0.0.1 (port 21 by default)
and log in with a valid user id for machine A, and FTP away!!
Advanced user's guide:
Both the FONC server and client accept a configuration file:
java -jar client.jar fonc.conf
java -jar server.jar fonc.conf
If the file does not exist yet, it will be written with default values.
It can be edited for subsequent runs.
By passing a second command-line argument, a log file of the control
messages can be generated:
java -jar client.jar fonc.conf fonc.log
Client Configuration Options:
# The IP of the FONC server. This defaults to localhost because
# it is assumed that an SSH tunnel forwards to the remote
# FONC server.
FONCServerIP=127.0.0.1
# The data port of the FONC server.
FONCServerDataPort=3020
# The IP FONC announces (in the comma-separated PORT/PASV form) when it
# rewrites a data address to point at itself.
PortCommandIP=127,0,0,1
# For active connections this is the IP FONC
# should connect to. We assume the same machine.
FTPClientIP=127.0.0.1
# The IP FONC announces (dotted form) when rewriting the extended
# EPRT form of the PORT command.
EPortCommandIP=127.0.0.1
# The port the FONC client should listen on for
# FTP client connections.
FTPEmulatorServerPort=21
# The FONC control port.
FONCServerControlPort=3021
Server Configuration Options:
# The FONC data port.
DataPort=3020
# The IP FONC announces (in the comma-separated PORT/PASV form) when it
# rewrites a data address to point at itself.
PortCommandIP=127,0,0,1
# The IP FONC announces (dotted form) when rewriting the extended
# EPRT form of the PORT command.
EPortCommandIP=127.0.0.1
# The IP of the FTP server.
FTPServerIP=127.0.0.1
# The FONC control port.
ControlPort=3021
# The FTP server port.
FTPServerPort=21
How does it work?
The FONC server acts like a local FTP client to the FTP server. The
FONC client acts like a local FTP server for the FTP client. Both
client and server can connect to ports opened by their FTP counterpart
and open ports for the FTP counterpart to connect to. FONC knows when
to open a port and when to connect to a port by capturing PORT and
PASV commands (including the extended EPRT/EPSV versions) on the control
connection. It then rewrites the command or reply so that the FTP
counterpart connects to FONC instead of to the original address.
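The rewriting step described above, as an added example in Python (this is not the FONC project's Java code). It assumes constructed sample control lines, and that fonc_ip stands for the configured PortCommandIP/EPortCommandIP and fonc_port for the listener FONC opened for the transfer; it also handles the extended EPRT form, which the text mentions only in passing.

```python
import re

# Constructed sample control-connection lines (not captured from FONC):
PORT_CMD = "PORT 10,0,0,5,19,136\r\n"                             # FTP client listens on 10.0.0.5:5000
PASV_REPLY = "227 Entering Passive Mode (192,168,1,9,39,16).\r\n"  # FTP server listens on 192.168.1.9:10000
EPRT_CMD = "EPRT |1|10.0.0.5|5001|\r\n"                           # extended (RFC 2428) form of PORT

def decode_hostport(field):
    """Decode the h1,h2,h3,h4,p1,p2 field carried by PORT and 227 replies."""
    parts = [int(p) for p in field.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host-port field: %r" % field)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]

def encode_hostport(ip, port):
    """Encode an IPv4 address and port in the comma form PortCommandIP uses."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def rewrite_control_line(line, fonc_ip, fonc_port):
    """Intercept a data-connection announcement on the control channel.

    fonc_ip is the address FONC announces (PortCommandIP/EPortCommandIP)
    and fonc_port the listener it opened for this transfer.  Returns
    (rewritten_line, target): target is the (ip, port) that FONC itself
    must connect to, and rewritten_line makes the FTP counterpart connect
    to FONC instead.  Other lines pass through unchanged with target None.
    """
    m = re.fullmatch(r"PORT ([\d,]+)\r\n", line, re.IGNORECASE)
    if m:  # active mode: FTP client -> server
        return "PORT %s\r\n" % encode_hostport(fonc_ip, fonc_port), decode_hostport(m.group(1))
    m = re.fullmatch(r"EPRT \|1\|([\d.]+)\|(\d+)\|\r\n", line, re.IGNORECASE)
    if m:  # extended active mode (IPv4 only, protocol number 1)
        return "EPRT |1|%s|%d|\r\n" % (fonc_ip, fonc_port), (m.group(1), int(m.group(2)))
    m = re.fullmatch(r"227 ([^(]*)\(([\d,]+)\)(\.?)\r\n", line)
    if m:  # passive mode: FTP server -> client reply
        new = "227 %s(%s)%s\r\n" % (m.group(1), encode_hostport(fonc_ip, fonc_port), m.group(3))
        return new, decode_hostport(m.group(2))
    return line, None

if __name__ == "__main__":
    for sample in (PORT_CMD, EPRT_CMD, PASV_REPLY, "USER bob\r\n"):
        rewritten, target = rewrite_control_line(sample, "127.0.0.1", 3020)
        print("%-45r -> %-40r FONC connects to %s" % (sample, rewritten, target))
```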
The FONC client always connects to the FONC server on constant ports
(3020 for data and 3021 for control, by default). Upon initial
connection the client sends a random number down both connections,
and the FONC server associates the matching pair by that number.
This allows multiple FONC connections to the FONC server: the
client makes a new connection to the server every time a new FTP client
connects. When either the FTP server or the FTP client closes its data
connection to FONC, FONC sends a CLOSE command to the other side. Once
the CLOSE command's criterion has been met (the number of bytes passed on
the data port), the data connection on the far side is closed too. The
data connection between the FONC client and the FONC server is NOT
closed when the FTP data connections are; it only closes when the session
does.