CISE Help & Resources
Using Port Forwarding to Secure FTP
Port Forwarding is a technique which can be used to take an insecure protocol and make it secure. As an example, we'll secure the FTP protocol, but almost any insecure protocol can be similarly secured.
FTP is a simple file transfer protocol that, while very popular and useful, is vulnerable to sniffer attacks. FTP requires that you log in using a username and password, and both are sent over the network in plain text. In other words, any host along the way can peek at the packets and extract the username and password from them. Not only is it possible to do this, but it is quite easy: numerous tools exist for watching packets on the net, which make this a fairly trivial task.
Fortunately, it is possible to use Port Forwarding to help secure FTP and other protocols. When you log in with SSH, you can specify that you want to create a secure channel from your machine to the remote machine for a particular service such as FTP or HTTP.
The general idea behind creating a secure channel is to choose a local port and have it forward data over an encrypted channel to the server, where it is decrypted and passed to the application in question.
Here's a simple diagram of a normal ftp session:

Here, the FTP client connects directly to the FTPD port on the server as normal. In an ssh-secured (using port 5555) session:

the FTP client connects to a local temporary port (5555 in this example), which connects to the SSHD port on the server. The 5555-to-SSHD connection is a special function of the SSH protocol which allows SSH to act as a proxy for some other protocol. Whatever goes across this connection is encrypted on the client side and then decrypted on the server side. The decrypted information is then given to the FTPD port. In this way, a service (such as FTP) which is not normally secure can be made secure by using an SSH proxy. All information (including username and password information) is sent over the net encrypted.
To make use of this, two things have to be done:
- An SSH link needs to be established between the local host and the remote host. SSH has to be told what remote port to use, and that the connection will serve as a proxy for the FTPD port on the remote host.
- The client software (FTP) needs to connect to the local SSH port instead of the FTPD port on the server.
Below is an example of how to do this with TTSSH (a similar thing can be done with PuTTY) and WS_FTP for Windows. More details on the mechanics of creating a secure channel can be found at the CISE SSH Help Page.
Setting up a Secure FTP Session using ttssh and WS_FTP
First, run ttssh normally. You will get the initial screen that looks like this:

Click Cancel, and go to the Setup Menu and select SSH Forwarding.

Which pops up the following dialog box:

Select Add, resulting in another dialog box:

At this point, you want to do the following things:
- Select a random local port, preferably between 2000 and 65000, for forwarding to the remote machine.
- Enter the name of the remote machine to which you wish to FTP. You must be able to log into this machine using SSH!
- Select the port on which the remote service runs. For FTP, this is port 21.
- Click OK.
Now, open a new connection:

And log into the host you specified like so:

Once you get the remote shell, you're set. Now here's how you set up WS_FTP to take advantage of the new encrypted channel. Instructions for getting and installing WS_FTP are here.
First start up WS_FTP, click Connect, go to the Advanced Menu, and enter as the Remote Port the same port you selected for local forwarding (the "Remote" machine in this case is actually your PC). Also, be sure to select "Passive transfers", or the session will fail:

Next, go to the General Menu and enter the hostname as localhost and your login name as the User ID, then click Connect.

You will then be prompted for a password. Notice at the bottom that although you FTP'd to a port on your local machine, you're connecting to the remote host:

And voila, you're in over an encrypted channel:
