17 Jun 2011

FTP access for Windows instances on AWS EC2

The Amazon AWS platform is firewalled using their superbly simple 'Security Group' method, so an instance is closed to the world by default. That is an obvious advantage, but it can catch you out if you're not on top of the technology.
One of the more common stumbling blocks, and an obvious show stopper for any web server, is FTP access for Microsoft-based instances (Server 2003 and/or Server 2008). On a regular VPS it's a simple procedure to install a third-party FTP server (e.g. FileZilla Server or Cerberus) and configure secure access for uploading website files and data; the forums, however, are full of queries from tired sysadmins scratching their heads, wondering why they're apparently connected but can't get a folder listing from their EC2 instance. In this post I'll show you how to get things hooked up.

FTP has two connection modes, Active and Passive (SFTP, which runs over SSH rather than FTP, is a different animal and is not covered here). Both modes use port 21, the 'Command' port, for logging in and sending commands such as LIST; directory listings and file transfers travel over a separate 'Data' connection, and that is where the modes differ. In Active mode the server opens the data connection back to the client from port 20, which rarely survives a firewall or NAT on the client's side. In Passive mode, the usual choice for clients behind a firewall, the server listens on a port of its own choosing above 1023 (an unprivileged, 'ephemeral' port; the privileged ones are below 1024) and tells the client where to connect. This explains the classic symptom: the client logs in fine on port 21, which is open, then hangs on the folder listing because the passive data port is blocked. If the whole passive range isn't allowed in the AWS security group you won't get a working connection, and this is why there is no pre-set 'FTP' entry in the security group list. Settings are flexible, and for security reasons it's expected you'll configure your own specifics.
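As an added example (not from the original post), here is a small Python diagnostic that does what an FTP client does behind the scenes: it parses the server's 227 reply to PASV into a host and port, checks that the port falls inside the range you expect, and, in probe_passive, logs in on port 21, asks for PASV and tries to reach the data port, so you can see which leg fails. The host, credentials and the 11000-12000 range are assumptions for illustration; the sample 227 line is constructed.

```python
import re
import socket

# Constructed sample reply, as an FTP server answers PASV when its passive
# range is 11000-12000: the port is encoded as p1*256 + p2, here 42*256+248.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,42,248)."

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 reply to PASV."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_in_range(port, low=11000, high=12000):
    """True if the server chose a data port inside the range that the
    security group and host firewall were opened for (assumed 11000-12000)."""
    return low <= port <= high


def read_reply(f):
    """Read one FTP reply, coping with multi-line replies ('220-...' lines
    up to the final '220 ...' line)."""
    lines = []
    while True:
        line = f.readline().decode("latin-1")
        if not line:
            raise ConnectionError("control connection closed by server")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return "\n".join(lines)


def send(ctrl, f, command):
    """Send one command on the control connection and return its reply."""
    ctrl.sendall((command + "\r\n").encode("latin-1"))
    return read_reply(f)


def probe_passive(host, user, password, low=11000, high=12000, timeout=5.0):
    """Log in on port 21, ask for PASV and try to open the data port.
    The returned dict shows which leg succeeded: 'login' proves the command
    port is reachable, 'data_ok' proves the passive port is too."""
    result = {"login": False, "pasv_port": None, "in_range": False, "data_ok": False}
    with socket.create_connection((host, 21), timeout=timeout) as ctrl:
        f = ctrl.makefile("rb")
        read_reply(f)                                     # welcome banner
        reply = send(ctrl, f, "USER " + user)
        if reply.startswith("331"):                        # password required
            reply = send(ctrl, f, "PASS " + password)
        if not reply.startswith("230"):
            return result
        result["login"] = True
        _advertised, data_port = parse_pasv_reply(send(ctrl, f, "PASV"))
        result["pasv_port"] = data_port
        result["in_range"] = port_in_range(data_port, low, high)
        # Connect to the host we dialled rather than the address in the reply:
        # behind EC2's NAT a server that has not been told its public address
        # advertises its private one, which is unreachable from outside.
        try:
            with socket.create_connection((host, data_port), timeout=timeout):
                result["data_ok"] = True
        except OSError:
            pass
        send(ctrl, f, "QUIT")
    return result
```

Run it from the machine you actually upload from, since the security group rules are keyed to the source address. If `login` is true but `data_ok` is false, port 21 is open and the passive range is not, or the server picked a port outside the range you opened, which `in_range` will show.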

In our example below, using the Cerberus FTP server, we've chosen 11000 to 12000 as the passive port range, which is quite broad. Any range above 1023 would suffice; 1025-1125, for example, would be adequate for a small site, since each data connection in progress occupies one port from the range only for its duration. Whatever you pick, the range configured in the FTP server is the one that has to be opened everywhere else.

Next, match the chosen port range in your AWS security group. Below is an example rule set for a basic web server configured for Passive FTP using the specified range. Note also RDP (port 3389, Remote Desktop) and HTTP (port 80, web access). You can (and should) lock down the FTP rules, port 21 and the passive range alike, to the IP addresses you upload from; RDP deserves the same treatment, and only HTTP needs to be open to the world.
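To confirm the security group side, here is an added Python check (not part of the original post) run over a constructed sample in the shape of the modern AWS CLI's `aws ec2 describe-security-groups` output; the group id, the 203.0.113.0/24 office range and the 11000-12000 passive range are assumptions. It lists the FTP ports that a given upload address cannot reach through the group (the sample has a deliberate off-by-one in the passive rule), and the ports the group exposes to the whole internet, which should never include the FTP ports.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (hypothetical group id and addresses): HTTP open to everyone, RDP
# and FTP restricted to the office range. The passive rule has a deliberate
# off-by-one: it ends at 11999 where the server is configured for 12000.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 11000, "ToPort": 11999,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

WORLD = ipaddress.ip_network("0.0.0.0/0")


def ftp_ports(passive_low=11000, passive_high=12000):
    """Every TCP port a passive-mode client needs: 21 plus the data range."""
    return [21] + list(range(passive_low, passive_high + 1))


def _tcp_port_range(perm):
    """(from, to) covered by one IpPermissions entry, or None if not TCP.
    Protocol '-1' means all traffic and carries no port fields."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto == "tcp":
        return (perm["FromPort"], perm["ToPort"])
    return None


def _ranges_matching(group, predicate):
    """Port ranges from entries that have an IPv4 CIDR satisfying
    `predicate` (IPv6 ranges and security-group references are ignored)."""
    ranges = []
    for perm in group["IpPermissions"]:
        r = _tcp_port_range(perm)
        if r is None:
            continue
        cidrs = [ipaddress.ip_network(x["CidrIp"], strict=False)
                 for x in perm.get("IpRanges", [])]
        if any(predicate(c) for c in cidrs):
            ranges.append(r)
    return ranges


def uncovered_ports(group, source_ip, required):
    """Ports in `required` that a client at `source_ip` cannot reach."""
    src = ipaddress.ip_address(source_ip)
    ranges = _ranges_matching(group, lambda c: src in c)
    return [p for p in required if not any(lo <= p <= hi for lo, hi in ranges)]


def world_open_ports(group, required):
    """Ports in `required` that the group exposes to 0.0.0.0/0."""
    ranges = _ranges_matching(group, lambda c: c == WORLD)
    return [p for p in required if any(lo <= p <= hi for lo, hi in ranges)]


if __name__ == "__main__":
    need = ftp_ports()
    print("missing for 203.0.113.10:", uncovered_ports(SAMPLE_GROUP, "203.0.113.10", need))
    print("missing for 198.51.100.7:", uncovered_ports(SAMPLE_GROUP, "198.51.100.7", need))
    print("open to the world:", world_open_ports(SAMPLE_GROUP, need + [80]))
```

With real data, feed the `SecurityGroups[0]` object from the CLI's JSON output in place of the sample; an empty list from `uncovered_ports` for your upload address, and no FTP ports from `world_open_ports`, is what you want to see.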

And you would think that was it? Well, not quite, depending on how you have the Windows firewall configured: the same ports need opening there too. The basic Windows Firewall control panel only lets you add one port per exception, which is Windows being its typically annoying self, but there are two ways round it. On Server 2008 the Windows Firewall with Advanced Security snap-in accepts a range such as 11000-12000 in a single inbound rule; on any version you can script the exceptions one at a time from the CLI (otherwise known as the DOS prompt for those of us of a certain age), which is what we do below.

Here's the command line to open the port range used in this example. Mind the upper/lower case and the spacing: the FOR loop variable is case-sensitive and is written %I (doubled to %%I if you put this in a batch file), and each exception needs its own name, so the port number is appended to it -

FOR /L %I IN (11000,1,12000) DO netsh firewall add portopening TCP %I "Passive FTP %I"

If you have a large range of ports it will take some time, as each port is added as a separate exception (the 1001 ports in this example become 1001 firewall entries). When it's finished you should be good to go.

Cirronix develop and support dynamic EC2 server platforms across both Microsoft and Linux. If you would like to find out more about the great range of services on offer from AWS why not give us a call.
