Disable FTP

ChrisMunson · May 19, 2022, 9:52pm

I have one of my Raspberry Shakes in my office at work. I just got an email from our campus IT, who is concerned that it appears to have an open FTP port. Is there a way I can turn off/disable this port, and will that have any adverse effects on the functionality?

Thank you.

Stormchaser · May 20, 2022, 9:12am

Hello Chris,

This is the list of all the ports that the Shake can be related to: Firewall issues? — Instructions on Setting Up Your Raspberry Shake

Could you ask the campus IT to pinpoint which port is the one they have detected? The first four are essential for the unit, so if you close them, it will not work and/or transmit data anymore (depending on which port it is).

PhilipPeake · May 20, 2022, 3:54pm

My guess is that they are running a network security tool which looks for problematic open ports on every machine on their networks. In general, FTP is regarded as “problematic”.

R-Shake is using vsFTP, which, if correctly configured, is much more secure than more traditional FTP servers, but network security generally dislike any FTP servers, and so question any instance of an open port 21.

vsFTPd is running within a docker container, so it’s not obvious how it is configured or what is is used for?

If it’s not essential, it looks like it could be blocked using iptables:

 Chain DOCKER (1 references)
 target     prot opt source               destination         
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10100
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10099
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10098
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10097
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10096
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10095
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10094
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10093
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10092
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10091
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:10090
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:http
 ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:ftp
 ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:18006
 ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:18002
 ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:18000
 ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:16032

BlackDiamond · January 23, 2023, 9:15pm

You may be interested in this similar discussion around what I found for FTP. Securing the Raspberry Shake and reducing the power consumption - #10 by BlackDiamond

It’s always safer to stop using it than to block it. It saves resources. It’s hard to use FTP these days, and it’s better to use scp.