Akshit Arora

Reputation: 458

Unable to run FTP commands from AWS AMI

I want to connect to an FTP server using PHP to upload the reports generated. As per the remote server, the FTP needs to be in ACTIVE mode.

This is my code:

<?php
ini_set('display_errors', '1');
error_reporting(E_ALL);

// Open the control connection on the standard FTP port
$conn_id = ftp_connect('myftpserver.com', 21);

if ($conn_id)
{
    // login with username and password
    $login_result = ftp_login($conn_id, 'myuser', 'password');

    // Active mode: ftp_pasv() must be called after login; FALSE disables passive mode
    $passive = ftp_pasv($conn_id, FALSE);

    echo "is active?<br/>";
    var_dump($passive);

    echo 'Login Result:';
    var_dump($login_result);

    // The directory listing travels over the data connection, which in active
    // mode the server opens back to this client
    $files_list = ftp_nlist($conn_id, '/MyFolder/');

    echo "<br/>files list ";

    var_dump($files_list);

    ftp_close($conn_id);
}
else
{
    var_dump('Unable to connect to FTP Server');
}

When I am running it from the local machine or a normal shared server, I am able to fetch the list, but I am unable to run the script from my AWS AMI instance. For testing purposes, I have even opened all inbound traffic. Still no luck. Also, the point is that if I try with some other FTP details, I am able to get the response of ftp_nlist. But not for this one. I have tried it on 3 AWS instances so far. All yielded the same result.

All I can say is that the issue is somewhere in my server security group/firewall. But I am unable to figure it out. Please help.

The response I get from the server:

is active
bool(true) 
Login Result:bool(true)
files list bool(false) 

Upvotes: 2

Views: 935

Answers (1)

John Hanley

Reputation: 81454

Using FTP Active Mode is problematic with AWS Security Groups.

For active mode to work, you will have to open all inbound ports above 1023. If your client supports restricting the range, do so. You will also need to open both port 20 and port 21 inbound and outbound.

The problem is that the FTP client selects a port that it will listen on. Then the FTP client informs the FTP Server of this port number. The FTP Server then connects to this port. This goes against normal AWS Security Group design, meaning only specific ports should be open. You can verify this by opening all ports temporarily, testing your FTP client and then closing all the ports.

Active Mode is not secure for the FTP client. Passive Mode is not secure for the FTP server (but the better choice).

NOTE: Rotate your FTP credentials often. Your login and password are sent in the clear and are not encrypted.

FTP is a legacy technology, which is still very popular, that should be stored away in the attic.

Upvotes: 3
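The mechanics the answer describes, as an added example that is not part of the question or the answer: the code below encodes and decodes the h1,h2,h3,h4,p1,p2 address form that FTP's PORT command and the 227 PASV reply use (RFC 959), states which inbound rule the client's security group needs in each mode, and runs a loopback simulation of the active-mode data channel, where the client listens on an ephemeral port and the "server" connects back to it. All addresses, ports and the payload are constructed sample values; the function names are this example's own.

```python
"""Active vs passive FTP data connections and what each asks of the client's firewall."""
from __future__ import annotations

import re
import socket
import threading

# Six decimal fields: four address octets, then the port as high byte, low byte.
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(host: str, port: int) -> str:
    """Build the 'h1,h2,h3,h4,p1,p2' argument used by PORT and by 227 replies."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(text: str) -> tuple[str, int]:
    """Parse a PORT argument or a '227 Entering Passive Mode (...)' reply line."""
    m = _ADDR_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    host = ".".join(str(f) for f in fields[:4])
    return host, (fields[4] << 8) | fields[5]


def client_inbound_rule(mode: str, server_ip: str, client_data_port: int) -> dict:
    """Describe the inbound rule the FTP *client's* security group needs for the data channel.

    Active: the server connects from its port 20 to the port the client advertised,
    so the client must accept inbound TCP on that ephemeral port (1024-65535 unless
    the client can pin a range). Passive: the client connects out, so no inbound
    rule is needed on the client side.
    """
    if mode == "active":
        return {"direction": "inbound", "protocol": "tcp",
                "from": f"{server_ip}/32", "dest_port": client_data_port,
                "note": "ephemeral; without a client-side range restriction this means 1024-65535"}
    if mode == "passive":
        return {"direction": "none", "note": "data connection is outbound from the client"}
    raise ValueError("mode must be 'active' or 'passive'")


def simulate_active_data_channel(payload: bytes) -> tuple[int, bytes]:
    """Loopback model of active mode: client listens, advertises with PORT, server connects.

    Returns (advertised_port, bytes_received_by_client). Everything stays on 127.0.0.1.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # OS picks an ephemeral port, as an FTP client would
    listener.listen(1)
    listener.settimeout(5)
    host, port = listener.getsockname()
    port_cmd = f"PORT {encode_host_port(host, port)}"   # sent on the control channel
    received = bytearray()

    def client_side():
        conn, _ = listener.accept()   # the inbound connection a security group must permit
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    t = threading.Thread(target=client_side)
    t.start()
    # "Server" side: parse the PORT command and open the data connection to the client.
    dest = decode_host_port(port_cmd)
    with socket.create_connection(dest, timeout=5) as server_data:
        server_data.sendall(payload)
    t.join(timeout=5)
    listener.close()
    return port, bytes(received)


if __name__ == "__main__":
    print(encode_host_port("192.0.2.10", 50001))
    print(decode_host_port("227 Entering Passive Mode (198,51,100,7,19,137)"))
    print(client_inbound_rule("active", "198.51.100.7", 50001))
    print(simulate_active_data_channel(b"report.csv contents"))
```

The simulation makes the security-group problem concrete: the port in the PORT command is chosen by the client's operating system at run time, so a rule that permits exactly one port cannot be written ahead of time, which is why the answer's "open everything above 1023" is the only general-purpose rule when active mode is mandated by the remote side.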
