In light of recent security issues with FTP, and since it seems there are a few users who do need FTP support on their LAN (some backup software seems to prefer FTP over SMB), here's a way to configure vsftpd so it will only listen on your LAN IP.
The following requires Asuswrt-Merlin 374.38 or newer.
1) Make sure JFFS is enabled and properly mounted (check under Tools -> Sysinfo), as well as telnet or SSH
2) Connect over SSH/telnet, and paste the following code:
Code:
cat << EOF > /jffs/scripts/vsftpd.postconf
#!/bin/sh
# Append a listen_address line so vsftpd binds only to the LAN address.
LANIP=\$(nvram get lan_ipaddr)
echo "listen_address=\$LANIP" >>/etc/vsftpd.conf
EOF
chmod a+rx /jffs/scripts/vsftpd.postconf
service restart_nasapps
After that, FTP should no longer be accessible over WAN.
You could also alternatively modify the firewall rules to prevent WAN access to port 21 while still allowing LAN access (I believe the correct rules were recently posted on the forums), but I like this method that will actually limit vsftpd's scope.
If Asus doesn't implement an option to enable FTP access only from LAN, I will most likely go ahead and implement it myself in a future release.
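A way to confirm the binding after the restart, as an added example that is not part of the original post: it classifies the port 21 listeners in `netstat -tln` output and reads back the `listen_address` line from the config. The function names, the sample LAN address 192.168.1.1 and the sample netstat/config text are constructed, and it assumes `netstat`, `awk`, `sed` and `tail` are available on the router.

```shell
#!/bin/sh
# On the router (assumed usage):
#   netstat -tln | ftp_bind_scope "$(nvram get lan_ipaddr)"
#   conf_listen_address < /etc/vsftpd.conf

# Read `netstat -tln` output on stdin and classify the listeners on a port.
# Prints one of: lan-only | wildcard | other | not-listening
ftp_bind_scope() {
    awk -v lan="$1" -v port="${2:-21}" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, p, ":")
            if (p[n] != port) next
            # Everything before the final ":port" is the bind address.
            host = substr($4, 1, length($4) - length(p[n]) - 1)
            seen = 1
            if (host == lan) next
            if (host == "0.0.0.0" || host == "::" || host == "*") wild = 1
            else other = 1
        }
        END {
            if (!seen)      print "not-listening"
            else if (wild)  print "wildcard"
            else if (other) print "other"
            else            print "lan-only"
        }'
}

# Read vsftpd.conf on stdin and print the last listen_address value, if any.
# The postconf script appends its line, so the last occurrence is the one it wrote.
conf_listen_address() {
    sed -n 's/^listen_address=//p' | tail -n 1
}

# Constructed sample data (not captured from a real router).
LAN=192.168.1.1
NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN'
NETSTAT_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:21          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN'
CONF_AFTER='anonymous_enable=NO
listen=YES
listen_address=192.168.1.1'

printf 'before: %s\n' "$(printf '%s\n' "$NETSTAT_BEFORE" | ftp_bind_scope "$LAN")"
printf 'after:  %s\n' "$(printf '%s\n' "$NETSTAT_AFTER" | ftp_bind_scope "$LAN")"
printf 'config: %s\n' "$(printf '%s\n' "$CONF_AFTER" | conf_listen_address)"
```

A result of `wildcard` means the daemon is still bound to every interface, so the postconf script did not run or its line was not picked up.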