Secure Connect Gateway - Disable FTP Port 21

Summary: A customer security team may advise disabling port 21, which is used for File Transfer Protocol (FTP), because of security concerns. FTP on port 21 transmits data in plain text, making it susceptible to interception and attacks. Disabling this port helps prevent unauthorized access and data breaches, thereby enhancing the protection of sensitive information. ...


Instructions

  1. If the service must be disabled temporarily:
    docker exec -it esrsde-app bash
    wd status esrshttpdftp

    If it is running, use the following command to stop it:

    wd stop esrshttpdftp

 

NOTE: If the gateway reboots, the FTP service is enabled again.

 

  2. If the service must be disabled permanently: Removing ports 21 and 4021 on a running container:
    1. If we are still in the docker command shell from the steps above, issue the exit command to return to the bash prompt.
    2. Find the full container ID of the container to edit using the command:
    docker ps --no-trunc
    3. Stop the container so it can be changed, using the command below:
    docker stop esrsde-app
    4. Go to the folder: cd /var/lib/docker/containers/<Full container ID from step 2>
    5. Create a backup of the files that are to be edited:
      1. cp config.v2.json config.v2.json.bak
      2. cp hostconfig.json hostconfig.json.bak
    6. Modify the file config.v2.json, removing the entry "4021/tcp":{}
      1. The edited entry should look like: "ExposedPorts":{"4443/tcp":{},"5400/tcp":{ },
    7. Modify the file hostconfig.json, removing the entry "4021/tcp":[{"HostIp":"","HostPort":"21"}],
      1. The edited entry should look like: "PortBindings":{"4443(....and so forth)
    8. systemctl restart docker
    9. docker start esrsde-app
      1. If the container does not start, a bracket or quote has most likely been missed in one of the files. Compare the backup files to the edited files to verify that everything is correct.
    10. Verify that the ports are not mapped by running the command: docker ps
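
The manual edits to config.v2.json and hostconfig.json above can also be made through a JSON parser, which cannot leave a missing bracket or quote behind and refuses to write a file that does not parse. This is an added example, not Dell tooling: the function names and sample JSON are constructed, python3 is assumed to be available on the host, and the ExposedPorts / PortBindings objects are searched for at any depth rather than at an assumed location.

```python
import json

PORT = "4021/tcp"  # container-side FTP port named in the steps above

# Constructed samples; real files hold many more keys (layout here is an assumption).
SAMPLE_CONFIG = '{"Config":{"ExposedPorts":{"4021/tcp":{},"4443/tcp":{},"5400/tcp":{}}}}'
SAMPLE_HOSTCONFIG = ('{"PortBindings":{"4021/tcp":[{"HostIp":"","HostPort":"21"}],'
                     '"4443/tcp":[{"HostIp":"","HostPort":"443"}]}}')

def drop_port(node, section, port=PORT):
    """Delete `port` from every `section` object at any depth; return how many were removed."""
    removed = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if key == section and isinstance(value, dict) and port in value:
                del value[port]
                removed += 1
            removed += drop_port(value, section, port)
    elif isinstance(node, list):
        for item in node:
            removed += drop_port(item, section, port)
    return removed

def edit_text(text, section, port=PORT):
    """Parse, remove the port, re-serialize. Malformed JSON raises ValueError."""
    doc = json.loads(text)
    removed = drop_port(doc, section, port)
    return json.dumps(doc, separators=(",", ":")), removed

def still_mapped(text, section, port=PORT):
    """True if `port` is still listed under `section` (works on a parsed copy)."""
    return drop_port(json.loads(text), section, port) > 0

def edit_file(path, section, port=PORT):
    """Rewrite `path` only after a clean parse; take the .bak copies first."""
    with open(path) as fh:
        new_text, removed = edit_text(fh.read(), section, port)
    with open(path, "w") as fh:
        fh.write(new_text)
    return removed

if __name__ == "__main__":
    for name, text, section in (("config.v2.json", SAMPLE_CONFIG, "ExposedPorts"),
                                ("hostconfig.json", SAMPLE_HOSTCONFIG, "PortBindings")):
        new_text, removed = edit_text(text, section)
        print(name, "removed:", removed, "still mapped:", still_mapped(new_text, section))
        print(new_text)
```

On the real files, call edit_file("config.v2.json", "ExposedPorts") and edit_file("hostconfig.json", "PortBindings") from the container folder while the container is stopped and after the backups exist.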

To disable from SCG host level:
If the customer is on SCG, remove the port 21 references from the SuSEfirewall2-srs-custom file.

  1. Go to the scripts folder:
    cd /etc/sysconfig/scripts/
  2. Create a backup copy before modifying:
    cp SuSEfirewall2-srs-custom SuSEfirewall2-srs-custom.bak
  3. Edit the SuSEfirewall2-srs-custom file and comment out the line containing --dport 21 and ending in 4021 using #. It should now look like:
    #-A SCG-DOCKER -p tcp -m tcp --dport 21 -j DNAT --to-destination [${srsIpAddr}]:4021
  4. After that, restart esrsve.service using the command below:
    systemctl restart esrsve.service

Affected Products

Secure Connect Gateway - Virtual Edition
Article Properties
Article Number: 000227892
Article Type: How To
Last Modified: 03 Feb 2025
Version:  4