Symptom:

When trying to install the GoAnywhere MFT server or Gateway as a non-root user (a security best practice), you cannot bind ports below 1024 for the services (such as 21, 22 or 990).


Cause:

Linux has a security hardening rule that allows only the root user to bind ports below 1024. This is a hard-set security limitation.


Solution:

The only way to let the system install and operate is to avoid the low ports during installation and pick higher-numbered ports instead. For example:

  • 21 -> 10021
  • 22 -> 10022
  • 443 -> 10443
  • 990 -> 10990

This will allow you to complete the install.


NOTE: Port 22 on Linux is also used by default by the SSH daemon. You will need to change the SSH port if you want to bind port 22 for GoAnywhere (GA) SFTP.


After that, there are 3 options for how to continue:

  1. Use the uncommon ports - Nice from a security point of view, as it helps against port scanning, but you will always have to tell end customers that you are using a non-standard port.
  2. Use an NLB to expose the standard ports - If there is a load balancer, we can use it to expose the low port (22) and route it to our high port (10022) at the infrastructure level. The user will not notice the difference.
  3. Use iptables or firewalld to port-forward traffic - We can use the built-in Linux firewall to do basic port forwarding, the same way as option 2 with the NLB, only this time on the server itself. A basic command looks like this:
    firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=10022
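The script below is an added example for option 3 and is not part of this article or of GoAnywhere's own tooling. It takes the port map from the table above, rejects any pair that would not solve the under-1024 problem (low side must be a privileged port, high side an unprivileged one), and prints the equivalent firewalld or iptables commands so they can be reviewed before being run as root. The zone name, the backend names and the `PORT_MAP` variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) low->high port forwards for a
# non-root GoAnywhere install. Constructed from the article's port table.
PORT_MAP="21:10021 22:10022 443:10443 990:10990"
ZONE=${ZONE:-external}   # firewalld zone the public interface belongs to

# valid_pair LOW HIGH -> 0 only if LOW is privileged (1-1023) and HIGH is an
# unprivileged port (1024-65535); anything else would not fix the symptom.
valid_pair() {
  low=$1; high=$2
  [ -n "$low" ] && [ -n "$high" ] || return 1
  case "$low$high" in *[!0-9]*) return 1 ;; esac
  [ "$low" -ge 1 ] && [ "$low" -lt 1024 ] || return 1
  [ "$high" -ge 1024 ] && [ "$high" -le 65535 ] || return 1
}

# rule_for BACKEND LOW HIGH -> prints the single command for that mapping.
# firewalld: --permanent so the forward survives a reload/reboot.
# iptables:  REDIRECT in the nat PREROUTING chain (not persistent by itself;
#            save it with iptables-save or your distro's mechanism).
rule_for() {
  case "$1" in
    firewalld) printf 'firewall-cmd --permanent --zone=%s --add-forward-port=port=%s:proto=tcp:toport=%s\n' "$ZONE" "$2" "$3" ;;
    iptables)  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$2" "$3" ;;
    *) echo "unknown backend: $1" >&2; return 1 ;;
  esac
}

# gen_rules BACKEND [MAP] -> prints every command; fails on an invalid pair.
gen_rules() {
  backend=$1; map=${2:-$PORT_MAP}
  for pair in $map; do
    low=${pair%%:*}; high=${pair#*:}
    valid_pair "$low" "$high" || { echo "bad mapping: $pair" >&2; return 1; }
    rule_for "$backend" "$low" "$high" || return 1
  done
  [ "$backend" = firewalld ] && echo 'firewall-cmd --reload'
  return 0
}

# apply_rules BACKEND -> executes the generated commands (must run as root).
apply_rules() { gen_rules "$1" | sh -e; }

# Usage: sh forward-ports.sh firewalld        (dry run, prints commands)
#        sh forward-ports.sh firewalld apply  (runs them)
if [ $# -gt 0 ]; then
  if [ "${2:-}" = apply ]; then apply_rules "$1"; else gen_rules "$1"; fi
fi
```

The iptables REDIRECT rule only rewrites traffic arriving from the network; connections made from the server itself to port 22 are not covered by the PREROUTING chain.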