LinuxQuestions.org

Thread: Setting up secure FTP (trying vsftpd on RHEL 4) (http://www.linuxquestions.org/questions/linux-general-1/setting-up-secure-ftp-trying-vsftpd-on-rhel-4-a-492902/)

Xera 10-16-2006 01:41 PM

Setting up secure FTP (trying vsftpd on RHEL 4)
 
I'm trying to set up an FTP server that only I can connect to. I've disabled anonymous logins, but cannot connect at all from my Windoze workstation - I get the following error: "ftp: connect :Unknown error number". I'm looking to either restrict this by login, or by IP, or both.

I'm using RHEL 4, and it looks like vsftpd will do what I want. I can connect to ftp from the machine running vsftpd with no problems. I've tried looking through the man pages and the posts on here, but haven't found anything that helps. I'm wondering if there's another service I need to enable or if something is blocking remote access. To start: here is what's in my vsftpd.conf:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
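A quick way to see what the configuration above actually means once vsftpd's compiled-in defaults are filled in: the linter below is an added example written for this page, not code from the thread or from the vsftpd project. The defaults it carries are the ones vsftpd.conf(5) documents for the options it checks, the first sample is the posted file with its comments stripped, and the second sample is constructed.

```python
"""Lint a vsftpd.conf for the settings this thread turns on (added example, not code
from the thread or the vsftpd project). Parses the key=value format, skipping blank
lines and '#' comments, fills in the compiled-in defaults from vsftpd.conf(5) for the
options it checks, and reports what to look at before exposing the daemon."""

# Compiled-in defaults from vsftpd.conf(5) for the options audited below.
DEFAULTS = {
    "anonymous_enable": "YES",   # sample file: "allowed by default if you comment this out"
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "tcp_wrappers": "NO",
    "pasv_enable": "YES",
    "pasv_min_port": "0",        # 0 = any free port
    "pasv_max_port": "0",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
}

# Option names accepted by the linter: the ones in the sample vsftpd.conf posted above.
KNOWN_KEYS = set(DEFAULTS) | set("""
    listen local_enable local_umask anon_mkdir_write_enable dirmessage_enable
    xferlog_enable connect_from_port_20 chown_uploads chown_username xferlog_file
    xferlog_std_format idle_session_timeout data_connection_timeout nopriv_user
    async_abor_enable ascii_upload_enable ftpd_banner deny_email_enable
    banned_email_file chroot_list_enable chroot_list_file chroot_local_user
    ls_recurse_enable pam_service_name""".split())


def parse_vsftpd_conf(text):
    """Return ({option: value}, [unknown option names]) for a vsftpd.conf body."""
    settings, unknown = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in KNOWN_KEYS:
            unknown.append(key)       # vsftpd itself refuses to start on an unrecognised option
        else:
            settings[key] = value.strip()
    return settings, unknown


def audit(text):
    """Return the findings for one configuration; an empty list means nothing was flagged."""
    settings, unknown = parse_vsftpd_conf(text)
    get = lambda key: settings.get(key, DEFAULTS.get(key))
    findings = ["unknown option: " + key for key in unknown]
    if get("anonymous_enable") == "YES":
        findings.append("anonymous logins enabled (the default when anonymous_enable is omitted)")
        if get("write_enable") == "YES" and get("anon_upload_enable") == "YES":
            findings.append("anonymous uploads enabled")
    if get("ascii_download_enable") == "YES":
        findings.append("ascii_download_enable=YES: SIZE in ASCII mode lets a client burn server I/O")
    if get("tcp_wrappers") == "YES":
        findings.append("tcp_wrappers=YES: /etc/hosts.allow and /etc/hosts.deny also gate connections")
    if get("pasv_enable") == "YES" and "0" in (get("pasv_min_port"), get("pasv_max_port")):
        findings.append("passive mode without a pasv_min_port/pasv_max_port range: "
                        "data ports are unpredictable, so the firewall cannot be scoped to them")
    if get("userlist_enable") == "YES" and get("userlist_deny") == "YES":
        findings.append("userlist_enable=YES with the default userlist_deny=YES: "
                        "users named in userlist_file are denied, not allowed")
    return findings


# Sample 1: the poster's configuration from the thread, with the comments removed.
POSTED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
"""

# Sample 2: constructed; the anonymous option is misspelled, so the default (YES) applies.
TYPO_CONF = "anonymous_enabled=NO\nlocal_enable=YES\nwrite_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("typo", TYPO_CONF)):
        print(name + ":", *audit(conf), sep="\n  ")
```

Two of the findings on the posted file are easy to miss: userlist_enable=YES on its own denies the users named in the list, because userlist_deny defaults to YES, so restricting the server "by login" needs userlist_deny=NO as well; and tcp_wrappers=YES adds a second gate in /etc/hosts.allow and /etc/hosts.deny on top of whatever the packet filter does.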

Drax946 10-16-2006 03:31 PM

I'm running Debian Etch with vsftpd. I've just glanced at the vsftpd.conf file you posted thus far, but thought of something which might help. I have an entry in my /etc/hosts.allow file to allow all local machines to have access to all services:

/etc/hosts.allow

ALL: LOCAL 192.168.1.

I'll look a bit more, but this might fix the problem.

Xera 10-16-2006 04:04 PM

Still getting that odd error
 
I made the change to my /etc/hosts.allow file, and am still getting the weird error from my Windows workstation (it is able to FTP to a different box in the same subnet). I am assuming of course that I change the subnet to the one that I'm using vs. 192.168.1 :)

Thanks for the suggestion, though.

Drax946 10-16-2006 06:32 PM

I happened to have another PC that didn't have vsftpd installed on it. After just pulling down the package I could login from a WinXP SP2 PC using anonymous. After a few changes to the vsftpd.conf file:

anonymous_enable=NO
local_enable=YES
write_enable=YES

and a restart of vsftpd I was able to login from the same WinXP PC with a user. I removed the lines from /etc/hosts.allow and that didn't seem to make any difference as you had mentioned.

I did notice a few lines in your vsftpd.conf which aren't in mine:

userlist_enable=YES
tcp_wrappers=YES

From reading the manpage it looks like the tcp_wrappers may be stopping you. You may want to give commenting that line out a try with a restart on vsftpd.

jcliburn 10-16-2006 07:08 PM

See if this post helps.

http://www.linuxquestions.org/questi...62#post2463162

Xera 10-24-2006 05:13 PM

Still no luck
 
Well, I took a look at the post that was suggested, and added the 3 lines to my vsftpd.conf:
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

I also entered the following at the command line
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 11001:11010 -j ACCEPT

Then restarted the vsftpd service... no change

I tried the modprobe ip_conntrack_ftp command, and then REM'd out the tcp_wrappers line in the vsftpd.conf, and restarted the service again - no change.

Honestly I'm stabbing in the dark here. I've barely got a fingernail hold on what exactly I'm doing. Did I miss any steps or do something incorrectly?

Thanks again for any help you can give...
:newbie:
Xera

jcliburn 10-24-2006 08:18 PM

Please post the output of the following commands executed on your ftp server.

uname -r
netstat -ptuna
cat /etc/sysconfig/iptables (redact any sensitive stuff if you wish)
cat /etc/vsftpd/vsftpd.conf (again)


Also, please cut and paste the entire ftp connection attempt from the client, including all error output.

IBall 10-24-2006 08:30 PM

Can I suggest you try SSH?

SSH comes with SFTP which has similar commands to FTP, but is much more secure than FTP. FTP does everything in plain text, whereas SSH encrypts all your data. I have some info on SSH Here.

I think Putty will connect to SSH from Windows, otherwise try WinSCP.

I hope this helps
--Ian

Xera 11-06-2006 09:30 PM

Quote:

Originally Posted by jcliburn
Please post the output of the following commands executed on your ftp server.

uname -r
netstat -ptuna
cat /etc/sysconfig/iptables (redact any sensitive stuff if you wish)
cat /etc/vsftpd/vsftpd.conf (again)


Also, please cut and paste the entire ftp connection attempt from the client, including all error output.

uname -r
2.6.9-42.0.3.ELsmp

netstat -ptuna
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:867 0.0.0.0:* LISTEN 2381/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2361/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2576/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2520/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2596/sendmail: acce
tcp 0 0 72.240.1.170:32802 64.233.163.104:80 ESTABLISHED 4162/firefox-bin
tcp 0 0 72.240.1.170:32793 64.233.163.104:80 ESTABLISHED 4162/firefox-bin
tcp 0 0 72.240.1.170:32789 72.14.203.99:80 ESTABLISHED 4162/firefox-bin
tcp 0 0 :::80 :::* LISTEN 3892/httpd
tcp 0 0 :::22 :::* LISTEN 2551/sshd
tcp 0 0 :::443 :::* LISTEN 3892/httpd
udp 0 0 0.0.0.0:861 0.0.0.0:* 2381/rpc.statd
udp 0 0 0.0.0.0:864 0.0.0.0:* 2381/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2361/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2520/cupsd

cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

cat /etc/vsftpd/vsftpd.conf (with all the comments deleted for space)
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=No unauthorized use! Your IP is being tracked.
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
#tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

Unfortunately, there is no error log when I try to FTP (using MS CMD line FTP or CoffeeCup FTP). On the command line it will time out with the error ftp: connect :Unknown error number. CoffeeCup just keeps trying to connect forever...

Sorry it took so long to respond... Have had to put this project on the back burner here at work for my official work. Thanks again for any help you can give.

(I'd be willing to try ssh as well, but I'm hoping to give this one more chance before giving up on FTP.) Eventually I will be wanting to set up SSH, Web hosting, and DNS, but I can't even get the first part of this project working :mad: I'm pretty sure it's something in the firewall, but I don't know anything about that... haven't been given enough time to sit and read the man pages yet, either. Anywho... thanks again to anyone who can help me out w/ this!

Xera

jcliburn 11-07-2006 07:22 AM

Your server's firewall (iptables) is blocking the ftp command port (port 21) and the ftp data ports (ports 11001 through 11010). You need to add rules that unblock those ports.

To test this assertion, turn off iptables on your server (service iptables stop) and see if you can complete an ftp transaction.

Xera 11-07-2006 05:19 PM

Yep, that's definitely the problem. So I finally figured out how to actually SAVE the changes (I was typing in the rules that were listed in the linked thread, but didn't take the additional step of saving them...)

So, here's the new output of the command cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on Tue Nov 7 18:59:22 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:11645]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11001:11010 -j ACCEPT

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Nov 7 18:59:22 2006


Unfortunately... I still can't get ftp to connect to this server. I'll keep digging in the forums now that I'm sure it's an issue w/ iptables. (especially since I'm sure I'll need to be doing something similar to ports 53, 80, and whatever else I end up wanting to open up for the other servers I want to run).

I guess this just highlights my Linux newbie-ness even more ::blush:: Not used to being such a moron when it comes to something computer related, but I WILL get up to speed on this.

Xera 11-07-2006 05:51 PM

Lovely
 
Well, today I learned the difference between using iptables -I and -A :cry: as I seem to have lost all the original rules when I typed
iptables -I INPUT -m tcp -p tcp --dport 20 -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 20 -j ACCEPT
iptables-save>/etc/sysconfig/iptables
in my command line
::sigh::

So, it's good that I posted the original contents of the file here. I was able to edit the file and put everything back, as well as leaving the 2 new lines about port 20 in. AND.... I can now connect to the box from my other system!!! Wahoo!

Thanks for your help guys! (Hopefully I won't have to pester you all so much when I set up DNS, httpd and ssh now that I've got this down...)

