LinuxQuestions.org
Old 10-16-2006, 01:41 PM   #1
Xera
LQ Newbie
 
Registered: Oct 2006
Location: NW Ohio
Distribution: RHEL 4
Posts: 8

Rep: Reputation: 0
Setting up secure FTP (trying vsftpd on RHEL 4)


I'm trying to set up an FTP server that only I can connect to. I've disabled anonymous logins, but cannot connect at all from my Windoze workstation - I get the following error: "ftp: connect :Unknown error number". I'm looking to either restrict this by login, or by IP, or both.

I'm using RHEL 4, and it looks like vsftpd will do what I want. I can connect to ftp from the machine running vsftpd with no problems. I've tried looking through the man pages and the posts on here, but haven't found anything that helps. I'm wondering if there's another service I need to enable or if something is blocking remote access. To start: here is what's in my vsftpd.conf:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
 
Old 10-16-2006, 03:31 PM   #2
Drax946
Member
 
Registered: Jun 2005
Location: WV USA
Distribution: Manjaro
Posts: 43

Rep: Reputation: 15
I'm running Debian Etch with vsftpd. I've just glanced at the vsftpd.conf file you posted thus far, but thought of something which might help. I have an entry in my /etc/hosts.allow file to allow all local machines to have access to all services:

/etc/hosts.allow

ALL: LOCAL 192.168.1.

I'll look a bit more, but this might fix the problem.
 
Old 10-16-2006, 04:04 PM   #3
Xera
LQ Newbie
 
Registered: Oct 2006
Location: NW Ohio
Distribution: RHEL 4
Posts: 8

Original Poster
Rep: Reputation: 0
Still getting that odd error

I made the change to my /etc/hosts.allow file, and am still getting the weird error from my Windows workstation. (It is able to FTP to a different box in the same subnet.) I am assuming of course that I change the subnet to the one that I'm using vs. 192.168.1

Thanks for the suggestion, though.
 
Old 10-16-2006, 06:32 PM   #4
Drax946
Member
 
Registered: Jun 2005
Location: WV USA
Distribution: Manjaro
Posts: 43

Rep: Reputation: 15
I happened to have another PC that didn't have vsftpd installed on it. After just pulling down the package I could login from a WinXP SP2 PC using anonymous. After a few changes to the vsftpd.conf file:

anonymous_enable=NO
local_enable=YES
write_enable=YES

and a restart of vsftpd I was able to login from the same WinXP PC with a user. I removed the lines from /etc/hosts.allow and that didn't seem to make any difference as you had mentioned.

I did notice a few lines in your vsftpd.conf which aren't in mine:

userlist_enable=YES
tcp_wrappers=YES

From reading the manpage it looks like the tcp_wrappers may be stopping you. You may want to give commenting that line out a try with a restart on vsftpd.
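Added example, not from any poster in this thread: a shell script that stages the allow-list the original poster asked for (one local account from one client address) and audits a vsftpd.conf plus hosts.deny for the settings that quietly widen such a policy. It assumes the account name xera, the client address 192.168.1.10 and the userlist_file path /etc/vsftpd/user_list; the daemon name "vsftpd" in hosts.allow/hosts.deny and the option names are vsftpd's own. The caveat it checks applies to the hosts.allow suggestion above: tcp_wrappers grants access to anything hosts.deny does not match, so an allow entry restricts nothing until hosts.deny carries a catch-all, and tcp_wrappers=YES by itself is not what blocks a client.

```shell
#!/bin/sh
# Added example, not from the thread: stage an allow-list FTP policy for
# vsftpd (one local user, one client address) and audit it for the settings
# that silently widen it. Assumptions: user "xera", client 192.168.1.10 and
# the userlist_file path /etc/vsftpd/user_list; the daemon name "vsftpd" in
# hosts.allow/hosts.deny and the option names are vsftpd's own.

# conf_value KEY FILE -> value of the last "KEY=value" line in FILE
conf_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# write_ftp_acl STAGE_DIR USER CLIENT_IP
# Writes vsftpd.conf, user_list, hosts.allow and hosts.deny into STAGE_DIR;
# copy them to /etc/vsftpd/ and /etc/ by hand once they pass the audit.
write_ftp_acl() {
    mkdir -p "$1"
    # userlist_deny=NO turns user_list from a deny-list into an allow-list;
    # chroot_local_user=YES confines the account to its home directory.
    cat > "$1/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
pam_service_name=vsftpd
listen=YES
tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010
xferlog_enable=YES
EOF
    printf '%s\n' "$2" > "$1/user_list"
    # tcp_wrappers checks hosts.allow first, then hosts.deny, then allows;
    # the hosts.deny catch-all is what makes hosts.allow a restriction.
    printf 'vsftpd: %s\n' "$3" > "$1/hosts.allow"
    printf 'vsftpd: ALL\n' > "$1/hosts.deny"
}

# audit_vsftpd CONF HOSTS_DENY -> one finding per line; exit 0 only if none
audit_vsftpd() {
    conf=$1; deny=$2; findings=0
    if [ "$(conf_value anonymous_enable "$conf")" != "NO" ]; then
        echo "anonymous_enable is not NO: vsftpd permits anonymous logins when the key is absent"
        findings=$((findings + 1))
    fi
    if [ "$(conf_value userlist_enable "$conf")" = "YES" ] &&
       [ "$(conf_value userlist_deny "$conf")" != "NO" ]; then
        echo "user_list is a deny-list (userlist_deny defaults to YES): unlisted local accounts may log in"
        findings=$((findings + 1))
    fi
    if [ "$(conf_value tcp_wrappers "$conf")" = "YES" ] &&
       ! grep -Eq '^(vsftpd|ALL):[[:space:]]*ALL' "$deny"; then
        echo "tcp_wrappers=YES but hosts.deny has no catch-all: hosts.allow restricts nothing"
        findings=$((findings + 1))
    fi
    if [ "$(conf_value chroot_local_user "$conf")" != "YES" ]; then
        echo "chroot_local_user is not YES: a logged-in user can browse the whole filesystem"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on a constructed staging directory.
stage=$(mktemp -d)
write_ftp_acl "$stage" xera 192.168.1.10
if audit_vsftpd "$stage/vsftpd.conf" "$stage/hosts.deny"; then
    echo "staged policy in $stage passes the audit"
fi
```

Run the audit against the live files (/etc/vsftpd/vsftpd.conf and /etc/hosts.deny) before and after copying the staged ones; the config posted at the top of this thread produces findings for the deny-list user_list, the missing hosts.deny catch-all and the missing chroot, none of which explain the connection error but all of which matter once the firewall is sorted out.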
 
Old 10-16-2006, 07:08 PM   #5
jcliburn
Member
 
Registered: Dec 2003
Location: Mississippi, USA
Distribution: Fedora
Posts: 435

Rep: Reputation: 33
See if this post helps.

http://www.linuxquestions.org/questi...62#post2463162
 
Old 10-24-2006, 05:13 PM   #6
Xera
LQ Newbie
 
Registered: Oct 2006
Location: NW Ohio
Distribution: RHEL 4
Posts: 8

Original Poster
Rep: Reputation: 0
Still no luck

Well, I took a look at the post that was suggested, and added the 3 lines to my vsftpd.conf:
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

I also entered the following at the command line
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 11001:11010 -j ACCEPT

Then restarted the vsftpd service... no change

I tried the modprobe ip_conntrack_ftp command, and then REM'd out the tcp_wrappers line in the vsftpd.conf, and restarted the service again - no change.

Honestly I'm stabbing in the dark here. I've barely got a fingernail hold on what exactly I'm doing. Did I miss any steps or do something incorrectly?

Thanks again for any help you can give...

Xera
 
Old 10-24-2006, 08:18 PM   #7
jcliburn
Member
 
Registered: Dec 2003
Location: Mississippi, USA
Distribution: Fedora
Posts: 435

Rep: Reputation: 33
Please post the output of the following commands executed on your ftp server.

uname -r
netstat -ptuna
cat /etc/sysconfig/iptables (redact any sensitive stuff if you wish)
cat /etc/vsftpd/vsftpd.conf (again)


Also, please cut and paste the entire ftp connection attempt from the client, including all error output.
 
Old 10-24-2006, 08:30 PM   #8
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 62
Can I suggest you try SSH?

SSH comes with SFTP which has similar commands to FTP, but is much more secure than FTP. FTP does everything in plain text, whereas SSH encrypts all your data. I have some info on SSH Here.

I think PuTTY will connect to SSH from Windows; otherwise try WinSCP.

I hope this helps
--Ian
 
Old 11-06-2006, 09:30 PM   #9
Xera
LQ Newbie
 
Registered: Oct 2006
Location: NW Ohio
Distribution: RHEL 4
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jcliburn
Please post the output of the following commands executed on your ftp server.

uname -r
netstat -ptuna
cat /etc/sysconfig/iptables (redact any sensitive stuff if you wish)
cat /etc/vsftpd/vsftpd.conf (again)


Also, please cut and paste the entire ftp connection attempt from the client, including all error output.
uname -r
2.6.9-42.0.3.ELsmp

netstat -ptuna
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State        PID/Program name
tcp        0      0 0.0.0.0:867             0.0.0.0:*               LISTEN       2381/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN       2361/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN       2576/vsftpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN       2520/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN       2596/sendmail: acce
tcp        0      0 72.240.1.170:32802      64.233.163.104:80       ESTABLISHED  4162/firefox-bin
tcp        0      0 72.240.1.170:32793      64.233.163.104:80       ESTABLISHED  4162/firefox-bin
tcp        0      0 72.240.1.170:32789      72.14.203.99:80         ESTABLISHED  4162/firefox-bin
tcp        0      0 :::80                   :::*                    LISTEN       3892/httpd
tcp        0      0 :::22                   :::*                    LISTEN       2551/sshd
tcp        0      0 :::443                  :::*                    LISTEN       3892/httpd
udp        0      0 0.0.0.0:861             0.0.0.0:*                            2381/rpc.statd
udp        0      0 0.0.0.0:864             0.0.0.0:*                            2381/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                            2361/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                            2520/cupsd

cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

cat /etc/vsftpd/vsftpd.conf (with all the comments deleted for space)
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=No unauthorized use! Your IP is being tracked.
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
#tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

Unfortunately, there is no error log when I try to FTP (using MS CMD line FTP or CoffeeCup FTP). On the command line it will time out with the error ftp: connect :Unknown error number. CoffeeCup just keeps trying to connect forever...

Sorry it took so long to respond... Have had to put this project on the back burner here at work for my official work. Thanks again for any help you can give.

(I'd be willing to try ssh as well, but I'm hoping to give this one more chance before giving up on FTP.) Eventually I will be wanting to set up SSH, Web hosting, and DNS, but I can't even get the first part of this project working. I'm pretty sure it's something in the firewall, but I don't know anything about that... haven't been given enough time to sit and read the man pages yet, either. Anywho... thanks again to anyone who can help me out w/ this!

Xera
 
Old 11-07-2006, 07:22 AM   #10
jcliburn
Member
 
Registered: Dec 2003
Location: Mississippi, USA
Distribution: Fedora
Posts: 435

Rep: Reputation: 33
Your server's firewall (iptables) is blocking the ftp command port (port 21) and the ftp data ports (ports 11001 through 11010). You need to add rules that unblock those ports.

To test this assertion, turn off iptables on your server (service iptables stop) and see if you can complete an ftp transaction.
 
Old 11-07-2006, 05:19 PM   #11
Xera
LQ Newbie
 
Registered: Oct 2006
Location: NW Ohio
Distribution: RHEL 4
Posts: 8

Original Poster
Rep: Reputation: 0
Yep, that's definitely the problem. So I finally figured out how to actually SAVE the changes (I was typing in the rules that were listed in the linked thread, but didn't take the additional step of saving them...)

So, here's the new output of the command cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on Tue Nov 7 18:59:22 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:11645]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11001:11010 -j ACCEPT

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Nov 7 18:59:22 2006


Unfortunately... I still can't get ftp to connect to this server. I'll keep digging in the forums now that I'm sure it's an issue w/ iptables. (especially since I'm sure I'll need to be doing something similar to ports 53, 80, and whatever else I end up wanting to open up for the other servers I want to run).

I guess this just highlights my Linux newbie-ness even more ::blush:: Not used to being such a moron when it comes to something computer related, but I WILL get up to speed on this.
 
Old 11-07-2006, 05:51 PM   #12
Xera
LQ Newbie
 
Registered: Oct 2006
Location: NW Ohio
Distribution: RHEL 4
Posts: 8

Original Poster
Rep: Reputation: 0
Lovely

Well, today I learned the difference between using iptables -I and -A as I seem to have lost all the original rules when I typed
iptables -I INPUT -m tcp -p tcp --dport 20 -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 20 -j ACCEPT
iptables-save>/etc/sysconfig/iptables
in my command line
::sigh::

So, it's good that I posted the original contents of the file here. I was able to edit the file and put everything back, as well as leaving the 2 new lines about port 20 in. AND.... I can now connect to the box from my other system!!! Wahoo!

Thanks for your help guys! (Hopefully I won't have to pester you all so much when I set up DNS, httpd and ssh now that I've got this down...)

Last edited by Xera; 11-07-2006 at 06:13 PM.
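Added example, not the poster's commands: why the rules appended in post #11 were never consulted, and where they belong. In this RHEL 4 ruleset the first INPUT rule jumps unconditionally to RH-Firewall-1-INPUT, whose last rule is an unconditional REJECT; a packet that enters that chain is either accepted or rejected there and never returns to INPUT, so anything appended to INPUT after the jump is dead. The script below parses an iptables-save file (a constructed copy of the shape posted in post #11), lists the unreachable rules, removes them and inserts the FTP ACCEPT rules into RH-Firewall-1-INPUT ahead of the REJECT. It edits the saved ruleset as text rather than calling iptables, so it runs without root; the result is applied by saving it as /etc/sysconfig/iptables and running service iptables restart. Ports 21 and 11001-11010 match the passive range set earlier in the thread.

```shell
#!/bin/sh
# Added example, not the poster's commands: find rules in a saved
# RHEL 4 style iptables ruleset that can never match, and place the FTP
# ACCEPT rules inside RH-Firewall-1-INPUT ahead of its terminating REJECT.
# Works on the text of /etc/sysconfig/iptables, so no root is needed.

# Constructed sample with the shape of the ruleset from post #11: the two
# rules appended to INPUT after the jump are dead, because the target chain
# ends in an unconditional REJECT and never returns to INPUT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11001:11010 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# unreachable_rules RULESET -> prints each "-A" line that follows, in the same
# chain, an unconditional verdict or an unconditional jump to a chain whose
# last rule is an unconditional verdict (ACCEPT, DROP or REJECT).
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            n++; line[n] = $0; chain[n] = $2
            # "-A X -j Y" with nothing between the chain and -j is unconditional
            if ($3 == "-j") target[n] = $4
            # remember whether the last rule seen in this chain is an unconditional verdict
            ends_with_verdict[$2] = ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) ? 1 : 0
        }
        END {
            for (i = 1; i <= n; i++) {
                c = chain[i]
                if (dead[c]) print line[i]
                if (i in target) {
                    t = target[i]
                    if (t == "ACCEPT" || t == "DROP" || t == "REJECT" || ends_with_verdict[t]) dead[c] = 1
                }
            }
        }'
}

# prune_unreachable RULESET -> the ruleset without its dead rules
prune_unreachable() {
    dead=$(unreachable_rules "$1")
    if [ -z "$dead" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$1" | grep -vxF -e "$dead"
    fi
}

# add_ftp_rules RULESET PASV_MIN PASV_MAX -> ruleset with ACCEPT rules for the
# FTP control port and the passive data range inserted just before the
# REJECT that closes RH-Firewall-1-INPUT
add_ftp_rules() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        /^-A RH-Firewall-1-INPUT -j REJECT/ && !done {
            print "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT"
            print "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport " lo ":" hi " -j ACCEPT"
            done = 1
        }
        { print }'
}

echo "Rules that can never match:"
unreachable_rules "$SAMPLE_RULES"
echo
echo "Corrected ruleset (save as /etc/sysconfig/iptables, then: service iptables restart):"
add_ftp_rules "$(prune_unreachable "$SAMPLE_RULES")" 11001 11010
```

Editing the saved file and restarting the service avoids the trap in the post above: iptables-save writes out whatever is loaded at that moment, so running it after the rules had been flushed overwrote the file with only the two freshly inserted lines. No inbound rule for port 20 is needed either: with pasv_enable=YES the client opens the data connection to the passive range, and in active mode the server opens the data connection itself, so its return traffic already matches the RELATED,ESTABLISHED rule.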
 
  

