Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I set up SSL/VSFTPD, authenticated via PAM and MySQL, and all was well when I set it up on the internal LAN.
I changed the server's IP ready to go in the DMZ segment and changed its host name. Racked her up and now the cert exchange does not work with FileZilla. I have disabled SSH support in the vsftpd.conf and all works (showing in my mind anyway that it's openssh). Re-enabled and I get no cert via FileZilla and the secure log shows no activity. The only thing that does show is when I restart openssh I get the following. FYI: PuTTY, WinSCP all work OK.
error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
So I thought I'd set a fixed IP, which removes the error, but I still get no cert via FileZilla or any indication communication is going on in the secure log.
I have also created new certs, thinking the change in IP/host may have caused an issue. I have even uninstalled openssh* and reinstalled.
I am going nuts! Because I have spent a while getting it all working and I was in the middle of a geek high only to get shot down ;-(
Symptoms:
FTP is dropped on rule 0 AND SmartView Tracker displays the error: "port command ended without a new line".
Cause:
By default, the FTP service protocol type drops packets that are not terminated with a newline character.
For more information on the internal functions of the FTP service, refer to the RFCs about FTP:
RFC 959 - File Transfer Protocol (FTP)
RFC 2228 - FTP Security Extensions
Solution:
In the FTP service object > Advanced Properties, change FTP service protocol type to ftp_basic, and install the Security Policy. The ftp_basic option does not enforce newline-character checking.
Using ftp_basic eliminates known connectivity problems with FTP implementations that are not fully RFC compliant. This protocol type enforces a reduced set of FTP security checks, as opposed to those done by the regular FTP protocol type.
The ftp_basic option does not perform the following checks implemented in the standard FTP service object:
Every packet is terminated with a newline character, so the PORT command is not split across packets. This protects against the FTP Bounce attack.
Data connections to or from well-known ports are not allowed, to prevent the FTP data connection from being used to access some other service.
Bidirectional traffic on the data connection is not allowed, as it can be used improperly.
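To make the first two dropped checks concrete, here is an added example (not from the vendor article or any Check Point code) that inspects constructed FTP control-channel packets the way a strict FTP inspector would: it flags a command that is not newline-terminated (a PORT command split across packets, the condition behind the "port command ended without a new line" drop) and a PORT command that points the data connection at a well-known port. The packet contents and the 1023 cutoff for "well-known" are assumptions for the example.

```python
import re

# Constructed sample control-channel packets (client -> server), one bytes object
# per packet, as a firewall inspecting the FTP control connection would see them.
SAMPLE_PACKETS = [
    b"USER anonymous\r\n",
    b"PORT 10,0,0,5,4,1\r\n",    # data port 4*256+1 = 1025: allowed
    b"PORT 10,0,0,5,0,25\r\n",   # data port 25 (SMTP): well-known port
    b"PORT 10,0,0,5,19",         # no newline: PORT command split across packets
]

WELL_KNOWN_MAX = 1023  # assumption: ports 0-1023 count as well-known
_PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_args(line: bytes):
    """Return (host, port) from a complete PORT line (no line ending), else None."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_packet(packet: bytes) -> list:
    """Apply the strict-FTP checks to one control-channel packet; return findings."""
    findings = []
    if not packet.endswith(b"\n"):
        findings.append("command not terminated with newline (possible split PORT)")
    parsed = parse_port_args(packet.rstrip(b"\r\n"))
    if parsed is not None:
        _, port = parsed
        if port <= WELL_KNOWN_MAX:
            findings.append(f"PORT requests data connection to well-known port {port}")
    return findings


def inspect_stream(packets) -> dict:
    """Return {packet index: findings} for every packet that fails a check."""
    return {i: f for i, p in enumerate(packets) if (f := inspect_packet(p))}


if __name__ == "__main__":
    for idx, findings in inspect_stream(SAMPLE_PACKETS).items():
        print(idx, SAMPLE_PACKETS[idx], findings)
```

Switching to ftp_basic means both findings above would pass through; the third dropped check (bidirectional data-connection traffic) needs visibility of the data connection itself and is not covered here.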