LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 12-09-2010, 02:36 PM   #1
ScorchPipe
Member
 
Registered: Sep 2010
Posts: 38

Rep: Reputation: 0
Problems with vsftpd, SSL and FileZilla


Hi there...

Sorry for a long post....

I've set up an FTP-server running vsftpd on CentOS 5.5 and I want to use FileZilla to connect to it. Everything went just fine without SSL. But when I implemtented SSL it stopped working properly. However, the login works and I get the cert. It just won't list...

Computer IP: 192.168.0.100
Server IP: 192.168.0.200

Now I can only connect from outside my router using Active Mode (even though I want to use Passive).
This is what I get when connecting with different methods:

-When I try to connect from my LAN (connecting to the servers private address) with Active mode:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PORT 192,168,0,100,197,77
Svar: 200 PORT command successful. Consider using PASV.
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs (means Time limit exceeded)
Fel: Misslyckades med att hämta kataloglistning (means directory listing failed)

-When I try to connect from my LAN (connecting to the servers private address) with Passive mode:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,XXX,XXX,197,75)
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs
Fel: Misslyckades med att hämta kataloglistning

-When I try to connect from the outside (connecting to my domain-name) with Active mode (WORKS):
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PORT 194,47,XXX,XXX,198,218
Svar: 200 PORT command successful. Consider using PASV.
Kommando: LIST
Svar: 150 Here comes the directory listing.
Svar: 226 Directory send OK.
Status: Kataloglistningen lyckades (means directory listing succeeded)

-When I try to connect from the outside (connecting to my domain-name) with Passive mode:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,XXX,XXX,197,74)
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs
Fel: Misslyckades med att hämta kataloglistning


My vsftpd.conf:
log_ftp_protocol=YES
chroot_local_user=YES
banner_file=/etc/vsftpd/issue
max_clients=10
passwd_chroot_enable=YES
local_root=/home/vsftpd/
secure_chroot_dir=/home/vsftpd/

pasv_enable=YES
pasv_address=85.226.XXX.XXX
pasv_min_port=50505
pasv_max_port=50510

# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order
# to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem


My /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
My /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50505 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50506 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50507 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50508 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50509 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50510 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40 -j ACCEPT
# -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

My routers port forwarding:
http://data.fuskbugg.se/dipdip/ports.PNG
(at "Rorschach FTP2" I've also tried 192.168.0.200)

Anyone got a clue whats wrong?
I have a friend running the same thing and his work. The only thing different between him and me is basically the router
 
Old 12-11-2010, 08:44 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
Active FTP uses two TCP ports: 20 (data) and 21 (control). Your firewall rule set only shows port 21?
 
Old 12-12-2010, 04:41 AM   #3
ScorchPipe
Member
 
Registered: Sep 2010
Posts: 38

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Active FTP uses two TCP ports: 20 (data) and 21 (control). Your firewall rule set only shows port 21?
yeah.... The thing is that it worked without SSL with only 21.
I followed a guide then.

I added a rule for 20 now but there was no difference
 
Old 12-12-2010, 06:11 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
In addition FTPS needs port TCP/990 (or that's what 'getent services ftps' says)?

[EDIT]
(Not that that'll likely be all. My 'lftp' doesn't understand ftps:// and 'filezilla' seems unable to negotiate TLS:
Code:
FTP response: Client "1.2.3.4", "220 (vsFTPd 2.0.5)"
FTP command: Client "1.2.3.4", "????X???Y??Z???????X?Y???Z??????X??YZX?Y???Z?X?Y?Z?????X?Y?Z?????X?Y?Z?X???"
FTP response: Client "1.2.3.4", "530 Please login with USER and PASS."
but 'nc' can at least connect to port TCP/990 and display a pre-auth banner to show it works in theory ;-p)
[/EDIT]

Last edited by unSpawn; 12-12-2010 at 06:16 AM. Reason: //More *is* more. Well, maybe not in this case...
 
Old 12-13-2010, 11:36 AM   #5
ScorchPipe
Member
 
Registered: Sep 2010
Posts: 38

Original Poster
Rep: Reputation: 0
I tried opening 990 to but there was no difference

Here are my iptables now:

[root@Rorschach ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50506
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50507
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50508
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50509
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50510
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


The thing is that I use FTPES which seems to connect on port 21.... not FTPS that connect on 990
 
Old 12-14-2010, 09:00 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
OK. Lets head back to "start". I'd suggest you
- use a FTP client I know will work with FTP, FTPS and FTPES but more importantly can display useful debug information: 'lftp'. How you run it in debug mode is explained in a recent thread about FTP debugging here: http://www.linuxquestions.org/questi...-hangs-847009/,
- make Vsftpd log verbosely by adding these lines to your vsftpd.conf before restarting it:
Code:
syslog_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
pasv_min_port=1025
pasv_max_port=65535
- add "-j LOG" rules to your firewall rule set to see what traffic hits what port and from where (your rules are unenforceable anyway since your INPUT chain has a policy of ACCEPT anyway), log "--state RELATED", log "--state NEW" to TCP/21 and TCP/20 and log "-m multiport --dports 1025:65535" (note these only get used when the client requests PASV mode, else any other ephemeral port is game), and finally
- loosen up the port restrictions in your server 'sysctl -w net.ipv4.ip_local_port_range = 1025 65535' and replace 50505-50510 in the router with 20,21,1025-65535 (you added 20,21 to 192.168.0.200's UDP section) for the duration of the test.

Now if you 'tail -f /var/log/xferlog /var/log/vsftpd.log /var/log/secure /var/log/messages' in one window (use 'screen'?) and run 'lftp -d -p 21 -u username [LAN|WAN]hostname' in another you should get a better view of what's happening wrt FTP behaviour.
 
  


Reply

Tags
filezilla, list, ssl, vsftpd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
vsftpd SSL problem (522 SSL connection failed) stringZ Linux - Server 8 05-05-2009 02:27 PM
vsftpd and SSL problems jordib Linux - Server 0 07-20-2008 06:21 PM
problems when running vsFTPd with TLS/SSL knudsen83 Linux - Server 2 01-08-2008 03:10 PM
vsftpd and FileZilla help tvanhens Linux - Server 0 06-17-2007 10:46 PM
FileZilla Server and SSL BlackHatRob Linux - Software 0 05-29-2005 02:04 AM


All times are GMT -5. The time now is 09:15 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration