Problems with vsftpd, SSL and FileZilla

ScorchPipe · 12-09-2010, 02:36 PM

Hi there...

Sorry for a long post....

I've set up an FTP-server running vsftpd on CentOS 5.5 and I want to use FileZilla to connect to it. Everything went just fine without SSL. But when I implemtented SSL it stopped working properly. However, the login works and I get the cert. It just won't list...

Computer IP: 192.168.0.100
Server IP: 192.168.0.200

Now I can only connect from outside my router using Active Mode (even though I want to use Passive).
This is what I get when connecting with different methods:

-When I try to connect from my LAN (connecting to the servers private address) with Active mode:

Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PORT 192,168,0,100,197,77
Svar: 200 PORT command successful. Consider using PASV.
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs (means Time limit exceeded)
Fel: Misslyckades med att hämta kataloglistning (means directory listing failed)

-When I try to connect from my LAN (connecting to the servers private address) with Passive mode:

Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,XXX,XXX,197,75)
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs
Fel: Misslyckades med att hämta kataloglistning

-When I try to connect from the outside (connecting to my domain-name) with Active mode (WORKS):

Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PORT 194,47,XXX,XXX,198,218
Svar: 200 PORT command successful. Consider using PASV.
Kommando: LIST
Svar: 150 Here comes the directory listing.
Svar: 226 Directory send OK.
Status: Kataloglistningen lyckades (means directory listing succeeded)

-When I try to connect from the outside (connecting to my domain-name) with Passive mode:

Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,XXX,XXX,197,74)
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs
Fel: Misslyckades med att hämta kataloglistning

My vsftpd.conf:

log_ftp_protocol=YES
chroot_local_user=YES
banner_file=/etc/vsftpd/issue
max_clients=10
passwd_chroot_enable=YES
local_root=/home/vsftpd/
secure_chroot_dir=/home/vsftpd/

pasv_enable=YES
pasv_address=85.226.XXX.XXX
pasv_min_port=50505
pasv_max_port=50510

# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order
# to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem

My /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

My /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50505 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50506 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50507 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50508 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50509 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50510 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40 -j ACCEPT
# -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

My routers port forwarding:

http://data.fuskbugg.se/dipdip/ports.PNG
(at "Rorschach FTP2" I've also tried 192.168.0.200)

Anyone got a clue whats wrong?
I have a friend running the same thing and his work. The only thing different between him and me is basically the router

unSpawn · 12-11-2010, 08:44 PM

Active FTP uses two TCP ports: 20 (data) and 21 (control). Your firewall rule set only shows port 21?

ScorchPipe · 12-12-2010, 04:41 AM

Quote:

Originally Posted by unSpawn

Active FTP uses two TCP ports: 20 (data) and 21 (control). Your firewall rule set only shows port 21?

yeah.... The thing is that it worked without SSL with only 21.
I followed a guide then.

I added a rule for 20 now but there was no difference

unSpawn · 12-12-2010, 06:11 AM

In addition FTPS needs port TCP/990 (or that's what 'getent services ftps' says)?

[EDIT]
(Not that that'll likely be all. My 'lftp' doesn't understand ftps:// and 'filezilla' seems unable to negotiate TLS:

Code:

FTP response: Client "1.2.3.4", "220 (vsFTPd 2.0.5)"
FTP command: Client "1.2.3.4", "????X???Y??Z???????X?Y???Z??????X??YZX?Y???Z?X?Y?Z?????X?Y?Z?????X?Y?Z?X???"
FTP response: Client "1.2.3.4", "530 Please login with USER and PASS."

but 'nc' can at least connect to port TCP/990 and display a pre-auth banner to show it works in theory ;-p)
[/EDIT]

ScorchPipe · 12-13-2010, 11:36 AM

I tried opening 990 to but there was no difference

Here are my iptables now:

[root@Rorschach ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50506
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50507
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50508
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50509
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50510
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

The thing is that I use FTPES which seems to connect on port 21.... not FTPS that connect on 990

unSpawn · 12-14-2010, 09:00 AM

OK. Lets head back to "start". I'd suggest you
- use a FTP client I know will work with FTP, FTPS and FTPES but more importantly can display useful debug information: 'lftp'. How you run it in debug mode is explained in a recent thread about FTP debugging here: http://www.linuxquestions.org/questi...-hangs-847009/,
- make Vsftpd log verbosely by adding these lines to your vsftpd.conf before restarting it:

Code:

syslog_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
pasv_min_port=1025
pasv_max_port=65535

- add "-j LOG" rules to your firewall rule set to see what traffic hits what port and from where (your rules are unenforceable anyway since your INPUT chain has a policy of ACCEPT anyway), log "--state RELATED", log "--state NEW" to TCP/21 and TCP/20 and log "-m multiport --dports 1025:65535" (note these only get used when the client requests PASV mode, else any other ephemeral port is game), and finally
- loosen up the port restrictions in your server 'sysctl -w net.ipv4.ip_local_port_range = 1025 65535' and replace 50505-50510 in the router with 20,21,1025-65535 (you added 20,21 to 192.168.0.200's UDP section) for the duration of the test.

Now if you 'tail -f /var/log/xferlog /var/log/vsftpd.log /var/log/secure /var/log/messages' in one window (use 'screen'?) and run 'lftp -d -p 21 -u username [LAN|WAN]hostname' in another you should get a better view of what's happening wrt FTP behaviour.