vsftpd: can connect remotely but not locally

jsmith6 · 01-31-2011, 05:58 PM

I'm running vsftpd-2.2.2 on Slackware 13.1 and I'm behind a NAT with a dynamic IP. I'm using pasv_address, which makes it necessary to have a crontab that checks whether my IP has changed, and if it has, edits the conf and restarts vsfptd. It's hackish but it works. I have also enabled FTPES on the same port that normal FTP runs.

I have allowed only the 5001:5003 ports and I am aware that the recommented is 50 ports. However I never had an issue with the transfers since I'm the only user and have at maximum two simultaneous transfers.

I can connect remotely with FTP and FTPES with every client I tried but I'm having issues locally. FileZilla refuses to connect on FTP and FTPES. WinSCP can connect on FTP but not FTPES.

Issues are gone if I enable pasv_promiscuous, which the manpage strongly recommends not to use unless "you know what you're doing". I don't.

Why is this happening? And, can I fix the local connections without resorting to pasv_promiscuous?

Here is my config and log files from a failed local attempt.

vsftpd.conf

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
check_shell=NO
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=SERVERNAME
ls_recurse_enable=YES
listen=YES
dual_log_enable=YES
log_ftp_protocol=YES
pasv_enable=YES
listen_port=2100
ftp_data_port=5000
pasv_min_port=5001
pasv_max_port=5003
connect_from_port_20=NO
pasv_address=77.49.54.233
ssl_enable=YES
rsa_cert_file=/etc/vsftpd2.pem
require_ssl_reuse=NO
implicit_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
pasv_promiscuous=NO

FileZilla

Code:

Status:	Connecting to 10.0.0.3:2100...
Status:	Connection established, waiting for welcome message...
Response:	220 SERVERNAME
Command:	USER user
Response:	331 Please specify the password.
Command:	PASS ********
Response:	230 Login successful.
Command:	SYST
Response:	215 UNIX Type: L8
Command:	FEAT
Response:	211-Features:
Response:	 AUTH SSL
Response:	 AUTH TLS
Response:	 EPRT
Response:	 EPSV
Response:	 MDTM
Response:	 PASV
Response:	 PBSZ
Response:	 PROT
Response:	 REST STREAM
Response:	 SIZE
Response:	 TVFS
Response:	 UTF8
Response:	211 End
Command:	OPTS UTF8 ON
Response:	200 Always in UTF8 mode.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	227 Entering Passive Mode (77,49,54,233,19,139).
Command:	LIST
Response:	425 Security: Bad IP connecting.
Error:	Failed to retrieve directory listing
Response:	500 OOPS: close
Response:	500 OOPS: priv_sock_get_cmd
Error:	Connection closed by server

vsftpd.log

Code:

Tue Feb  1 01:15:48 2011 [pid 7805] CONNECT: Client "10.0.0.2"
Tue Feb  1 01:15:48 2011 [pid 7805] FTP response: Client "10.0.0.2", "220 SERVERNAME"
Tue Feb  1 01:15:48 2011 [pid 7805] FTP command: Client "10.0.0.2", "USER user"
Tue Feb  1 01:15:48 2011 [pid 7805] [user] FTP response: Client "10.0.0.2", "331 Please specify the password."
Tue Feb  1 01:15:48 2011 [pid 7805] [user] FTP command: Client "10.0.0.2", "PASS <password>"
Tue Feb  1 01:15:49 2011 [pid 7804] [user] OK LOGIN: Client "10.0.0.2"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "230 Login successful."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "SYST"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "215 UNIX Type: L8"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "FEAT"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211-Features:"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH SSL??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH TLS??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPRT??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPSV??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " MDTM??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PASV??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PBSZ??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PROT??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " REST STREAM??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " SIZE??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " TVFS??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " UTF8??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211 End"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "OPTS UTF8 ON"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Always in UTF8 mode."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PWD"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "257 "/""
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "TYPE I"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Switching to Binary mode."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PASV"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "227 Entering Passive Mode (77,49,54,233,19,139)."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "LIST"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "425 Security: Bad IP connecting."

MCD555 · 02-01-2011, 05:21 AM

Quote:

Originally Posted by jsmith6

I'm running vsftpd-2.2.2 on Slackware 13.1 and I'm behind a NAT with a dynamic IP. I'm using pasv_address, which makes it necessary to have a crontab that checks whether my IP has changed, and if it has, edits the conf and restarts vsfptd. It's hackish but it works. I have also enabled FTPES on the same port that normal FTP runs.

I have allowed only the 5001:5003 ports and I am aware that the recommented is 50 ports. However I never had an issue with the transfers since I'm the only user and have at maximum two simultaneous transfers.

I can connect remotely with FTP and FTPES with every client I tried but I'm having issues locally. FileZilla refuses to connect on FTP and FTPES. WinSCP can connect on FTP but not FTPES.

Issues are gone if I enable pasv_promiscuous, which the manpage strongly recommends not to use unless "you know what you're doing". I don't.

Why is this happening? And, can I fix the local connections without resorting to pasv_promiscuous?

Here is my config and log files from a failed local attempt.

vsftpd.conf

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
check_shell=NO
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=SERVERNAME
ls_recurse_enable=YES
listen=YES
dual_log_enable=YES
log_ftp_protocol=YES
pasv_enable=YES
listen_port=2100
ftp_data_port=5000
pasv_min_port=5001
pasv_max_port=5003
connect_from_port_20=NO
pasv_address=77.49.54.233
ssl_enable=YES
rsa_cert_file=/etc/vsftpd2.pem
require_ssl_reuse=NO
implicit_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
pasv_promiscuous=NO

FileZilla

Code:

Status:	Connecting to 10.0.0.3:2100...
Status:	Connection established, waiting for welcome message...
Response:	220 SERVERNAME
Command:	USER user
Response:	331 Please specify the password.
Command:	PASS ********
Response:	230 Login successful.
Command:	SYST
Response:	215 UNIX Type: L8
Command:	FEAT
Response:	211-Features:
Response:	 AUTH SSL
Response:	 AUTH TLS
Response:	 EPRT
Response:	 EPSV
Response:	 MDTM
Response:	 PASV
Response:	 PBSZ
Response:	 PROT
Response:	 REST STREAM
Response:	 SIZE
Response:	 TVFS
Response:	 UTF8
Response:	211 End
Command:	OPTS UTF8 ON
Response:	200 Always in UTF8 mode.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	227 Entering Passive Mode (77,49,54,233,19,139).
Command:	LIST
Response:	425 Security: Bad IP connecting.
Error:	Failed to retrieve directory listing
Response:	500 OOPS: close
Response:	500 OOPS: priv_sock_get_cmd
Error:	Connection closed by server

vsftpd.log

Code:

Tue Feb  1 01:15:48 2011 [pid 7805] CONNECT: Client "10.0.0.2"
Tue Feb  1 01:15:48 2011 [pid 7805] FTP response: Client "10.0.0.2", "220 SERVERNAME"
Tue Feb  1 01:15:48 2011 [pid 7805] FTP command: Client "10.0.0.2", "USER user"
Tue Feb  1 01:15:48 2011 [pid 7805] [user] FTP response: Client "10.0.0.2", "331 Please specify the password."
Tue Feb  1 01:15:48 2011 [pid 7805] [user] FTP command: Client "10.0.0.2", "PASS <password>"
Tue Feb  1 01:15:49 2011 [pid 7804] [user] OK LOGIN: Client "10.0.0.2"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "230 Login successful."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "SYST"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "215 UNIX Type: L8"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "FEAT"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211-Features:"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH SSL??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH TLS??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPRT??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPSV??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " MDTM??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PASV??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PBSZ??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PROT??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " REST STREAM??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " SIZE??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " TVFS??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " UTF8??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211 End"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "OPTS UTF8 ON"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Always in UTF8 mode."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PWD"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "257 "/""
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "TYPE I"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Switching to Binary mode."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PASV"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "227 Entering Passive Mode (77,49,54,233,19,139)."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "LIST"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "425 Security: Bad IP connecting."

Hi,

using passive mode implies that the server return the IP and the Port to use for the data transfer.
This mean that when the client specify the command PASV the server return something like:

Code:

227 Entering Passive Mode (77,49,54,233,19,139).

this mean the it's in listening on the IP 77.49.54.233 on the port 19*256+139 (=5003): the client need to call this IP & Port to establish a data connection.
May this doesn't works locally because he should use the private IP and not the public one?

Have a try using the command EPSV instead of PASV....

Last but not least: the use of passive mode in FTP is a GOOD choice because it prevents (or try to

!) the sniffing on a well known data port...

jsmith6 · 02-04-2011, 09:53 AM

Quote:

Originally Posted by MCD555

Have a try using the command EPSV instead of PASV

I think vsftpd has EPSV enabled by default and you need to do some special stuff to disable it.

Here it is, after connecting to the server with lftp:

Code:

lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).

So I'm already using EPSV, right?

MCD555 · 02-08-2011, 04:31 PM

Quote:

Originally Posted by jsmith6

I think vsftpd has EPSV enabled by default and you need to do some special stuff to disable it.

Here it is, after connecting to the server with lftp:

Code:

lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).

So I'm already using EPSV, right?

Well, not really true...I mean EPSV is one of the default command available to the client, but if you want you can disable it (as the others, of course!) to limit your ftp user.
So to test if EPSV solve your local access to your ftp server just go on that way:

Code:

lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).
lftp user@host:/> ls

If you get the list of the files of your directory EPSV is your solution!

Hope this help!