LinuxQuestions.org
Old 01-11-2010, 04:38 PM   #1
AdamDaughterson
LQ Newbie
 
Registered: Jul 2009
Posts: 8

Rep: Reputation: 0
VSFTPD PASV suddenly stops working


Hello. My organization has been using PASV FTP via VSFTPD for some time now. We have defined the port range between 30000 and 33333 and as I mentioned, it has worked up to 20100108 (last Friday).
It appears that VSFTPD is not negotiating the defined PASV port range, which we can see with both netstat and tcpdump.
Has anyone here run into this before? Are there any VSFTPD hackers out there who know what mechanism VSFTPD is using to re-allocate the ports? I would think that it would release the port, and flag it as unused, or something...
Thanks in advance,
A
 
Old 01-11-2010, 05:49 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Let's start with the traditional question - what's changed?

- check the modified date on your vsftpd.conf
- when was the vsftpd process started?
- has vsftpd been updated? .. when?
- have there been any firewall changes/updates?
- are the failing connections from a single source or multiple?

cheers
 
Old 01-11-2010, 07:07 PM   #3
AdamDaughterson
LQ Newbie
 
Registered: Jul 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Sorry, I could have probably avoided the obvious questions with:
Nothing was changed in vsftpd
No firewall changes
No network changes
I've modified vsftpd.conf quite a few times today (adjusting min_pasv_port and max_pasv_port)
All ACTIVE connections work, only PASV fails
We can see via every tool available, that vsftpd is not using the defined PASV port range, but is choosing incrementally higher port numbers for each connection. This appears to be why it has worked up until last Friday; we hit port # 333334 (our max_pasv_port is set to 33333).
Our firewall has 30000-33333 open for this particular reason.

Thanks
A
 
Old 01-11-2010, 07:33 PM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Aren't they supposed to be

Code:
pasv_min_port
pasv_max_port
not

Code:
min_pasv_port
max_pasv_port
?
 
Old 01-12-2010, 10:00 AM   #5
AdamDaughterson
LQ Newbie
 
Registered: Jul 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Uh, yea, my typo (in the post, not the config).
As it turns out, it never should have been working in the first place. We worked on it till the wee hours of the night, and the solution turned out to be as strange as it having been working in the first place.
The history (just in case another sad SA has to tackle this thing at some point):
This configuration at the onset worked perfectly:
(sans things I don't want to share...)
pasv_enable=yes
pasv_min_port=30000
pasv_max_port=33333
pasv_address=external.ftp.server.ip
port_enable=YES
use_localtime=YES
anonymous_enable=NO
local_enable=YES
user_sub_token=$USER
local_root=/home/ftpHomes/$USER
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=ftpuser
listen=YES
listen_port=21
pam_service_name=vsftpd
hide_ids=YES
log_ftp_protocol=YES
xferlog_enable=YES
local_umask=0022
anon_umask=0022
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
use_sendfile=NO
connect_from_port_20=YES
listen=yes


Very soon after successfully testing this configuration, we began sending traffic to this working config and then suddenly one day, PASV suddenly stopped working. As we had no control over the network any longer (our small company was acquired by a large corporation), certain changes and restrictions were made to the firewall, which made it necessary to add the PASV ranges, and strangely enough, remove the pasv_address= declaration. This should not have worked, but it did for some reason. Like I said, there are definitely things outside my control which appear to change, though the network guys will always claim that no changes had been made.
At any rate, we removed the load-balancer from the equation to eliminate the possibility of it mangling the packets and whatnot, but this didn't prove to do any good, so I set the config back to the original, and what do you know; it works again.

So that is my saga of how VSFTP+Corporate Networks == Shiat-That-Makes-Me-Pull-All-Nighters.

Ciao

Last edited by AdamDaughterson; 01-12-2010 at 10:01 AM. Reason: Forum doesn't utilize inline html
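
Added example, not part of the thread or of vsftpd: a small Python check for the symptom discussed above, comparing the address and data port in a server's 227 PASV reply with the pasv_min_port, pasv_max_port and pasv_address values in vsftpd.conf. The function names, the sample address 203.0.113.10 and the sample replies are constructed for illustration, and treating an unset range as 1024-65535 is an assumption.

```python
import re

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_conf(text):
    """Parse vsftpd.conf text (option=value lines, '#' comments) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def parse_227(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (ip, port); port = p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]

def check_pasv(conf, reply):
    """Compare one 227 reply with the PASV options; return a list of findings."""
    findings = []
    # Transposed names raised in post #4; the real options are pasv_*_port.
    for wrong, right in (("min_pasv_port", "pasv_min_port"),
                         ("max_pasv_port", "pasv_max_port")):
        if wrong in conf:
            findings.append("%s is not an option; use %s" % (wrong, right))
    # 0 is the default for both options ("any port"); 1024-65535 is assumed then.
    lo = int(conf.get("pasv_min_port", 0)) or 1024
    hi = int(conf.get("pasv_max_port", 0)) or 65535
    ip, port = parse_227(reply)
    if not lo <= port <= hi:
        findings.append("data port %d outside %d-%d" % (port, lo, hi))
    want = conf.get("pasv_address")
    if want and ip != want:
        findings.append("227 advertises %s, pasv_address is %s" % (ip, want))
    return findings

# Constructed sample: the thread's port range with a documentation-range address.
SAMPLE_CONF = ("pasv_enable=YES\npasv_min_port=30000\n"
               "pasv_max_port=33333\npasv_address=203.0.113.10\n")

if __name__ == "__main__":
    for r in ("227 Entering Passive Mode (203,0,113,10,117,48)",
              "227 Entering Passive Mode (10,0,0,5,130,54)"):
        print(r, "->", check_pasv(parse_conf(SAMPLE_CONF), r) or "ok")
```

A 227 line copied from a client's verbose output is enough input; a finding on either the port or the address means the firewall rule for 30000-33333 and the server's advertised endpoint no longer agree.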
 
  


All times are GMT -5. The time now is 02:40 PM.
