LinuxQuestions.org


Palula 10-18-2005 08:20 PM

VSFTPD Local Test
 
Hi there!!!

I'm having some problems with vsftpd... I've read and done everything on the www.vsftpdrocks.org site (RPM install), but when I run the local test (first test) this message appears on the console:

500 OOPS: could not listen IPv4 socket

Could anybody help?

Thanks a lot!!!

Palula 10-19-2005 08:49 PM

Ok... After typing /usr/sbin/vsftpd &, I try to connect locally to vsftpd by typing: ftp localhost and I get this response...
ftp: connect: connection timed out.

Can somebody help me out here?

deepclutch 10-19-2005 08:54 PM

Try flushing iptables with iptables -F and try ftping again.

Palula 10-21-2005 10:30 AM

Here ya go...
I've been able to connect locally with my ftp server. It had something to do with the loopback interface... After adding this line, the local connection can be established.
Code:

/sbin/iptables -A INPUT -i lo -j ACCEPT

But the thing now is with the firewall... When I try any remote connections within my LAN or WAN, I get a "connection refused" response. My input policy is DROP, but I've added this line to allow incoming connections through port 21...

Code:

/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Shouldn't it be working???

Just for some more information: I used that same line for opening port 80 (/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT) and when I use Symantec's port scanner (on the Symantec site), it shows port 80 as open... The same line with port 21 shows closed, while all the others are stealth... Isn't that weird???

I'm running vsftpd through xinetd, by the way...

gsgleason 10-21-2005 10:38 AM

if you're running it through xinetd, I don't think you should be using the command /usr/sbin/vsftpd & to start it.

xinetd should be configured to start it, and the vsftpd.conf file should NOT contain listen = yes (default is listen = no)

Palula 10-21-2005 06:01 PM

Yep... The problem was with xinetd.
Yesterday, instead of creating a file named vsftpd inside /etc/xinetd.d, I edited the xinetd.conf file and put everything I wanted regarding the ftp service there. Then everything worked fine.

But now I have another concern about FTP in general. I don't know if I should create a new thread or leave it inside this one. Anyway, here it is...

I created a folder inside my ftp folder... A folder called palula. Then I created a user with that same name. I changed the owner of the folder to that user and gave that user permission to write, read and execute, and no permission to others... After that I went to the vsftpd.conf and suppressed permission for anonymous login to the ftp. After that I restarted xinetd and tried to log on again.

A pop-up window appeared telling me that this server did not permit anonymous logins etc... Which was supposed to happen. But when I typed palula and that user's password in the prompt, the pop-up kept appearing on and on, and I couldn't access the server with write permissions to the folder (which is what I wanted in the first place).

Can anybody help me out?

gsgleason 10-21-2005 08:58 PM

Let's see your vsftpd.conf.

For local users, like palula, you need to have the user exist in the passwd file with a valid shell according to /etc/shells (if the user shouldn't be able to log into the linux box to get a command prompt, use /bin/false and put that in /etc/shells).

also, the option 'local enable' needs to be set to yes (default is no) for local users. If enabled, normal user accounts in /etc/passwd may be used to log in. I restrict who may use ftp by using the userlist_deny and userlist_enable options.

Palula 10-22-2005 05:59 PM

Ok, the login problem was solved. The problem was happening because of the local enable command line (it was commented).

Very nice, but now I'm facing a security problem. Users logging in to my ftp can keep typing cd .. until they reach the "/" folder. And the upmost folder I would like them to reach is the ftp folder.

This is the structure of the folders:
/root/var/ftp/"user_folders"

So the upmost should be "ftp"; they shouldn't reach any folder above ftp (like var or /). How can I do that?

Is there any other security I can implement to improve the security for logged-in users, like for example restricting their bash? If yes, how can I do that?

Thanks a lot.

Palula 10-22-2005 09:21 PM

I've looked into it, and I found out that the user is accessing his home folder.
I just want the user to access /var/ftp/ and not be able to go up any level.

Another thing: I created the vsftpd.chroot_list and added the user to that list. So he wasn't able to access the home directory. Ok, that's cool, but the user is in "/". And when I type ls no file appears...

Again, I would like the user to only access /var/ftp and all folders below it (in this case, the ones he has access to) but nothing above. I don't want any user accessing anything above /var/ftp; this includes even the /var folder.

Thanks a lot guys.

gsgleason 10-23-2005 01:46 PM

chroot means that /var/ftp will be the user's room when they log in, meaning it looks like they're in the root of the filesystem, /, but they're not. They're really in /var/ftp.

Palula 10-24-2005 06:41 AM

Ok! So it means the logged-in user is in the /var/ftp directory and he/she can't go to an upper level, right? That's exactly what I wanted. But why can't the user see my folders below /var/ftp, like for example one I've created, "/var/ftp/statistics", or one vsftpd creates by default, "/var/ftp/pub"?

If the user lists anything, no folder appears. And I want it to show those folders...

The permissions of folder pub are: rwxr-xr-x --- Everybody should be able to access it.
And the permissions of folder pub are: rwxr-xr-x --- It's open for everybody to see its contents too?

Why don't they appear?

Thanks a lot. :-)

gsgleason 10-24-2005 07:21 AM

post your vsftpd.conf

gsgleason 10-24-2005 07:40 AM

what is the particular user's home directory? that's in the passwd file if you don't know.

Palula 10-24-2005 08:06 PM

Here goes the vsftpd.conf
Code:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
#listen=YES
tcp_wrappers=YES

Help me out... I understand the banner still shows the default config, but I intend to do that as the last thing; when the server is running sharp I'll make a nice banner. :-)

Thanks in advance.

Palula 10-24-2005 08:09 PM

About the home directory...

When I create any user, their default directory is /home/"user"
Hope this helps. :-)
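An added example, not from the thread: a small shell script that reads the options discussed above (chroot_local_user, chroot_list_enable, chroot_list_file, local_root) from a vsftpd.conf plus the user's passwd entry and prints whether that user is chrooted and which directory they land in. It assumes vsftpd's documented rule that the list names the chrooted users when chroot_local_user=NO and the exempted users when it is YES, and that a set local_root replaces the passwd home directory as the landing (and chroot) directory; the config, list and passwd line are constructed samples mirroring this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Works out where vsftpd will put a local
# user after login from the options discussed above. Assumed vsftpd semantics:
# with chroot_local_user=NO the chroot_list_file names the users that ARE
# chrooted; with YES it names the exceptions; a set local_root replaces the
# passwd home directory as the landing (and chroot) directory.

conf_get() {            # conf_get <file> <key> <default>; last "key=value" wins
    v=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# vsftpd_landing_dir <conf> <passwd_line> -> "chrooted|not-chrooted <dir>"
vsftpd_landing_dir() {
    conf=$1
    user=$(printf '%s' "$2" | cut -d: -f1)
    home=$(printf '%s' "$2" | cut -d: -f6)
    all=$(conf_get "$conf" chroot_local_user NO)
    use_list=$(conf_get "$conf" chroot_list_enable NO)
    list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    local_root=$(conf_get "$conf" local_root "")
    in_list=no
    if [ "$use_list" = YES ] && [ -f "$list" ] && grep -qx "$user" "$list"; then
        in_list=yes
    fi
    if [ "$all" = YES ]; then
        if [ "$in_list" = yes ]; then state=not-chrooted; else state=chrooted; fi
    else
        if [ "$in_list" = yes ]; then state=chrooted; else state=not-chrooted; fi
    fi
    printf '%s %s\n' "$state" "${local_root:-$home}"
}

# Constructed sample mirroring the thread: list enabled, palula listed, home
# directory /home/palula, so the jail is an empty home directory, not /var/ftp.
SAMPLE=$(mktemp -d)
printf 'local_enable=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$SAMPLE/chroot_list" > "$SAMPLE/vsftpd.conf"
printf 'palula\n' > "$SAMPLE/chroot_list"
PALULA='palula:x:1001:1001::/home/palula:/bin/false'
vsftpd_landing_dir "$SAMPLE/vsftpd.conf" "$PALULA"   # chrooted /home/palula

# Pointing local_root at the ftp tree gives the landing directory the thread wants.
printf 'local_root=/var/ftp\n' >> "$SAMPLE/vsftpd.conf"
vsftpd_landing_dir "$SAMPLE/vsftpd.conf" "$PALULA"   # chrooted /var/ftp
```

Running it against the real /etc/vsftpd/vsftpd.conf and a line from getent passwd shows at a glance why an empty listing appears: the jail is the user's empty home, not /var/ftp.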
