LinuxQuestions.org
Old 10-18-2005, 08:20 PM   #1
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Rep: Reputation: 15
VSFTPD Local Test


Hi there!!!

I'm having some problems with vsftpd... I've read and done everything on the www.vsftpdrocks.org site (RPM install) but when I run the local test (first test) this message appears on the console:

500 OOPS: could not listen IPv4 socket

Could anybody help?

Thanks a lot!!!
 
Old 10-19-2005, 08:49 PM   #2
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Ok... After typing /usr/sbin/vsftpd &, I try to connect locally to vsftpd by typing: ftp localhost and I get this response...
ftp: connect: connection timed out.

Can somebody help me out here?
 
Old 10-19-2005, 08:54 PM   #3
deepclutch
Member
 
Registered: Nov 2004
Location: Kerala, India
Distribution: Debian Bookworm
Posts: 773
Blog Entries: 1

Rep: Reputation: 34
Post

try to flush iptables by iptables -F and try again ftping
 
Old 10-21-2005, 10:30 AM   #4
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Here ya go...
I've been able to connect locally with my ftp server. It had something to do with the loopback interface... After adding this line, the local connection can be established.
Code:
/sbin/iptables -A INPUT -i lo -j ACCEPT
But the thing now is with the Firewall... When I try any remote connections within my LAN or WAN, I get a "connection refused" response. My input policy is DROP. But I've added this line to allow incoming connection through port 21...

Code:
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Shouldn't it be working???

Just for some more information. I used that same line for opening port 80 (/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT) and when I use Symantec's port scanner (on the Symantec site), it shows port 80 as open... The same line with port 21 shows closed. While all the others are stealth... Isn't that weird???

I'm running vsftpd through xinetd by the way...
 
Old 10-21-2005, 10:38 AM   #5
gsgleason
Member
 
Registered: Oct 2004
Posts: 69

Rep: Reputation: 15
if you're running it through xinetd, I don't think you should be using the command /usr/sbin/vsftpd & to start it.

xinetd should be configured to start it, and the vsftpd.conf file should NOT contain listen = yes (default is listen = no)
 
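Posts #4 and #5 hinge on whether vsftpd is started standalone or by xinetd. The check below is an added example, not code from the thread or from the vsftpd project; it assumes the xinetd service entry is passed in as a file path and that `listen` defaults to NO, as post #5 says.

```shell
#!/bin/sh
# Added example (not from the thread): detect the start-up mix-up from posts
# #4-#6. vsftpd runs either standalone (listen=YES in vsftpd.conf, started as
# a daemon) or from xinetd (listen=NO plus an enabled xinetd service entry).
# Both at once fight over port 21; neither means nothing answers on port 21.

# conf_value FILE KEY: value of KEY in vsftpd.conf, ignoring commented lines
conf_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# xinetd_enabled XINETD_SERVICE_FILE: succeeds if the entry exists and is on
xinetd_enabled() {
    [ -r "$1" ] || return 1
    # "disable = yes" inside the service block turns the entry off
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# startup_mode VSFTPD_CONF XINETD_FILE -> standalone | xinetd | conflict | none
startup_mode() {
    listen=$(conf_value "$1" listen); listen=${listen:-NO}
    if xinetd_enabled "$2"; then x=yes; else x=no; fi
    case "$listen/$x" in
        YES/no)  echo standalone ;;
        NO/yes)  echo xinetd ;;
        YES/yes) echo conflict ;;
        *)       echo none ;;
    esac
}

# Constructed sample files mirroring the thread: vsftpd.conf with listen
# commented out, plus an enabled xinetd entry for the ftp service.
tmp=$(mktemp -d)
printf '#enable for standalone mode\n#listen=YES\ntcp_wrappers=YES\n' > "$tmp/vsftpd.conf"
cat > "$tmp/xinetd-vsftpd" <<'EOF'
service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
    disable     = no
}
EOF
startup_mode "$tmp/vsftpd.conf" "$tmp/xinetd-vsftpd"   # prints xinetd
rm -r "$tmp"
```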
Old 10-21-2005, 06:01 PM   #6
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Yep... The problem was with xinetd.
Yesterday, instead of creating a file named vsftpd inside /etc/xinetd.d, I edited the xinetd.conf file and put everything I wanted regarding the ftp service there. Then everything worked fine.

But now I have another concern about FTP in general. I don't know if I should create a new thread or leave it inside this one. Anyway, here it is...

I created a folder inside my ftp folder... A folder called palula. Then I created a user with that same name. I changed the owner of the folder to that user and gave that user permission to write, read and execute, and no permission to others... After that I went to the vsftpd.conf and suppressed permission for anonymous login to the ftp. After that I restarted xinetd and tried to log on again.

A pop-up window appeared telling me that this server did not permit anonymous logins etc... Which was supposed to happen. But when I typed palula and that user's password within the prompt, the pop-up kept appearing on and on, and I couldn't access the server with write permissions to the folder (which is what I wanted in the first place).

Can anybody help me out?
 
Old 10-21-2005, 08:58 PM   #7
gsgleason
Member
 
Registered: Oct 2004
Posts: 69

Rep: Reputation: 15
let's see your vsftpd.conf

for local users, like palula, you need to have the user exist in the passwd file with a valid shell according to /etc/shells (if the user shouldn't be able to log into the linux box to get a command prompt, use /bin/false and put that in /etc/shells)

also, the option 'local enable' needs to be set to yes (default is no) for local users. If enabled, normal user accounts in /etc/passwd may be used to log in. I restrict who may use ftp by using the userlist_deny and userlist_enable options.
 
Old 10-22-2005, 05:59 PM   #8
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Ok the login problem was solved. The problem was happening because of the local enable command line (it was commented).

Very nice, but now I'm facing a security problem. Users logging in to my ftp can go typing cd.. until they reach the "/" folder. And the upmost folder I would like for them to reach is the ftp folder.

This is the structure of the folders:
/root/var/ftp/"user_folders"

So the upmost should be "ftp"; they shouldn't reach any folder above ftp (like var or /). How can I do that?

Is there any other security I can implement to improve the security within logged-in users, like for example restricting their bash? If yes, how can I do that?

Thanks a lot.

Last edited by Palula; 10-22-2005 at 06:01 PM.
 
Old 10-22-2005, 09:21 PM   #9
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
I've looked into it, and I found out that the user is accessing his home folder.
I just want the user to access the /var/ftp/ and to not be able to go up any level.

Another thing, I created the vsftpd.chroot_list and added the user to that list. So he wasn't able to access the home directory. Ok that's cool but the user is in "/". And when I type ls no file appears...

Again, I would like for the user to only access the /var/ftp and all downward folders (in this case, the ones he has access to) but not upwards. I don't want any user accessing anything over /var/ftp, this includes even the /var folder.

Thanks a lot guys.
 
Old 10-23-2005, 01:46 PM   #10
gsgleason
Member
 
Registered: Oct 2004
Posts: 69

Rep: Reputation: 15
chroot means that /var/ftp will be the user's room when they log in, meaning it looks like they're in the root of the filesystem, /, but they're not. They're really in /var/ftp
 
Old 10-24-2005, 06:41 AM   #11
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Ok! So it means the user logged in is in the /var/ftp directory and he/she can't go to an upper level, right. That's exactly what I wanted. But why can't the user see my folders beyond /var/ftp, like for example one I've created "/var/ftp/statistics" or one the vsftpd creates by default "/var/ftp/pub"?

If the user lists anything, no folder appears. And I want it to show those folders...

The permissions of folder pub are: rwxr-xr-x --- Everybody should be able to access.
And the permissions of folder pub are: rwxr-xr-x --- It's open for everybody to see its contents too?

Why don't they appear?

Thanks a lot. :-)
 
Old 10-24-2005, 07:21 AM   #12
gsgleason
Member
 
Registered: Oct 2004
Posts: 69

Rep: Reputation: 15
post your vsftpd.conf
 
Old 10-24-2005, 07:40 AM   #13
gsgleason
Member
 
Registered: Oct 2004
Posts: 69

Rep: Reputation: 15
what is the particular user's home directory? that's in the passwd file if you don't know.
 
Old 10-24-2005, 08:06 PM   #14
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Here goes the vsftpd.conf
Code:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
#listen=YES
tcp_wrappers=YES
Help me out... I understand the banner still shows the default config. But I intend to do that as the last thing; when the server is running sharp I'll make a nice banner. :-)

Thanks in advance.
 
Old 10-24-2005, 08:09 PM   #15
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedore Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
About the home directory...

When I create any user, their default directory is /home/"user"
Hope this helps. :-)
 
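Posts #9 through #15 turn on how chroot_list_enable interacts with the user's home directory. The script below is an added example, not from the thread or the vsftpd project; it applies the vsftpd.conf(5) rules for chroot_local_user, chroot_list_enable, chroot_list_file and local_root to constructed copies of the thread's settings, and shows that a listed user whose home is /home/palula is jailed in that (empty) directory, which is why `ls` shows nothing, while local_root=/var/ftp would move the jail to /var/ftp.

```shell
#!/bin/sh
# Added example (not from the thread): predict where vsftpd will put a local
# user after login, from the chroot_* options in vsftpd.conf and the user's
# home directory. The rules follow vsftpd.conf(5):
#   chroot_local_user=YES -> every local user is jailed; chroot_list_file
#                            then lists the users NOT to jail
#   chroot_local_user=NO  -> nobody is jailed unless chroot_list_enable=YES,
#                            and then chroot_list_file lists the users TO jail
#   local_root=DIR        -> login directory (and thus the jail) instead of $HOME

# conf_value FILE KEY: value of KEY, ignoring commented-out lines (last wins)
conf_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# predict_login CONF PASSWD_FILE USER -> "chroot:DIR" or "nochroot:DIR"
predict_login() {
    home=$(awk -F: -v u="$3" '$1 == u { print $6 }' "$2")
    [ -n "$home" ] || { echo nouser; return 1; }
    dir=$(conf_value "$1" local_root); dir=${dir:-$home}
    clu=$(conf_value "$1" chroot_local_user); clu=${clu:-NO}
    cle=$(conf_value "$1" chroot_list_enable); cle=${cle:-NO}
    clf=$(conf_value "$1" chroot_list_file); clf=${clf:-/etc/vsftpd.chroot_list}
    listed=no
    if [ "$cle" = YES ] && [ -r "$clf" ] && grep -qx "$3" "$clf"; then
        listed=yes
    fi
    # the list is an exception list when chroot_local_user=YES, a jail list otherwise
    if [ "$clu" = YES ]; then
        [ "$listed" = yes ] && jailed=no || jailed=yes
    else
        jailed=$listed
    fi
    [ "$jailed" = yes ] && echo "chroot:$dir" || echo "nochroot:$dir"
}

# make_sample DIR: constructed files mirroring the thread (chroot_list_enable=YES,
# palula in the list, home /home/palula, no local_root)
make_sample() {
    printf 'palula:x:1001:1001::/home/palula:/bin/false\n' > "$1/passwd"
    printf 'palula\n' > "$1/chroot_list"
    printf 'local_enable=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
        "$1/chroot_list" > "$1/vsftpd.conf"
}

tmp=$(mktemp -d); make_sample "$tmp"
predict_login "$tmp/vsftpd.conf" "$tmp/passwd" palula   # chroot:/home/palula (empty home, so ls shows nothing)
# With local_root the jail moves to /var/ftp, which is what post #9 asks for
echo 'local_root=/var/ftp' >> "$tmp/vsftpd.conf"
predict_login "$tmp/vsftpd.conf" "$tmp/passwd" palula   # chroot:/var/ftp
rm -r "$tmp"
```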