Old 12-03-2004, 04:16 AM   #1
subspawn
LQ Newbie
 
Registered: Dec 2004
Location: Belgium, Antwerp
Distribution: Slackware, Debian
Posts: 5

Rep: Reputation: 0
Vsftpd + SSL + Passive = Listing problem


Hi,

We've got some kind of a rare problem I haven't seen on any other forums or mailing lists.

We've set up vsftpd on our new debian server, which resides behind a PIX firewall (we may not access the pix itself, only the server), so for transfers internally and externally to go perfectly we requested forwarding of some 50 data lines and port 21 and set those ports up passively:
# Passive + Port cmd's (allow FXP)
connect_from_port_20=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=2101
pasv_max_port=2149

This config works perfectly for everybody (anonymous & users) with listing, sending and receiving using our passive ports. Next thing we tried to enable SSL on vsftpd (we've got the latest ssl enabled build). Created a vsftpd.pem file, and started it up with the following settings:
# SSL settings
# SSL cert /usr/share/ssl/cert/vsftpd.pem
# Create: openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO

Okay... so we want users to be able to use SSL, but don't oblige them yet. When we try to connect using SSL (tested with several FTP clients such as FlashFXP, SmartFTP, ...) we always get the following:
Quote:
Resolving host name domain.be...
Connecting to (domain.be) -> IP: 193.190.x.x PORT: 21
Connected to (domain.be) -> Time = 20ms
Socket connected waiting for login sequence.
220 Welcome to our ftp server.
AUTH TLS
234 Proceed with negotiation.
Connected. Exchanging encryption keys...
Session Cipher: 168 bit 3DES
SSL encrypted session established.
PBSZ 0
200 PBSZ set to 0.
USER xxxxxxx
331 Please specify the password.
PASS (hidden)
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
211 End
PWD
257 "/"
TYPE A
200 Switching to ASCII mode.
PROT P
200 PROT now Private.
PASV
227 Entering Passive Mode (193,190,x,x,8,69)
LIST -aL
Opening data connection IP: 193,190,x,x,8,69 PORT: 2117.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Connection closed. Server timeout.
425 Failed to establish connection.
NOOP
200 NOOP ok.
As passive works perfectly without SSL, this could be an SSL related bug or does anyone have another solution?
 
Old 12-05-2004, 10:35 PM   #2
Adylas
LQ Newbie
 
Registered: Dec 2004
Posts: 6

Rep: Reputation: 0
Exactly same thing!

Hello,

I got exactly the same.

I'm running gentoo


pam-0.77-r1
vsftpd-2.0.1
openssl-0.9.7d-r1


Does someone have a clue?

Thanks !
 
Old 01-04-2005, 03:22 AM   #3
serzberg
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian & Suse
Posts: 1

Rep: Reputation: 0
PIX cannot inspect ftp traffic when SSL is used

FTP uses a control connection for the login process. The file listing or up-/download request is also sent on the control connection. However, for the actual data (listing or file) a new connection is opened (result of PASV in your log).

The PIX firewall does stateful inspection of ftp traffic, which means it understands the protocol on the control connection. When it sees the PORT directive (result of PASV) it knows that the client will try to open a new connection to the IP address and port specified and opens the "hole".

When you start using SSL the control connection is encrypted and the PIX (or any other firewall for that matter) cannot interpret the protocol. And therefore will not let the data connection thru.

This problem may exist either on your firewall or on the remote firewall if there's one in front of the FTP server as well.

I see you have
> pasv_min_port=2101
> pasv_max_port=2149
in your config file.

You could allow connections to these ports for your ftp server in your pix to make it work. But this means that you open a permanent "hole". This may or may not be a serious issue.
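
Added example, not part of any post in this thread: with the control channel encrypted the firewall cannot open the data port on demand, so the port announced in the 227 reply has to fall inside the statically forwarded range. This sh sketch decodes a 227 reply and compares it with pasv_min_port/pasv_max_port from a vsftpd.conf; the function names are made up for the example, and the private-address check reflects what pasv_address overrides.

```shell
#!/bin/sh
# Added example (not from the thread): decode a 227 reply and compare it
# with the passive settings in a vsftpd.conf. Function names are hypothetical.

# Print "ip port" for "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/^227 [^(]*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$tuple
EOF
    [ -n "$p2" ] || return 1
    # The data port is sent as two bytes: high byte first, then low byte.
    echo "$h1.$h2.$h3.$h4 $((p1 * 256 + p2))"
}

# Print the value of the last "key=value" line for key $2 in file $1.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_pasv CONF REPLY: would a static firewall rule for the configured
# range cover the data connection this reply announces?
check_pasv() {
    endpoint=$(pasv_endpoint "$2") || { echo "not a 227 reply"; return 2; }
    ip=${endpoint% *}
    port=${endpoint#* }
    min=$(conf_value "$1" pasv_min_port)
    max=$(conf_value "$1" pasv_max_port)
    case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "private address $ip advertised: set pasv_address"; return 1 ;;
    esac
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set"; return 1
    fi
    if [ "$port" -lt "$min" ] || [ "$port" -gt "$max" ]; then
        echo "port $port outside $min-$max"; return 1
    fi
    echo "ok: $ip port $port inside $min-$max"
}
```

Fed the reply from the log in post #1 (with the masked octets filled in), the bytes 8,69 decode to port 2117, which is inside the configured 2101-2149 range.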
 
Old 11-18-2005, 06:15 AM   #4
0001001
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
solution

Hi,

I've found a solution for this problem but, since I'm not very familiar with Linux, I need some help.

Here's how you get vsftpd + ssl + passive to work:

add the following line to your vsftpd.conf:
Code:
pasv_address=writedownyourstaticiphere
The main problem is that most of you don't have a static IP, but use a dyndns service such as dyndns.org.
The problem is, that you can't do this:
Code:
pasv_address=mike123.dyndns.org
because vsftpd cannot resolve the dns name to a real IP.

There are two solutions:
1. Somebody makes vsftpd work with dns names, so that vsftpd can resolve the address. I have no clue how to do this, but maybe there are some linux gurus or programmers out there to change the vsftpd sources. I hope so, cause most Windows FTP Servers can resolve dns names.

2. That's the solution I'm working on:
Automatically resolve the dyndns name let's say every 15 minutes and write it down to the vsftpd.conf.
Here's how it works:
- type nslookup mike123.dyndns.org
- filter the IP address and send the commandline output to vsftpd.conf

But I'm not very familiar with Linux yet, so I need someone to write a script that does this.

Hope someone can work it out!
 
Old 11-18-2005, 11:18 AM   #5
0001001
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
So people here's the solution:

1. go to /etc and create a file called getmyip.sh
and write the following code in getmyip.sh:
Code:
#!/bin/bash
sed -e '64,$D' /etc/vsftpd.conf > /etc/tempfile
mv /etc/tempfile /etc/vsftpd.conf
echo pasv_address=`dig youradress.dyndns.org | sed -n '/ANSWER SECTION/{n;p;}' | awk '{print $NF}'` >> /etc/vsftpd.conf
2. Open your /etc/vsftpd.conf . Now a very important thing: go to the last line of your vsftpd.conf and create a new last line called
Code:
pasv_address=
Remember the number of the last line, in my case the last line is 64.

3. Change the line number in your /etc/getmyip.sh. Just enter your last line number instead of mine (64).

4. Make a cronjob. Go to /etc and open your crontab.
create a new line with the following code:
Code:
*/15 * * * *   root /etc/getmyip.sh
that means the script will be executed every 15 minutes

Hope someone can use it!
 
Old 08-03-2006, 02:19 PM   #6
dwarfette
LQ Newbie
 
Registered: Aug 2006
Posts: 1

Rep: Reputation: 0
Well..

Even after adding pasv_address=xxx.xxx.xxx.xxx, I'm still having the same problem

Has anyone really got it working??

Thanx
 
Old 07-01-2007, 11:27 AM   #7
louisgag
LQ Newbie
 
Registered: Feb 2005
Posts: 16

Rep: Reputation: 2
For the dig command:

Code:
dig +short your_site.dyndns.org
or, more precisely:

Code:
echo pasv_address=`dig +short your_site.dyndns.org`>>/etc/tempfileftp

Last edited by louisgag; 07-01-2007 at 12:22 PM.
 
Old 05-16-2008, 08:02 PM   #8
Kobi007
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have my vsftpd server running with SSL behind a firewall with NAT and I can connect to it in passive mode.


Works fine.
 
Old 05-18-2008, 03:59 AM   #9
Kobi007
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0

Damn. It's not as easy as I thought. It seems that after a reconnect (which gives me a new IP address) of the router, vsftpd doesn't resolve the hostname anew.


Quote:
Originally Posted by Kobi007 View Post
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have my vsftpd server running with SSL behind a firewall with NAT and I can connect to it in passive mode.


Works fine.
 
Old 05-21-2009, 01:34 AM   #10
fishstick
LQ Newbie
 
Registered: Oct 2006
Location: Chicago, IL
Distribution: SUSE 10.1
Posts: 14

Rep: Reputation: 0
I had the same problem. Make sure to open the passive ports in the firewall. Once I did that it works fine.

Last edited by fishstick; 05-21-2009 at 01:36 AM.
 
Old 01-12-2010, 08:42 AM   #11
MarchHare22
LQ Newbie
 
Registered: Mar 2009
Location: Milwaukee, WI
Distribution: Slackware 13
Posts: 22

Rep: Reputation: 15
I am having this same problem. I have:

pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=41000
pasv_max_port=41020
pasv_address=$MYIP

I can get in behind the firewall fine. Once I hit the firewall it logs me in, connects, but does not return the file listing. It times out. I have forwarded ports 20+21 and the min-max range all to the ftp server. Why the heck is this not working?

It seems to me that vsftp is not using the min-max ports at all. Does anyone have any ideas?
 
Old 06-07-2010, 10:49 AM   #12
dashko
LQ Newbie
 
Registered: Jun 2010
Location: Slovakia, Bratislava
Distribution: Gentoo
Posts: 9

Rep: Reputation: 1
Worked for me

Hi there,

I had exactly the same problem. I just added these lines to vsftpd.conf:

pasv_addr_resolve=NO
pasv_address=YOUR.STATIC.IP.ADRESS

Replace YOUR.STATIC.IP.ADRESS with your static IP address.
 
Old 06-08-2010, 09:06 AM   #13
MarchHare22
LQ Newbie
 
Registered: Mar 2009
Location: Milwaukee, WI
Distribution: Slackware 13
Posts: 22

Rep: Reputation: 15
That worked! thanks dashko!
 
Old 07-08-2010, 08:03 PM   #14
sbrot
LQ Newbie
 
Registered: Jul 2010
Posts: 2

Rep: Reputation: 0

Quote:
Originally Posted by Kobi007 View Post
Damn. It's not as easy as I thought. It seems that after a reconnect (which gives me a new IP address) of the router, vsftpd doesn't resolve the hostname anew.
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's still there.. >_<

ps: hope my English is understandable.

pps: another quick and easily configurable ftp daemon? I hope I'm not gonna leave vsftpd, after getting so confident with its configuration

edit: I think I'll try to make a script which restarts the daemon ONLY if the IP address has changed. It might be the easiest way. What do you think about it?

<--->
Giacomo

Last edited by sbrot; 07-08-2010 at 08:19 PM. Reason: idea!
 
Old 07-09-2010, 04:25 AM   #15
Kobi007
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by sbrot View Post
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's still there.. >_<

ps: hope my English is understandable.

pps: another quick and easily configurable ftp daemon? I hope I'm not gonna leave vsftpd, after getting so confident with its configuration

edit: I think I'll try to make a script which restarts the daemon ONLY if the IP address has changed. It might be the easiest way. What do you think about it?

<--->
Giacomo
Hi Giacomo,

I also thought of such a script. I think it would be a good idea. I could run it as a cronjob every minute and check the IP address. If it has changed, it could restart the daemon. Obviously it has to store the current IP address in a file, so that it can compare it.

Greets

Kobi
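
Added example, not written by anyone in this thread: one way to build the script discussed in the last two posts. It stores the last resolved address, rewrites pasv_address only when the dynamic DNS name resolves to something new, and validates the lookup result before it touches the root-owned config. The state file path, the restart command and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. HOST, CONF, STATE and RESTART are
# assumed values; adjust them for your system.
HOST=${HOST:-mike123.dyndns.org}
CONF=${CONF:-/etc/vsftpd.conf}
STATE=${STATE:-/var/run/vsftpd-pasv.ip}
RESTART=${RESTART:-/etc/init.d/vsftpd restart}

# Resolve $1 to one IPv4 address (last line skips any CNAME dig prints first).
resolve_ip() {
    dig +short "$1" A | tail -n 1
}

# Accept only a dotted quad, so nothing else from DNS reaches the config file.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Returns 0 after a rewrite and restart, 1 if unchanged, 2 on a bad lookup.
update_pasv_address() {
    new=$(resolve_ip "$HOST")
    is_ipv4 "$new" || { echo "bad lookup result for $HOST" >&2; return 2; }
    old=$(cat "$STATE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    tmp=$(mktemp "$CONF.XXXXXX") || return 2
    # Drop every old pasv_address line by name instead of by line number.
    sed '/^pasv_address=/d' "$CONF" > "$tmp"
    echo "pasv_address=$new" >> "$tmp"
    mv "$tmp" "$CONF"            # rename in the same directory: atomic swap
    # Record the address only after the restart worked, so a failure retries.
    $RESTART && echo "$new" > "$STATE"
}

if [ "${1:-}" = "--run" ]; then
    update_pasv_address
fi
```

Called with `--run` from a cron entry like the one in post #5, it leaves the daemon alone on every run where the address has not changed.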
 
  

