LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices



Reply
 
Search this Thread
Old 12-03-2004, 05:16 AM   #1
subspawn
LQ Newbie
 
Registered: Dec 2004
Location: Belgium, Antwerp
Distribution: Slackware, Debian
Posts: 5

Rep: Reputation: 0
Vsftpd + SSL + Passive = Listing problem


Hi,

We've got some kind of a rare problem I haven't seen on any other forums or maillinglists.

We've set up vsftpd on our new debian server, which resides behind a PIX firewall (we may not access the pix itself, only the server), so for transfers internally and externally to go perfectly we requested forwarding of some 50 data lines and port 21 and set those ports up passively:
# Passive + Port cmd's (allow FXP)
connect_from_port_20=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=2101
pasv_max_port=2149

This config works perfectly for everybody (anonymous & users) with listing, sending and receiving using our passive ports. Next thing we tried to enable SSL on vsftpd (we've got the latest ssl enabled build). Created a vsftpd.pem file, and started it up with following settings:
# SSL instellingen
# SSL cert /usr/share/ssl/cert/vsftpd.pem
# Create: openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO

Oke... so we want users to be able to use SSL, but don't oblige them yet. When we try to connect using SSL (tested with several FTP clients such as FlashFXP, SmartFTP, ...) we always get the following:
Quote:
Resolving host name domain.be...
Connecting to (domain.be) -> IP: 193.190.x.x PORT: 21
Connected to (domain.be) -> Time = 20ms
Socket connected waiting for login sequence.
220 Welcome to our ftp server.
AUTH TLS
234 Proceed with negotiation.
Connected. Exchanging encryption keys...
Session Cipher: 168 bit 3DES
SSL encrypted session established.
PBSZ 0
200 PBSZ set to 0.
USER xxxxxxx
331 Please specify the password.
PASS (hidden)
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
211 End
PWD
257 "/"
TYPE A
200 Switching to ASCII mode.
PROT P
200 PROT now Private.
PASV
227 Entering Passive Mode (193,190,x,x,8,69)
LIST -aL
Opening data connection IP: 193,190,x,x,8,69 PORT: 2117.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Connection closed. Server timeout.
425 Failed to establish connection.
NOOP
200 NOOP ok.
As passive works perfectly without SSL, this could be an SSL related bug or does anyone have another solution ?
 
Old 12-05-2004, 11:35 PM   #2
Adylas
LQ Newbie
 
Registered: Dec 2004
Posts: 6

Rep: Reputation: 0
Talking Exactly same thing !

Hello,

I got exactly the same.

I'm running gentoo


pam-0.77-r1
vsftpd-2.0.1
openssl-0.9.7d-r1


Someone have a clue ?

Thanks !
 
Old 01-04-2005, 04:22 AM   #3
serzberg
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian & Suse
Posts: 1

Rep: Reputation: 0
Lightbulb PIX cannot inspect ftp traffic when SSL is used

FTP uses a control connection for the login process. The file listing or up-/download request is also sent on the control connection. However, the for the actual data (listing or file) a new connection is opened (result of PASV in your log).

The PIX firewall does stateful inspection of ftp traffic, which means it understands the protocol on the control connection. When it sees the PORT directive (result of PASV) it knows that the client will try to open a new connection to the IP address and port specified and opens the "hole".

When you start using SSL the control connection is encrypted and the PIX (or any other firewall for that matter) cannot interpret the protocol. And therefore will not let the data connection thru.

This problem may exist either on your firewall or on the remote firewall if there's one infront of the FTP server as well.

I see you have
> pasv_min_port=2101
> pasv_max_port=2149
in your config file.

You could allow connections to these ports for your ftp server in your pix to make it work. But this means that you open a permanent "hole". This may or may not be a serious issue.
 
Old 11-18-2005, 07:15 AM   #4
0001001
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
solution

Hi,

I've found a solution for this problem but, since I'm not very familiar with Linux, I need some help.

Here's how you get vsftpd + ssl + passive to work:

add the following line to your vsftpd.conf:
Code:
pasv_address=writedownyourstaticiphere
The main problem is that most of you don't have a static IP, but use a dyndns service such as dyndns.org.
The problem is, that you can't do this:
Code:
pasv_address=mike123.dyndns.org
because vsftpd cannot resolve the dns name to an real IP.

There are two solutions:
1. Somebody makes vsftpd work with dns names, so that vsftpd can resolve the address. I have no clue how to do this, but maybe there are some linux gurus or programmers out there to change the vsftpd sources. I hope so, cause most Windows FTP Servers can resolve dns names.

2. That's the solution I'm working on:
Automatically resolve the dyndns name let's say every 15 minutes and write it down to the vsftpd.conf.
Here's how it works:
- type nslookup mike123.dyndns.org
- filter the IP address and send the commandline output to vsftpd.conf

But I'm not very familiar with Linux yet, so I need someone to write a script that does this.

Hope someone can work it out!
 
Old 11-18-2005, 12:18 PM   #5
0001001
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
So people here's the solution:

1. go to /etc and create a file called getmyip.sh
and write the following code in getmyip.sh:
Code:
#!/bin/bash
sed -e '64,$D' /etc/vsftpd.conf > /etc/tempfile
mv /etc/tempfile /etc/vsftpd.conf
echo pasv_address=`dig youradress.dyndns.org | sed -n '/ANSWER SECTION/{n;p;}' | awk '{print $NF}'` >> /etc/vsftpd.conf
2. Open your /etc/vsftpd.conf . Now a very important thing: go to the last line of your vsftpd.conf and create a new last line called
Code:
pasv_address=
Remember the number of the last line, in my case the last line is 64.

3. Change the line number in your /etc/getmyip.sh. Just enter your last line number instead of mine (64).

4. Make a cronjob. Go to /etc and open your crontab.
create a new line with the following code:
Code:
*/15 * * * *   root /etc/getmyip.sh
that means the script will be executed every 15 minutes

Hope someone can use it!
 
Old 08-03-2006, 03:19 PM   #6
dwarfette
LQ Newbie
 
Registered: Aug 2006
Posts: 1

Rep: Reputation: 0
Well..

Even after adding pasv_address=xxx.xxx.xxx.xxx, I'm still having the same problem

Has anyone really got it working??

Thanx
 
Old 07-01-2007, 12:27 PM   #7
louisgag
LQ Newbie
 
Registered: Feb 2005
Posts: 15

Rep: Reputation: 2
For the dig command:

Code:
dig +short your_site.dyndns.org
or, more precisely:

Code:
echo pasv_address=`dig +short your_site.dyndns.org`>>/etc/tempfileftp

Last edited by louisgag; 07-01-2007 at 01:22 PM.
 
Old 05-16-2008, 09:02 PM   #8
Kobi007
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have running my vsftpd-Server with SSL behind a Firewall with NAT and I can connect in passiv mode to it.


Works fine.
 
Old 05-18-2008, 04:59 AM   #9
Kobi007
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0
Angry

Damn. It's not so easy as I thought. It seems, that after a reconnect (which gives me a new IP-Address) of the router, vsftpd doesn't resolve the hostname new.


Quote:
Originally Posted by Kobi007 View Post
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have running my vsftpd-Server with SSL behind a Firewall with NAT and I can connect in passiv mode to it.


Works fine.
 
Old 05-21-2009, 02:34 AM   #10
fishstick
LQ Newbie
 
Registered: Oct 2006
Location: Chicago, IL
Distribution: SUSE 10.1
Posts: 14

Rep: Reputation: 0
I had the same problem. make sure to open the passive ports in the firewall . once i did that it works fine.

Last edited by fishstick; 05-21-2009 at 02:36 AM.
 
Old 01-12-2010, 09:42 AM   #11
MarchHare22
LQ Newbie
 
Registered: Mar 2009
Location: Milwaukee, WI
Distribution: Slackware 13
Posts: 22

Rep: Reputation: 15
I am having this same problem. I have:

pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=41000
pasv_max_port=41020
pasv_address=$MYIP

I can get in behind the firewall find. Once I hit the firewall it logs me in connects but does not return the file listing. It times out. I have forwarded ports 20+21 and the min-max range all to the ftp server. Why the heck is this not working?

It seems to me that vsftp is not using the min-max ports at all. Does anyone have any ideas?
 
Old 06-07-2010, 11:49 AM   #12
dashko
LQ Newbie
 
Registered: Jun 2010
Location: Slovakia, Bratislava
Distribution: Gentoo
Posts: 9

Rep: Reputation: 1
Worked for me

Hi there,

i had exactly same problem. I just added this lines to vsftpd.conf

pasv_addr_resolve=NO
pasv_address=YOUR.STATIC.IP.ADRESS

replace YOUR.STATIC.IP.ADRESS with your static ip adress
 
Old 06-08-2010, 10:06 AM   #13
MarchHare22
LQ Newbie
 
Registered: Mar 2009
Location: Milwaukee, WI
Distribution: Slackware 13
Posts: 22

Rep: Reputation: 15
That worked! thanks dashko!
 
0 members found this post helpful.
Old 07-08-2010, 09:03 PM   #14
sbrot
LQ Newbie
 
Registered: Jul 2010
Posts: 2

Rep: Reputation: 0
Angry

Quote:
Originally Posted by Kobi007 View Post
Damn. It's not so easy as I thought. It seems, that after a reconnect (which gives me a new IP-Address) of the router, vsftpd doesn't resolve the hostname new.
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's 'till there.. >_<

ps: hope my english is understandable.

pps: another quickly and easly configurable ftp daemon? I hope I'm not gonna leave vsftpd, after getting so confident with its configuration

edit: i think i'll try to make a script which restarts the daemon ONLY if the ip address is changed. It might be the easiest way. What do you think about it?

<--->
Giacomo

Last edited by sbrot; 07-08-2010 at 09:19 PM. Reason: idea!
 
Old 07-09-2010, 05:25 AM   #15
Kobi007
LQ Newbie
 
Registered: May 2008
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by sbrot View Post
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's 'till there.. >_<

ps: hope my english is understandable.

pps: another quickly and easly configurable ftp daemon? I hope I'm not gonna leave vsftpd, after getting so confident with its configuration

edit: i think i'll try to make a script which restarts the daemon ONLY if the ip address is changed. It might be the easiest way. What do you think about it?

<--->
Giacomo
Hi Giacomo,

I also thought of such a script. I think it would be a good idea. I could run as cronjob every minute and check the ipadress. If it has changed, it could restart the daemon. Obviously it has to store the current IP-address in a file, so that it can compare it.

Greets

Kobi
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
vsFTPd - SSL connection and dynamic SSL ports toxoplasme Linux - Server 11 08-22-2008 11:50 PM
problem building vsFTPD withh ssl support manuelle_slow Linux - Software 0 09-12-2005 10:14 AM
Problem: VSFTPD using SSL through firewall dancinfrandsen Linux - Software 0 03-30-2005 04:01 PM
SuSE vsftpd ssl problem phesse Linux - Software 0 03-09-2005 09:27 AM
vsftpd + passive ports range connexion problem ashokleyland Linux - Networking 1 01-03-2005 01:57 PM


All times are GMT -5. The time now is 03:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration