LinuxQuestions.org

gauravtewari88 05-16-2019 07:04 AM

425 Failed to Establish Connection | vsftpd | AWS
 
Hello,
I'm trying to ftp from a Windows VM into a CentOS VM in AWS and getting the error below. I can log in and can do 'pwd', but doing 'ls' and 'put' is giving a problem.
+++++++++++++++
C:\ ftp Server IP
200 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User:*****
Password:*****
230 Login Successful
ftp>pwd
257 "/home/user/"
ftp>ls
200 Port Command Successful. Consider using PASV.
425 Failed to establish connection.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I have added ports 20,21 in iptables as well as in the inbound rules in the security groups of the Linux VM and am still unable to ftp.
I have also tried disabling iptables and SELinux but still got the same error.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I have also tried using the passive mode but still get the same error. I'm not sure and totally stuck on where the problem is, as it doesn't look like it is in the firewall.

Can anyone please suggest any solution or direction.

Thanks

Turbocapitalist 05-16-2019 07:40 AM

Quote:

Originally Posted by gauravtewari88 (Post 5995626)
Can anyone please suggest any solution or direction.

I would suggest abandoning attempts to get FTP working, uninstall vsFTP post haste, and use a different protocol.

For authenticated downloads: SFTP
For authenticated uploads: SFTP

For encrypted, anonymous uploads: HTTPS

For encrypted, anonymous downloads: HTTPS
For unencrypted, anonymous downloads: HTTP

If you are logging in via SSH then by default you also have SFTP already installed and available. Programs like FileZilla already support SFTP, you just have to select it.

HTTP / HTTPS is easy to add with Apache2 alone / Apache2 with Let's Encrypt.

MensaWater 05-16-2019 07:51 AM

You can also install WinSCP on Windows to do sftp to UNIX/Linux servers. WinSCP can also be used for ftp/ftps connections so might give you better output of why it is failing.

gauravtewari88 05-16-2019 10:53 AM

Thanks for your replies but the requirement is to ftp from windows machine into CentOS using ftp command.
Please suggest if any ideas

dc.901 05-16-2019 11:48 AM

Quote:

Originally Posted by gauravtewari88 (Post 5995696)
Thanks for your replies but the requirement is to ftp from windows machine into CentOS using ftp command.
Please suggest if any ideas

Have you looked at the messages file on CentOS?
How exactly did you setup the FTP server?
Here is good reference: https://www.unixmen.com/install-conf...rver-centos-7/

MensaWater 05-16-2019 11:57 AM

Quote:

Originally Posted by gauravtewari88 (Post 5995696)
the requirement is to ftp from windows machine into CentOS using ftp command.

Requirement per who? You're an admin not a monkey. You should push back telling them that ftp is an insecure protocol and most people are abandoning it.

Here we forced the move from ftp to sftp years ago and were so successful that on the one Windows server they were still using inbound ftp on they installed Cygwin and sshd and converted inbound to it to use sftp using that sshd. They disabled ftp completely at that point.

Turbocapitalist 05-16-2019 12:01 PM

Quote:

Originally Posted by gauravtewari88 (Post 5995696)
Please suggest if any ideas

Again, the ideas would be using SFTP or HTTPS.

I would need stronger evidence before accepting any assertion as accurate that an ancient (1970s), very insecure, and exceptionally difficult retro technology like FTP is required by anyone or anything in 2019. Can you please explain what is the barrier to using SFTP or HTTPS? The former is probably already installed and it only remains to start using it.

MensaWater 05-16-2019 12:38 PM

In case you need to convince management ftp is a bad idea a quick web search will explain it.

This article was written EIGHT years ago and explains it well.

gauravtewari88 05-16-2019 09:07 PM

Quote:

Originally Posted by dc.901 (Post 5995719)
Have you looked at the messages file on CentOS?
How exactly did you setup the FTP server?
Here is good reference: https://www.unixmen.com/install-conf...rver-centos-7/


Yes, I have set it up in the same way.
I cannot see any error message in the audit logs.

gauravtewari88 05-16-2019 09:14 PM

Quote:

Originally Posted by MensaWater (Post 5995725)
Requirement per who? You're an admin not a monkey. You should push back telling them that ftp is an insecure protocol and most people are abandoning it.

Here we forced the move from ftp to sftp years ago and were so successful that on the one Windows server they were still using inbound ftp on they installed Cygwin and sshd and converted inbound to it to use sftp using that sshd. They disabled ftp completely at that point.


It's due to a requirement of one of the projects and they want to use it.

Let's say I want to use it. Do you think any OS hardening might be blocking it?

scasey 05-16-2019 09:57 PM

OK. Given that you're required to use ftp (and I agree that's a bad idea) Do any other commands work?
I don't use vsFTPd -- perhaps there's a problem in its configuration?
What's in /var/log/messages?
Does it have its own logfile? What's in that?

gauravtewari88 05-16-2019 10:43 PM

Quote:

Originally Posted by scasey (Post 5995929)
OK. Given that you're required to use ftp (and I agree that's a bad idea) Do any other commands work?
I don't use vsFTPd -- perhaps there's a problem in its configuration?
What's in /var/log/messages?
Does it have its own logfile? What's in that?

There is no error message inside /var/log/messages

gauravtewari88 05-16-2019 11:03 PM

Quote:

Originally Posted by gauravtewari88 (Post 5995941)
There is no error message inside /var/log/messages

I did the same deployment in Azure and it was successful and I managed to FTP.

But there is a problem when I'm doing it in AWS. I have disabled all the firewalls in the Windows VM and the CentOS VM. I disabled iptables and SELinux and am still getting the connection not established error.

Is there any way I can see where the connection is dropping?

Turbocapitalist 05-16-2019 11:07 PM

Quote:

Originally Posted by gauravtewari88 (Post 5995919)
It's due to a requirement of one of the projects and they want to use it.

Then please seriously consider renegotiating that component. If you do not, then at least make very sure that you have in writing in the agreement that 1) you have documented it is their insistence on FTP, 2) it is clear in that FTP is over your objections, and 3) most importantly they absolve you of ANY and ALL security liabilities for the system involved.

Quote:

Originally Posted by gauravtewari88 (Post 5995919)
Let's say I want to use it. Do you think any OS hardening might be blocking it?

It could be any number of things, it is designed from the 1970s. Among other shortcomings it does not fit with most modern networks and needs a direct connection from the outside on both the client and the server.

You'll need to make sure that logging is enabled for vsftpd itself in /etc/vsftpd/vsftpd.conf.

As for the connection dropping, you can also turn on logging in iptables, but as you won't and can't know which ports are involved, you'll have to log a lot of ports and try extra to not get ports known not to be involved.

Don't forget to get those first three points above in writing.

gauravtewari88 05-17-2019 01:07 AM

Quote:

Originally Posted by Turbocapitalist (Post 5995949)
Then please seriously consider renegotiating that component. If you do not, then at least make very sure that you have in writing in the agreement that 1) you have documented it is their insistence on FTP, 2) it is clear in that FTP is over your objections, and 3) most importantly they absolve you of ANY and ALL security liabilities for the system involved.



It could be any number of things, it is designed from the 1970s. Among other shortcomings it does not fit with most modern networks and needs a direct connection from the outside on both the client and the server.

You'll need to make sure that logging is enabled for vsftpd itself in /etc/vsftpd/vsftpd.conf.

As for the connection dropping, you can also turn on logging in iptables, but as you won't and can't know which ports are involved, you'll have to log a lot of ports and try extra to not get ports known not to be involved.

Don't forget to get those first three points above in writing.


Thanks for your reply. I have disabled iptables and also SELinux.
I have put logging in vsftpd as well, but still I don't see any trace of an error.

Even Windows Firewall is disabled and still it is not working. I have checked the AWS rules as well and ports 20,21 are open in the inbound rules.
Yes, I will take it in writing that the project wants to use FTP and that the security risk is owned by them.

Do you have any other stuff i can do to debug this problem?
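
Added example, not written by any poster in this thread: in FTP the address and port of the data connection are sent on the control channel, in the client's PORT command (active mode) or the server's 227 reply (passive mode), as defined in RFC 959. The sketch below decodes that endpoint and compares it with the address the control connection really uses and with the inbound ports that were opened (20 and 21 in this thread). The function names, sample lines and all IP addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port: h1,h2,h3,h4,p1,p2 as decimal bytes (PORT argument and 227 reply).
HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"    # server opens the data connection to the client
    elif text.startswith("227"):
        mode = "passive"   # client opens the data connection to the server
    else:
        return None
    match = HOSTPORT.search(text)
    if match is None:
        return None
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return mode, ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check(line, control_peer, inbound_ports=(20, 21)):
    """List reasons the advertised data endpoint may be unreachable.
    control_peer: address the control connection really uses (client as seen
    by the server for PORT, server as dialled by the client for 227)."""
    endpoint = data_endpoint(line)
    if endpoint is None:
        return []
    mode, ip, port = endpoint
    findings = []
    if ip != control_peer:
        findings.append("advertised address differs from control-connection peer")
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        findings.append("advertised address is RFC 1918 private")
    if mode == "passive" and port not in inbound_ports:
        findings.append("passive port %d not in allowed inbound ports" % port)
    return findings

# Constructed control-channel lines; all addresses are made up for illustration.
for sample, peer in [("PORT 10,0,1,25,195,80", "203.0.113.7"),
                     ("227 Entering Passive Mode (172,31,5,10,117,48).", "198.51.100.20")]:
    print(sample, "->", data_endpoint(sample), check(sample, peer))
```

Lines of this form can be taken from a client's debug output or a server-side protocol log of the control connection on port 21.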


All times are GMT -5.