Old 05-16-2019, 07:04 AM   #1
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Rep: Reputation: Disabled
425 Failed to Establish Connection | vsftpd | AWS


Hello,
I'm trying to ftp from a Windows VM into a CentOS VM in AWS and am getting the error below. I can log in and can do 'pwd', but doing 'ls' and 'put' gives a problem.
+++++++++++++++
C:\ ftp Server IP
200 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User:*****
Password:*****
230 Login Successful
ftp>pwd
257 "/home/user/"
ftp>ls
200 Port Command Successful. Consider using PASV.
425 Failed to establish connection.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I have added ports 20 and 21 in iptables as well as in the inbound rules of the Linux VM's security groups, and I am still unable to ftp.
I have also tried disabling iptables and SELinux but still got the same error.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I have also tried using passive mode but still get the same error. I'm not sure and am totally stuck on where the problem is, as it doesn't look like it is in the firewall.

Can anyone please suggest any solution or direction.

Thanks
 
Old 05-16-2019, 07:40 AM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,963
Blog Entries: 3

Quote:
Originally Posted by gauravtewari88 View Post
Can anyone please suggest any solution or direction.
I would suggest abandoning attempts to get FTP working, uninstalling vsFTP posthaste, and using a different protocol.

For authenticated downloads: SFTP
For authenticated uploads: SFTP

For encrypted, anonymous uploads: HTTPS

For encrypted, anonymous downloads: HTTPS
For unencrypted, anonymous downloads: HTTP

If you are logging in via SSH then by default you also have SFTP already installed and available. Programs like FileZilla already support SFTP, you just have to select it.

HTTP / HTTPS is easy to add with Apache2 alone / Apache2 with Let's Encrypt.
 
2 members found this post helpful.
Old 05-16-2019, 07:51 AM   #3
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,719
Blog Entries: 15

You can also install WinSCP on Windows to do sftp to UNIX/Linux servers. WinSCP can also be used for ftp/ftps connections so might give you better output of why it is failing.
 
Old 05-16-2019, 10:53 AM   #4
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Original Poster
Rep: Reputation: Disabled
Thanks for your replies, but the requirement is to ftp from a Windows machine into CentOS using the ftp command.
Please suggest any ideas.
 
Old 05-16-2019, 11:48 AM   #5
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS 6-7; SuSE 8-12
Posts: 449

Rep: Reputation: 118Reputation: 118
Quote:
Originally Posted by gauravtewari88 View Post
Thanks for your replies, but the requirement is to ftp from a Windows machine into CentOS using the ftp command.
Please suggest any ideas.
Have you looked at the messages file on CentOS?
How exactly did you set up the FTP server?
Here is a good reference: https://www.unixmen.com/install-conf...rver-centos-7/
 
Old 05-16-2019, 11:57 AM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,719
Blog Entries: 15

Quote:
Originally Posted by gauravtewari88 View Post
the requirement is to ftp from a Windows machine into CentOS using the ftp command.
Requirement per who? You're an admin not a monkey. You should push back telling them that ftp is an insecure protocol and most people are abandoning it.

Here we forced the move from ftp to sftp years ago and were so successful that on the one Windows server they were still using inbound ftp on they installed Cygwin and sshd and converted inbound to it to use sftp using that sshd. They disabled ftp completely at that point.

Last edited by MensaWater; 05-16-2019 at 12:00 PM.
 
2 members found this post helpful.
Old 05-16-2019, 12:01 PM   #7
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,963
Blog Entries: 3

Quote:
Originally Posted by gauravtewari88 View Post
Please suggest any ideas.
Again, the ideas would be using SFTP or HTTPS.

I would need stronger evidence before accepting as accurate any assertion that an ancient (1970s), very insecure, and exceptionally difficult retro technology like FTP is required by anyone or anything in 2019. Can you please explain what the barrier is to using SFTP or HTTPS? The former is probably already installed and it only remains to start using it.
 
2 members found this post helpful.
Old 05-16-2019, 12:38 PM   #8
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,719
Blog Entries: 15

In case you need to convince management ftp is a bad idea a quick web search will explain it.

This article was written EIGHT years ago and explains it well.
 
Old 05-16-2019, 09:07 PM   #9
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by dc.901 View Post
Have you looked at the messages file on CentOS?
How exactly did you set up the FTP server?
Here is a good reference: https://www.unixmen.com/install-conf...rver-centos-7/

Yes, I have set it up in the same way.
I cannot see any error message in the audit logs.
 
Old 05-16-2019, 09:14 PM   #10
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater View Post
Requirement per who? You're an admin not a monkey. You should push back telling them that ftp is an insecure protocol and most people are abandoning it.

Here we forced the move from ftp to sftp years ago and were so successful that on the one Windows server they were still using inbound ftp on they installed Cygwin and sshd and converted inbound to it to use sftp using that sshd. They disabled ftp completely at that point.

It's due to a requirement of one of the projects, and they want to use it.

Let's say I want to use it. Do you think any OS hardening might be blocking it?
 
Old 05-16-2019, 09:57 PM   #11
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,069

OK. Given that you're required to use ftp (and I agree that's a bad idea) Do any other commands work?
I don't use vsFTPd -- perhaps there's a problem in its configuration?
What's in /var/log/messages?
Does it have its own logfile? What's in that?
 
Old 05-16-2019, 10:43 PM   #12
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey View Post
OK. Given that you're required to use ftp (and I agree that's a bad idea) Do any other commands work?
I don't use vsFTPd -- perhaps there's a problem in its configuration?
What's in /var/log/messages?
Does it have its own logfile? What's in that?
There is no error message inside /var/log/messages
 
Old 05-16-2019, 11:03 PM   #13
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by gauravtewari88 View Post
There is no error message inside /var/log/messages
I did the same deployment in Azure, and it was successful; I managed to FTP.

But there is a problem when I'm doing it in AWS: I have disabled all the firewalls in the Windows VM and the CentOS VM. I disabled iptables and SELinux and am still getting the connection not established error.

Is there any way I can see where the connection is dropping?
 
Old 05-16-2019, 11:07 PM   #14
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,963
Blog Entries: 3

Quote:
Originally Posted by gauravtewari88 View Post
It's due to a requirement of one of the projects, and they want to use it.
Then please seriously consider renegotiating that component. If you do not, then at least make very sure that you have in writing in the agreement that 1) you have documented it is their insistence on FTP, 2) it is clear in that FTP is over your objections, and 3) most importantly they absolve you of ANY and ALL security liabilities for the system involved.

Quote:
Originally Posted by gauravtewari88 View Post
Let's say I want to use it. Do you think any OS hardening might be blocking it?
It could be any number of things; it was designed in the 1970s. Among other shortcomings it does not fit with most modern networks and needs a direct connection from the outside on both the client and the server.

You'll need to make sure that logging is enabled for vsftpd itself in /etc/vsftpd/vsftpd.conf

As for the connection dropping, you can also turn on logging in iptables, but as you won't and can't know which ports are involved, you'll have to log a lot of ports and try extra to not get ports known not to be involved.

Don't forget to get those first three points above in writing.

Last edited by Turbocapitalist; 05-16-2019 at 11:08 PM.
 
1 members found this post helpful.
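Added example (not part of the thread and not any poster's code): the data-channel endpoint that each 'ls' or 'put' depends on is announced on the control connection, in the PORT command for active mode or in the 227 reply for passive mode. This Python script decodes those endpoints from protocol log lines, assuming vsftpd's log_ftp_protocol option is enabled; the sample lines, addresses, ports and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of control-channel lines, in the style vsftpd writes when
# log_ftp_protocol=YES is set (addresses and ports are made up for illustration).
SAMPLE_LOG = '''\
[pid 2101] [user] FTP command: Client "203.0.113.7", "PORT 10,0,0,5,195,80"
[pid 2101] [user] FTP response: Client "203.0.113.7", "200 PORT command successful. Consider using PASV."
[pid 2101] [user] FTP response: Client "203.0.113.7", "425 Failed to establish connection."
[pid 2101] [user] FTP command: Client "203.0.113.7", "PASV"
[pid 2101] [user] FTP response: Client "203.0.113.7", "227 Entering Passive Mode (172,31,5,9,117,48)."
'''

# Both PORT (client -> server) and the 227 reply (server -> client) carry
# h1,h2,h3,h4,p1,p2 as defined in RFC 959; the TCP port is p1*256 + p2.
ENDPOINT = re.compile(r'(PORT\s+|227 [^(]*\()(\d{1,3}(?:,\d{1,3}){5})')


def decode(six):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    nums = [int(n) for n in six.split(',')]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError('bad endpoint: ' + six)
    return '.'.join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoints(log_text):
    """Yield one dict per PORT/227 line: who must accept the data connection."""
    for line in log_text.splitlines():
        m = ENDPOINT.search(line)
        if not m:
            continue
        ip, port = decode(m.group(2))
        active = m.group(1).startswith('PORT')
        yield {
            'mode': 'active' if active else 'passive',
            # In active mode the server dials the client; in passive mode
            # the client dials the server, so that side needs an inbound rule.
            'listener': 'client' if active else 'server',
            'ip': ip,
            'port': port,
            # A private address advertised across NAT is unreachable from outside.
            'private': ipaddress.ip_address(ip).is_private,
        }


if __name__ == '__main__':
    for ep in data_endpoints(SAMPLE_LOG):
        print(ep)
```

The 'listener' side is where an inbound firewall or security-group rule for the decoded port has to exist, and a 'private' address in the output means the peer was told to connect to an address it cannot reach across NAT.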
Old 05-17-2019, 01:07 AM   #15
gauravtewari88
LQ Newbie
 
Registered: May 2019
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Then please seriously consider renegotiating that component. If you do not, then at least make very sure that you have in writing in the agreement that 1) you have documented it is their insistence on FTP, 2) it is clear in that FTP is over your objections, and 3) most importantly they absolve you of ANY and ALL security liabilities for the system involved.



It could be any number of things; it was designed in the 1970s. Among other shortcomings it does not fit with most modern networks and needs a direct connection from the outside on both the client and the server.

You'll need to make sure that logging is enabled for vsftpd itself in /etc/vsftpd/vsftpd.conf

As for the connection dropping, you can also turn on logging in iptables, but as you won't and can't know which ports are involved, you'll have to log a lot of ports and try extra to not get ports known not to be involved.

Don't forget to get those first three points above in writing.

Thanks for your reply. I have disabled iptables and also SELinux.
I have put logging in vsftpd as well, but I still don't see any trace of an error.

Even Windows Firewall is disabled, and it is still not working. I have checked the AWS rules as well, and ports 20 and 21 are open in the inbound rules.
Yes, I will get it in writing that the project wants to use FTP and that the security risk is owned by them.

Is there anything else I can do to debug this problem?
 
  

