Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
This is in my home RHEL v6.5 lab. I'm trying to set up a RHEL rpm local repo so that I can serve up RPMs via vsftp.
If I leave IPTables up and running on the server, I cannot reach the server. If I flush IPTables on the server, I can reach it no problem and log in as well and do what I need to do.
I had a problem like that. Is your ftp configured with TLS? In your place I would try to connect with iptables stopped. If it is the iptables issue, here is how I configured ftp and iptables.
Just for the record, this is VSFTP, not plain old FTP. I would think that there is a big difference in config files.
I don't recognize any of the settings that you have listed that are under /etc/vsftpd.
Have you loaded the conntrack ftp module in /etc/sysconfig/iptables-config?
IPTABLES_MODULES="ip_conntrack_ftp"
Normally, without this module, with stateful rules, iptables won't be able to switch the port accordingly from the data port to the command port (21 to 20). Now I'm guessing you already know this, but just making sure.
Yes sir, under /etc/sysconfig/iptables-config I've added the following to the end of the file:
Code:
IPTABLES_MODULES="ip_conntrack_ftp"
Now just to confirm, the config file under /etc/vsftpd/vsftpd.conf is setup with the following:
Code:
connect_from_port_20=YES
Now on IPTables, I have rules open for 20 and 21; however, netcat continues to fail for port 20, while it works for port 21. I don't understand it, especially if it is set in the config file. I've never worked with FTP before in a production environment. This is in a lab.
As you might be aware, ftp works in two modes, passive and active. I've read somewhere that passive mode occurs most frequently. And this is the case here. Passive mode means that, after the client makes a request to port 21, the server answers to the client's port, which is a random high port (this is obvious). But now, the client itself again initiates the data connection (the server is 'passive') to the port previously specified by the server, which is a port higher than 1023.
So in passive mode, the file transfer in ftp works between two high ports, and thus 20 is actually not used, and port 21 is only used temporarily to establish the parameters.
Now, in active mode, port 20 is indeed used, and after the client's initial request, the server switches to port 20 and initiates the data transfer.
To be honest, I still haven't understood fully why passive mode is more often used. The explanation seems to be the firewall itself, although in your case you're obviously allowing port 20. You might be able to force vsftpd to use active mode, but I am not sure there are any advantages to it. And another thing that I don't really get is why that exact range of ports (12000-13000) is allowed for the ftp connection. Might it be that the vsftpd server was clever enough to try various ports until it found a free port to listen on?
I'm really interested in the problem myself too.
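Added example, not from any post in this thread: a small POSIX shell script that ties together the two pieces of advice above (load the conntrack FTP helper, and understand which ports passive and active mode actually use). It reads the vsftpd.conf keys that decide the data-connection mode (pasv_enable, pasv_min_port, pasv_max_port and port_enable are real vsftpd options), checks /etc/sysconfig/iptables-config for the helper (ip_conntrack_ftp as used in this thread, nf_conntrack_ftp is the name on newer kernels), and prints the iptables rules the server needs. The function names and the sample config it falls back to are my own constructions; the file paths and the 12000-13000 range come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): derive the iptables rules an FTP server
# needs from its vsftpd.conf and check whether the conntrack FTP helper is
# configured.  Paths are the RHEL 6 ones named in the thread; the fallback
# config at the bottom is constructed for the demo.

# conf_value FILE KEY -> prints the value of KEY (last match wins), empty if unset.
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

# ftp_helper_configured FILE -> exit 0 if IPTABLES_MODULES lists the ftp helper.
ftp_helper_configured() {
    grep -E '^[[:space:]]*IPTABLES_MODULES=.*(ip|nf)_conntrack_ftp' "$1" >/dev/null 2>&1
}

# ftp_helper_loaded -> exit 0 if the helper module is loaded right now.
ftp_helper_loaded() {
    grep -E '^(ip|nf)_conntrack_ftp[[:space:]]' /proc/modules >/dev/null 2>&1
}

# gen_ftp_rules VSFTPD_CONF -> prints the INPUT/OUTPUT rules this server needs.
gen_ftp_rules() {
    cf="$1"
    pasv=$(conf_value "$cf" pasv_enable);   [ -n "$pasv" ]    || pasv=YES     # vsftpd default
    port_en=$(conf_value "$cf" port_enable); [ -n "$port_en" ] || port_en=YES  # vsftpd default
    pmin=$(conf_value "$cf" pasv_min_port)
    pmax=$(conf_value "$cf" pasv_max_port)

    # Control connection: clients always start on port 21.
    echo "-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    # With the ftp helper loaded, the data connection of either mode is
    # classified RELATED, so this pair of rules admits it.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    if [ "$pasv" = YES ]; then
        if [ -n "$pmin" ] && [ -n "$pmax" ]; then
            # Passive: the client connects to a high port the server announced.
            # Pinning the range lets you open it explicitly, helper or not.
            echo "-A INPUT -p tcp --dport $pmin:$pmax -m state --state NEW -j ACCEPT"
        else
            echo "# pasv_min_port/pasv_max_port unset: passive data ports are random high ports, so the ftp helper is required"
        fi
    fi
    if [ "$port_en" = YES ]; then
        # Active: the server dials OUT from source port 20 to the client.
        # Nothing listens on port 20 on the server.
        echo "-A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT"
    fi
}

# Stand-alone run: use the vsftpd.conf given as $1, else a constructed sample
# that mirrors the thread (passive range 12000-13000, active from port 20).
if [ -n "$1" ]; then
    conf="$1"
else
    conf=$(mktemp)
    printf '%s\n' 'listen=YES' 'pasv_enable=YES' 'pasv_min_port=12000' \
        'pasv_max_port=13000' 'connect_from_port_20=YES' > "$conf"
fi
echo "# rules derived from $conf"
gen_ftp_rules "$conf"
if ftp_helper_configured /etc/sysconfig/iptables-config; then
    echo "# ftp helper listed in iptables-config: yes"
else
    echo "# ftp helper listed in iptables-config: no (add IPTABLES_MODULES=\"ip_conntrack_ftp\")"
fi
if ftp_helper_loaded; then echo "# ftp helper module loaded: yes"; else echo "# ftp helper module loaded: no"; fi
```

Run it on the server as sh ftp_rules.sh /etc/vsftpd/vsftpd.conf and compare the output with iptables -L -n. Two things are worth noticing. With the helper loaded, the ESTABLISHED,RELATED rule alone admits the data connection in either mode, so the explicit passive-range rule is only a fallback for when the helper is missing. And in active mode port 20 is the source port of the server's outbound data connection; nothing listens on it, so a netcat from the client to port 20 being refused is the expected result and is not by itself a sign of a firewall problem.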
I'm currently at work, so when I get home I can check the config file and see how it is setup.
I also found a website where someone really detailed the inner workings of VSFTPD, and I'll check that webpage again. If I find something, I can repost it here.
If you connect with ftp (linux ftp client, I mean), one of the first messages you receive is the mode in which the ftp works. Usually you don't need to set the server in any particular way, it will do it automatically.
In my lab, I'm using the following client:
Code:
rpm -qa | grep ftp
ftp-0.17-52.el6.x86_64
When I log in via ftp to the VSFTPD server, I'm not seeing anything about active/passive.
Code:
ftp 192.168.122.254
Connected to 192.168.122.254 (192.168.122.254).
220-
220-"NOTICE TO USERS - use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220-
220-YOU HAVE BEEN WARNED."
220
NAME (192.168.122.154:JockVSJock): ftp_tester
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As far as active/passive connection, I've searched up and down in the config file under /etc/vsftpd/vsftpd.conf and I don't see any indication of this.