openssh - VSFTPD - cert failure
Hi all, I hope you can help... The story so far.
I set up an SSL/VSFTPD server, authenticated via PAM and MySQL, and all was well when I set it up on the internal LAN. I changed the server's IP ready to go in the DMZ segment and changed its host name. Racked her up and now the cert exchange does not work with FileZilla. I have disabled SSH support in the vsftpd.conf and all works (showing, in my mind anyway, that it's openssh). Re-enabled and I get no cert via FileZilla and the secure log shows no activity. The only thing that does show is when I restart openssh I get:
error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
(FYI: PuTTY, WinSCP all work OK.)
So I thought I'll set a fixed IP, which removes the error, but I still get no cert via FileZilla or any indication communication is going on in the secure log. I have also created new certs thinking the change in IP/host may have caused an issue. I have even uninstalled openssh* and reinstalled. I am going nuts! Because I have spent a while getting it all working and I was in the middle of a geek high only to get shot down ;-(
I could not see anything here:
lsof -p `ps -ef | grep [/]sshd | awk '{print $2}'`
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2011 root cwd DIR 253,0 4096 2 /
sshd 2011 root rtd DIR 253,0 4096 2 /
sshd 2011 root txt REG 253,0 383180 5714554 /usr/sbin/sshd
sshd 2011 root mem REG 253,0 125728 6389833 /lib/ld-2.5.so
sshd 2011 root mem REG 253,0 31376 5708821 /usr/lib/libwrap.so.0.7.6
sshd 2011 root mem REG 253,0 43592 6392655 /lib/libpam.so.0.81.5
sshd 2011 root mem REG 253,0 16428 6392238 /lib/libdl-2.5.so
sshd 2011 root mem REG 253,0 93512 6392653 /lib/libselinux.so.1
sshd 2011 root mem REG 253,0 76772 6389850 /lib/libaudit.so.0.0.0
sshd 2011 root mem REG 253,0 76400 6389969 /lib/libresolv-2.5.so
sshd 2011 root mem REG 253,0 1242256 6392242 /lib/libcrypto.so.0.9.8b
sshd 2011 root mem REG 253,0 15164 6392656 /lib/libutil-2.5.so
sshd 2011 root mem REG 253,0 75284 5703051 /usr/lib/libz.so.1.2.3
sshd 2011 root mem REG 253,0 101404 6389925 /lib/libnsl-2.5.so
sshd 2011 root mem REG 253,0 27736 6389921 /lib/libcrypt-2.5.so
sshd 2011 root mem REG 253,0 174540 5703015 /usr/lib/libgssapi_krb5.so.2.2
sshd 2011 root mem REG 253,0 559532 5702994 /usr/lib/libkrb5.so.3.2
sshd 2011 root mem REG 253,0 157196 5702992 /usr/lib/libk5crypto.so.3.0
sshd 2011 root mem REG 253,0 7944 6392241 /lib/libcom_err.so.2.1
sshd 2011 root mem REG 253,0 1589908 6389873 /lib/libc-2.5.so
sshd 2011 root mem REG 253,0 245376 6392652 /lib/libsepol.so.1
sshd 2011 root mem REG 253,0 30596 5702980 /usr/lib/libkrb5support.so.0.1
sshd 2011 root mem REG 253,0 46680 6389800 /lib/libnss_files-2.5.so
sshd 2011 root 0u CHR 1,3 1441 /dev/null
sshd 2011 root 1u CHR 1,3 1441 /dev/null
sshd 2011 root 2u CHR 1,3 1441 /dev/null
sshd 2011 root 3u IPv6 6662 TCP *:ssh (LISTEN)
or here:
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:735 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::ffff:192.168.1.110:22 ::ffff:172.16.132.47:4199 ESTABLISHED
tcp 0 1056 ::ffff:192.168.1.110:22 ::ffff:172.16.132.47:4196 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 192.168.1.110:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.110:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 0.0.0.0:10000 0.0.0.0:*
udp 0 0 0.0.0.0:729 0.0.0.0:*
udp 0 0 0.0.0.0:732 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 :::32769 :::*
udp 0 0 :::5353 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6942 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 7370 @/var/run/hald/dbus-KadEusEuoD
unix 2 [ ACC ] STREAM LISTENING 6843 /var/lib/mysql/mysql.sock
unix 2 [ ] DGRAM 1457 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 7379 @/org/freedesktop/hal/udev_event
unix 15 [ ] DGRAM 6039 /dev/log
unix 2 [ ACC ] STREAM LISTENING 6420 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 6540 /var/run/pcscd.comm
unix 2 [ ACC ] STREAM LISTENING 6619 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7371 @/var/run/hald/dbus-1laUZdyRRH
unix 2 [ ACC ] STREAM LISTENING 7166 /var/run/avahi-daemon/socket
unix 2 [ ] DGRAM 8569
unix 2 [ ] DGRAM 8531
unix 2 [ ] DGRAM 8304
unix 3 [ ] STREAM CONNECTED 8211 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 8210
unix 3 [ ] STREAM CONNECTED 8217 @/var/run/hald/dbus-KadEusEuoD
unix 3 [ ] STREAM CONNECTED 8208
unix 3 [ ] STREAM CONNECTED 8089 @/var/run/hald/dbus-KadEusEuoD
unix 3 [ ] STREAM CONNECTED 8084
unix 3 [ ] STREAM CONNECTED 8042 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 8041
unix 3 [ ] STREAM CONNECTED 8036 @/var/run/hald/dbus-KadEusEuoD
unix 3 [ ] STREAM CONNECTED 8033
unix 3 [ ] STREAM CONNECTED 7374 @/var/run/hald/dbus-1laUZdyRRH
unix 3 [ ] STREAM CONNECTED 7373
unix 3 [ ] STREAM CONNECTED 7169 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7168
unix 3 [ ] STREAM CONNECTED 7162 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7161
unix 3 [ ] STREAM CONNECTED 7160
unix 3 [ ] STREAM CONNECTED 7159
unix 2 [ ] DGRAM 7157
unix 2 [ ] DGRAM 7119
unix 2 [ ] DGRAM 7084
unix 2 [ ] DGRAM 6946
unix 2 [ ] DGRAM 6912
unix 2 [ ] DGRAM 6879
unix 2 [ ] DGRAM 6572
unix 2 [ ] DGRAM 6513
unix 3 [ ] STREAM CONNECTED 6423
unix 3 [ ] STREAM CONNECTED 6422
unix 3 [ ] STREAM CONNECTED 6359
unix 3 [ ] STREAM CONNECTED 6358
unix 2 [ ] DGRAM 6196
unix 2 [ ] DGRAM 6047
Just in case, here is the vsftpd conf:
xferlog_file=/var/log/xferlog
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=vsftpd
chroot_local_user=YES
secure_chroot_dir=/home/vsftpd
pam_service_name=vsftpd
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=NO
user_config_dir=/etc/vsftpd_user_conf
ftpd_banner=ALL ACTIVITY IS LOGGED!
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem |
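The "Bind to port 22 on 0.0.0.0 failed: Address already in use" message sits next to a netstat listing that shows sshd listening only on the IPv6 wildcard (:::22) while serving IPv4 clients through it (the ::ffff:192.168.1.110:22 rows). On Linux with the default net.ipv6.bindv6only=0 an IPv6 wildcard socket already owns the IPv4 side of that port, so a second bind to 0.0.0.0:22 is refused. The script below is an added example, not code from the thread: it parses the classic netstat -an layout shown in the post (a constructed sample trimmed from that output) and answers, for a given port, which wildcard families hold it, how many IPv4 peers arrive via the IPv6 socket, and whether a further wildcard bind would collide. The dual-stack model is a simplification that covers wildcard-versus-wildcard only.

```python
"""Classify how a TCP port is bound from `netstat -an` output.

Added example, not from the thread.  It assumes the classic Linux
`netstat -an` layout shown in the post; the sample below is constructed
from the post's own output.
"""

# Constructed sample, trimmed from the post's `netstat -an` listing.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::ffff:192.168.1.110:22 ::ffff:172.16.132.47:4199 ESTABLISHED
tcp 0 1056 ::ffff:192.168.1.110:22 ::ffff:172.16.132.47:4196 ESTABLISHED
udp 0 0 0.0.0.0:5353 0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0": "ipv4", "::": "ipv6"}


def split_addr(addr):
    """Split 'host:port'; the host part may itself contain colons (IPv6)."""
    host, _, port = addr.rpartition(":")
    return host, port


def tcp_sockets(text):
    """Yield (local_host, local_port, foreign, state) for each TCP line."""
    for line in text.splitlines():
        fields = line.split()
        # tcp lines: proto recv-q send-q local foreign [state]
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6"):
            continue
        host, port = split_addr(fields[3])
        state = fields[5] if len(fields) > 5 else ""
        yield host, port, fields[4], state


def wildcard_listeners(text, port):
    """Address families whose wildcard address is LISTENing on `port`."""
    families = set()
    for host, p, _, state in tcp_sockets(text):
        if p == str(port) and state == "LISTEN" and host in WILDCARDS:
            families.add(WILDCARDS[host])
    return families


def mapped_ipv4_connections(text, port):
    """Count IPv4 peers served through the IPv6 socket (::ffff: mapped)."""
    return sum(
        1 for host, p, foreign, state in tcp_sockets(text)
        if p == str(port) and state == "ESTABLISHED"
        and host.startswith("::ffff:") and foreign.startswith("::ffff:")
    )


def wildcard_bind_conflicts(text, port, family, v6only=False):
    """Would a new wildcard bind of `family` on `port` get EADDRINUSE?

    Models the Linux default (net.ipv6.bindv6only=0): an IPv6 wildcard
    socket also claims the IPv4 side of the port, so either family's
    wildcard blocks the other.  With v6only=True only the same family
    conflicts.  Only wildcard-vs-wildcard is modelled here.
    """
    held = wildcard_listeners(text, port)
    if v6only:
        return family in held
    return bool(held)


if __name__ == "__main__":
    print("port 22 wildcard listeners:", wildcard_listeners(SAMPLE_NETSTAT, 22))
    print("IPv4 peers via ::ffff on 22:", mapped_ipv4_connections(SAMPLE_NETSTAT, 22))
    print("bind 0.0.0.0:22 conflicts:", wildcard_bind_conflicts(SAMPLE_NETSTAT, 22, "ipv4"))
```

Run it against a live `netstat -an` capture (`netstat -an > out.txt`, then pass the file contents) to see whether a daemon's second ListenAddress is colliding with its own IPv6 wildcard rather than with a foreign process; when both families hold the port, the offending listener is simply the one that bound first.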
Hi.
I'm not an expert with SSL/SSH/vsftpd, but if you change the IP/hostname of the box, you'll have to regenerate the SSL certificates. Dave |
Found the problem - it was the checkpoint FW!!
Symptoms
FTP is dropped on rule 0 AND SmartView Tracker displays error: "port command ended without a new line"

Cause
By default, FTP service protocol type drops packets that are not terminated with a newline character. For more information on the internal functions of the FTP service, refer to the RFCs about FTP:
RFC 959 - File Transfer Protocol (FTP)
RFC 2228 - FTP Security Extensions

Solution
In the FTP service object > Advanced Properties, change FTP service protocol type to ftp_basic, and install the Security Policy.

The ftp_basic option does not enforce newline-character checking. Using ftp_basic eliminates known connectivity problems with FTP implementations that are not fully RFC compliant. This protocol type enforces a reduced set of FTP security checks, as opposed to those done by the regular FTP protocol type. ftp_basic does not perform the following checks implemented in the standard FTP service object:
- Every packet is terminated with a newline character, so the PORT command is not split across packets. This protects against the FTP Bounce attack.
- Data connections to or from well-known ports are not allowed, to prevent the FTP data connection from being used to access some other service.
- Bidirectional traffic on the data connection is not allowed, as it can be used improperly. |
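The two control-channel checks the standard FTP service object enforces (newline-terminated packets so PORT cannot be split, and no data connections to well-known ports) are simple enough to reproduce, which makes it clear what is given up by switching to ftp_basic. The code below is an added example, not Check Point's or vsftpd's code: it walks a constructed list of TCP segment payloads from an FTP control channel and reports segments lacking a trailing newline, PORT commands that straddle segments, PORT targets on ports below 1024, and PORT addresses that differ from the client (the bounce pattern). Bear in mind that with force_local_logins_ssl=YES the control channel is TLS-encrypted after AUTH TLS, so a firewall doing these checks sees only ciphertext; whatever inspection you need then has to happen on the server itself (vsftpd's own port_enable/pasv settings) rather than in the path.

```python
"""Replay the FTP control-channel checks described for the standard
FTP service object.  Added example, not from the thread; the segment
list is constructed and the finding codes are this example's own."""


def parse_port_arg(arg):
    """Decode RFC 959 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port)."""
    nums = [int(x) for x in arg.strip().split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_line(line, idx, client_ip, split):
    """Findings for one complete control line; idx is the segment it began in."""
    out = []
    verb, _, rest = line.partition(b" ")
    if verb.upper() != b"PORT":
        return out
    if split:
        out.append((idx, "PORT_SPLIT"))          # straddled a segment boundary
    try:
        ip, port = parse_port_arg(rest.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        out.append((idx, "PORT_MALFORMED"))
        return out
    if ip != client_ip:
        out.append((idx, "PORT_FOREIGN_ADDR"))   # data connection to a third host
    if port < 1024:
        out.append((idx, "PORT_WELL_KNOWN"))     # data connection to another service
    return out


def inspect_control_segments(segments, client_ip):
    """Return [(segment_index, code), ...] for a sequence of TCP payloads."""
    findings = []
    pending = b""            # unfinished line carried over from earlier segments
    pending_start = None     # segment index where that unfinished line began
    for idx, seg in enumerate(segments):
        if not seg.endswith(b"\n"):
            findings.append((idx, "NO_NEWLINE"))
        lines = (pending + seg).split(b"\n")
        tail = lines.pop()   # b"" when the segment ended on a newline
        for raw in lines:
            started = pending_start if pending_start is not None else idx
            pending_start = None
            findings.extend(check_line(raw.rstrip(b"\r"), started, client_ip,
                                       split=(started != idx)))
        pending = tail
        if tail and pending_start is None:
            pending_start = idx
    return findings


# Constructed control-channel payloads from a client at 172.16.132.47.
SEGMENTS = [
    b"USER alice\r\n",                   # 0: ordinary command
    b"PORT 172,16,132,47,16,103\r\n",    # 1: own address, port 4199: fine
    b"PORT 172,16,132",                  # 2: no newline, PORT cut mid-argument
    b",47,0,25\r\n",                     # 3: completes it, targets port 25
    b"PORT 10,0,0,5,4,1\r\n",            # 4: third-party address (bounce shape)
]

if __name__ == "__main__":
    for idx, code in inspect_control_segments(SEGMENTS, "172.16.132.47"):
        print("segment %d: %s" % (idx, code))
```

Each finding is attributed to the segment in which the offending line began, which is where a packet-based filter would have to act; the final segment in the sample shows why the address comparison matters even when the port is unprivileged.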