LinuxQuestions.org


mikeruss 09-24-2007 02:43 PM

openssh - VSFTPD - cert failure
 
Hi all I hope you can help... The story so far.

I set up an SSL/VSFTPD/ Authenticated via PAM and MySQL and all was well when I set up on the internal LAN.

I changed the server's IP ready to go in the DMZ segment and changed its host name. Racked her up and now the cert exchange does not work with Filezilla. I have disabled SSH support in the vsftpd.conf and all works (showing in my mind anyway that it's openssh). Re-enabled and I get no cert via Filezilla and the secure log shows no activity. The only thing that does show is when I restart openssh I get. FYI: Putty, winscp all work OK

error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

So I thought I'll set a fixed IP which removes the error but I still get no cert via filezilla or any indication communication is going on in the secure log.

I have also created new certs thinking the change in IP/host may have caused an issue. I have even uninstalled openssh* and reinstalled.

I am going nuts! Because I have spent a while getting it all working and I was in the middle of a geek high only to get shot down;-(

I could not see anything here

lsof -p `ps -ef | grep [/]sshd | awk '{print $2}'`

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2011 root cwd DIR 253,0 4096 2 /
sshd 2011 root rtd DIR 253,0 4096 2 /
sshd 2011 root txt REG 253,0 383180 5714554 /usr/sbin/sshd
sshd 2011 root mem REG 253,0 125728 6389833 /lib/ld-2.5.so
sshd 2011 root mem REG 253,0 31376 5708821 /usr/lib/libwrap.so.0.7.6
sshd 2011 root mem REG 253,0 43592 6392655 /lib/libpam.so.0.81.5
sshd 2011 root mem REG 253,0 16428 6392238 /lib/libdl-2.5.so
sshd 2011 root mem REG 253,0 93512 6392653 /lib/libselinux.so.1
sshd 2011 root mem REG 253,0 76772 6389850 /lib/libaudit.so.0.0.0
sshd 2011 root mem REG 253,0 76400 6389969 /lib/libresolv-2.5.so
sshd 2011 root mem REG 253,0 1242256 6392242 /lib/libcrypto.so.0.9.8b
sshd 2011 root mem REG 253,0 15164 6392656 /lib/libutil-2.5.so
sshd 2011 root mem REG 253,0 75284 5703051 /usr/lib/libz.so.1.2.3
sshd 2011 root mem REG 253,0 101404 6389925 /lib/libnsl-2.5.so
sshd 2011 root mem REG 253,0 27736 6389921 /lib/libcrypt-2.5.so
sshd 2011 root mem REG 253,0 174540 5703015 /usr/lib/libgssapi_krb5.so.2.2
sshd 2011 root mem REG 253,0 559532 5702994 /usr/lib/libkrb5.so.3.2
sshd 2011 root mem REG 253,0 157196 5702992 /usr/lib/libk5crypto.so.3.0
sshd 2011 root mem REG 253,0 7944 6392241 /lib/libcom_err.so.2.1
sshd 2011 root mem REG 253,0 1589908 6389873 /lib/libc-2.5.so
sshd 2011 root mem REG 253,0 245376 6392652 /lib/libsepol.so.1
sshd 2011 root mem REG 253,0 30596 5702980 /usr/lib/libkrb5support.so.0.1
sshd 2011 root mem REG 253,0 46680 6389800 /lib/libnss_files-2.5.so
sshd 2011 root 0u CHR 1,3 1441 /dev/null
sshd 2011 root 1u CHR 1,3 1441 /dev/null
sshd 2011 root 2u CHR 1,3 1441 /dev/null
sshd 2011 root 3u IPv6 6662 TCP *:ssh (LISTEN)


or here

netstat -an

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:735 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::ffff:192.168.1.110:22 ::ffff:172.16.132.47:4199 ESTABLISHED
tcp 0 1056 ::ffff:192.168.1.110:22 ::ffff:172.16.132.47:4196 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 192.168.1.110:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.110:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 0.0.0.0:10000 0.0.0.0:*
udp 0 0 0.0.0.0:729 0.0.0.0:*
udp 0 0 0.0.0.0:732 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 :::32769 :::*
udp 0 0 :::5353 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6942 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 7370 @/var/run/hald/dbus-KadEusEuoD
unix 2 [ ACC ] STREAM LISTENING 6843 /var/lib/mysql/mysql.sock
unix 2 [ ] DGRAM 1457 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 7379 @/org/freedesktop/hal/udev_event
unix 15 [ ] DGRAM 6039 /dev/log
unix 2 [ ACC ] STREAM LISTENING 6420 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 6540 /var/run/pcscd.comm
unix 2 [ ACC ] STREAM LISTENING 6619 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7371 @/var/run/hald/dbus-1laUZdyRRH
unix 2 [ ACC ] STREAM LISTENING 7166 /var/run/avahi-daemon/socket
unix 2 [ ] DGRAM 8569
unix 2 [ ] DGRAM 8531
unix 2 [ ] DGRAM 8304
unix 3 [ ] STREAM CONNECTED 8211 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 8210
unix 3 [ ] STREAM CONNECTED 8217 @/var/run/hald/dbus-KadEusEuoD
unix 3 [ ] STREAM CONNECTED 8208
unix 3 [ ] STREAM CONNECTED 8089 @/var/run/hald/dbus-KadEusEuoD
unix 3 [ ] STREAM CONNECTED 8084
unix 3 [ ] STREAM CONNECTED 8042 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 8041
unix 3 [ ] STREAM CONNECTED 8036 @/var/run/hald/dbus-KadEusEuoD
unix 3 [ ] STREAM CONNECTED 8033
unix 3 [ ] STREAM CONNECTED 7374 @/var/run/hald/dbus-1laUZdyRRH
unix 3 [ ] STREAM CONNECTED 7373
unix 3 [ ] STREAM CONNECTED 7169 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7168
unix 3 [ ] STREAM CONNECTED 7162 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7161
unix 3 [ ] STREAM CONNECTED 7160
unix 3 [ ] STREAM CONNECTED 7159
unix 2 [ ] DGRAM 7157
unix 2 [ ] DGRAM 7119
unix 2 [ ] DGRAM 7084
unix 2 [ ] DGRAM 6946
unix 2 [ ] DGRAM 6912
unix 2 [ ] DGRAM 6879
unix 2 [ ] DGRAM 6572
unix 2 [ ] DGRAM 6513
unix 3 [ ] STREAM CONNECTED 6423
unix 3 [ ] STREAM CONNECTED 6422
unix 3 [ ] STREAM CONNECTED 6359
unix 3 [ ] STREAM CONNECTED 6358
unix 2 [ ] DGRAM 6196
unix 2 [ ] DGRAM 6047

Just in case here is the vsftpd conf

xferlog_file=/var/log/xferlog
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=vsftpd
chroot_local_user=YES
secure_chroot_dir=/home/vsftpd
pam_service_name=vsftpd
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=NO
user_config_dir=/etc/vsftpd_user_conf
ftpd_banner=ALL ACTIVITY IS LOGGED!

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

ilikejam 09-24-2007 04:00 PM

Hi.

I'm not an expert with SSL/SSH/vsftpd, but if you change the IP/hostname of the box, you'll have to regenerate the SSL certificates.

Dave

mikeruss 09-25-2007 03:01 AM

Quote:

Originally Posted by ilikejam (Post 2902438)
Hi.

I'm not an expert with SSL/SSH/vsftpd, but if you change the IP/hostname of the box, you'll have to regenerate the SSL certificates.

Dave

I created a new cert... ;-(

mikeruss 09-25-2007 03:01 AM

Found the problem - it was the checkpoint FW!!

Symptoms: FTP is dropped on rule 0 AND SmartView Tracker displays the error: "port command ended without a new line". Cause: By default, the FTP service protocol type drops packets that are not terminated with a newline character.

For more information on the internal functions of the FTP service, refer to the RFCs about FTP:

RFC 959 - File Transfer Protocol (FTP)
RFC 2228 - FTP Security Extensions
Solution: In the FTP service object > Advanced Properties, change the FTP service protocol type to ftp_basic, and install the Security Policy. The ftp_basic option does not enforce newline-character checking.

Using ftp_basic eliminates known connectivity problems with FTP implementations that are not fully RFC compliant. This protocol type enforces a reduced set of FTP security checks, as opposed to those done by the regular FTP protocol type.

The ftp_basic type does not perform the following checks, which are implemented in the standard FTP service object:

Every packet is terminated with a newline character, so the PORT command is not split across packets. This protects against the FTP Bounce attack.
Data connections to or from well-known ports are not allowed, to prevent the FTP data connection from being used to access some other service.
Bidirectional traffic on the data connection is not allowed, as it can be used improperly.
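The three checks listed above, modelled in Python as an added example (this is not Check Point's code and not from the thread): a control-channel segment is dropped if it does not end in a newline, if a PORT command points the data connection anywhere but the client, or if it targets a well-known port. The client address is an assumed parameter; the sample segments are constructed, and the TLS-record sample shows why an encrypted FTPS control channel never passes the newline check.

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" terminated by CRLF (RFC 959 syntax).
PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n",
    re.IGNORECASE,
)

def inspect_control_segment(segment: bytes, client_ip: str):
    """Model of the strict FTP inspection quoted in the thread.

    Returns (verdict, reason) with verdict "accept" or "drop".
    client_ip is the source of the control connection (assumed parameter).
    """
    # Check 1: every control packet must end with a newline, so a PORT
    # command cannot be split across packets. Encrypted (FTPS) control
    # traffic never satisfies this, which matches the ssl_enable=YES failure.
    if not segment.endswith(b"\n"):
        return "drop", "port command ended without a new line"
    # Commands other than PORT pass this model unchanged.
    if not segment.upper().startswith(b"PORT "):
        return "accept", "not a PORT command"
    m = PORT_RE.fullmatch(segment)
    if m is None:
        return "drop", "malformed PORT argument"
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return "drop", "PORT octet out of range"
    target_ip = f"{h1}.{h2}.{h3}.{h4}"
    target_port = p1 * 256 + p2
    # Check 2: the data connection must go back to the client itself,
    # otherwise the server could be used as a relay (FTP bounce).
    if target_ip != client_ip:
        return "drop", f"PORT target {target_ip} is not the client (FTP bounce)"
    # Check 3: data connections to well-known ports are refused, so the
    # data channel cannot be pointed at some other service.
    if target_port < 1024:
        return "drop", f"PORT targets well-known port {target_port}"
    return "accept", f"data connection to {target_ip}:{target_port}"

def demo():
    """Constructed control-channel segments from a client at 172.16.132.47."""
    client = "172.16.132.47"
    samples = [
        b"PORT 172,16,132,47,16,103\r\n",     # clean: 16*256+103 = port 4199
        b"PORT 172,16,132,",                  # PORT split across packets
        b"PORT 10,0,0,5,16,103\r\n",          # data channel aimed elsewhere
        b"PORT 172,16,132,47,0,25\r\n",       # data channel aimed at SMTP
        b"\x16\x03\x01\x00\x5c\x01\x00\x00",  # start of a TLS record (FTPS)
    ]
    return [inspect_control_segment(s, client)[0] for s in samples]

if __name__ == "__main__":
    print(demo())
```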

