LinuxQuestions.org
Old 03-17-2008, 12:01 PM   #31
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16

Okay we are getting there...

Does the vsftpd user have the correct Grants in mysql?

Are there any errors in mysql logs?

Also make sure there is a local user created to test with, make sure this account is in ftp group.


Add this line to config so we get more info in vsftpd logs:
Quote:
log_ftp_protocol=YES


Also comment out:
Quote:
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
Let's try to keep it simple for right now. Once we get connections working then we can work more with using virtual users and more advanced chroot settings.

Report Back on status.

Thanks,
weisso
 
Old 03-17-2008, 12:47 PM   #32
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Result after setting log_ftp_protocol=YES in vsftpd.conf file.

Code:
Mon Mar 17 13:31:08 2008 [pid 31824] CONNECT: Client "10.4.10.21"
Mon Mar 17 13:31:08 2008 [pid 31824] FTP response: Client "10.4.10.21", "220-Test Banner"
Mon Mar 17 13:31:08 2008 [pid 31824] FTP response: Client "10.4.10.21", "220 "
Mon Mar 17 13:31:08 2008 [pid 31824] FTP command: Client "10.4.10.21", "AUTH TLS"
Mon Mar 17 13:31:08 2008 [pid 31824] FTP response: Client "10.4.10.21", "234 Proceed with negotiation."
Mon Mar 17 13:31:08 2008 [pid 31824] FTP command: Client "10.4.10.21", "USER testuser"
Mon Mar 17 13:31:08 2008 [pid 31824] [testuser] FTP response: Client "10.4.10.21", "331 Please specify the password."
Mon Mar 17 13:31:08 2008 [pid 31824] [testuser] FTP command: Client "10.4.10.21", "PASS <password>"
Mon Mar 17 13:31:08 2008 [pid 31823] [testuser] OK LOGIN: Client "10.4.10.21"

After disabling the following:

Code:
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES

This is the result of the ftp log:

Code:
Mon Mar 17 13:34:17 2008 [pid 31835] CONNECT: Client "10.4.10.21"
Mon Mar 17 13:34:17 2008 [pid 31835] FTP response: Client "10.4.10.21", "220-Test Banner"
Mon Mar 17 13:34:17 2008 [pid 31835] FTP response: Client "10.4.10.21", "220 "
Mon Mar 17 13:34:17 2008 [pid 31835] FTP command: Client "10.4.10.21", "AUTH TLS"
Mon Mar 17 13:34:17 2008 [pid 31835] FTP response: Client "10.4.10.21", "234 Proceed with negotiation."
Mon Mar 17 13:34:17 2008 [pid 31835] FTP command: Client "10.4.10.21", "USER richinsc"
Mon Mar 17 13:34:17 2008 [pid 31835] [richinsc] FTP response: Client "10.4.10.21", "331 Please specify the password."
Mon Mar 17 13:34:17 2008 [pid 31835] [richinsc] FTP command: Client "10.4.10.21", "PASS <password>"
Mon Mar 17 13:34:17 2008 [pid 31834] [richinsc] FAIL LOGIN: Client "10.4.10.21"
Mon Mar 17 13:34:18 2008 [pid 31835] [richinsc] FTP response: Client "10.4.10.21", "530 Login incorrect."

I did notice however that after doing this, in my /var/log/auth.log I had a message that said
Code:
vsftpd: pam_mysql - SELECT returned no result

Of course this is because I am still telling it to read from mysql database via /etc/pam.d/vsftpd

There is nothing in mysql logs. Logs are blank as if no activity has occurred. To give you an idea how I started this, I followed directions from http://www.howtoforge.com/vsftpd_mysql_debian_etch.

Apparently many people have followed this and gotten it to work but without encryption. So this is the setup I have followed. I might have to set up yet another test system and try walking through setup again and see if I can get it to work. It worked after following steps but broke after I went to put SSL over it.

Code:
SHOW GRANTS for 'vsftpd'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON 'vsftpd'.* TO 'vsftpd'@'localhost'

Last edited by richinsc; 03-17-2008 at 12:54 PM. Reason: mysql Grants
 
Old 03-17-2008, 01:34 PM   #33
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Did you make the changes stated at the end of the document?

Quote:
CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE (
`username`
)
) ENGINE = MYISAM ;

To:

CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) BINARY NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE (
`username`
)
) ENGINE = MYISAM ;

To prevent this:

Connected to localhost (127.0.0.1).
220 (vsFTPd 2.0.5)
Name (localhost:nunya): testuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Connected to localhost (127.0.0.1).
220 (vsFTPd 2.0.5)
Name (localhost:bizniss): Testuser
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/virtual/Testuser
Login failed.
ftp>
 
Old 03-17-2008, 01:40 PM   #34
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Yes I did make those changes at the end. I am currently in process of setting up a second box that I can do a complete install from scratch. Any suggestions?

Last edited by richinsc; 03-17-2008 at 01:42 PM.
 
Old 03-17-2008, 01:51 PM   #35
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
How many users are going to be accessing this server?
 
Old 03-17-2008, 02:04 PM   #36
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Currently only 46 but in the future it is unknown. I have been using sftp via ssh but this is getting cumbersome and requires me to have local accounts on the system which I do not want.
 
Old 03-17-2008, 02:19 PM   #37
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
I would say follow the guide again...But don't add SSL till you can confirm that it works. Once you have it working without SSL, then we can work on incorporating SSL.


-weisso
 
Old 03-17-2008, 03:22 PM   #38
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
I figured out the problem. I can't believe it was something this simple. In the config file I had the following commented out.

Code:
guest_enable=YES
guest_username=vsftpd

This basically meant that no connections could be accepted because it has to establish the connection as guest first and then verify the user before allowing the user in. So without first allowing a guest connection I could not connect... AAAARRRRGGG.. It was something so simple....
 
Old 03-17-2008, 04:38 PM   #39
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Now any suggestions on how to prevent attacks and password guesses... Currently I have ssh protected via DenyHosts. If a user name and password is typed more than 5 times the IP is blocked.
 
Old 03-18-2008, 11:38 AM   #40
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
That sounds great to me!

Good luck!

-weisso
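
A sketch of the DenyHosts-style check asked about in post #39, applied to the vsftpd login lines logged in post #32. This is an added example, not code from any poster; the 10-minute window, the name `find_offenders` and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login result lines as logged in post #32, e.g.
# Mon Mar 17 13:34:17 2008 [pid 31834] [richinsc] FAIL LOGIN: Client "10.4.10.21"
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)
MAX_FAILURES = 5                # "more than 5 times", the figure from post #39
WINDOW = timedelta(minutes=10)  # assumption: the thread names no time window


def find_offenders(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Map each client IP with more than max_failures failed logins inside
    `window` to the sorted list of usernames it tried (log must be in order)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> every username seen failing
    offenders = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m["result"] == "OK":
            # Protocol chatter is skipped. A successful login deliberately does
            # not reset the count, so one valid account cannot mask guessing.
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        q = recent[m["ip"]]
        q.append(ts)
        tried[m["ip"]].add(m["user"])
        while ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) > max_failures:
            offenders[m["ip"]] = sorted(tried[m["ip"]])
    return offenders


# Constructed sample in the thread's log format; addresses and names are made up.
SAMPLE_LOG = [
    f'Mon Mar 17 13:40:{s:02d} 2008 [pid 400{s}] [{u}] FAIL LOGIN: Client "203.0.113.7"'
    for s, u in enumerate(["admin", "root", "test", "admin", "ftp", "root"])
] + [
    'Mon Mar 17 13:41:00 2008 [pid 31835] [richinsc] FTP command: Client "10.4.10.21", "PASS <password>"',
    'Mon Mar 17 13:41:00 2008 [pid 31834] [richinsc] FAIL LOGIN: Client "10.4.10.21"',
    'Mon Mar 17 13:41:30 2008 [pid 31823] [testuser] OK LOGIN: Client "10.4.10.21"',
]

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: failed logins for {', '.join(users)}")
```

A single mistyped password, like the one from 10.4.10.21 in the sample, stays below the threshold and is not reported.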
 
  

