Linux - Server (LinuxQuestions.org forum for discussion of Linux software used in a server context)
12-09-2010, 03:36 PM, #1
Member (Registered: Sep 2010, Posts: 38)
Problems with vsftpd, SSL and FileZilla
Hi there...
Sorry for a long post....
I've set up an FTP-server running vsftpd on CentOS 5.5 and I want to use FileZilla to connect to it. Everything went just fine without SSL. But when I implemented SSL it stopped working properly. However, the login works and I get the cert. It just won't list...
Computer IP: 192.168.0.100
Server IP: 192.168.0.200
Now I can only connect from outside my router using Active Mode (even though I want to use Passive).
This is what I get when connecting with different methods:
- When I try to connect from my LAN (connecting to the server's private address) with Active mode:
Code:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PORT 192,168,0,100,197,77
Svar: 200 PORT command successful. Consider using PASV.
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs (means Time limit exceeded)
Fel: Misslyckades med att hämta kataloglistning (means directory listing failed)
- When I try to connect from my LAN (connecting to the server's private address) with Passive mode:
Code:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,XXX,XXX,197,75)
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs
Fel: Misslyckades med att hämta kataloglistning
- When I try to connect from the outside (connecting to my domain name) with Active mode (WORKS):
Code:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PORT 194,47,XXX,XXX,198,218
Svar: 200 PORT command successful. Consider using PASV.
Kommando: LIST
Svar: 150 Here comes the directory listing.
Svar: 226 Directory send OK.
Status: Kataloglistningen lyckades (means directory listing succeeded)
- When I try to connect from the outside (connecting to my domain name) with Passive mode:
Code:
Kommando: PBSZ 0
Svar: 200 PBSZ set to 0.
Kommando: PROT P
Svar: 200 PROT now Private.
Status: Ansluten
Status: Hämtar kataloglistning...
Kommando: PWD
Svar: 257 "/"
Kommando: TYPE I
Svar: 200 Switching to Binary mode.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,XXX,XXX,197,74)
Kommando: LIST
Fel: Tidsgränsen för anslutningen överstegs
Fel: Misslyckades med att hämta kataloglistning
My vsftpd.conf:
Code:
log_ftp_protocol=YES
chroot_local_user=YES
banner_file=/etc/vsftpd/issue
max_clients=10
passwd_chroot_enable=YES
local_root=/home/vsftpd/
secure_chroot_dir=/home/vsftpd/
pasv_enable=YES
pasv_address=85.226.XXX.XXX
pasv_min_port=50505
pasv_max_port=50510
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order
# to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
My /etc/sysconfig/iptables-config:
Code:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
My /etc/sysconfig/iptables:
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50505 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50506 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50507 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50508 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50509 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50510 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40 -j ACCEPT
# -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
My router's port forwarding: http://data.fuskbugg.se/dipdip/ports.PNG
(at "Rorschach FTP2" I've also tried 192.168.0.200)
Anyone got a clue what's wrong?
I have a friend running the same thing and his works. The only thing different between him and me is basically the router.
12-11-2010, 09:44 PM, #2
Moderator unSpawn (Registered: May 2001, Posts: 29,415)
Active FTP uses two TCP ports: 20 (data) and 21 (control). Your firewall rule set only shows port 21?
12-12-2010, 05:41 AM, #3
Member, Original Poster (Registered: Sep 2010, Posts: 38)
Quote:
Originally Posted by unSpawn
Active FTP uses two TCP ports: 20 (data) and 21 (control). Your firewall rule set only shows port 21?
yeah.... The thing is that it worked without SSL with only 21.
I followed a guide then.
I added a rule for 20 now but there was no difference.
12-12-2010, 07:11 AM, #4
Moderator unSpawn (Registered: May 2001, Posts: 29,415)
In addition FTPS needs port TCP/990 (or that's what 'getent services ftps' says)?
[EDIT]
(Not that that'll likely be all. My 'lftp' doesn't understand ftps:// and 'filezilla' seems unable to negotiate TLS:
Code:
FTP response: Client "1.2.3.4", "220 (vsFTPd 2.0.5)"
FTP command: Client "1.2.3.4", "????X???Y??Z???????X?Y???Z??????X??YZX?Y???Z?X?Y?Z?????X?Y?Z?????X?Y?Z?X???"
FTP response: Client "1.2.3.4", "530 Please login with USER and PASS."
but 'nc' can at least connect to port TCP/990 and display a pre-auth banner to show it works in theory ;-p)
[/EDIT]
Last edited by unSpawn; 12-12-2010 at 07:16 AM.
Reason: //More *is* more. Well, maybe not in this case...
12-13-2010, 12:36 PM, #5
Member, Original Poster (Registered: Sep 2010, Posts: 38)
I tried opening 990 too but there was no difference.
Here are my iptables now:
Code:
[root@Rorschach ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50506
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50507
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50508
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50509
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:50510
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
The thing is that I use FTPES, which seems to connect on port 21.... not FTPS, which connects on 990.
12-14-2010, 10:00 AM, #6
Moderator unSpawn (Registered: May 2001, Posts: 29,415)
OK. Let's head back to "start". I'd suggest you
- use an FTP client I know will work with FTP, FTPS and FTPES but more importantly can display useful debug information: 'lftp'. How you run it in debug mode is explained in a recent thread about FTP debugging here: http://www.linuxquestions.org/questi...-hangs-847009/,
- make Vsftpd log verbosely by adding these lines to your vsftpd.conf before restarting it:
Code:
syslog_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
pasv_min_port=1025
pasv_max_port=65535
- add "-j LOG" rules to your firewall rule set to see what traffic hits what port and from where (your rules are unenforceable anyway since your INPUT chain has a policy of ACCEPT anyway), log "--state RELATED", log "--state NEW" to TCP/21 and TCP/20 and log "-m multiport --dports 1025:65535" (note these only get used when the client requests PASV mode, else any other ephemeral port is game), and finally
- loosen up the port restrictions in your server 'sysctl -w "net.ipv4.ip_local_port_range=1025 65535"' and replace 50505-50510 in the router with 20,21,1025-65535 (you added 20,21 to 192.168.0.200's UDP section) for the duration of the test.
Now if you 'tail -f /var/log/xferlog /var/log/vsftpd.log /var/log/secure /var/log/messages' in one window (use 'screen'?) and run 'lftp -d -p 21 -u username [LAN|WAN]hostname' in another you should get a better view of what's happening wrt FTP behaviour.
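An added diagnostic, not from this thread, vsftpd or FileZilla: it reads the kind of FileZilla log shown in post #1 together with the pasv settings and iptables rules, and lists the reasons the passive LIST can time out (advertised port not opened, conntrack helper blind once the control channel is under TLS, LAN client sent to the public pasv_address). The sample log and rules are constructed and 85.226.1.2 is a placeholder; the hairpin-NAT check goes beyond what the thread states.

```python
import re

# Constructed sample modelled on the thread: a FileZilla log excerpt (Swedish UI strings
# kept as printed) and an iptables-save fragment; 85.226.1.2 is a placeholder pasv_address.
FILEZILLA_LOG = """\
Kommando: PROT P
Svar: 200 PROT now Private.
Kommando: PASV
Svar: 227 Entering Passive Mode (85,226,1,2,197,75)
Fel: Tidsgränsen för anslutningen överstegs
"""
IPTABLES_RULES = """\
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50505 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(log):
    """(ip, port) from the last '227 Entering Passive Mode' reply, or None."""
    hits = PASV_RE.findall(log)
    if not hits:
        return None
    *octets, p1, p2 = hits[-1]
    return ".".join(octets), int(p1) * 256 + int(p2)   # port = p1*256 + p2

def accepted_new_ports(rules):
    """TCP dports explicitly ACCEPTed for NEW connections in an iptables dump."""
    return {int(m.group(1)) for line in rules.splitlines()
            if "-j ACCEPT" in line and "--state NEW" in line
            for m in [re.search(r"--dport (\d+)", line)] if m}

def check_pasv(log, rules, pasv_address, pasv_range, client_on_lan):
    """List reasons the PASV data connection seen in `log` can time out."""
    pasv = parse_pasv(log)
    if pasv is None:
        return ["no 227 reply in log"]
    ip, port = pasv
    lo, hi = pasv_range
    findings = []
    if not lo <= port <= hi:
        findings.append(f"port {port} outside pasv_min_port..pasv_max_port {lo}-{hi}")
    if port not in accepted_new_ports(rules):
        findings.append(f"no ACCEPT for NEW tcp/{port}")
    if "200 PROT now Private" in log:   # PROT P implies AUTH TLS: control channel encrypted
        findings.append("PROT P: ip_conntrack_ftp cannot read PASV, so RELATED never matches")
    if client_on_lan and ip == pasv_address:
        findings.append(f"LAN client sent to public address {ip}: needs hairpin NAT")
    return findings
```

Run `check_pasv(FILEZILLA_LOG, IPTABLES_RULES, "85.226.1.2", (50505, 50510), True)` to reproduce the LAN passive-mode case from post #1; the advertised port 197,75 decodes to 50507.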