LinuxQuestions.org > Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
01-31-2011, 06:58 PM
#1
Member
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91
Rep:
vsftpd: can connect remotely but not locally
I'm running vsftpd-2.2.2 on Slackware 13.1 and I'm behind a NAT with a dynamic IP. I'm using pasv_address, which makes it necessary to have a crontab that checks whether my IP has changed, and if it has, edits the conf and restarts vsftpd. It's hackish but it works. I have also enabled FTPES on the same port that normal FTP runs.
I have allowed only the 5001:5003 ports and I am aware that the recommended is 50 ports. However I never had an issue with the transfers since I'm the only user and have at maximum two simultaneous transfers.
I can connect remotely with FTP and FTPES with every client I tried but I'm having issues locally. FileZilla refuses to connect on FTP and FTPES. WinSCP can connect on FTP but not FTPES.
Issues are gone if I enable pasv_promiscuous, which the manpage strongly recommends not to use unless "you know what you're doing". I don't.
Why is this happening? And, can I fix the local connections without resorting to pasv_promiscuous?
Here is my config and log files from a failed local attempt.
vsftpd.conf
Code:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
check_shell=NO
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=SERVERNAME
ls_recurse_enable=YES
listen=YES
dual_log_enable=YES
log_ftp_protocol=YES
pasv_enable=YES
listen_port=2100
ftp_data_port=5000
pasv_min_port=5001
pasv_max_port=5003
connect_from_port_20=NO
pasv_address=77.49.54.233
ssl_enable=YES
rsa_cert_file=/etc/vsftpd2.pem
require_ssl_reuse=NO
implicit_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
pasv_promiscuous=NO
FileZilla
Code:
Status: Connecting to 10.0.0.3:2100...
Status: Connection established, waiting for welcome message...
Response: 220 SERVERNAME
Command: USER user
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: AUTH SSL
Response: AUTH TLS
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: PBSZ
Response: PROT
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: UTF8
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (77,49,54,233,19,139).
Command: LIST
Response: 425 Security: Bad IP connecting.
Error: Failed to retrieve directory listing
Response: 500 OOPS: close
Response: 500 OOPS: priv_sock_get_cmd
Error: Connection closed by server
vsftpd.log
Code:
Tue Feb 1 01:15:48 2011 [pid 7805] CONNECT: Client "10.0.0.2"
Tue Feb 1 01:15:48 2011 [pid 7805] FTP response: Client "10.0.0.2", "220 SERVERNAME"
Tue Feb 1 01:15:48 2011 [pid 7805] FTP command: Client "10.0.0.2", "USER user"
Tue Feb 1 01:15:48 2011 [pid 7805] [user] FTP response: Client "10.0.0.2", "331 Please specify the password."
Tue Feb 1 01:15:48 2011 [pid 7805] [user] FTP command: Client "10.0.0.2", "PASS <password>"
Tue Feb 1 01:15:49 2011 [pid 7804] [user] OK LOGIN: Client "10.0.0.2"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "230 Login successful."
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "SYST"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "215 UNIX Type: L8"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "FEAT"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211-Features:"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH SSL??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH TLS??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPRT??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPSV??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " MDTM??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PASV??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PBSZ??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PROT??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " REST STREAM??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " SIZE??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " TVFS??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " UTF8??"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211 End"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "OPTS UTF8 ON"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Always in UTF8 mode."
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PWD"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "257 "/""
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "TYPE I"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Switching to Binary mode."
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PASV"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "227 Entering Passive Mode (77,49,54,233,19,139)."
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "LIST"
Tue Feb 1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "425 Security: Bad IP connecting."
02-01-2011, 06:21 AM
#2
Member
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109
Rep:
Quote:
Originally Posted by jsmith6
[post #1 quoted in full]
Hi,
Using passive mode implies that the server returns the IP and the port to use for the data transfer.
This means that when the client sends the PASV command the server returns something like:
Code:
227 Entering Passive Mode (77,49,54,233,19,139).
This means that it's listening on the IP 77.49.54.233 on port 19*256+139 (=5003): the client needs to call this IP & port to establish a data connection.
Maybe this doesn't work locally because it should use the private IP and not the public one?
Have a try using the command EPSV instead of PASV...
Last but not least: the use of passive mode in FTP is a GOOD choice because it prevents (or tries to!) sniffing on a well-known data port...
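As an added example (not code from the thread or from vsftpd), the decoding described above carried out on the two replies that appear in this thread: the 227 reply from the FileZilla log and the 229 reply from the lftp session later in the thread. The check at the end is a simplified model of what vsftpd enforces with pasv_promiscuous=NO, namely that the data connection must come from the same address as the control connection; it is not vsftpd's source. The hosts and ports are the ones in the posted logs and config; the pasv port range defaults are from the posted vsftpd.conf.

```python
import re
from ipaddress import ip_address

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply):
    """Decode a 227 reply into (advertised_ip, p1*256 + p2)."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_epsv(reply, control_host):
    """Decode a 229 reply. It carries only a port: the client reuses the
    address it is already talking to on the control connection."""
    m = EPSV_RE.match(reply)
    if m is None:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in EPSV reply")
    return control_host, port


def data_endpoint(reply, control_host):
    """Where the client will open the data connection after this reply."""
    if reply.startswith("227 "):
        return parse_pasv(reply)
    if reply.startswith("229 "):
        return parse_epsv(reply, control_host)
    raise ValueError(f"unexpected reply: {reply!r}")


def advertises_control_host(reply, control_host):
    """True when the data connection will go to the same host the client is
    already talking to; False when the server points it elsewhere (the
    pasv_address case that breaks LAN clients in this thread)."""
    host, _ = data_endpoint(reply, control_host)
    return ip_address(host) == ip_address(control_host)


def in_pasv_range(port, pasv_min=5001, pasv_max=5003):
    """Is the advertised port inside the range the firewall was opened for?"""
    return pasv_min <= port <= pasv_max


def server_accepts_data_conn(control_peer, data_peer, pasv_promiscuous=False):
    """Simplified model of vsftpd's '425 Security: Bad IP connecting' check:
    with pasv_promiscuous=NO the data connection must originate from the same
    address as the control connection."""
    return pasv_promiscuous or ip_address(control_peer) == ip_address(data_peer)


if __name__ == "__main__":
    # Replies taken from the thread; the client connected to 10.0.0.3:2100.
    pasv_reply = "227 Entering Passive Mode (77,49,54,233,19,139)."
    epsv_reply = "229 Entering Extended Passive Mode (|||5002|)."
    for reply in (pasv_reply, epsv_reply):
        host, port = data_endpoint(reply, "10.0.0.3")
        print(f"{reply[:3]} -> connect to {host}:{port}, "
              f"same host as control: {advertises_control_host(reply, '10.0.0.3')}, "
              f"in pasv range: {in_pasv_range(port)}")
    # The LAN client is 10.0.0.2; a data connection that reaches the server
    # from any other address is refused unless pasv_promiscuous is set.
    print("data from 10.0.0.2 accepted:", server_accepts_data_conn("10.0.0.2", "10.0.0.2"))
```

Running this against the posted replies shows the asymmetry the thread is about: PASV sends the LAN client to 77.49.54.233:5003, an address other than the 10.0.0.3 it is already connected to, so the data connection has to travel through the NAT and arrives at vsftpd from a different source address than the control session; EPSV sends it to 10.0.0.3:5002 and the same-address check passes without touching pasv_promiscuous.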
02-04-2011, 10:53 AM
#3
Member
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91
Original Poster
Rep:
Quote:
Originally Posted by MCD555
Have a try using the command EPSV instead of PASV
I think vsftpd has EPSV enabled by default and you need to do some special stuff to disable it.
Here it is, after connecting to the server with lftp:
Code:
lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).
So I'm already using EPSV, right?
02-08-2011, 05:31 PM
#4
Member
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109
Rep:
Quote:
Originally Posted by jsmith6
I think vsftpd has EPSV enabled by default and you need to do some special stuff to disable it.
Here it is, after connecting to the server with lftp:
Code:
lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).
So I'm already using EPSV, right?
Well, not really true... I mean EPSV is one of the default commands available to the client, but if you want you can disable it (as the others, of course!) to limit your FTP user.
So to test whether EPSV solves your local access to your FTP server, just go this way:
Code:
lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).
lftp user@host:/> ls
If you get the list of the files in your directory, EPSV is your solution!
Hope this helps!
All times are GMT -5. The time now is 01:52 AM.