Old 01-31-2011, 06:58 PM   #1
jsmith6
Member
 
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91

Rep: Reputation: 16
vsftpd: can connect remotely but not locally


I'm running vsftpd-2.2.2 on Slackware 13.1 and I'm behind a NAT with a dynamic IP. I'm using pasv_address, which makes it necessary to have a crontab that checks whether my IP has changed, and if it has, edits the conf and restarts vsftpd. It's hackish but it works. I have also enabled FTPES on the same port that normal FTP runs.

I have allowed only the 5001:5003 ports and I am aware that the recommendation is 50 ports. However I never had an issue with the transfers since I'm the only user and have at maximum two simultaneous transfers.

I can connect remotely with FTP and FTPES with every client I tried but I'm having issues locally. FileZilla refuses to connect on FTP and FTPES. WinSCP can connect on FTP but not FTPES.

Issues are gone if I enable pasv_promiscuous, which the manpage strongly recommends not to use unless "you know what you're doing". I don't.

Why is this happening? And, can I fix the local connections without resorting to pasv_promiscuous?

Here is my config and log files from a failed local attempt.

vsftpd.conf

Code:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
check_shell=NO
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=SERVERNAME
ls_recurse_enable=YES
listen=YES
dual_log_enable=YES
log_ftp_protocol=YES
pasv_enable=YES
listen_port=2100
ftp_data_port=5000
pasv_min_port=5001
pasv_max_port=5003
connect_from_port_20=NO
pasv_address=77.49.54.233
ssl_enable=YES
rsa_cert_file=/etc/vsftpd2.pem
require_ssl_reuse=NO
implicit_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
pasv_promiscuous=NO

FileZilla

Code:
Status:	Connecting to 10.0.0.3:2100...
Status:	Connection established, waiting for welcome message...
Response:	220 SERVERNAME
Command:	USER user
Response:	331 Please specify the password.
Command:	PASS ********
Response:	230 Login successful.
Command:	SYST
Response:	215 UNIX Type: L8
Command:	FEAT
Response:	211-Features:
Response:	 AUTH SSL
Response:	 AUTH TLS
Response:	 EPRT
Response:	 EPSV
Response:	 MDTM
Response:	 PASV
Response:	 PBSZ
Response:	 PROT
Response:	 REST STREAM
Response:	 SIZE
Response:	 TVFS
Response:	 UTF8
Response:	211 End
Command:	OPTS UTF8 ON
Response:	200 Always in UTF8 mode.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	227 Entering Passive Mode (77,49,54,233,19,139).
Command:	LIST
Response:	425 Security: Bad IP connecting.
Error:	Failed to retrieve directory listing
Response:	500 OOPS: close
Response:	500 OOPS: priv_sock_get_cmd
Error:	Connection closed by server

vsftpd.log

Code:
Tue Feb  1 01:15:48 2011 [pid 7805] CONNECT: Client "10.0.0.2"
Tue Feb  1 01:15:48 2011 [pid 7805] FTP response: Client "10.0.0.2", "220 SERVERNAME"
Tue Feb  1 01:15:48 2011 [pid 7805] FTP command: Client "10.0.0.2", "USER user"
Tue Feb  1 01:15:48 2011 [pid 7805] [user] FTP response: Client "10.0.0.2", "331 Please specify the password."
Tue Feb  1 01:15:48 2011 [pid 7805] [user] FTP command: Client "10.0.0.2", "PASS <password>"
Tue Feb  1 01:15:49 2011 [pid 7804] [user] OK LOGIN: Client "10.0.0.2"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "230 Login successful."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "SYST"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "215 UNIX Type: L8"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "FEAT"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211-Features:"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH SSL??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " AUTH TLS??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPRT??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " EPSV??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " MDTM??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PASV??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PBSZ??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " PROT??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " REST STREAM??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " SIZE??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " TVFS??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", " UTF8??"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "211 End"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "OPTS UTF8 ON"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Always in UTF8 mode."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PWD"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "257 "/""
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "TYPE I"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "200 Switching to Binary mode."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "PASV"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "227 Entering Passive Mode (77,49,54,233,19,139)."
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP command: Client "10.0.0.2", "LIST"
Tue Feb  1 01:15:49 2011 [pid 7806] [user] FTP response: Client "10.0.0.2", "425 Security: Bad IP connecting."
 
Old 02-01-2011, 06:21 AM   #2
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109

Rep: Reputation: 10
Hi,

Using passive mode implies that the server returns the IP and the port to use for the data transfer.
This means that when the client issues the PASV command, the server returns something like:

Code:
227 Entering Passive Mode (77,49,54,233,19,139).

This means that it is listening on IP 77.49.54.233 on port 19*256+139 (=5003): the client needs to call this IP and port to establish a data connection.
Maybe this doesn't work locally because it should use the private IP and not the public one?

Have a try using the command EPSV instead of PASV....

Last but not least: the use of passive mode in FTP is a GOOD choice because it prevents (or tries to!) the sniffing on a well known data port...
 
Old 02-04-2011, 10:53 AM   #3
jsmith6
Member
 
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by MCD555
Have a try using the command EPSV instead of PASV

I think vsftpd has EPSV enabled by default and you need to do some special stuff to disable it.

Here it is, after connecting to the server with lftp:

Code:
lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).

So I'm already using EPSV, right?
 
Old 02-08-2011, 05:31 PM   #4
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109

Rep: Reputation: 10
Well, not really true... I mean EPSV is one of the default commands available to the client, but if you want you can disable it (as the others, of course!) to limit your ftp user.
So to test if EPSV solves your local access to your ftp server, just proceed this way:


Code:
lftp user@host:/> quote epsv
229 Entering Extended Passive Mode (|||5002|).
lftp user@host:/> ls

If you get the list of the files of your directory EPSV is your solution!

Hope this helps!
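
The two reply formats discussed in this thread, as an added example that is not part of any post: a Python sketch that parses the 227 and 229 replies quoted above and reports when the PASV address differs from the address the control connection used. The function names `data_endpoint` and `diagnose` are this example's own, and the default port range is taken from the posted vsftpd.conf.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 form of a 227 reply and the (|||port|) form of a 229 reply
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(reply, control_ip):
    """Return (mode, ip, port) a client dials for the data connection."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(n) for n in m.group(1).split(",")]
        if max(nums) > 255:
            raise ValueError("octet out of range: " + reply)
        return "PASV", ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(2)) < 65536:
        # EPSV carries no address: the client reuses the control-connection IP
        return "EPSV", control_ip, int(m.group(2))
    raise ValueError("not a 227/229 reply: " + reply)


def diagnose(reply, control_ip, pasv_ports=(5001, 5003)):
    """List mismatches between the advertised endpoint and the control channel."""
    mode, ip, port = data_endpoint(reply, control_ip)
    findings = []
    if not pasv_ports[0] <= port <= pasv_ports[1]:
        findings.append("port outside pasv_min_port..pasv_max_port")
    if ip != control_ip:
        findings.append("data address differs from control address")
        if (ipaddress.ip_address(control_ip).is_private
                and not ipaddress.ip_address(ip).is_private):
            findings.append("LAN client is directed to the public address")
    return mode, (ip, port), findings


if __name__ == "__main__":
    pasv = "227 Entering Passive Mode (77,49,54,233,19,139)."
    epsv = "229 Entering Extended Passive Mode (|||5002|)."
    print(diagnose(pasv, "10.0.0.3"))      # local client, as in the FileZilla log
    print(diagnose(pasv, "77.49.54.233"))  # remote client reaching the public IP
    print(diagnose(epsv, "10.0.0.3"))      # local client using EPSV
```

According to the vsftpd man page, pasv_promiscuous disables the check that the data connection originates from the same IP address as the control connection. A mismatch flagged by this script marks a session whose data connection is dialled to a different address than its control connection, which is the situation in the failed local log.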
 
  

