Old 04-06-2012, 02:48 AM   #1
salmonix
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Rep: Reputation: 0
vsftpd freezes at LIST / SSL


Hi there,
vsftpd freezes at LIST.
Here is the client message:
220 Welcome to FACE-R service
AUTH TLS
234 Proceed with negotiation.
PBSZ 0
200 PBSZ set to 0.
USER arcadmin
331 Please specify the password.
PASS (password not shown)
230 Login successful.
CWD /home/arcadmin
250 Directory successfully changed.
TYPE A
200 Switching to ASCII mode.
PASV
227 Entering Passive Mode (10,10,13,3,39,35).
LIST
QUIT

Vsftpd log:


Client "client.ip.addr"
response: Client "client.ip.addr", "220 Welcome to FACE-R service"
command: Client "client.ip.addr", "AUTH TLS"
response: Client "client.ip.addr", "234 Proceed with negotiation."
Client "client.ip.addr", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, reused, no cert"
command: Client "client.ip.addr", "PBSZ 0"
response: Client "client.ip.addr", "200 PBSZ set to 0."
command: Client "client.ip.addr", "USER arcadmin"
FTP response: Client "client.ip.addr", "331 Please specify the password."
FTP command: Client "client.ip.addr", "PASS <password>"
OK LOGIN: Client "client.ip.addr"
FTP response: Client "client.ip.addr", "230 Login successful."
FTP command: Client "client.ip.addr", "CWD /home/arcadmin"
FTP response: Client "client.ip.addr", "250 Directory successfully changed."
FTP command: Client "client.ip.addr", "TYPE A"
FTP response: Client "client.ip.addr", "200 Switching to ASCII mode."
FTP command: Client "client.ip.addr", "PASV"
FTP response: Client "client.ip.addr", "227 Entering Passive Mode (10,10,13,3,39,34)."
FTP command: Client "client.ip.addr", "LIST"
FTP response: Client "client.ip.addr", "425 Failed to establish connection."
FTP command: Client "client.ip.addr", "QUIT"
FTP response: Client "client.ip.addr", "221 Goodbye."

vsftpd conf:

listen=YES
nopriv_user=ftpsecure
connect_from_port_20=YES
max_per_ip=4
ftpd_banner=Welcome to FACE-R service
idle_session_timeout=600
pam_service_name=vsftpd
pasv_enable=YES # no effect
pasv_address=10.10.13.3 #no effect
pasv_min_port=10000 # no effect
pasv_max_port=10020 # no effect
hide_ids=yes
local_enable=YES
dirmessage_enable=YES
write_enable=YES
check_shell=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
chroot_list_enable=YES
ssl_enable=yes
require_ssl_reuse=NO
allow_anon_ssl=no
force_local_data_ssl=no
force_local_logins_ssl=yes
ssl_tlsv1=yes
ssl_sslv2=no
ssl_sslv3=no
rsa_cert_file=/etc/CA/FACERca.pem
rsa_private_key_file=/etc/CA/private/FACERpriv.pem
debug_ssl=YES

The lines marked #no effect do not change the symptom.
The user I am trying to connect as is not a chrooted user (free to move around).
The SSL certificate is self-signed.

The server is behind a firewall, receiving a static IP address. The firewall is OK; the system ran before. The symptoms appeared just now, after a global update.
I have this in /etc/pam.d/vsftpd :

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth include system-auth
account include system-auth
session include system-auth

ftpusers does not contain the user I am trying to connect with.
I have found very similar issues but not exactly the same as mine.
 
Old 04-06-2012, 06:23 AM   #2
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Blog Entries: 4

Rep: Reputation: 221
make sure that
Code:
pasv_min_port=10000 
pasv_max_port=10020
are enabled in your firewall
 
Old 04-06-2012, 07:27 AM   #3
salmonix
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
Rep: Reputation: 0
These settings seem to have no effect. I have no access to the firewall, but as far as I know it is accepted on the terms of RELATED, ESTABLISHED.
As far as I know it is not closed.
I think it is something with SSL. If I configure

ssl_enable=no

I can then connect regardless of those settings.
Btw., the certificate is self-signed, but the clients are aware of it.
 
Old 04-06-2012, 07:49 AM   #4
salmonix
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
Rep: Reputation: 0
Perhaps this is a piece that helps those savants of the subject to help me out. With lftp debug I have the following:


<--- 227 Entering Passive Mode (IP_OF_THE_SERVER,122,247).
---- Address returned by PASV seemed to be incorrect and has been fixed
---- Connecting data socket to (IP_OF_THE_FIREWALL) port 31479
**** Socket error (Connection timed out) - reconnecting
---- Switching passive mode off
---> LIST
---> ABOR
---- Closing aborted data socket
---- Closing control socket
 
Old 04-06-2012, 08:11 AM   #5
grim76
Member
 
Registered: Jun 2007
Distribution: Debian, SLES, Ubuntu
Posts: 308

Rep: Reputation: 50
The passive ports have to be set up in your firewall, otherwise the connections will time out. I know that some FTP clients can be switched over to use PORT, but I am unsure if that is an option for lftp (never really used it).
 
Old 04-06-2012, 09:04 AM   #6
salmonix
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
Rep: Reputation: 0

I think this is not related to my problem. As I set ssl_enable=NO, I can ftp w/o problem.
See vsftpd log with ssl_enable=NO:


"220 Welcome to FACE-R service"
"USER arcadmin"
"CLIENT_IP", "331 Please specify the password."
"CLIENT_IP", "PASS <password>"
"CLIENT_IP"
"CLIENT_IP", "230 Login successful."
"CLIENT_IP", "SYST"
"CLIENT_IP", "215 UNIX Type: L8"
"CLIENT_IP", "TYPE I"
"CLIENT_IP", "200 Switching to Binary mode."
"CLIENT_IP", "PWD"
"CLIENT_IP", "257 "/home/arcadmin""
"CLIENT_IP", "PASV"
"CLIENT_IP", "227 Entering Passive Mode (10,10,13,3,42,216)." # server has fixed subnet IP
"CLIENT_IP", "LIST -aL"
"CLIENT_IP", "150 Here comes the directory listing."
"CLIENT_IP", "226 Directory send OK."

Everything is fine. But w/o encryption.
 
Old 04-06-2012, 09:17 AM   #7
salmonix
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
Rep: Reputation: 0
The problem is most probably described here:
http://blog.joshua.net/2006/07/ftps-...firewalls.html
 
Old 04-06-2012, 09:24 AM   #8
salmonix
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
Rep: Reputation: 0
(So deep27ak might be right; I have to contact the firewall admin.)
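
Added example, not part of the thread: once AUTH TLS encrypts the control channel, a firewall that opens data ports by reading the 227 reply (the RELATED rule) can no longer see it, so the passive range has to be allowed explicitly. The script below decodes the 227 replies quoted in the logs above and checks each advertised port against pasv_min_port/pasv_max_port; the sample config and log are constructed from the thread's lines, and the function names are hypothetical.

```python
import re

# Constructed sample input, adapted from the config and logs quoted in the thread.
SAMPLE_CONF = """\
pasv_min_port=10000
pasv_max_port=10020
ssl_enable=yes
"""
SAMPLE_LOG = """\
FTP response: Client "client.ip.addr", "227 Entering Passive Mode (10,10,13,3,39,34)."
FTP command: Client "client.ip.addr", "LIST"
FTP response: Client "client.ip.addr", "425 Failed to establish connection."
"CLIENT_IP", "227 Entering Passive Mode (10,10,13,3,42,216)."
"CLIENT_IP", "LIST -aL"
"CLIENT_IP", "150 Here comes the directory listing."
"""

PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
REPLY_RE = re.compile(r'"(\d{3}) ')  # reply code at the start of a quoted message

def decode_pasv(line):
    """Return (ip, port) from a 227 reply, else None. Port = p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def pasv_range(conf_text):
    """Read pasv_min_port/pasv_max_port from vsftpd.conf text (0 = not set)."""
    lines = (l.strip() for l in conf_text.splitlines())
    opts = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))

def audit(log_text, conf_text):
    """Pair each 227 reply with the next 150 (data channel opened) or 425 (failed).
    Returns (ip, port, in_configured_range, code); in_range is None if no range is set."""
    lo, hi = pasv_range(conf_text)
    results, pending = [], None
    for line in log_text.splitlines():
        endpoint = decode_pasv(line)
        if endpoint:
            pending = endpoint
            continue
        m = REPLY_RE.search(line)
        if pending and m and m.group(1) in ("150", "425"):
            in_range = (lo <= pending[1] <= hi) if hi else None
            results.append((pending[0], pending[1], in_range, m.group(1)))
            pending = None
    return results
```

On the thread's data the failing TLS session advertised port 10018, inside 10000-10020, while the working plaintext session advertised 10968, outside it; the lftp trace's (122,247) decodes to 31479, matching the port lftp reports.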
 
  

