LinuxQuestions.org


DextrousDave 07-07-2013 01:24 PM

vsftpd - Logging in via Filezilla - Cannot get past LIST command
 


I am using CentOS 6.4 and I am using vsftp to manage my ftp connections.

I have created a non-root user for my ftp server. Now, when I log into my ftp account via filezilla, it authenticates but when it gets to the LIST command, it stops/freezes.

Command: PASV
Response: 227 Entering Passive Mode (xxxxxxmyIPxxxxx).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

Also, in WordPress, it asks me to log into my ftp account, but authentication fails every time; I believe the 2 problems are related...

Could anybody please give me some advice?

I tried the following, but it does not work:

while logged in as root on server:
sudo chown -R david /var/www/html

Ser Olmy 07-07-2013 02:44 PM

This is probably NAT or firewall related. In passive mode, the LIST command will cause the client to open a secondary data connection to TCP port 20 (usually) on the FTP server. It looks like the connection attempt is being blocked (a firewall issue) or the client attempts to connect to the wrong address (a NAT issue).

Are you accessing the server over the Internet? If not, is there a router between the FTP server and the client? Is either the client or the server behind NAT? Are you using the iptables firewall on the CentOS server, and if so, what does the ruleset look like?

DextrousDave 07-07-2013 02:55 PM

Thank you Ser Olmy. I already added the following rule to my iptables file:

iptables -A INPUT -p tcp --dport 20 -j ACCEPT

Yes, I am accessing the server over the internet (3G connection). Nope, NO NATting as far as I know.

Ser Olmy 07-07-2013 03:18 PM

So both the server and the client have public, routable IP addresses?

Rather than allowing TCP port 20 in the INPUT chain, you might want to consider loading the nf_conntrack_ftp module. This module contains an FTP ALG which will open and close ports dynamically based on whatever commands are being sent/received over the FTP command channel.

Try
Code:

modprobe nf_conntrack_ftp
...and see what happens.

DextrousDave 07-07-2013 04:32 PM

Thank you very much. It works!

tombelcher7 07-08-2013 07:33 AM

Just out of curiosity; are any of these options more or less secure?

I.e. is setting an iptables rule to allow port 22 or port 20 (depending on whether you're using SFTP or not) more secure than nf_conntrack_ftp; does either have more merit than the other?

I just ask this as I am interested in this method of conntrack at the kernel level.

Quote:

Originally Posted by Ser Olmy (Post 4985814)
So both the server and the client have public, routable IP addresses?

Rather than allowing TCP port 20 in the INPUT chain, you might want to consider loading the nf_conntrack_ftp module. This module contains an FTP ALG which will open and close ports dynamically based on whatever commands are being sent/received over the FTP command channel.

Try
Code:

modprobe nf_conntrack_ftp
...and see what happens.


Ser Olmy 07-08-2013 08:00 PM

Quote:

Originally Posted by tombelcher7 (Post 4986148)
Just out of curiosity; are any of these options more or less secure?

I.e. is setting an iptables rule to allow port 22 or port 20 (depending on whether you're using SFTP or not) more secure than nf_conntrack_ftp; does either have more merit than the other?

An iptables rule to allow TCP port 20 will leave the port open to everyone at all times, while the ALG module opens and closes the port as needed. This should theoretically make the conntrack module the safer option, assuming it doesn't contain exploitable bugs.

SFTP is a completely different protocol and doesn't use a separate data channel. Both FTP and SFTP servers need an open command channel (TCP port 21 and 22 respectively).

DextrousDave 07-09-2013 12:51 AM

Could you please tell me: What exactly does modprobe nf_conntrack_ftp do?

Thank you

Ser Olmy 07-09-2013 12:41 PM

Quote:

Originally Posted by DextrousDave (Post 4986726)
Could you please tell me: What exactly does modprobe nf_conntrack_ftp do?

nf_conntrack_ftp belongs to a group of firewall modules called Application Layer Gateways (or "Application-level Gateways", depending on who you ask).

ALGs are designed to monitor and analyze data flows containing a particular application protocol (FTP in this case), and dynamically adjust the firewall ruleset as needed in order for the protocol to work.

For instance, FTP uses one control connection and a separate data connection, and the latter is opened on demand. A data connection may be initiated by either party (passive vs. active FTP) and the port number on the client end is usually a random high port (>1024). If the router/firewall has an ALG, all you need to do is open the port for the control channel; the ALG handles the rest.

FTP is not the only protocol making use of secondary connections. SIP works in much the same way, using RTP on essentially random ports for the actual voice traffic. H.323 works in a similar manner. An ALG not only opens these ports on demand, it closes them once they're no longer needed. Without ALGs for such protocols, the firewall administrator would have to leave a whole range of ports open on a permanent basis.

In addition to the "conntrack" ALGs, routers performing network address translation (NAT) will need NAT ALGs for all application protocols that reference either the client or the server IP address and/or port number. A NAT ALG actually modifies the application protocol traffic as it passes through the router, replacing IP addresses and port numbers as needed.
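To make the ALG behaviour above concrete, and the "open at all times" versus "opened on demand" comparison from Ser Olmy's earlier reply, here is an added example that is not part of this thread and not code from the Linux kernel or vsftpd: a toy Python model of how an FTP helper reads PORT commands and 227 replies off the control channel to derive the single data connection it should expect, set against a static port rule, plus the address rewrite a NAT ALG would perform on a 227 reply. The hosts, ports and sample lines are constructed (documentation address ranges), and the class and function names are invented for illustration.

```python
# Toy model of an FTP application-layer gateway. Added example for this thread;
# not kernel code. All addresses and control-channel lines below are constructed.
import re
from dataclasses import dataclass

CLIENT_IP = "198.51.100.7"   # constructed: the FileZilla side
SERVER_IP = "203.0.113.10"   # constructed: the vsftpd side

# FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2,
# so 195,80 -> 50000 and 4,1 -> 1025.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."
PORT_CMD = "PORT 198,51,100,7,4,1"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    """The one data connection to let through: src host -> dst host:dport."""
    src: str
    dst: str
    dport: int


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def expectation_from_control(line, client_ip, server_ip):
    """Turn one control-channel line into an Expectation, or None if it announces nothing.

    Passive: the server's 227 reply names where the CLIENT will connect.
    Active:  the client's PORT command names where the SERVER will connect.
    The announced address must belong to the peer that sent it, otherwise a crafted
    line could make the firewall open a hole towards a third host; the kernel helper
    applies a comparable consistency check by default.
    """
    line = line.strip()
    if line.startswith("227"):
        parsed = parse_hostport(line)
        if parsed is None or parsed[0] != server_ip:
            return None
        return Expectation(src=client_ip, dst=parsed[0], dport=parsed[1])
    if line.upper().startswith("PORT "):
        parsed = parse_hostport(line)
        if parsed is None or parsed[0] != client_ip:
            return None
        return Expectation(src=server_ip, dst=parsed[0], dport=parsed[1])
    return None


class StaticPortFirewall:
    """The thread's first attempt: TCP/21 plus TCP/20 open to everyone, all the time."""

    def allows(self, src, dst, dport):
        return dport in (20, 21)


class AlgFirewall:
    """TCP/21 open; a data connection only once it was announced on the control channel."""

    def __init__(self):
        self.expectations = set()

    def observe(self, line, client_ip, server_ip):
        exp = expectation_from_control(line, client_ip, server_ip)
        if exp is not None:
            self.expectations.add(exp)

    def allows(self, src, dst, dport):
        if dport == 21:
            return True
        exp = Expectation(src, dst, dport)
        if exp in self.expectations:
            # Single use: once the data connection appears it is tracked on its own and
            # the hole is gone. Real conntrack expectations also expire (timeout omitted).
            self.expectations.discard(exp)
            return True
        return False


def nat_rewrite_pasv_reply(line, public_ip):
    """NAT ALG step: rewrite the address inside a 227 reply so the client connects
    to the router's public address instead of a private one it cannot reach."""
    parsed = parse_hostport(line)
    if parsed is None:
        return line
    port = parsed[1]
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return _HOSTPORT.sub(new_tuple, line, count=1)
```

The model shows the difference in one sentence: `StaticPortFirewall` answers yes to anyone knocking on port 20 at any moment, while `AlgFirewall` answers yes only to the client named on the control channel, only for the port the server announced, and only once. Note also the address check in `expectation_from_control`: an ALG that trusts whatever address appears in a PORT or 227 line is itself a way to punch holes in the firewall, which is why such helpers compare it with the control connection's endpoints.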

DextrousDave 07-09-2013 01:27 PM

Wow, great explanation... Thank you, it is good to know all of this... At least I know what I am allowing...

Really appreciate your help.

Have a great day.
