[SOLVED] vsftpd - Logging in via Filezilla - Cannot get past LIST command
I am using CentOS 6.4 and I am using vsftp to manage my ftp connections.
I have created a non-root user for my ftp server. Now, when I log into my ftp account via filezilla, it authenticates but when it gets to the LIST command, it stops/freezes.
Command: PASV
Response: 227 Entering Passive Mode (xxxxxxmyIPxxxxx).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
Also, in Wordpress, it asks me to log into my ftp account, but authentication fails every time; I believe the 2 problems are related...
Could anybody please give me some advice?
I tried the following, but it does not work:
while logged in as root on server:
sudo chown -R david /var/www/html
This is probably NAT or firewall related. In passive mode, the LIST command will cause the client to open a secondary data connection to TCP port 20 (usually) on the FTP server. It looks like the connection attempt is being blocked (a firewall issue) or the client attempts to connect to the wrong address (a NAT issue).
Are you accessing the server over the Internet? If not, is there a router between the FTP server and the client? Is either the client or the server behind NAT? Are you using the iptables firewall on the CentOS server, and if so, what does the ruleset look like?
So both the server and the client have public, routable IP addresses?
Rather than allowing TCP port 20 in the INPUT chain, you might want to consider loading the nf_conntrack_ftp module. This module contains an FTP ALG which will open and close ports dynamically based on whatever commands are being sent/received over the FTP command channel.
Just out of curiosity; are any of these options more or less secure:
I.e. is setting an iptables rule to allow port 22 or port 20 (depending on whether you're using SFTP or not) more secure than nf_conntrack_ftp; are there any that have more merit than the others?
I just ask this as I am interested in this method of conntrack at the kernel level.
Quote:
Originally Posted by Ser Olmy
So both the server and the client have public, routable IP addresses?
Rather than allowing TCP port 20 in the INPUT chain, you might want to consider loading the nf_conntrack_ftp module. This module contains an FTP ALG which will open and close ports dynamically based on whatever commands are being sent/received over the FTP command channel.
Just out of curiosity; are any of these options more or less secure:
I.e. is setting an iptables rule to allow port 22 or port 20 (depending on whether you're using SFTP or not) more secure than nf_conntrack_ftp; are there any that have more merit than the others?
An iptables rule to allow TCP port 20 will leave the port open to everyone at all times, while the ALG module opens and closes the port as needed. This should theoretically make the conntrack module the safer option, assuming it doesn't contain exploitable bugs.
SFTP is a completely different protocol and doesn't use a separate data channel. Both FTP and SFTP servers need an open command channel (TCP port 21 and 22 respectively).
Could you please tell me: What exactly does modprobe nf_conntrack_ftp do?
nf_conntrack_ftp belongs to a group of firewall modules called Application Layer Gateways (or "Application-level Gateways", depending on who you ask).
ALGs are designed to monitor and analyze data flows containing a particular application protocol (FTP in this case), and dynamically adjust the firewall ruleset as needed in order for the protocol to work.
For instance, FTP uses one control connection and a separate data connection, and the latter is opened on demand. A data connection may be initiated by either party (passive vs. active FTP) and the port number on the client end is usually a random high port (>1024). If the router/firewall has an ALG, all you need to do is open the port for the control channel; the ALG handles the rest.
FTP is not the only protocol making use of secondary connections. SIP works in much the same way, using RTP on essentially random ports for the actual voice traffic. H.323 works in a similar manner. An ALG not only opens these ports on demand, it closes them once they're no longer needed. Without ALGs for such protocols, the firewall administrator would have to leave a whole range of ports open on a permanent basis.
In addition to the "conntrack" ALGs, routers performing network address translation (NAT) will need NAT ALGs for all application protocols that reference either the client or the server IP address and/or port number. A NAT ALG actually modifies the application protocol traffic as it passes through the router, replacing IP addresses and port numbers as needed.
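The two firewall strategies debated in this thread (a permanent rule for the data port range versus the nf_conntrack_ftp helper), together with the PASV-reply decoding that the ALG performs on the control channel and the NAT/firewall checks from the first reply, as an added shell example that is not code from any poster here. The passive port range 50000-50100, the server address 203.0.113.10 and the vsftpd.conf settings are assumed values; the two ruleset functions only print the iptables commands, so the script can be read and run without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: vsftpd pinned to
# passive ports 50000-50100 and a server control address of 203.0.113.10.

# Decode a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into host:port.
# This is the same parsing the nf_conntrack_ftp helper does on the control
# channel before it registers the expected data connection.
pasv_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# NAT check: the host the server advertises must be the one the client already
# talks to on port 21. A mismatch (typically a private address leaking through
# NAT) makes the client connect to the wrong place and LIST times out.
pasv_address_matches() {
    ep=$(pasv_endpoint "$1") || return 2
    [ "${ep%:*}" = "$2" ]
}

# Firewall check for the static option: the advertised port must fall inside
# the range that vsftpd (pasv_min_port/pasv_max_port) and iptables agree on.
pasv_port_allowed() {
    ep=$(pasv_endpoint "$1") || return 2
    port=${ep##*:}
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Option 1: static data-port range, open to everyone at all times.
static_ruleset() {
    cat <<'EOF'
# /etc/vsftpd/vsftpd.conf (assumed): pasv_min_port=50000 / pasv_max_port=50100
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 50000:50100 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Option 2: the FTP ALG. Only port 21 is opened statically; the helper marks
# each negotiated data connection RELATED and drops the expectation once the
# data connection is gone.
alg_ruleset() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

if [ "${1:-}" = "show" ]; then
    printf '== static ==\n'; static_ruleset
    printf '== alg ==\n';    alg_ruleset
fi
```

Run it as `sh ftp-fw.sh show` to print both rulesets. On CentOS 6 the helper is loaded persistently by setting IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config. On kernels 4.7 and newer the helper is no longer attached to port 21 automatically, so the modprobe must be paired with a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; without it the data connection is never marked RELATED and the LIST timeout from the original post reappears even though the module is loaded.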