LinuxQuestions.org
Old 07-07-2013, 01:24 PM   #1
DextrousDave
LQ Newbie
 
Registered: Jul 2013
Posts: 16

Rep: Reputation: Disabled
vsftpd - Logging in via Filezilla - Cannot get past LIST command




I am using CentOS 6.4 and I am using vsftp to manage my ftp connections.

I have created a non-root user for my ftp server. Now, when I log into my ftp account via filezilla, it authenticates, but when it gets to the LIST command, it stops/freezes.

Command: PASV
Response: 227 Entering Passive Mode (xxxxxxmyIPxxxxx).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

Also, in WordPress, it asks me to log into my ftp account, but authentication fails every time. I believe the 2 problems are related...

Could anybody please give me some advice?

I tried the following, but it does not work:

while logged in as root on server:
Code:
sudo chown -R david /var/www/html   # owner first, then the path; the reversed order makes chown fail
 
Old 07-07-2013, 02:44 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
This is probably NAT or firewall related. In passive mode, the LIST command will cause the client to open a secondary data connection to TCP port 20 (usually) on the FTP server. It looks like the connection attempt is being blocked (a firewall issue) or the client attempts to connect to the wrong address (a NAT issue).

Are you accessing the server over the Internet? If not, is there a router between the FTP server and the client? Is either the client or the server behind NAT? Are you using the iptables firewall on the CentOS server, and if so, what does the ruleset look like?
 
Old 07-07-2013, 02:55 PM   #3
DextrousDave
LQ Newbie
 
Registered: Jul 2013
Posts: 16

Original Poster
Rep: Reputation: Disabled
Thank you Ser Olmy. I already added the following rule to my iptables file:

iptables -A INPUT -p tcp --dport 20 -j ACCEPT

Yes, I am accessing the server over the internet (3G connection). Nope, NO NATting as far as I am concerned.
 
Old 07-07-2013, 03:18 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
So both the server and the client have public, routable IP addresses?

Rather than allowing TCP port 20 in the INPUT chain, you might want to consider loading the nf_conntrack_ftp module. This module contains an FTP ALG which will open and close ports dynamically based on whatever commands are being sent/received over the FTP command channel.

Try
Code:
modprobe nf_conntrack_ftp
...and see what happens.
 
Old 07-07-2013, 04:32 PM   #5
DextrousDave
LQ Newbie
 
Registered: Jul 2013
Posts: 16

Original Poster
Rep: Reputation: Disabled
Thank you very much. It works!
 
Old 07-08-2013, 07:33 AM   #6
tombelcher7
Member
 
Registered: Feb 2008
Location: Surrey
Distribution: Debian
Posts: 214

Rep: Reputation: 5
Just out of curiosity; are any of these options more or less secure:

I.e., is setting an iptables rule to allow port 22 or port 20 (depending on whether you're using SFTP or not) more secure than nf_conntrack_ftp; does either have more merit over the other?

I just ask this as I am interested in this method of conntrack at the kernel level.

Quote:
Originally Posted by Ser Olmy
So both the server and the client have public, routable IP addresses?

Rather than allowing TCP port 20 in the INPUT chain, you might want to consider loading the nf_conntrack_ftp module. This module contains an FTP ALG which will open and close ports dynamically based on whatever commands are being sent/received over the FTP command channel.

Try
Code:
modprobe nf_conntrack_ftp
...and see what happens.
 
Old 07-08-2013, 08:00 PM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Quote:
Originally Posted by tombelcher7
Just out of curiosity; are any of these options more or less secure:

I.e., is setting an iptables rule to allow port 22 or port 20 (depending on whether you're using SFTP or not) more secure than nf_conntrack_ftp; does either have more merit over the other?
An iptables rule to allow TCP port 20 will leave the port open to everyone at all times, while the ALG module opens and closes the port as needed. This should theoretically make the conntrack module the safer option, assuming it doesn't contain exploitable bugs.

SFTP is a completely different protocol and doesn't use a separate data channel. Both FTP and SFTP servers need an open command channel (TCP port 21 and 22 respectively).
 
Old 07-09-2013, 12:51 AM   #8
DextrousDave
LQ Newbie
 
Registered: Jul 2013
Posts: 16

Original Poster
Rep: Reputation: Disabled
Could you please tell me: What exactly does modprobe nf_conntrack_ftp do?

Thank you
 
Old 07-09-2013, 12:41 PM   #9
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Quote:
Originally Posted by DextrousDave
Could you please tell me: What exactly does modprobe nf_conntrack_ftp do?
nf_conntrack_ftp belongs to a group of firewall modules called Application Layer Gateways (or "Application-level Gateways", depending on who you ask).

ALGs are designed to monitor and analyze data flows containing a particular application protocol (FTP in this case), and dynamically adjust the firewall ruleset as needed in order for the protocol to work.

For instance, FTP uses one control connection and a separate data connection, and the latter is opened on demand. A data connection may be initiated by either party (passive vs. active FTP) and the port number on the client end is usually a random high port (>1024). If the router/firewall has an ALG, all you need to do is open the port for the control channel; the ALG handles the rest.

FTP is not the only protocol making use of secondary connections. SIP works in much the same way, using RTP on essentially random ports for the actual voice traffic. H.323 works in a similar manner. An ALG not only opens these ports on demand, it closes them once they're no longer needed. Without ALGs for such protocols, the firewall administrator would have to leave a whole range of ports open on a permanent basis.

In addition to the "conntrack" ALGs, routers performing network address translation (NAT) will need NAT ALGs for all application protocols that reference either the client or the server IP address and/or port number. A NAT ALG actually modifies the application protocol traffic as it passes through the router, replacing IP addresses and port numbers as needed.

Last edited by Ser Olmy; 07-09-2013 at 12:42 PM.
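The following is an added example, not code from this thread or from the vsftpd or netfilter projects. It covers both the modprobe nf_conntrack_ftp suggestion in post #4 and the ALG explanation in post #9: it decodes the endpoint the FTP control channel advertises (exactly the information the helper extracts from a PASV reply or PORT command), checks for the NAT mismatch described in post #2, and emits the ruleset that leaves only TCP/21 statically open. All addresses and ports are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Shows what nf_conntrack_ftp learns from the
# FTP control channel, and the ruleset that lets the helper admit the data
# connection instead of a permanent "--dport 20" ACCEPT.
# Sample addresses (192.0.2.x, 198.51.100.x) and ports are constructed.

# Decode the endpoint advertised on the control channel. Both the passive-mode
# reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the active-mode
# command "PORT h1,h2,h3,h4,p1,p2" carry the host as four decimal octets and
# the port as p1*256+p2. Prints "host port" on success, fails otherwise.
ftp_data_endpoint() {
    case "$1" in
        227*)  t=${1#*"("}; t=${t%%")"*} ;;          # text inside the parentheses
        PORT*) t=${1#"PORT "}; t=${t%%[!0-9,]*} ;;   # digits and commas after "PORT "
        *)     return 1 ;;                            # not an endpoint announcement
    esac
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$t
EOF
    [ -n "$p2" ] || return 1
    printf '%s.%s.%s.%s %d\n' "$h1" "$h2" "$h3" "$h4" $((p1 * 256 + p2))
}

# The NAT symptom from the thread: the address inside the PASV reply differs from
# the address the control connection actually came from, so the client dials the
# wrong host. Returns 0 when they agree, 1 when a NAT ALG (nf_nat_ftp) is needed.
# $1 = control-channel line, $2 = peer address of the control connection.
ftp_endpoint_matches_peer() {
    ep=$(ftp_data_endpoint "$1") || return 1
    [ "${ep%% *}" = "$2" ]
}

# Ruleset using the helper: only TCP/21 is statically open; the data connection
# (whichever side opens it, whatever port it lands on) is accepted as RELATED
# because the helper has seen it announced on the control channel.
# Apply as root with: ftp_firewall_rules | sh
ftp_firewall_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Kernels that no longer auto-assign helpers need the control flow tagged explicitly:
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
EOF
}
```

With the helper loaded, a `--dport 20` ACCEPT in INPUT becomes unnecessary; the RELATED match admits exactly the one data connection that was announced and nothing else.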
 
Old 07-09-2013, 01:27 PM   #10
DextrousDave
LQ Newbie
 
Registered: Jul 2013
Posts: 16

Original Poster
Rep: Reputation: Disabled
Wow, great explanation... Thank you, it is good to know all of this... At least I know what I am allowing...

Really appreciate your help.

Have a great day.
 
Tags
filezilla, ftp, vsftpd