12-03-2004, 05:16 AM
#1
LQ Newbie
Registered: Dec 2004
Location: Belgium, Antwerp
Distribution: Slackware, Debian
Posts: 5
Rep:
Vsftpd + SSL + Passive = Listing problem
Hi,
We've got some kind of a rare problem I haven't seen on any other forums or mailing lists.
We've set up vsftpd on our new Debian server, which resides behind a PIX firewall (we may not access the PIX itself, only the server), so for transfers internally and externally to go perfectly we requested forwarding of some 50 data lines and port 21 and set those ports up passively:
Code:
# Passive + Port cmd's (allow FXP)
connect_from_port_20=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=2101
pasv_max_port=2149
This config works perfectly for everybody (anonymous & users) with listing, sending and receiving using our passive ports. Next we tried to enable SSL on vsftpd (we've got the latest SSL-enabled build). We created a vsftpd.pem file and started it up with the following settings:
Code:
# SSL settings
# SSL cert /usr/share/ssl/cert/vsftpd.pem
# Create: openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
OK... so we want users to be able to use SSL, but don't oblige them yet. When we try to connect using SSL (tested with several FTP clients such as FlashFXP, SmartFTP, ...) we always get the following:
Quote:
Resolving host name domain.be...
Connecting to (domain.be) -> IP: 193.190.x.x PORT: 21
Connected to (domain.be) -> Time = 20ms
Socket connected waiting for login sequence.
220 Welcome to our ftp server.
AUTH TLS
234 Proceed with negotiation.
Connected. Exchanging encryption keys...
Session Cipher: 168 bit 3DES
SSL encrypted session established.
PBSZ 0
200 PBSZ set to 0.
USER xxxxxxx
331 Please specify the password.
PASS (hidden)
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
211 End
PWD
257 "/"
TYPE A
200 Switching to ASCII mode.
PROT P
200 PROT now Private.
PASV
227 Entering Passive Mode (193,190,x,x,8,69)
LIST -aL
Opening data connection IP: 193,190,x,x,8,69 PORT: 2117.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Connection closed. Server timeout.
425 Failed to establish connection.
NOOP
200 NOOP ok.
As passive works perfectly without SSL, this could be an SSL-related bug, or does anyone have another solution?
12-05-2004, 11:35 PM
#2
LQ Newbie
Registered: Dec 2004
Posts: 6
Rep:
Exactly the same thing!
Hello,
I got exactly the same.
I'm running Gentoo
pam-0.77-r1
vsftpd-2.0.1
openssl-0.9.7d-r1
Does someone have a clue?
Thanks!
01-04-2005, 04:22 AM
#3
LQ Newbie
Registered: Jan 2005
Distribution: Debian & Suse
Posts: 1
Rep:
PIX cannot inspect FTP traffic when SSL is used
FTP uses a control connection for the login process. The file listing or up-/download request is also sent on the control connection. However, for the actual data (listing or file) a new connection is opened (the result of PASV in your log).
The PIX firewall does stateful inspection of FTP traffic, which means it understands the protocol on the control connection. When it sees the PORT directive (result of PASV) it knows that the client will try to open a new connection to the IP address and port specified, and opens the "hole".
When you start using SSL the control connection is encrypted and the PIX (or any other firewall, for that matter) cannot interpret the protocol, and therefore will not let the data connection through.
This problem may exist either on your firewall or on the remote firewall, if there's one in front of the FTP server as well.
I see you have
> pasv_min_port=2101
> pasv_max_port=2149
in your config file.
You could allow connections to these ports for your FTP server in your PIX to make it work. But this means that you open a permanent "hole". This may or may not be a serious issue.
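An added check, not code from the thread, that decodes the 227 reply shown in the first post's log (the line the firewall can no longer read once the control channel is encrypted) and tests it against the pasv_min_port/pasv_max_port range and the public address the firewall forwards. The sample reply fills the masked octets with made-up values, and the expected address is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: decode a vsftpd "227 Entering Passive Mode"
# reply and check it against the server's pasv_* settings. The sample reply is
# constructed from the log in post #1; the masked octets are filled in with
# made-up values.
PASV_MIN=2101
PASV_MAX=2149

# Print "host port" from a 227 reply: (h1,h2,h3,h4,p1,p2) -> h1.h2.h3.h4 p1*256+p2,
# so (193,190,1,2,8,69) advertises port 8*256+69 = 2117, as seen in the log.
pasv_endpoint() {
  set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
  [ $# -eq 6 ] || return 1
  echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# 0 when the advertised port lies inside the forwarded range, 1 otherwise.
port_in_range() { [ "$1" -ge "$PASV_MIN" ] && [ "$1" -le "$PASV_MAX" ]; }

# Reports the two things that make a passive listing time out behind NAT:
# the reply advertises an address other than the public one (pasv_address
# missing or stale), or a port outside the forwarded pasv_min/max range.
check_pasv_reply() {
  reply=$1; expected_ip=$2
  ep=$(pasv_endpoint "$reply") || { echo "unparseable 227 reply: $reply"; return 2; }
  host=${ep% *}; port=${ep#* }
  [ "$host" = "$expected_ip" ] || { echo "advertises $host, expected $expected_ip"; return 1; }
  port_in_range "$port" || { echo "port $port outside $PASV_MIN-$PASV_MAX"; return 1; }
  echo "ok: data connection to $host:$port"
}

SAMPLE='227 Entering Passive Mode (193,190,1,2,8,69)'   # constructed sample
check_pasv_reply "$SAMPLE" 193.190.1.2
```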
11-18-2005, 07:15 AM
#4
LQ Newbie
Registered: Nov 2005
Posts: 7
Rep:
solution
Hi,
I've found a solution for this problem but, since I'm not very familiar with Linux, I need some help.
Here's how you get vsftpd + ssl + passive to work:
add the following line to your vsftpd.conf:
Code:
pasv_address=writedownyourstaticiphere
The main problem is that most of you don't have a static IP, but use a dyndns service such as dyndns.org.
The problem is that you can't do this:
Code:
pasv_address=mike123.dyndns.org
because vsftpd cannot resolve the DNS name to a real IP.
There are two solutions:
1. Somebody makes vsftpd work with DNS names, so that vsftpd can resolve the address. I have no clue how to do this, but maybe there are some Linux gurus or programmers out there to change the vsftpd sources. I hope so, because most Windows FTP servers can resolve DNS names.
2. That's the solution I'm working on:
Automatically resolve the dyndns name, let's say every 15 minutes, and write it down to the vsftpd.conf.
Here's how it works:
- type nslookup mike123.dyndns.org
- filter the IP address and send the command-line output to vsftpd.conf
But I'm not very familiar with Linux yet, so I need someone to write a script that does this.
Hope someone can work it out!
11-18-2005, 12:18 PM
#5
LQ Newbie
Registered: Nov 2005
Posts: 7
Rep:
So people, here's the solution:
1. Go to /etc and create a file called getmyip.sh
and write the following code in getmyip.sh:
Code:
#!/bin/bash
# Drop everything from line 64 (the old pasv_address line) to the end of the file
sed -e '64,$D' /etc/vsftpd.conf > /etc/tempfile
mv /etc/tempfile /etc/vsftpd.conf
# Resolve the dyndns name and append the address as a fresh pasv_address line
echo pasv_address=`dig youradress.dyndns.org | sed -n '/ANSWER SECTION/{n;p;}' | awk '{print $NF}'` >> /etc/vsftpd.conf
2. Open your /etc/vsftpd.conf. Now a very important thing: go to the last line of your vsftpd.conf and create a new last line called
Remember the number of the last line; in my case the last line is 64.
3. Change the line number in your /etc/getmyip.sh. Just enter your last line number instead of mine (64).
4. Make a cronjob. Go to /etc and open your crontab.
Create a new line with the following code:
Code:
*/15 * * * * root /etc/getmyip.sh
That means the script will be executed every 15 minutes.
Hope someone can use it!
08-03-2006, 03:19 PM
#6
LQ Newbie
Registered: Aug 2006
Posts: 1
Rep:
Well..
Even after adding pasv_address=xxx.xxx.xxx.xxx, I'm still having the same problem.
Has anyone really got it working?
Thanx
07-01-2007, 12:27 PM
#7
LQ Newbie
Registered: Feb 2005
Posts: 16
Rep:
For the dig command:
Code:
dig +short your_site.dyndns.org
or, more precisely:
Code:
echo pasv_address=`dig +short your_site.dyndns.org`>>/etc/tempfileftp
Last edited by louisgag; 07-01-2007 at 01:22 PM.
05-16-2008, 09:02 PM
#8
LQ Newbie
Registered: May 2008
Posts: 3
Rep:
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have my vsftpd server running with SSL behind a firewall with NAT and I can connect to it in passive mode.
Works fine.
05-18-2008, 04:59 AM
#9
LQ Newbie
Registered: May 2008
Posts: 3
Rep:
Damn. It's not as easy as I thought. It seems that after a reconnect of the router (which gives me a new IP address), vsftpd doesn't resolve the hostname again.
Quote:
Originally Posted by Kobi007
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have my vsftpd server running with SSL behind a firewall with NAT and I can connect to it in passive mode.
Works fine.
05-21-2009, 02:34 AM
#10
LQ Newbie
Registered: Oct 2006
Location: Chicago, IL
Distribution: SUSE 10.1
Posts: 14
Rep:
I had the same problem. Make sure to open the passive ports in the firewall. Once I did that it works fine.
Last edited by fishstick; 05-21-2009 at 02:36 AM.
01-12-2010, 09:42 AM
#11
LQ Newbie
Registered: Mar 2009
Location: Milwaukee, WI
Distribution: Slackware 13
Posts: 22
Rep:
I am having this same problem. I have:
Code:
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=41000
pasv_max_port=41020
pasv_address=$MYIP
I can get in behind the firewall fine. Once I hit the firewall it logs me in and connects but does not return the file listing. It times out. I have forwarded ports 20 and 21 and the min-max range all to the FTP server. Why the heck is this not working?
It seems to me that vsftpd is not using the min-max ports at all. Does anyone have any ideas?
06-07-2010, 11:49 AM
#12
LQ Newbie
Registered: Jun 2010
Location: Slovakia, Bratislava
Distribution: Gentoo
Posts: 9
Rep:
Worked for me
Hi there,
I had exactly the same problem. I just added these lines to vsftpd.conf:
Code:
pasv_addr_resolve=NO
pasv_address=YOUR.STATIC.IP.ADDRESS
Replace YOUR.STATIC.IP.ADDRESS with your static IP address.
06-08-2010, 10:06 AM
#13
LQ Newbie
Registered: Mar 2009
Location: Milwaukee, WI
Distribution: Slackware 13
Posts: 22
Rep:
That worked! thanks dashko!
07-08-2010, 09:03 PM
#14
LQ Newbie
Registered: Jul 2010
Posts: 2
Rep:
Quote:
Originally Posted by Kobi007
Damn. It's not as easy as I thought. It seems that after a reconnect of the router (which gives me a new IP address), vsftpd doesn't resolve the hostname again.
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's still there.. >_<
ps: hope my English is understandable.
pps: another quickly and easily configurable FTP daemon? I hope I'm not gonna leave vsftpd, after getting so confident with its configuration.
edit: I think I'll try to make a script which restarts the daemon ONLY if the IP address has changed. It might be the easiest way. What do you think about it?
<--->
Giacomo
Last edited by sbrot; 07-08-2010 at 09:19 PM.
Reason: idea!
07-09-2010, 05:25 AM
#15
LQ Newbie
Registered: May 2008
Posts: 3
Rep:
Quote:
Originally Posted by sbrot
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's still there.. >_<
ps: hope my English is understandable.
pps: another quickly and easily configurable FTP daemon? I hope I'm not gonna leave vsftpd, after getting so confident with its configuration.
edit: I think I'll try to make a script which restarts the daemon ONLY if the IP address has changed. It might be the easiest way. What do you think about it?
<--->
Giacomo
Hi Giacomo,
I also thought of such a script. I think it would be a good idea. It could run as a cronjob every minute and check the IP address. If it has changed, it could restart the daemon. Obviously it has to store the current IP address in a file, so that it can compare it.
Greets
Kobi
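The change-detecting script Giacomo and Kobi describe, as an added example that is neither poster's code and not part of the thread; it builds on the dig +short command from post #7 and the pasv_address rewrite from post #5. The config path, state file, hostname and restart command are placeholders for your own system.

```shell
#!/bin/sh
# Added example (not the posters' script): re-resolve the dyndns name and, only
# when the address changed, rewrite pasv_address in vsftpd.conf and restart
# vsftpd. CONF, STATE, NAME and RESTART are placeholders for your own setup.
CONF="${CONF:-/etc/vsftpd.conf}"
STATE="${STATE:-/var/lib/vsftpd/pasv_ip}"      # last address written to CONF
NAME="${NAME:-your_site.dyndns.org}"
RESTART="${RESTART:-/etc/init.d/vsftpd restart}"

# Accept only a dotted quad. The DNS answer is untrusted input; a CNAME, an
# error string or an empty reply must never end up in the daemon's config.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# First A record that dig +short returns, validated before use.
resolve_ip() {
  dig +short "$1" | while read -r a; do
    if is_ipv4 "$a"; then echo "$a"; break; fi
  done
}

# Replace an existing pasv_address line (or append one) via a temp file, so a
# half-written config is never left in place if the script is interrupted.
set_pasv_address() {
  conf=$1; ip=$2
  { grep -v '^pasv_address=' "$conf"; echo "pasv_address=$ip"; } > "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
}

# Return 0 (config updated) only when the address differs from the stored one;
# 1 when unchanged, 2 when the candidate is not a valid address.
update_if_changed() {
  ip=$1; state=$2; conf=$3
  is_ipv4 "$ip" || return 2
  old=$(cat "$state" 2>/dev/null || true)
  [ "$ip" = "$old" ] && return 1
  set_pasv_address "$conf" "$ip" && printf '%s\n' "$ip" > "$state"
}

# Cron entry, e.g.:  */5 * * * * root /usr/local/sbin/pasv_update.sh --run
if [ "$1" = "--run" ]; then
  ip=$(resolve_ip "$NAME")
  [ -n "$ip" ] || { echo "could not resolve $NAME" >&2; exit 1; }
  if update_if_changed "$ip" "$STATE" "$CONF"; then $RESTART; fi
fi
```

The daemon is restarted only on a real change, so a reconnect that keeps the same address leaves running transfers alone.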