Need help with VSFTP server

I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
20-21 to the box. It works fine when FTPing from a shell (although the
password authentication takes a long time) but not from an FTP GUI
client. I first tried it from a Windows client (WinSCP) but it failed
with a timeout error. I then tried it from gFTP which gave be the error
message when I accessed via the Internet (local access worked)

425 Security: Bad IP connecting.

Are there some additional ports that I need to port forward?

Here is my vsftp.conf file,

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd
options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this
out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to
022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This
only
# has an effect if the above global write enable is activated. Also, you
will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is
shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=1000
#
# You may change the default value for timing out a data connection.
data_connection_timeout=1000
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests.
Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact
ignore
# the request. Turn on the below options to have the server actually do
ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote
parties
# to consume your I/O resources, by issuing the command "SIZE /big/file"
in
# ASCII mode.
# These ASCII options are split into upload and download because you may
wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from
breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should
be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to Saratoga
#
# You may specify a file of disallowed anonymous e-mail addresses.
Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their
home
# directory. If chroot_local_user is YES, then this list becomes a list of
chroot_local_user=YES
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror"
assume
# the presence of the "-R" option, so there is a strong case for enabling
it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
#enable for standalone mode
listen=YES
tcp_wrappers=YES

pasv_max_port=1024
pasv_min_port=2047

General Schvantzkoph wrote:
> I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
> 20-21 to the box. It works fine when FTPing from a shell (although the
> password authentication takes a long time) but not from an FTP GUI
> client. I first tried it from a Windows client (WinSCP) but it failed
> with a timeout error. I then tried it from gFTP which gave be the error
> message when I accessed via the Internet (local access worked)
>
> 425 Security: Bad IP connecting.
>
> Are there some additional ports that I need to port forward?
>
> Here is my vsftp.conf file,
>
> [snip]

The problem is passive vs. active transfers. FTP uses two ports.

Port 21 on the server is the control channel. You forwarded that fine.

In active mode, port 20 on the server is the data channel. The server
initiates connections from port 20. You don't have to forward packets
to port 20, assuming whatever you've got forwarding packets knows about
ftp. The Windows command line ftp uses active mode.

In passive mode, the client initiates the data channel from a random
high port to a random high port on the server. The server tells the
client which high port to use on the server. You'd have to forward
every high port if whatever you've got forwarding packets doesn't know
how to deal with ftp. Most clients that are not the Windows command
line client use passive mode.

If you're using a Linux box and netfilter to do the port forwarding,
make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
modules loaded.

If you're not using netfilter to do the port forwarding, then you'll
have to read up on ftp support in whatever you've got forwarding packets.

On Thu, 06 Nov 2008 10:03:54 -0600, Allen Kistler wrote:

> General Schvantzkoph wrote:
>> I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
>> 20-21 to the box. It works fine when FTPing from a shell (although the
>> password authentication takes a long time) but not from an FTP GUI
>> client. I first tried it from a Windows client (WinSCP) but it failed
>> with a timeout error. I then tried it from gFTP which gave be the error
>> message when I accessed via the Internet (local access worked)
>>
>> 425 Security: Bad IP connecting.
>>
>> Are there some additional ports that I need to port forward?
>>
>> Here is my vsftp.conf file,
>>
>> [snip]
>
> The problem is passive vs. active transfers. FTP uses two ports.
>
> Port 21 on the server is the control channel. You forwarded that fine.
>
> In active mode, port 20 on the server is the data channel. The server
> initiates connections from port 20. You don't have to forward packets
> to port 20, assuming whatever you've got forwarding packets knows about
> ftp. The Windows command line ftp uses active mode.
>
> In passive mode, the client initiates the data channel from a random
> high port to a random high port on the server. The server tells the
> client which high port to use on the server. You'd have to forward
> every high port if whatever you've got forwarding packets doesn't know
> how to deal with ftp. Most clients that are not the Windows command
> line client use passive mode.
>
> If you're using a Linux box and netfilter to do the port forwarding,
> make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
> nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
> modules loaded.
>
> If you're not using netfilter to do the port forwarding, then you'll
> have to read up on ftp support in whatever you've got forwarding
> packets.

I'm using a Dlink router. I've tried port forwarding 1024-65535 to the
server box, that didn't do it. In gFTP I was able to disable passive mode
and that mad it work, however it seems to be harder to do for Windows
Clients, most of which are pretty crappy compared to gFTP. I couldn't get
WinSCP or Filezilla to work however I was able to get CoreFTP to work, it
has the ability to limit the port range and it has a means of disabling
passive mode that seems to work.

General Schvantzkoph wrote:
> On Thu, 06 Nov 2008 10:03:54 -0600, Allen Kistler wrote:
>
>> General Schvantzkoph wrote:
>>> I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
>>> 20-21 to the box. It works fine when FTPing from a shell (although the
>>> password authentication takes a long time) but not from an FTP GUI
>>> client. I first tried it from a Windows client (WinSCP) but it failed
>>> with a timeout error. I then tried it from gFTP which gave be the error
>>> message when I accessed via the Internet (local access worked)
>>>
>>> 425 Security: Bad IP connecting.
>>>
>>> Are there some additional ports that I need to port forward?
>>>
>>> Here is my vsftp.conf file,
>>>
>>> [snip]
>> The problem is passive vs. active transfers. FTP uses two ports.
>>
>> Port 21 on the server is the control channel. You forwarded that fine.
>>
>> In active mode, port 20 on the server is the data channel. The server
>> initiates connections from port 20. You don't have to forward packets
>> to port 20, assuming whatever you've got forwarding packets knows about
>> ftp. The Windows command line ftp uses active mode.
>>
>> In passive mode, the client initiates the data channel from a random
>> high port to a random high port on the server. The server tells the
>> client which high port to use on the server. You'd have to forward
>> every high port if whatever you've got forwarding packets doesn't know
>> how to deal with ftp. Most clients that are not the Windows command
>> line client use passive mode.
>>
>> If you're using a Linux box and netfilter to do the port forwarding,
>> make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
>> nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
>> modules loaded.
>>
>> If you're not using netfilter to do the port forwarding, then you'll
>> have to read up on ftp support in whatever you've got forwarding
>> packets.
>
> I'm using a Dlink router. I've tried port forwarding 1024-65535 to the
> server box, that didn't do it. In gFTP I was able to disable passive mode
> and that mad it work, however it seems to be harder to do for Windows
> Clients, most of which are pretty crappy compared to gFTP. I couldn't get
> WinSCP or Filezilla to work however I was able to get CoreFTP to work, it
> has the ability to limit the port range and it has a means of disabling
> passive mode that seems to work.

You could probably also put "pasv_enable=NO" in your vsftpd.conf. That
way at least your server would be less of a tease to clients that wanted
to try passive. I'm not certain it would fix anything, though.

On Thu, 06 Nov 2008 16:18:00 -0600, Allen Kistler wrote:

> General Schvantzkoph wrote:
>> On Thu, 06 Nov 2008 10:03:54 -0600, Allen Kistler wrote:
>>
>>> General Schvantzkoph wrote:
>>>> I've installed vsftp on a CentOS 5.2 box and I've port forwarded
>>>> ports 20-21 to the box. It works fine when FTPing from a shell
>>>> (although the password authentication takes a long time) but not from
>>>> an FTP GUI client. I first tried it from a Windows client (WinSCP)
>>>> but it failed with a timeout error. I then tried it from gFTP which
>>>> gave be the error message when I accessed via the Internet (local
>>>> access worked)
>>>>
>>>> 425 Security: Bad IP connecting.
>>>>
>>>> Are there some additional ports that I need to port forward?
>>>>
>>>> Here is my vsftp.conf file,
>>>>
>>>> [snip]
>>> The problem is passive vs. active transfers. FTP uses two ports.
>>>
>>> Port 21 on the server is the control channel. You forwarded that
>>> fine.
>>>
>>> In active mode, port 20 on the server is the data channel. The server
>>> initiates connections from port 20. You don't have to forward packets
>>> to port 20, assuming whatever you've got forwarding packets knows
>>> about ftp. The Windows command line ftp uses active mode.
>>>
>>> In passive mode, the client initiates the data channel from a random
>>> high port to a random high port on the server. The server tells the
>>> client which high port to use on the server. You'd have to forward
>>> every high port if whatever you've got forwarding packets doesn't know
>>> how to deal with ftp. Most clients that are not the Windows command
>>> line client use passive mode.
>>>
>>> If you're using a Linux box and netfilter to do the port forwarding,
>>> make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
>>> nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
>>> modules loaded.
>>>
>>> If you're not using netfilter to do the port forwarding, then you'll
>>> have to read up on ftp support in whatever you've got forwarding
>>> packets.
>>
>> I'm using a Dlink router. I've tried port forwarding 1024-65535 to the
>> server box, that didn't do it. In gFTP I was able to disable passive
>> mode and that mad it work, however it seems to be harder to do for
>> Windows Clients, most of which are pretty crappy compared to gFTP. I
>> couldn't get WinSCP or Filezilla to work however I was able to get
>> CoreFTP to work, it has the ability to limit the port range and it has
>> a means of disabling passive mode that seems to work.
>
> You could probably also put "pasv_enable=NO" in your vsftpd.conf. That
> way at least your server would be less of a tease to clients that wanted
> to try passive. I'm not certain it would fix anything, though.

pasv_enable=NO doesn't seem to have any effect on WinSCP and Filezilla,
gFTP works even with passive enabled and CoreFTP still works.