Need help with VSFTP server

Discussion in 'Linux Networking' started by General Schvantzkoph, Nov 6, 2008.

  1. I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
    20-21 to the box. It works fine when FTPing from a shell (although the
    password authentication takes a long time) but not from an FTP GUI
    client. I first tried it from a Windows client (WinSCP) but it failed
    with a timeout error. I then tried it from gFTP, which gave me the error
    message when I accessed via the Internet (local access worked):

    425 Security: Bad IP connecting.

    Are there some additional ports that I need to port forward?

    Here is my vsftpd.conf file:

    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/vsftpd.log
    #
    # If you want, you can have your log file in standard ftpd xferlog format
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    idle_session_timeout=1000
    #
    # You may change the default value for timing out a data connection.
    data_connection_timeout=1000
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that turning on ascii_download_enable enables malicious remote parties
    # to consume your I/O resources, by issuing the command "SIZE /big/file" in
    # ASCII mode.
    # These ASCII options are split into upload and download because you may wish
    # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
    # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
    # on the client anyway..
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    ftpd_banner=Welcome to Saratoga
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_local_user=YES
    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsftpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES

    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_deny=NO
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES

    pasv_max_port=1024
    pasv_min_port=2047
     
    General Schvantzkoph, Nov 6, 2008
    #1

  2. The problem is passive vs. active transfers. FTP uses two ports.

    Port 21 on the server is the control channel. You forwarded that fine.

    In active mode, port 20 on the server is the data channel. The server
    initiates connections from port 20. You don't have to forward packets
    to port 20, assuming whatever you've got forwarding packets knows about
    ftp. The Windows command line ftp uses active mode.

    In passive mode, the client initiates the data channel from a random
    high port to a random high port on the server. The server tells the
    client which high port to use on the server. You'd have to forward
    every high port if whatever you've got forwarding packets doesn't know
    how to deal with ftp. Most clients that are not the Windows command
    line client use passive mode.

    If you're using a Linux box and netfilter to do the port forwarding,
    make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
    nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
    modules loaded.

    If you're not using netfilter to do the port forwarding, then you'll
    have to read up on ftp support in whatever you've got forwarding packets.
     
    Allen Kistler, Nov 6, 2008
    #2
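    As an added example (not code from the thread), here is a small Python helper that shows what the reply above describes: decoding the 227 reply in which the server names the high port for a passive transfer, and checking the pasv_min_port/pasv_max_port range from a vsftpd.conf against the port range a router forwards. The sample config lines, the forwarded range and the 227 reply are constructed; the check on a NAT'd server advertising its LAN address is an extra diagnostic beyond what the post states.

```python
import ipaddress
import re

# Constructed sample: the passive-range lines as they appear in the posted config.
SAMPLE_CONF = "pasv_max_port=1024\npasv_min_port=2047\nlisten=YES\n"

def parse_vsftpd_conf(text):
    """Parse key=value lines of a vsftpd.conf; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def passive_range_problems(conf, forwarded):
    """Compare the passive port range with the (low, high) range the router forwards."""
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo == 0 and hi == 0:
        return ["no pasv_min_port/pasv_max_port set: vsftpd may pick any high "
                "port, so the router would have to forward every high port"]
    problems = []
    if lo > hi:
        problems.append("pasv_min_port > pasv_max_port: the bounds look swapped")
        lo, hi = hi, lo
    fwd_lo, fwd_hi = forwarded
    if lo < fwd_lo or hi > fwd_hi:
        problems.append(f"passive range {lo}-{hi} is not inside forwarded range {fwd_lo}-{fwd_hi}")
    return problems

def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: " + reply)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

def pasv_diagnosis(reply, control_peer, conf, forwarded):
    """Explain why a client's passive data connection to this server may fail."""
    ip, port = parse_pasv_reply(reply)
    notes = passive_range_problems(conf, forwarded)
    if ip != control_peer and ipaddress.ip_address(ip).is_private:
        notes.append(f"server advertises its LAN address {ip} instead of {control_peer}: "
                     "it is behind NAT and the client cannot reach that address")
    if not forwarded[0] <= port <= forwarded[1]:
        notes.append(f"advertised data port {port} is outside the forwarded range")
    return notes
```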

  3. I'm using a D-Link router. I've tried port forwarding 1024-65535 to the
    server box, but that didn't do it. In gFTP I was able to disable passive mode
    and that made it work; however, it seems to be harder to do for Windows
    clients, most of which are pretty crappy compared to gFTP. I couldn't get
    WinSCP or FileZilla to work. However, I was able to get CoreFTP to work: it
    has the ability to limit the port range and it has a means of disabling
    passive mode that seems to work.
     
    General Schvantzkoph, Nov 6, 2008
    #3
  4. You could probably also put "pasv_enable=NO" in your vsftpd.conf. That
    way at least your server would be less of a tease to clients that wanted
    to try passive. I'm not certain it would fix anything, though.
     
    Allen Kistler, Nov 6, 2008
    #4
  5. pasv_enable=NO doesn't seem to have any effect on WinSCP and FileZilla;
    gFTP works even with passive enabled, and CoreFTP still works.
     
    General Schvantzkoph, Nov 7, 2008
    #5