Need help with VSFTP server - Networking

Thread: Need help with VSFTP server

  1. Need help with VSFTP server

    I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
    20-21 to the box. It works fine when FTPing from a shell (although the
    password authentication takes a long time) but not from an FTP GUI
    client. I first tried it from a Windows client (WinSCP) but it failed
    with a timeout error. I then tried it from gFTP which gave me the error
    message when I accessed via the Internet (local access worked)

    425 Security: Bad IP connecting.

    Are there some additional ports that I need to port forward?

    Here is my vsftp.conf file,

    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/vsftpd.log
    #
    # If you want, you can have your log file in standard ftpd xferlog format
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    idle_session_timeout=1000
    #
    # You may change the default value for timing out a data connection.
    data_connection_timeout=1000
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that turning on ascii_download_enable enables malicious remote parties
    # to consume your I/O resources, by issuing the command "SIZE /big/file" in
    # ASCII mode.
    # These ASCII options are split into upload and download because you may wish
    # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
    # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
    # on the client anyway..
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    ftpd_banner=Welcome to Saratoga
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_local_user=YES
    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsftpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES

    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_deny=NO
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES

    pasv_max_port=1024
    pasv_min_port=2047



  2. Re: Need help with VSFTP server

    General Schvantzkoph wrote:
    > I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
    > 20-21 to the box. It works fine when FTPing from a shell (although the
    > password authentication takes a long time) but not from an FTP GUI
    > client. I first tried it from a Windows client (WinSCP) but it failed
    > with a timeout error. I then tried it from gFTP which gave me the error
    > message when I accessed via the Internet (local access worked)
    >
    > 425 Security: Bad IP connecting.
    >
    > Are there some additional ports that I need to port forward?
    >
    > Here is my vsftp.conf file,
    >
    > [snip]


    The problem is passive vs. active transfers. FTP uses two ports.

    Port 21 on the server is the control channel. You forwarded that fine.

    In active mode, port 20 on the server is the data channel. The server
    initiates connections from port 20. You don't have to forward packets
    to port 20, assuming whatever you've got forwarding packets knows about
    ftp. The Windows command line ftp uses active mode.

    In passive mode, the client initiates the data channel from a random
    high port to a random high port on the server. The server tells the
    client which high port to use on the server. You'd have to forward
    every high port if whatever you've got forwarding packets doesn't know
    how to deal with ftp. Most clients that are not the Windows command
    line client use passive mode.

    If you're using a Linux box and netfilter to do the port forwarding,
    make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
    nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
    modules loaded.

    If you're not using netfilter to do the port forwarding, then you'll
    have to read up on ftp support in whatever you've got forwarding packets.
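    The two failure points described above can be checked mechanically. This is an added example, not code from the thread or from vsftpd: it parses the passive-port settings as posted (where pasv_min_port, 2047, is above pasv_max_port, 1024) and parses a vsftpd "227 Entering Passive Mode" reply to check whether the advertised address and port are reachable through the router's forwarded range. The PASV reply, peer addresses and forwarded range are constructed sample values.

    ```python
    import re

    # Constructed sample: the passive-port lines as they appear in the posted
    # vsftpd.conf (note the bounds are inverted).
    POSTED_CONF = "listen=YES\npasv_max_port=1024\npasv_min_port=2047\n"

    PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

    def parse_vsftpd_conf(text):
        """Return {key: value} from 'key=value' lines; comments and blanks skipped."""
        settings = {}
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
        return settings

    def check_config(settings):
        """Return problems with the passive range (a bound of 0 means 'any port')."""
        lo = int(settings.get("pasv_min_port", "0"))
        hi = int(settings.get("pasv_max_port", "0"))
        problems = []
        if lo and hi and lo > hi:
            problems.append(f"pasv_min_port {lo} > pasv_max_port {hi}: no port satisfies both")
        return problems

    def parse_pasv_reply(reply):
        """Return (ip, port) advertised by a '227 Entering Passive Mode' reply."""
        m = PASV_RE.search(reply)
        if not m:
            raise ValueError(f"not a PASV reply: {reply!r}")
        h = m.groups()
        return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

    def check_pasv_reply(reply, control_peer_ip, forwarded):
        """Return what a client following this reply through NAT would hit.
        control_peer_ip is the address dialled on port 21; forwarded is the
        inclusive (low, high) TCP range the router forwards to the server."""
        ip, port = parse_pasv_reply(reply)
        problems = []
        if ip != control_peer_ip:
            # Without an FTP-aware NAT helper the server advertises its private
            # address, so the data connection goes to the wrong host entirely.
            problems.append(f"advertised {ip} but control connection is to {control_peer_ip}")
        if not forwarded[0] <= port <= forwarded[1]:
            problems.append(f"port {port} outside forwarded range {forwarded[0]}-{forwarded[1]}")
        return problems
    ```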

  3. Re: Need help with VSFTP server

    On Thu, 06 Nov 2008 10:03:54 -0600, Allen Kistler wrote:

    > General Schvantzkoph wrote:
    >> I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
    >> 20-21 to the box. It works fine when FTPing from a shell (although the
    >> password authentication takes a long time) but not from an FTP GUI
    >> client. I first tried it from a Windows client (WinSCP) but it failed
    >> with a timeout error. I then tried it from gFTP which gave me the error
    >> message when I accessed via the Internet (local access worked)
    >>
    >> 425 Security: Bad IP connecting.
    >>
    >> Are there some additional ports that I need to port forward?
    >>
    >> Here is my vsftp.conf file,
    >>
    >> [snip]

    >
    > The problem is passive vs. active transfers. FTP uses two ports.
    >
    > Port 21 on the server is the control channel. You forwarded that fine.
    >
    > In active mode, port 20 on the server is the data channel. The server
    > initiates connections from port 20. You don't have to forward packets
    > to port 20, assuming whatever you've got forwarding packets knows about
    > ftp. The Windows command line ftp uses active mode.
    >
    > In passive mode, the client initiates the data channel from a random
    > high port to a random high port on the server. The server tells the
    > client which high port to use on the server. You'd have to forward
    > every high port if whatever you've got forwarding packets doesn't know
    > how to deal with ftp. Most clients that are not the Windows command
    > line client use passive mode.
    >
    > If you're using a Linux box and netfilter to do the port forwarding,
    > make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
    > nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
    > modules loaded.
    >
    > If you're not using netfilter to do the port forwarding, then you'll
    > have to read up on ftp support in whatever you've got forwarding
    > packets.


    I'm using a Dlink router. I've tried port forwarding 1024-65535 to the
    server box, that didn't do it. In gFTP I was able to disable passive mode
    and that made it work, however it seems to be harder to do for Windows
    Clients, most of which are pretty crappy compared to gFTP. I couldn't get
    WinSCP or Filezilla to work however I was able to get CoreFTP to work, it
    has the ability to limit the port range and it has a means of disabling
    passive mode that seems to work.

  4. Re: Need help with VSFTP server

    General Schvantzkoph wrote:
    > On Thu, 06 Nov 2008 10:03:54 -0600, Allen Kistler wrote:
    >
    >> General Schvantzkoph wrote:
    >>> I've installed vsftp on a CentOS 5.2 box and I've port forwarded ports
    >>> 20-21 to the box. It works fine when FTPing from a shell (although the
    >>> password authentication takes a long time) but not from an FTP GUI
    >>> client. I first tried it from a Windows client (WinSCP) but it failed
    >>> with a timeout error. I then tried it from gFTP which gave me the error
    >>> message when I accessed via the Internet (local access worked)
    >>>
    >>> 425 Security: Bad IP connecting.
    >>>
    >>> Are there some additional ports that I need to port forward?
    >>>
    >>> Here is my vsftp.conf file,
    >>>
    >>> [snip]

    >> The problem is passive vs. active transfers. FTP uses two ports.
    >>
    >> Port 21 on the server is the control channel. You forwarded that fine.
    >>
    >> In active mode, port 20 on the server is the data channel. The server
    >> initiates connections from port 20. You don't have to forward packets
    >> to port 20, assuming whatever you've got forwarding packets knows about
    >> ftp. The Windows command line ftp uses active mode.
    >>
    >> In passive mode, the client initiates the data channel from a random
    >> high port to a random high port on the server. The server tells the
    >> client which high port to use on the server. You'd have to forward
    >> every high port if whatever you've got forwarding packets doesn't know
    >> how to deal with ftp. Most clients that are not the Windows command
    >> line client use passive mode.
    >>
    >> If you're using a Linux box and netfilter to do the port forwarding,
    >> make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
    >> nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
    >> modules loaded.
    >>
    >> If you're not using netfilter to do the port forwarding, then you'll
    >> have to read up on ftp support in whatever you've got forwarding
    >> packets.

    >
    > I'm using a Dlink router. I've tried port forwarding 1024-65535 to the
    > server box, that didn't do it. In gFTP I was able to disable passive mode
    > and that made it work, however it seems to be harder to do for Windows
    > Clients, most of which are pretty crappy compared to gFTP. I couldn't get
    > WinSCP or Filezilla to work however I was able to get CoreFTP to work, it
    > has the ability to limit the port range and it has a means of disabling
    > passive mode that seems to work.


    You could probably also put "pasv_enable=NO" in your vsftpd.conf. That
    way at least your server would be less of a tease to clients that wanted
    to try passive. I'm not certain it would fix anything, though.

  5. Re: Need help with VSFTP server

    On Thu, 06 Nov 2008 16:18:00 -0600, Allen Kistler wrote:

    > General Schvantzkoph wrote:
    >> On Thu, 06 Nov 2008 10:03:54 -0600, Allen Kistler wrote:
    >>
    >>> General Schvantzkoph wrote:
    >>>> I've installed vsftp on a CentOS 5.2 box and I've port forwarded
    >>>> ports 20-21 to the box. It works fine when FTPing from a shell
    >>>> (although the password authentication takes a long time) but not from
    >>>> an FTP GUI client. I first tried it from a Windows client (WinSCP)
    >>>> but it failed with a timeout error. I then tried it from gFTP which
    >>>> gave me the error message when I accessed via the Internet (local
    >>>> access worked)
    >>>>
    >>>> 425 Security: Bad IP connecting.
    >>>>
    >>>> Are there some additional ports that I need to port forward?
    >>>>
    >>>> Here is my vsftp.conf file,
    >>>>
    >>>> [snip]
    >>> The problem is passive vs. active transfers. FTP uses two ports.
    >>>
    >>> Port 21 on the server is the control channel. You forwarded that
    >>> fine.
    >>>
    >>> In active mode, port 20 on the server is the data channel. The server
    >>> initiates connections from port 20. You don't have to forward packets
    >>> to port 20, assuming whatever you've got forwarding packets knows
    >>> about ftp. The Windows command line ftp uses active mode.
    >>>
    >>> In passive mode, the client initiates the data channel from a random
    >>> high port to a random high port on the server. The server tells the
    >>> client which high port to use on the server. You'd have to forward
    >>> every high port if whatever you've got forwarding packets doesn't know
    >>> how to deal with ftp. Most clients that are not the Windows command
    >>> line client use passive mode.
    >>>
    >>> If you're using a Linux box and netfilter to do the port forwarding,
    >>> make sure you've got ip_conntrack_ftp and ip_nat_ftp (or
    >>> nf_conntrack_ftp and nf_nat_ftp, depending on your kernel version)
    >>> modules loaded.
    >>>
    >>> If you're not using netfilter to do the port forwarding, then you'll
    >>> have to read up on ftp support in whatever you've got forwarding
    >>> packets.

    >>
    >> I'm using a Dlink router. I've tried port forwarding 1024-65535 to the
    >> server box, that didn't do it. In gFTP I was able to disable passive
    >> mode and that made it work, however it seems to be harder to do for
    >> Windows Clients, most of which are pretty crappy compared to gFTP. I
    >> couldn't get WinSCP or Filezilla to work however I was able to get
    >> CoreFTP to work, it has the ability to limit the port range and it has
    >> a means of disabling passive mode that seems to work.

    >
    > You could probably also put "pasv_enable=NO" in your vsftpd.conf. That
    > way at least your server would be less of a tease to clients that wanted
    > to try passive. I'm not certain it would fix anything, though.


    pasv_enable=NO doesn't seem to have any effect on WinSCP and Filezilla,
    gFTP works even with passive enabled and CoreFTP still works.

  6. Re: Need help with VSFTP server

    set

    pasv_max_port=1024
    pasv_min_port=1024

    and open tcp port 1024 in the firewall

  7. Re: Need help with VSFTP server

    Hey, can you please tell me what IS VSFTP?