Nov 22, 2009

Problems With VS-FTPD Under FC4

miCRoSCoPiC^eaRthLinG
Hey guys,
    I just reinstalled my server with FC4. VSFTPD is enabled on it. When I try to connect to it from my windows system using FileZilla - it connects fine, i.e. VSFTPD accepts the login/pass and shows the welcome message too. Then comes the problem - when it issues a LIST command and tries to show me the default directory it gets stuck for a good while and then times out. This is happening for ANY and EVERY directory. At first I thought it must be something to do with the chmodding - so I tried all the modes +777, +755 etc.. but to no avail. Same result in all cases. Can someone point out where I'm going wrong?

Here's my vsftpd.conf:
CODE

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to ABCD Co. FTP Services.

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES



Here's a typical FileZilla session:
QUOTE

Status: Connecting to 10.19.168.5 ...
Status: Connected with x.x.x.x. Waiting for welcome message...
Response: 220 Welcome to ABCD Co. FTP Services.
Command: USER abcd
Response: 331 Please specify the password.
Command: PASS *********
Response: 230 Login successful.
Command: FEAT
Response: 211-Features:
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: 211 End
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/abcd"
Command: TYPE A
Response: 200 Switching to ASCII mode.
Command: PASV
Response: 227 Entering Passive Mode (10,19,168,5,207,58)
Command: LIST
Error: Timeout detected!
Error: Could not retrieve directory listing


This is getting too irritating I swear. I tried quite a few different ftp clients too. I even used the dos-based ftp client - same problem, except that it can list the files - but cannot upload/write any.

The folder /home/abcd is owned by the user/group abcd. So I don't see why there should be any problem listing/writing to it.

yordan
Just for clarity and completeness.
Please try to connect using FileZilla in "Passive" mode.
This mode is set up inside FileZilla: go to the Sites menu, click your site, then choose "advanced" and choose "passive" mode instead of "active" or "automatic" mode.
Please tell me first if this works.
Then we will have to fix why vsftpd needs passive mode to be manually set.
On some sites I really have to set this mode to passive; on other sites I have seen "automatic" automatically switch to passive when asked by the remote host.
Regards
Yordan


miCRoSCoPiC^eaRthLinG
This is really funny - FileZilla was in Passive mode all this while. I went to the Advanced as you said and found it to be in passive itself. Just for the heck of it, I set it to Active and gave it a shot. And IT LISTED THE DIRECTORY !!!! I tried all three options there - i.e., Active, Passive and Default. Out of these only Active is working.

Well - that's one problem done.

Now to the second one - even though I can see the directory listing now - I still cannot write anything to it. Files pre-existing in the dir can be downloaded - but nothing uploaded to it !! When I attempt to upload - the file gets stuck in the queue with a message saying - Critical Transfer Error - and that's about it. Any bright ideas?

For your reference, here's the new FileZilla log, after I switched it to Active:
QUOTE

Status: Connecting to 10.19.168.5 ...
Status: Connected with 10.19.168.5. Waiting for welcome message...
Response: 220 Welcome to ABCD Services.
Command: USER abcd
Response: 331 Please specify the password.
Command: PASS *********
Response: 230 Login successful.
Command: FEAT
Response: 211-Features:
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: 211 End
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/abcd"
Command: TYPE A
Response: 200 Switching to ASCII mode.
Command: PORT 10,19,168,50,15,76
Response: 200 PORT command successful. Consider using PASV.
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing successful



Log of when I try to upload:
QUOTE

Status: Starting upload of C:\Temp\test.txt
Command: TYPE A
Response: 200 Switching to ASCII mode.
Command: PORT 10,19,168,50,15,110
Response: 200 PORT command successful. Consider using PASV.
Command: STOR test.txt
Response: 553 Could not create file.
Error: Upload failed
Status: Retrieving directory listing...
Command: TYPE A
Response: 200 Switching to ASCII mode.
Command: PORT 10,19,168,50,15,111
Response: 200 PORT command successful. Consider using PASV.
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing successful

yordan
What are your directory settings?
From the logs it seems that the guy doing the ftp (the one who gives his username and password) is not the owner of the filesystem, while the filesystem's umask is 022.
Simply, if the guy who wants to perform the ftp is georges, just try "chown -R georges ." (don't forget the "."!)


evought
QUOTE(miCRoSCoPiC^eaRthLinG @ Mar 28 2006, 12:20 AM) *

Hey guys,
    I just reinstalled my server with FC4. VSFTPD is enabled on it. When I try to connect to it from my windows system using FileZilla - it connects fine, i.e. VSFTPD accepts the login/pass and shows the welcome message too. Then comes the problem - when it issues a LIST command and tries to show me the default directory it gets stuck for a good while and then times out. This is happening for ANY and EVERY directory. At first I thought it must be something to do with the chmodding - so I tried all the modes +777, +755 etc.. but no avail. Same result in all cases. Can someone point out where I'm going wrong ?

<snip>



Ha Ha Ha. Funny thing is, I have seen this before. It took me weeks to figure this out. Do you have any kind of firewall in between you and your server (it can even be a built in windows or linux firewall)?

If so, it is a problem with either your FTP passive ports setting or your firewall, or both.

When a client connects passively, it uses a transient port requested by the server. This line tells you what the port is:

Response: 227 Entering Passive Mode (10,19,168,5,207,58)

A firewall is blocking this connection. You need to reconfigure your server to request different ports or your firewall(s) to accept different ports, preferably both. See an earlier post of mine with more complete discussion (http://findspforums.com/showpost.php?p=80204&postcount=3). This was for ProFTPd, but the principle is exactly the same.
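The arithmetic behind that 227 line, as an added Python example that is not part of this thread and not vsftpd's own code: it decodes the h1,h2,h3,h4,p1,p2 tuple carried by both a PASV reply and a PORT command into the data-connection endpoint, states which side has to open the connection (and so which firewall must allow it), and checks an advertised passive port against the range you would fix in vsftpd.conf with the real pasv_min_port/pasv_max_port options so the firewall can open exactly that range. The PASV and PORT lines are copied from the FileZilla logs quoted in this thread; the range 50000-50100 and the addresses passed to data_connection are assumed example values.

```python
import re

# Sample lines, taken from the FileZilla logs quoted in this thread.
PASV_REPLY = "Response: 227 Entering Passive Mode (10,19,168,5,207,58)"
PORT_COMMAND = "Command: PORT 10,19,168,50,15,76"

# Assumed example range; vsftpd.conf(5) documents pasv_min_port/pasv_max_port.
PASV_MIN_PORT = 50000
PASV_MAX_PORT = 50100

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_LOG_PREFIX = re.compile(r"^(?:Response|Command):\s*")  # FileZilla log decoration


def parse_endpoint(line):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple into (host, port).

    The client's PORT command and the server's 227 reply use the same
    encoding; the TCP port is p1 * 256 + p2.
    """
    match = _TUPLE.search(line)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def data_connection(line, server_ip, client_ip):
    """Describe the data connection a PASV reply or PORT command sets up.

    Active (PORT): the server connects from port 20 to the client's
    advertised port, so the client-side firewall must accept it inbound.
    Passive (227): the client connects to the server's transient port,
    so the server-side firewall must accept it inbound.
    """
    host, port = parse_endpoint(line)
    text = _LOG_PREFIX.sub("", line.strip())
    if text.startswith("227"):
        return {"mode": "passive", "src": client_ip, "dst": host, "dst_port": port}
    if text.upper().startswith("PORT"):
        return {"mode": "active", "src": server_ip, "src_port": 20,
                "dst": host, "dst_port": port}
    raise ValueError("not a PASV reply or PORT command: %r" % line)


def passive_port_in_range(line, pasv_min_port=PASV_MIN_PORT, pasv_max_port=PASV_MAX_PORT):
    """True when a 227 reply advertises a port inside the configured range.

    A port outside the range means the server hands out arbitrary ephemeral
    ports; only a rule opening the whole ephemeral range (or an FTP
    connection-tracking helper) would then let the LIST data connection in.
    """
    _, port = parse_endpoint(line)
    return pasv_min_port <= port <= pasv_max_port


def pasv_range_conf(pasv_min_port=PASV_MIN_PORT, pasv_max_port=PASV_MAX_PORT):
    """vsftpd.conf lines that pin the passive range to what the firewall opens."""
    return "pasv_enable=YES\npasv_min_port=%d\npasv_max_port=%d\n" % (pasv_min_port, pasv_max_port)


if __name__ == "__main__":
    for line in (PASV_REPLY, PORT_COMMAND):
        print(line, "->", data_connection(line, "10.19.168.5", "10.19.168.50"))
    print("passive port in range:", passive_port_in_range(PASV_REPLY))
    print(pasv_range_conf(), end="")
```

For the log above the advertised passive port is 53050, an ephemeral port no firewall rule for "ftp" would cover, which is why LIST hangs in passive mode and works in active mode (where the server itself originates the data connection from port 20). Pinning the range and opening only that range on the server is the narrower fix; loading the kernel's FTP connection-tracking helper (ip_conntrack_ftp on kernels of the FC4 era) is the alternative, at the cost of a firewall that parses FTP traffic.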


xboxrulz
really odd, try disabling FC4's firewall.

It usually helps. If you want a firewall, make sure to open port 20 (according to your config; the default FTP service usually uses port 21)

xboxrulz


mastercomputers
Hey M^E,

I just did a clean install of FC5 not so long ago (was using FC4), so vsftpd setup will be one of the things on my to do list, although I prefer SSH/SCP/SFTP over this.

Windows usually defaults the FTP Server to Active while Linux defaults usually to Passive.

Firstly I would configure the firewall to allow FTP, which you've probably done. I would also disable SELinux (bad idea I know, but too much hassle in configuring, especially if you want to use an httpd directory as a directory for ftpd, disabling SELinux can sometimes make things work, it was the only possible solution to get my printer working on the network).

I'm going to start from the beginning, for those who may or may not have vsftpd, or may not even have it running:

First to check if we have vsftpd:

CODE
whereis vsftpd


If it returns a location like /usr/sbin/vsftpd then we can safely assume we have it, if not, we'll install it:

CODE
su -c "yum -y install vsftpd"


Now to check if it's running:

CODE
pgrep vsftpd


If nothing returns, it's not running, if a (PID) number returns then it's running.

or we could do:

CODE
netstat -a | grep ftp


And if it returns a connection that's listening (LISTEN) then it's running and waiting.

So if it's not running, let's set it up as a service to run every time our computer starts, and also the one-off command to start it for this session we're in:

CODE
su -c "/sbin/chkconfig --level 345 vsftpd on"
su -c "/sbin/service vsftpd start"


Now would probably be a good time to configure the configuration file for vsftpd, vsftpd.conf: (I use vim as my editor, use whichever one you like)

CODE
su -c "vim /etc/vsftpd/vsftpd.conf"


The lines that I altered:

anonymous_enable=NO
ftpd_banner=Whatever Welcome Message You Want To Present
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Next I create the chroot_list_file, which contains local users that are allowed to get out of their home directory:

CODE
su -c "vim /etc/vsftpd/chroot_list"


Add whatever users you want to allow access outside of their home directory, or just save it and leave it blank.

If SELinux is enabled, there's more steps you would need to take, but I'm leaving it disabled, so won't provide configuration for it, but if you're wanting to look into this, then "chcon" is the command you'll be looking for.

Actually, "chcon" would only work if you actually created the policy for it, though you should be looking at using "public_content_t", so instead I'll just give an alternative that should allow uploading from the allowed users:

The alternative:

CODE
su -c "/usr/sbin/setsebool -P ftpd_disable_trans 1"


What setsebool does, and what you could do manually, is create or append ftpd_disable_trans 1 to /etc/selinux/targeted/booleans.local, so you could create this file manually, or append that line onto it.

Let's restart vsftpd:

CODE
su -c "/sbin/service vsftpd restart"


Next is creating our public FTP location for additional users, who are required to log in, as there are no anonymous users allowed. This will be read-only for these users, so it's a means of controlling who goes on your FTP server, and also so you can place files here that these users can access.

First let's create the group:

CODE
su -c "groupadd ftp-users"


Next let's create the directory:

CODE
su -c "mkdir /home/public_ftp"


Now to make it accessible to the ftp-users:

CODE
su -c "chmod 750 /home/public_ftp"
su -c "chown root:ftp-users /home/public_ftp"


Next would be adding users you want to be able to access this directory and setting their password:

CODE
su -c "useradd -g ftp-users -d /home/public_ftp UserNameHere"
su -c "passwd UserNameHere"


Run this command as many times as you need to create additional users.

Now all you would need to do is place some files into it for it to be accessed by these created users. We change the permission of these files to read-only:

CODE
su -c "chown root:ftp-users /home/public_ftp/*"
su -c "chmod 740 /home/public_ftp/*"


Restarting vsftpd would be a good idea now. I think I've covered most of the general things, I will later talk about how we can create our FTP for making modifications for our web hosted files but will leave that till another time.


Cheers,


MC
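A small checker for the kind of vsftpd.conf edits walked through above, added here as a Python example that is not part of this thread and not vsftpd's own code: it parses vsftpd's strict option=value format, reports option names vsftpd does not recognise (vsftpd rejects its config file on an unrecognised variable, so a misspelled name stops the daemon rather than silently applying), and flags the weak settings that the stock vsftpd.conf comments quoted earlier in the thread warn about. The known-option list is deliberately limited to options used in this thread plus the passive port-range options, and both input snippets are constructed: one with misspelled names (anonymous_enabled, chroot_local_users, chroot_list_enabled), an easy slip with this file, and one with the names vsftpd recognises.

```python
import difflib

# Option names from vsftpd.conf(5); deliberately limited to the options that
# appear in this thread plus the passive port-range options.
KNOWN_OPTIONS = {
    "anonymous_enable", "local_enable", "write_enable", "local_umask",
    "anon_upload_enable", "anon_mkdir_write_enable", "dirmessage_enable",
    "xferlog_enable", "connect_from_port_20", "chown_uploads", "chown_username",
    "xferlog_file", "xferlog_std_format", "idle_session_timeout",
    "data_connection_timeout", "nopriv_user", "async_abor_enable",
    "ascii_upload_enable", "ascii_download_enable", "ftpd_banner",
    "deny_email_enable", "banned_email_file", "chroot_local_user",
    "chroot_list_enable", "chroot_list_file", "ls_recurse_enable",
    "pam_service_name", "userlist_enable", "listen", "tcp_wrappers",
    "pasv_enable", "pasv_min_port", "pasv_max_port",
}

# Constructed input: misspelled option names, an easy mistake with this file.
MISSPELLED_SNIPPET = """\
anonymous_enabled=NO
ftpd_banner=Whatever Welcome Message You Want To Present
chroot_local_users=YES
chroot_list_enabled=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""

# Constructed input: the same intent with the names vsftpd recognises.
CORRECTED_SNIPPET = """\
anonymous_enable=NO
ftpd_banner=Whatever Welcome Message You Want To Present
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""


def parse_vsftpd_conf(text):
    """Yield (lineno, key, value) for every setting line.

    vsftpd's format is one option=value per line and '#' starts a comment.
    Whitespace around '=' is an error to vsftpd, so it is kept here for the
    linter to report instead of being silently stripped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d is not option=value: %r" % (lineno, raw))
        key, value = line.split("=", 1)
        yield lineno, key, value


def lint_vsftpd_conf(text):
    """Return a list of (lineno, message) findings; lineno 0 means file-wide."""
    findings = []
    settings = {}
    for lineno, key, value in parse_vsftpd_conf(text):
        if key != key.strip() or value != value.strip():
            findings.append((lineno, "whitespace around '=' is rejected by vsftpd"))
            key, value = key.strip(), value.strip()
        if key not in KNOWN_OPTIONS:
            message = "unknown option %r" % key
            hint = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1, cutoff=0.8)
            if hint:
                message += " (did you mean %r?)" % hint[0]
            findings.append((lineno, message))
            continue
        settings[key] = value

    # Weak settings the stock vsftpd.conf comments warn about.
    if "anonymous_enable" not in settings:
        findings.append((0, "anonymous_enable not set; the stock config warns it is allowed by default"))
    if (settings.get("anonymous_enable", "YES") == "YES"
            and settings.get("write_enable") == "YES"
            and settings.get("anon_upload_enable") == "YES"):
        findings.append((0, "anonymous users can upload files"))
    if settings.get("ascii_download_enable") == "YES":
        findings.append((0, "ascii_download_enable=YES lets remote users burn I/O with SIZE in ASCII mode"))
    if settings.get("ls_recurse_enable") == "YES":
        findings.append((0, "ls_recurse_enable=YES allows costly recursive listings"))
    if settings.get("chroot_local_user") == "YES" and settings.get("chroot_list_enable") == "YES":
        findings.append((0, "chroot_local_user=YES inverts chroot_list_file: it now lists users NOT chrooted"))
    try:
        umask = int(settings.get("local_umask", "077"), 8)  # 077 is vsftpd's default
    except ValueError:
        findings.append((0, "local_umask is not an octal number"))
    else:
        if umask & 0o022 != 0o022:
            findings.append((0, "local_umask leaves new uploads group- or world-writable"))
    return findings


if __name__ == "__main__":
    for name, snippet in (("misspelled", MISSPELLED_SNIPPET), ("corrected", CORRECTED_SNIPPET)):
        print(name)
        for lineno, message in lint_vsftpd_conf(snippet):
            print("  line %d: %s" % (lineno, message))
```

Running it on the corrected snippet leaves a single informational finding: with chroot_local_user=YES the chroot_list_file names the users who are allowed out of their home directory, which is exactly the intent described above, but it is worth being reminded that the list's meaning has flipped.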


miCRoSCoPiC^eaRthLinG
Thanks for all the help guys

Am not done with it yet - gotta finish today's work and then sit with it.

yordan: The home folder /home/abcd is owned by the login (abcd) and its own group (abcd) I'm using.. I tried doing a whole bunch of chown's on it, e.g.:
chown -R abcd:abcd /home/abcd
Then I even tried various chmod's on /home/abcd.. +777, +755, +775 - nothing seemed to be able to make it write to the dir.

MC: Yep - you're right, this is FC4 with selinux. I had a feeling that selinux was at the root of all this evil but couldn't get my fingers on the right spot. Will follow all these directions and try to get it working tonight.

One last note - there IS a firewall on my WinXP system - it's the integrated firewall that came with my AV BitDefender Pro 9. It's a relatively painless firewall, that asks you whether to ALLOW/DISALLOW incoming/outgoing connections when you launch some new network client. Once ALLOWED with the "Remember Settings" option - it never bothers you for that client again.

And while you can specify incoming/outgoing ports for it - you can select an option to allow a client to make connections to ANY port. So I don't think the firewall at my end is the issue.


mastercomputers
Hey M^E,

Well since you have SELinux, I updated the above just to help you out in that situation, but SELinux is quite a lot to take in and even with everything I've read about it, sometimes it's easier just to turn the thing off, but one day I'll be comfortable with it, just have to keep learning more and more about it.

As for those chmod permissions, I think it's silly to actually allow things like 777; either 775 would be sensible or 755 on directories/executables (750 on cgi-bin, 700 on your home directory) and 664 or 644 on images/text files/archives, because user/group are the same, but in some cases you may have users in the same group that you don't want to allow writing to that directory.

Cheers,


MC


yordan
QUOTE
I think it's silly to actually allow things like 777

Correct. However, for debugging purposes, it could be suitable to do it temporarily. Like today, this showed that these "permission denied" problems are not due to real user rights, because chmod 777 changed nothing. This allowed us to go in the right direction.


yordan
QUOTE
If you pretend to be a unix user, you have to know what you are doing!

Nope! If you want to be a Unix network security admin, you need to know that. If you are a unix administrator you may know this. If you are a unix user, you don't have to worry about that.


Val-Amart
Ohhh, God!

If you pretend to be a unix user, you have to know what you are doing! Does anyone here know that FTP doesn't use TCP port 20 or 21 - it uses BOTH! One for command mode, another for data mode respectively.

Look, your client opens a TCP connection to port 20 of the server from a randomly chosen port, for example, 65535. Then it sends the FTP commands USER and PASS to authorize. You can send FEAT to see all features supported by the server, and HELP for commands. Then, for example, you want to retrieve a file. You send RETR "filename". The server opens a TCP connection to port 65535 from port 21. It sends data, then closes the connection.

If there is a firewall on server, it should have port 20 opened for incoming and port 21 for outgoing traffic.
If there is a firewall on client, it should have destination port 20 opened. And accept connections from port 21, of course.

In passive mode, which is entered by using the PASV command, the server doesn't open the data connection itself; it waits for an incoming connection. In that case, the firewall on the client side may have destination port 21 blocked. But then port 21 should be opened for incoming connections on the server.

That's about ports, now about data transfer modes. There are two: binary and ASCII. Most modern servers and clients use binary, as it transfers all 8 bits of a byte. ASCII mode is saved for some older ones. Historically, it was used for transferring directory listings, as only 7 bits were sent in this case.

vsftpd, like many other modern secure ftp servers, doesn't allow ASCII connections for transferring anything other than LIST, although it is not recommended now to use it for any purpose at all!

Guys, you really should consult the documentation before asking such questions... And you definitely should read this: RFC 959 and RFC 1579.
