VSFTPD problem accessing from outside of the router without SSL

Issues related to configuring your network
ClaudioxPT
Posts: 5
Joined: 2011/08/07 01:26:04

VSFTPD problem accessing from outside of the router without SSL

Post by ClaudioxPT » 2011/12/03 21:00:52

I have VSFTPD running with anonymous users allowed, but strangely, using the network IP address (192.168.xxx.xxx) I can access everything on the server (FTP, SFTP, HTTP, HTTPS, etc.), but when accessing from the outside (same PC, but ISP address), I can access HTTP(S) and the others normally, but not FTP without SSL (SFTP).

When I try to open the address in the browser (Opera or Chrome), 95% of the time it doesn't retrieve an answer and ends saying: "Could not open remote FTP channel
Check that the address is spelled correctly, or try searching for the site."
But strangely, sometimes it works (like after 5 minutes, trying it successfully retrieves the "Folder Listing"), but on the next try it doesn't work again.

I've opened FileZilla to see what happens, and the results are the following:
- Anonymous in the local network
[quote]Status: Connecting to 192.168.1.3:21...
Status: Connection established, waiting for welcome message...
Response: 220 Sucessfuly connected!
Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS **************
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,3,39,27).
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing successful[/quote]

- Local user in the local network
[quote]Status: Connecting to 192.168.1.3:21...
Status: Connection established, waiting for welcome message...
Response: 220 Sucessfuly connected!
Command: USER sysadmin
Response: 331 Please specify the password.
Command: PASS *****
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Status: Directory listing successful[/quote]
- Anonymous, using the outside address (when it works (5% of the time)):
[quote]Status: Connecting to 84.90.6.201:21...
Status: Connection established, waiting for welcome message...
Response: 220 Sucessfuly connected!
Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS **************
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (84,90,6,201,211,13).
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Calculating timezone offset of server...
Command: MDTM Drivelapse USA - 5 Minute Roadtrip Timelapse Around America.mp4
Response: 213 20111201222329
Status: Timezone offsets: Server: 0 seconds. Local: 0 seconds. Difference: 0 seconds.
Status: Directory listing successful[/quote]
- Anonymous, using the outside address (when it doesn't):
[quote]Status: Connecting to 84.90.6.201:21...
Status: Connection established, waiting for welcome message...
Response: 220 Sucessfuly connected!
Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS **************
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: UTF8
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (84,90,6,201,21,106).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing[/quote]
- Local user, using the outside address:
[quote]Status: Connecting to 84.90.6.201:21...
Status: Connection established, waiting for welcome message...
Response: 220 Sucessfuly connected!
Command: USER sysadmin
Response: 331 Please specify the password.
Command: PASS *****
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (84,90,6,201,166,232).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing[/quote]
- Anonymous, using the outside address and SSL:
[quote]Status: Connecting to 84.90.6.201...
Response: fzSftp started
Command: open "anonymous@84.90.6.201" 22
Command: Trust changed Hostkey: Once
Command: Pass: **************
Error: Authentication failed.
Error: Critical error
Error: Could not connect to server[/quote]
- Local user, using the outside address and SSL:
[quote]Status: Connecting to 84.90.6.201...
Response: fzSftp started
Command: open "sysadmin@84.90.6.201" 22
Command: Trust changed Hostkey: Once
Command: Pass: *****
Status: Connected to 84.90.6.201
Status: Retrieving directory listing...
Command: pwd
Response: Current directory is: "/home/sysadmin"
Status: Directory listing successful[/quote]

I have VSFTPD installed with the following configuration files:

- /etc/vsftpd/vsftpd.conf

[quote] # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
chown_username=sysadmin
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=7200
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Sucessfuly connected!
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

force_local_data_ssl=NO
force_local_logins_ssl=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
tcp_wrappers=YES[/quote]

- Both user lists (ftpusers and user_list) have:
[quote]root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody[/quote]

What could be the cause of this strange problem? It only happens with FTP, and not always, as sometimes it works.
And why does FTP under SSL always work, and quickly, while the unencrypted one doesn't?
EDIT: I forgot to say, the firewall is disabled and SELinux is in permissive mode.

Regards

TrevorH
Site Admin
Posts: 33249
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

VSFTPD problem accessing from outside of the router without

Post by TrevorH » 2011/12/03 22:34:40

SFTP works because it's a completely different protocol and actually uses SSH under the covers. Plain FTP uses two separate ports - you need to open both port 21 and 20. If you are using iptables then I find that opening only port 21, making sure that ip_conntrack_ftp is loaded and having a RELATED,ESTABLISHED line in your iptables rules works most of the time.
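The FileZilla logs in the question show the pattern the reply is talking about: the control channel (port 21) logs in fine, the server answers PASV with a public address, and only the data channel times out on LIST. The script below is an added diagnostic, my own example code rather than anything from the poster or the vsftpd project. It speaks RFC 959 on the control channel the way FileZilla does (USER/PASS, PASV, LIST), parses the 227 reply, and reports whether the server advertised an address the client cannot reach or whether the advertised port itself is unreachable. It uses only the Python 3 standard library; the host name `ftp.example.invalid` and the anonymous password are placeholders, not values from the thread.

```python
"""Passive-FTP probe: tells a control-channel failure from a data-channel one.
Added example, not code from the forum thread or from vsftpd."""
import io
import re
import socket
import sys

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).
    RFC 959 defines the port as p1*256 + p2; anything else is rejected."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def classify_pasv(control_peer_ip, pasv_ip):
    """'address-mismatch': the 227 advertised an address other than the one the
    control connection reached (typically the server's private LAN address).
    'address-ok': the address is right, so a data-connect hang means the
    advertised port is not being forwarded or connection-tracked."""
    return "address-ok" if pasv_ip == control_peer_ip else "address-mismatch"


def _read_reply(f):
    """Read one reply, including an RFC 959 multi-line one such as the
    211-Features block in the logs; return its first line ('' on EOF)."""
    first = f.readline().decode("utf-8", "replace").rstrip("\r\n")
    if len(first) >= 4 and first[3] == "-":
        code = first[:3]
        while True:
            line = f.readline().decode("utf-8", "replace").rstrip("\r\n")
            if not line or line.startswith(code + " "):
                break
    return first


def read_replies(raw):
    """Split a captured control-channel byte stream into reply first lines."""
    f, out = io.BytesIO(raw), []
    while True:
        line = _read_reply(f)
        if not line:
            return out
        out.append(line)


def probe(host, port=21, user="anonymous", password="probe@example.invalid", timeout=15):
    """Log in, request PASV, open the data channel, run LIST; 'stage' in the
    returned dict says how far the exchange got before something failed."""
    ctrl = socket.create_connection((host, port), timeout=timeout)
    f = ctrl.makefile("rb")

    def cmd(line):
        ctrl.sendall((line + "\r\n").encode("utf-8"))
        return _read_reply(f)

    result = {"banner": _read_reply(f)}
    reply = cmd("USER " + user)
    if reply.startswith("331"):
        reply = cmd("PASS " + password)
    if not reply.startswith("230"):
        result.update(stage="login-failed", reply=reply)
        ctrl.close()
        return result
    pasv_ip, pasv_port = parse_pasv(cmd("PASV"))
    result.update(pasv=(pasv_ip, pasv_port),
                  check=classify_pasv(ctrl.getpeername()[0], pasv_ip))
    try:
        data = socket.create_connection((pasv_ip, pasv_port), timeout=timeout)
    except OSError as exc:
        # The 'LIST ... Connection timed out' case: control works, data does not.
        result.update(stage="data-connect-failed", error=str(exc))
        cmd("QUIT")
        ctrl.close()
        return result
    reply = cmd("LIST")  # expect 150, the listing on the data channel, then 226
    chunks = []
    while True:
        block = data.recv(65536)
        if not block:
            break
        chunks.append(block)
    data.close()
    result.update(stage="list-ok", list_reply=reply, done=_read_reply(f),
                  listing=b"".join(chunks).decode("utf-8", "replace"))
    cmd("QUIT")
    ctrl.close()
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"  # placeholder
    for key, value in sorted(probe(target).items()):
        print("%-12s %r" % (key, value))
```

Run it as `python3 ftp_probe.py <host>` from the outside, just as the poster did with FileZilla. For the failing log above the 227 carried the public address, so `check` would read `address-ok` and `stage` would be `data-connect-failed`, which is exactly the reply's point: port 21 being reachable proves nothing about the data connection, and the advertised passive port has to reach vsftpd as well, whether through a forwarding rule on the router or, on an iptables host, through the FTP connection-tracking helper (ip_conntrack_ftp on kernels of that era, nf_conntrack_ftp on current ones) plus a RELATED,ESTABLISHED accept rule. A result of `address-mismatch` would instead mean the server is handing out its LAN address in the 227, which is the other classic way passive mode breaks behind NAT.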
