VSFTP Problem - 553 Could not create file

ukon
Posts: 3
Joined: 2012/07/07 04:47:00

VSFTP Problem - 553 Could not create file

Post by ukon » 2012/07/07 05:21:43

Hi all,

For three days I have been trying to configure a vsftp server on CentOS 6.
Here is the config:

#########################################################
[root@localhost pub]# cat /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES

check_shell=NO

# User to run daemon as
nopriv_user=ftp
ftp_username=ftp#
#anon_root=/var/ftp/pub

# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
anon_umask=0022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES

anon_other_write_enable=YES
anon_upload_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=NO
#
pasv_enable=yes
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

log_ftp_protocol=YES
#local_root=/var/ftp/pup
pam_service_name=vsftpd
#userlist_enable=YES
#userlist_file=/etc/vsftpd/user_list
#tcp_wrappers=YES
#userlist_deny=NO

setproctitle_enable=YES

anon_upload_enable=YES

guest_enable=YES
guest_username=ftp

#########################################################################################

I log in with user udo, which works. I can also download files, but it is not possible to upload files.
It is also interesting that whether I log in with the user ftp or with my "normal" user, I always end up in the default directory:

Here are the rights on the directories:

/var/ftp/

drwxrwxrwx. 3 ftpuser ftpusers 4096 6. Jul 19:41 ftp

[root@localhost ftp]# ls -al /var/ftp/
insgesamt 12
drwxrwxrwx. 3 ftpuser ftpusers 4096 6. Jul 19:41 .
drwxr-xr-x. 21 root root 4096 4. Jul 19:58 ..
drwxrwxrwx. 3 ftpuser ftpusers 4096 6. Jul 20:04 pub
################################################################
/etc/passwd

udo:x:500:500::/home/udo:/bin/bash
ftp1:x:501:501::/home/ftp-docs:/bin/bash
ftp2:x:502:501::/home/ftp-docs:/bin/bash
ftpuser:x:503:503::/home/ftpuser/:/sbin/nologin
#################################################################
/etc/group

udo:x:500:
ftp-users:x:501:
ftpuser:x:503:
ftpusers:x:504:ftpuser


Any help for me?

Thanks
ukon

nwtgpdx
Posts: 1
Joined: 2012/07/07 05:46:49
Location: Portland, Oregon

Re: VSFTP Problem - 553 Could not create file

Post by nwtgpdx » 2012/07/07 05:50:21

Any related output in /var/log/xferlog or /var/log/vsftpd.log regarding FTP config/operational errors?

Check /etc/vsftpd/ftpusers and /etc/vsftpd/user_list. There could be a default access restriction in place.

liff75
Posts: 4
Joined: 2012/07/03 05:11:25

VSFTP Problem - 553 Could not create file

Post by liff75 » 2012/07/07 06:57:10

Do you have SELinux enabled?

To check: sestatus

If SELinux status = on & Current mode = enforcing, it's all enabled... so let's turn it to permissive mode.

Permissive mode: setenforce 0

Check sestatus again, and it should be Current mode = permissive. This basically leaves SELinux on, but in a log only manner.

With selinux in permissive mode, try your FTP things again, and see if the problems have magically gone away. If they have, you have issues with SELinux. Check /var/log/audit for reasons. Best thing to do is clear the log files, do your FTP thing, then check the logs as they'll then only contain what's related to your FTP issue.

If SELinux is to blame, there's a few SELinux booleans worth looking at.

Best start is: getsebool -a | grep ftp

You'll see something like

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

Not all of these are relevant to vsftpd, for example the httpd_enable_ftp_server is for Apache running FTP, and tftp_anon_write is for tftpd. I'd start with:

setsebool -P allow_ftpd_full_access on
setsebool -P ftp_home_dir on

The first one, allow_ftpd_anon_write, is needed if you want every joe blow out there to be able to upload files to the anonymous folder... I seriously discourage you from doing that, unless it's internal only. If this is publicly accessible, it will be found and it will be abused.

Next you'll need to make sure that the home folders have the right settings enabled.

Check policy bits: ls -alZ /home

Chances are if you just created the home folders they have the wrong settings, so you can just reset them as follows:

First run it to see what it'll change, but without it changing anything: restorecon -nvvr /home
-n = don't do anything, report only
-vv = very verbose
-r = recursive (do /home and everything under it)

You might want to run this on /home/udo, /home/ftp-docs and /home/ftpuser instead of all of /home

If you're happy with what it wants to do: restorecon -vvr /home
Same command with no -n, so it'll do its actions.

Next stick SELinux back into enforcing mode:
setenforce 1

Check it is with sestatus (current mode = enforcing).

Try FTP again, and if it's broken once more check the audit logs to see what else is going on. Might be missing some settings, which you can sort out using chcon. Use -Z on various commands to work out what the current selinux policies in play are (ps -Z, ls -Z, and so on).

There's a few tools out there to turn the audit log into something more human readable, together with suggestions on what to do to fix it. Never used any of them so I can't speak much about them anyway.



Alex.
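The checks Alex describes, as an added example that is not part of the original post: two small POSIX shell functions that read captured `getsebool -a` output and audit.log lines (constructed samples are embedded, not taken from ukon's system) and report which FTP booleans are still off and which object types vsftpd was denied access to.

```shell
# Constructed sample of `getsebool -a | grep ftp` output (not from the thread's host)
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off'

# Constructed AVC denial in the format auditd writes to /var/log/audit/audit.log
SAMPLE_AUDIT='type=AVC msg=audit(1341636652.421:101): avc:  denied  { write } for  pid=2201 comm="vsftpd" name="pub" dev=dm-0 ino=262145 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1341636652.421:101): arch=c000003e syscall=2 success=no exit=-13'

# Print, one per line, the booleans named in this thread that are currently off.
# Reads getsebool output on stdin; each line is "<name> --> <on|off>".
ftp_booleans_off() {
    awk '$1 == "allow_ftpd_full_access" || $1 == "ftp_home_dir" || $1 == "allow_ftpd_anon_write" { if ($3 == "off") print $1 }' | sort
}

# Summarise vsftpd AVC denials as "<permission> <tclass> <target type>" so the
# reader sees which kind of object vsftpd was refused (e.g. a dir labelled
# public_content_t, which is read-only unless the anon_write boolean is set).
vsftpd_denials() {
    awk '/^type=AVC/ && /comm="vsftpd"/ {
             perm = ""; tclass = ""; ttype = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "{") perm = $(i + 1)                  # token after "{"
                 if ($i ~ /^tclass=/) tclass = substr($i, 8)     # strip "tclass="
                 if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
             }
             print perm, tclass, ttype
         }'
}

# Stand-alone report over the constructed samples
selinux_ftp_report() {
    echo "FTP booleans still off:"
    printf '%s\n' "$SAMPLE_BOOLS" | ftp_booleans_off
    echo "vsftpd denials (permission class target-type):"
    printf '%s\n' "$SAMPLE_AUDIT" | vsftpd_denials
}
selinux_ftp_report
```

On the affected host, pipe the real `getsebool -a` output and `/var/log/audit/audit.log` into the two functions instead of the samples.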

ukon
Posts: 3
Joined: 2012/07/07 04:47:00

Re: VSFTP Problem - 553 Could not create file

Post by ukon » 2012/07/07 09:19:22

[quote]
nwtgpdx wrote:
Any related output in /var/log/xferlog or /var/log/vsftpd.log regarding FTP config/operational errors?

Check /etc/vsftpd/ftpusers and /etc/vsftpd/user_list. There could be a default access restriction in place.[/quote]

Hi,

regarding the vsftpd.log I saw the following output after the failed transfer:
Sat Jul 7 06:50:52 2012 1 192.168.178.20 0 /2012-06-29-17-34-40.052-VirtualBox-22059.log b _ i g udo ftp 0 * i

And the ftpusers and userlist looks like :
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games

########################################################

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
udo
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
ftpuser


It seems to be normal?!

Any idea?

ukon

ukon
Posts: 3
Joined: 2012/07/07 04:47:00

Re: VSFTP Problem - 553 Could not create file

Post by ukon » 2012/07/07 10:58:02

Alex,

thanks a lot... your explanation helped to solve my problem.
It was an issue with SELinux. I have done your config changes as mentioned and right now it works as expected.

So there is just one more issue I want to figure out.
When I login with user udo I always come into the directory
/var/ftp

Is this normal behaviour?

Thanks again

Udo

dprocker
Posts: 2
Joined: 2014/02/01 22:13:29

Re: VSFTP Problem - 553 Could not create file

Post by dprocker » 2015/01/08 20:54:16

In CentOS 6.6, the below listed steps are what I used to allow anonymous FTP upload. My situation may be different than others. I didn't want everyone to have access to upload and I didn't want the people who would be uploading files to have local accts. I only wanted two people to have access, so I restricted ftp to two IPs.

One add'l step I could have taken would be to create an acct chroot'd to the ftp folder, but I don't think there was much difference between that and what I did.

Set up anonymous ftp (with upload/download and delete ability)
1. Install vsftpd
a. yum install -y vsftpd
2. Configure /etc/vsftpd/vsftpd.conf
a. Make backup first, cp vsftpd.conf vsftpd.conf.20150105
b. nano vsftpd.conf and make following changes
i. anon_upload_enable=YES (remove #)
ii. change xferlog_file setting to xferlog_file=/var/log/vsftpd.log
iii. change xferlog_std_format to xferlog_std_format=NO
iv. anon_other_write_enable=YES (add at bottom)
v. anon_umask=022 (add at bottom)
c. Start vsftpd service
i. service vsftpd start
d. Set vsftpd services to survive a reboot
i. chkconfig vsftpd on
3. Configure /etc/sysconfig/iptables-config, to load ftp module
a. Change IPTABLES_MODULES="" to IPTABLES_MODULES="nf_conntrack_ftp"
4. Configure /etc/sysconfig/iptables (if multiple, use two lines)
a. -A INPUT -m state --state NEW -m tcp -p tcp -s x.x.x.x --dport 21 -j ACCEPT
b. -A INPUT -m state --state NEW -m tcp -p tcp -s x.x.x.x --dport 21 -j ACCEPT
c. To make sure the commands are in effect, do:
i. service iptables reload
5. Change ftp home directory from /var/ftp; when the anonymous user logs in, this will be where they are placed.
a. ftp:x:14:50:FTP User:/var/ftp/pub:/sbin/nologin
6. Make directory for Upload (steps won't work if the upload/download folder is /var/ftp/pub)
a. mkdir /var/ftp/pub/Guides
b. chmod 777 Guides
7. Enable SELinux Booleans
a. setsebool -P allow_ftpd_anon_write on
8. Set SELinux context to MedGuides folder
a. If semanage command is unavailable, install it
i. yum install -y policycoreutils-python
b. semanage fcontext -a -t public_content_rw_t "/var/ftp/pub/Guides(/.*)?"
c. Then restore SELinux contexts, this allows the folder to survive a relabel
i. restorecon -FR Guides/
d. Ftp logs stored in /var/log/vsftpd.log
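An added example, not part of dprocker's post or of vsftpd itself: a POSIX shell check that reads a vsftpd.conf (constructed excerpts embedded below, modelled on the directives in step 2 and in ukon's config) and reports whether the combination of anonymous_enable, write_enable and the anon_*_enable directives lets anonymous clients write. It takes the last occurrence of a repeated directive, since vsftpd applies lines in order, and compares boolean values case-insensitively.

```shell
# Constructed vsftpd.conf excerpts (not the thread's files): the directives from the
# setup steps above, and a variant where anonymous writes are switched off again.
ANON_WRITE_CONF='anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=NO
anon_upload_enable=YES
anon_other_write_enable=YES
anon_umask=022
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log'

READ_ONLY_CONF='anonymous_enable=YES
write_enable=YES
anon_upload_enable=yes
anon_upload_enable=no
anon_mkdir_write_enable=NO'

# Effective value of one directive read from stdin: comment and blank lines are
# skipped, the last occurrence wins, and the value is upper-cased so YES/yes match.
vsftpd_get() {
    awk -F= -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == key { val = toupper($2) }
        END { print val }'
}

# Exit 0 and name the directives that open anonymous writes, or exit 1 when this
# config cannot let an anonymous client create, rename or delete files.
anon_write_exposed() {
    conf="$1"
    anon=$(printf '%s\n' "$conf" | vsftpd_get anonymous_enable)
    [ -z "$anon" ] && anon=YES   # vsftpd default is YES, as the sample config warns
    write=$(printf '%s\n' "$conf" | vsftpd_get write_enable)
    [ "$anon" = "YES" ] && [ "$write" = "YES" ] || return 1
    found=""
    for d in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        [ "$(printf '%s\n' "$conf" | vsftpd_get "$d")" = "YES" ] && found="$found $d"
    done
    [ -n "$found" ] || return 1
    echo "anonymous write exposure via:$found"
}

anon_write_exposed "$ANON_WRITE_CONF" || echo "no anonymous write exposure"
anon_write_exposed "$READ_ONLY_CONF" || echo "no anonymous write exposure"
```

Run it against the real file with `anon_write_exposed "$(cat /etc/vsftpd/vsftpd.conf)"`; a hit means the SELinux boolean from step 7 and the source-IP rules from step 4 are the only things standing between the directory and arbitrary uploads.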
