FTP on CentOS


Postby cjgrif » 2006/07/30 10:04:38

Hello everyone. I have been working on getting a web server up and running for the past few days, and as of now the only thing that I have not been able to get up and running is an FTP server. The only reason I need this is so I can upload files remotely to the html directory; I have no plans of using it to allow access to files from web visitors. I know that I can use SCP (and I do) for this functionality, but it would be more convenient at times to use FTP, or necessary to use FTP (such as with free web services which only support FTP, i.e., Blogger, etc.)
When I installed the latest version of CentOS, I let it install everything that came on the 4 install disks. I have tried vsftpd and ggcftp, and neither of them work properly. I am able to log in using my user name and password, but that is about it. The ls and dir commands don't work, giving various error messages (usually a 500: Invalid PORT command error). I then installed ProFTP and have had absolutely no luck with that; I can't even log into the server.
Additionally, I am no longer able to stop or start vsftpd via the GUI, and I am not really sure how to do it otherwise. At this point I am running in so many different directions I have no idea what is going on anymore. All I really want is to have FTP up and running so one user can upload (username & password verification) to the html folder apache uses. It doesn't matter which one it is as long as it works. I don't know a lot about Linux, so I am at a major disadvantage there; hopefully someone will be able to help me.

Thank you,

Chris
cjgrif
 
Posts: 9
Joined: 2006/07/30 09:28:05
Location: Hebron, Maryland

FTP on CentOS

Postby ixten » 2006/08/03 04:50:44

Hey,

OK, first of all we need to get the daemons working again. You said you couldn't stop or start it anymore but you also said you installed and ran multiple daemons! This probably means another FTP daemon is still running and using port 21 (the FTP port).
First of all stop and remove all other FTP daemons. (I prefer to use Vsftpd, especially because it also comes with CentOS so it's easily installed and updated with YUM).

To start / stop a daemon in the shell use these commands:
service ....... start
service ....... stop
service ....... restart
...... is the daemon name in this case Vsftpd.
But after stopping and removing all other FTP daemons this shouldn't be a problem anymore in the GUI.

You can find the config files for apache here: /etc/httpd/conf/
And the config files for vsftpd here: /etc/vsftpd/

Now first of all you need to know which directories Apache is configured to. By default it's configured to /var/www/html.
Then check which user and user group Apache runs as, because the FTP daemon has to be able to read and write the files and you don't want R/W access for everybody. By default this is apache : apache. You have to change this to something like apache : ftp-users. And then make a group ftp-users and put there the members that have access to FTP.
It’s also good to know which rights the files and directories must have. Mostly it’s 400 / 440 but we're going to change this to 460. 4 = read access for the user apache so the server can read the site, 6 = read and write access for the FTP users and 0 = no access for other people.
This way your server is secure because it's limited to just a few users. And the FTP users will have access to edit, change and make files. (You can also give apache R/W access, which it needs in some cases, but it’s a security risk; you can do this by making it 660.)

Here is a vsftpd config:

#listen on ports for connections?
listen=yes
#listen on ports for connections from IPv6 users?
listen_ipv6=yes
#which port do you want vsftpd to listen to?
listen_port=21
#if your server has IP addresses then on which address do you want vsftpd to listen to?
#standard it listens on all addresses. To make it listen to 1 address remove the # in front and type the IP address behind the =.
#listen_address=
#IPv6 IP addresses to listen on
#listen_address6=
#Want Vsftpd to run in the background?
background=yes
#Want Vsftpd to print a welcome banner when a user connects?
ftpd_banner=Welcome to my FTP server
#Vsftpd can also print a text from a file as a welcome banner.
#banner_file=/etc/vsftpd/vsftpd.msg
#Check if the user has a shell before letting him/her connect
check_shell=no
#Want to allow anonymous users?
anonymous_enable=no
no_anon_password=no
guest_enable=no
#Allow ASCII ?
ascii_download_enable=yes
ascii_upload_enable=yes
#Allow users to chmod files?
#This is very handy if a file access needs to be changed like making a file write enabled for apache (for log files etc.)
chmod_enable=yes
#Which directory does Vsftpd need to open for users?
local_root=/var/www/html
#Want Vsftpd to chroot users?
#This puts users in a jail so that they can’t get out of the /var/www/html directory and see other files.
chroot_list_enable=yes
chroot_local_user=yes
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
#Name of the PAM service vsftpd will use
pam_service_name=vsftpd
#Want Vsftp to use data connections on port 20?
connect_from_port_20=no
#Here you can change the data connection port from the previous option
ftp_data_port=20
#This makes Vsftpd use OpenSSL for a more secure connection
#ssl_enable=yes
#Allow users to use directory listing commands
dirlist_enable=yes
#Shows a message when a user enters a directory by printing text out .message from the directory the user entered.
dirmessage_enable=yes
#Here you can change which file in the directories will contain the message text
message_file=.message
#Allows users to download files
download_enable=yes
#This makes Vsftpd show files that start with a dot which you need to show .htpasswd and .htaccess
force_dot_files=yes
#Force to use OpenSSL on connection for more security
#force_local_data_ssl=yes
#force_local_logins_ssl=yes
#Replace all user and group names with FTP in directory listing
hide_ids=yes
#Allows local users with their local passwords to login to the FTP server
local_enable=yes
#Allows recursive listing of directories; this can take up resources of your server on large directories
ls_recurse_enable=no
#Enable passive data connection
pasv_enable=yes
#Change the passive data connection ports. Standard these are random ports.
pasv_min_port=33201
pasv_max_port=33210
#This shows session info in the system process listing
setproctitle_enable=yes
#Deny users that are in the user list
userlist_deny=no
#Only allow users from the user list
userlist_enable=yes
#Path and name of the user list
userlist_file=/etc/vsftpd/vsftpd.user_list
#Allow users to write
write_enable=yes
#Make a detailed log of files that are downloaded and uploaded
xferlog_enable=yes
xferlog_std_format=yes
#some timeout settings…
data_connection_timeout=300
idle_session_timeout=600
accept_timeout=60
#this timeout made my daemon crash so be careful with enabling it
#connection_timeout=120
#Permissions of the created files
file_open_mode=0460
#Maximum data transfer rate permitted in bytes per second.
#local_max_rate=0
#Maximal count of clients that can connect at the same time to the server
max_clients=5
#Maximal count of clients that can connect from 1 IP address
max_per_ip=2


Now make a file called /etc/vsftpd/vsftpd.user_list and put the names of the local users that are allowed to access the FTP server.
Make the file called /etc/vsftpd/vsftpd.chroot_list and put here the names of local users that are not chrooted to a jail. It’s best to leave this empty and chroot all users.
By chrooting them they won’t be able to go out of the directory you provided them and change settings.

For more information about the options or for more options see this page:
http://vsftpd.beasts.org/vsftpd_conf.html
This is my configuration that I use for my Vsftpd server but then a little changed for you.
Well I hope you can work it out with this information!

Good luck! And I’ll hear it when it works or if you have more questions.
ixten
 
Posts: 18
Joined: 2006/07/21 19:03:05
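
Added example (not part of the original posts, and not vsftpd's own code): a small Python check over a vsftpd.conf like the one posted above, flagging option combinations that stop the daemon from starting or that weaken the setup. The names `audit` and `parse_conf` and the sample text are constructed for this illustration; the defaults used are the ones documented in the vsftpd.conf man page.

```python
YES = {"YES", "TRUE", "1"}  # values treated as "on" (assumption: compared case-insensitively)

# Constructed sample: a subset of the options posted above.
SAMPLE_CONF = """\
listen=yes
listen_ipv6=yes
anonymous_enable=no
local_enable=yes
userlist_enable=yes
userlist_deny=no
#ssl_enable=yes
pasv_enable=yes
pasv_min_port=33201
pasv_max_port=33210
"""

def parse_conf(text):
    """Return ({option: value}, [syntax errors]); no spaces are allowed around '='."""
    opts, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            errors.append(f"line {n}: expected option=value with no spaces")
            continue
        opts[key] = value
    return opts, errors

def audit(text):
    """Return a list of findings for a vsftpd.conf given as a string."""
    opts, findings = parse_conf(text)
    def on(key, default):  # default = documented default for that option
        return opts.get(key, default).upper() in YES
    if on("listen", "NO") and on("listen_ipv6", "NO"):
        findings.append("listen and listen_ipv6 are mutually exclusive; enable one")
    if on("anonymous_enable", "YES"):
        findings.append("anonymous logins are enabled")
    if on("local_enable", "NO") and not on("ssl_enable", "NO"):
        findings.append("ssl_enable is off: local passwords are sent in cleartext")
    if on("userlist_enable", "NO") and on("userlist_deny", "YES"):
        findings.append("userlist_file is a deny list, not an allow list")
    if on("pasv_enable", "YES") and "0" in (opts.get("pasv_min_port", "0"),
                                            opts.get("pasv_max_port", "0")):
        findings.append("passive port range is unbounded and cannot be forwarded")
    return findings
```

Calling `audit(SAMPLE_CONF)` reports the listen/listen_ipv6 conflict and the disabled SSL option; the user list and passive port range pass.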

Re: FTP on CentOS

Postby cjgrif » 2006/08/03 13:13:49

Thank you for the help! vsftpd is up and running, and I am able to connect to it from the computers on my home network via its LAN IP address (192.168.1.200). Now if I try to connect via the internet, using a command such as ' ftp www.christophergriffin.net ', I am able to log into the server, but if I try to 'ls', I get a message '500: Illegal PORT command' followed by '425: Use PORT or PASV first'. If I quote PORT, I get more illegal port command errors; if I quote PASV, and try 'ls', it hangs for a moment and then reports that it was unable to connect or that there is no route to the host. I have some ports forwarded in my Netgear router (20,21) to 192.168.1.200 - is this correct? Should there be other ports? Not these ports? Obviously it must be possible to configure an FTP server behind a router/firewall, but how?

Thanks for all the help,

Chris
cjgrif
 
Posts: 9
Joined: 2006/07/30 09:28:05
Location: Hebron, Maryland

Re: FTP on CentOS

Postby ixten » 2006/08/03 17:55:08

It depends on which client you use. Does the client support PASV mode? (PASV is for servers behind a firewall.) And if it does, is it activated? I know it's weird but sometimes it even helped to turn PASV mode off. And check if port 21/20 is forwarded correctly.
If that still didn't work then try this setting:

#Enable passive data connection
pasv_enable=yes

Did you enable it? And if it is, then try this:

#Change the passive data connection ports. Standard these are random ports.
pasv_min_port=33201
pasv_max_port=33210

I showed you how to change the data connection ports. Try forwarding these ports in your router to your server and try again.

I forgot something yesterday though.. yeah I know it was late so I guess I was a little sleepy...
First of all you might want to change /var/www/html in the Vsftpd config to /var/www. This way you also have access to the CGI-BIN.
And I forgot to force user and group name, because normally if you write a file it will become owned by the user and not apache. To do this open a shell and make sure you're root. The command to become root is:
#su -
Then you have to change user access of the group by this command:
#chown -R apache:ftp-users /var/www
And this one:
#chmod -R 460 /var/www
Now Apache can read and ftp-users can read/write in /var/www but if you write as a user the file will be owned by your username and not apache so we do this:
#chmod g+s /var/www
Now all files and directories that are made in /var/www will always get owner apache:ftp-users! But be careful if you write files in shell or GUI because they will write as apache:ftp-users but will not give it the 460 access. Only Vsftpd will give files the 460 access! So if you write a file with the shell/GUI then you have to change it to 460 manually.

good luck!
ixten
 
Posts: 18
Joined: 2006/07/21 19:03:05

Re: FTP on CentOS

Postby cjgrif » 2006/08/04 16:02:28

Well, it seems that I can only get a fully functional connection over the LAN using PORT mode. If I understand correctly, PORT mode should not work from the internet, since the server is behind a firewall? In either case, is it possible that there is something in Linux or CentOS in particular acting as a firewall (some part of SELinux?); I remember when I installed CentOS it asked me what types of services I would be hosting (I chose HTTP, SSH, and FTP). I would assume that this would open port 80 for http, 22 for ssh and 20-21 for ftp. Would I need to somehow open up ports 33201-33210 as well? How would I do this if this is required?

Otherwise, I pretty much followed the sample conf file provided, except that I did not enable listen ipv6 because it caused vsftpd to crash.

Another thing I was wondering about: when I get the message "Entering PASV mode etc..." the IP address is the 192.168.1.200 address. Intuitively, I would think that this should be my external IP address. I have set this with the pasv_address option in vsftpd.conf. The address shown then is the external address. Should this be done? (Note that at this point it still does not solve my connectivity issues.)

Thanks again for your help,

Chris
cjgrif
 
Posts: 9
Joined: 2006/07/30 09:28:05
Location: Hebron, Maryland

Re: FTP on CentOS

Postby ixten » 2006/08/04 23:35:04

CentOS has its own firewall, check if it's on and else turn it off.
SELinux can be a big bully once it has full access. Best is to try to turn it off or set it to warn-only. Just to make sure it’s not interfering with Vsftpd.

The internal IP address that you see should be fixed by your NAT network, tell us a bit about your network and how you are connected to the internet.

And it could be possible that you need to open the ports 33201 till 33210 too. This depends on whether your firewall will let the server connect over these ports or not. If you think your firewall is blocking these ports you can open them the same way as you did with port 21 / 20. (Notice it’s port 33201 till 33210, not just 2 ports.)
These ports are needed for data transfer. Also try telling us which clients you use on which OS. I've encountered a lot of still recent clients that won't work with a lot of FTP servers. Especially as some clients try to open about 10 connections at the same time for a task and then keep them open while they try to open another 10 connections for another task, like the M$ Internet Explorer does.
ixten
 
Posts: 18
Joined: 2006/07/21 19:03:05
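
Added example (not from the original posts): how the address and port carried in a `227` reply or a `PORT` command are decoded, and why a private address or an unforwarded port breaks the data connection across NAT. The replies, the documentation-range addresses and the function names are constructed for illustration; the port range and `pasv_address` come from the thread, and `check_port` mirrors vsftpd's default `port_promiscuous=NO` behaviour.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUPLE = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

# Constructed samples; 203.0.113.10 and 198.51.100.7 are documentation addresses.
REPLY_LAN = "227 Entering Passive Mode (192,168,1,200,129,177)"
REPLY_WAN = "227 Entering Passive Mode (203,0,113,10,129,186)"
PORT_NAT = "PORT 192,168,0,5,200,10"
FORWARDED = range(33201, 33211)  # pasv_min_port..pasv_max_port from the thread

def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (IPv4Address, port); port = p1*256 + p2."""
    m = TUPLE.search(text)
    if not m:
        raise ValueError(f"no host-port tuple in {text!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"field out of range in {text!r}")
    return ipaddress.IPv4Address(bytes(n[:4])), n[4] * 256 + n[5]

def check_pasv(reply, public_ip, forwarded):
    """Problems an internet client will hit with this 227 reply."""
    addr, port = parse_hostport(reply)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"advertises private address {addr}; set pasv_address")
    elif str(addr) != public_ip:
        problems.append(f"advertises {addr}, expected {public_ip}")
    if port not in forwarded:
        problems.append(f"data port {port} is not forwarded to the server")
    return problems

def check_port(command, peer_ip):
    """Mirror vsftpd's default PORT check (port_promiscuous=NO)."""
    addr, port = parse_hostport(command)
    problems = []
    if str(addr) != peer_ip:
        problems.append(f"PORT names {addr} but the control connection comes from {peer_ip}")
    if port < 1024:
        problems.append(f"PORT names reserved port {port}")
    return problems
```

`check_pasv(REPLY_LAN, "203.0.113.10", FORWARDED)` reports the private address, while `check_port(PORT_NAT, "198.51.100.7")` shows the mismatch that produces a 500 Illegal PORT command for a client behind its own NAT.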

Re: FTP on CentOS

Postby rayman » 2006/08/09 17:54:23

I've been having trouble with FTP too. I can upload my files to the web server but can't access the FTP from the web, so I'll be reading up as much as I can over the next few days and if I figure it out I'll post the answer.
rayman
 
Posts: 45
Joined: 2006/08/05 06:14:15

