Thread: vsftpd failed connection

  1. #1

    Default vsftpd failed connection

    I am trying to set up an ftp server using opensuse.

    I can connect to the server, but cannot get listings, put, or get files.

    How must I change the set up so ftp will work?

    This is what I see from a client PC:
    Code:
        $ ftp tommythegeek.com
        Connected to tommythegeek.com.
        220 Welcome to Tommy The Geek's FTP service.
        User (tommythegeek.com:(none)): anonymous
        331 Please specify the password.
        Password:
        230 Login successful.
        ftp> ls
        200 PORT command successful. Consider using PASV.
        425 Failed to establish connection.
        ftp> bye
    ----------------------------------------------------
    This is my vsftpd.conf file:
    Code:
        write_enable=NO
        dirmessage_enable=YES
        nopriv_user=ftpsecure
        ftpd_banner=Welcome to Tommy The Geek's FTP service.
        deny_email_enable=YES
        banned_email_file=/etc/vsftpd.banned_emails
        local_enable=YES
        anonymous_enable=YES
        anon_root=/srv/ftp
        no_anon_password=NO
        anon_world_readable_only=YES
        anon_umask=022
        anon_upload_enable=YES
        anon_mkdir_write_enable=YES
        anon_other_write_enable=YES
        log_ftp_protocol=YES
        xferlog_enable=YES
        vsftpd_log_file=/var/log/vsftpd.log
        xferlog_std_format=YES
        xferlog_file=/var/log/vsftpd.log
        dual_log_enable=YES
        ascii_upload_enable=YES
        pasv_enable=YES
        pam_service_name=vsftpd
        listen=YES
        ssl_enable=NO
        rsa_cert_file=
        dsa_cert_file=
        pasv_min_port=30000
        pasv_max_port=30100
    ---------------------------------
    The contents of vsftpd log for this transaction:
    Code:
        Tue Dec 31 15:04:07 2019 [pid 11845] CONNECT: Client "107.77.168.122"
        Tue Dec 31 15:04:07 2019 [pid 11845] FTP response: Client "107.77.168.122", "220 Welcome to Tommy The Geek's FTP service."
        Tue Dec 31 15:04:14 2019 [pid 11845] FTP command: Client "107.77.168.122", "USER anonymous"
        Tue Dec 31 15:04:14 2019 [pid 11845] [anonymous] FTP response: Client "107.77.168.122", "331 Please specify the password."
        Tue Dec 31 15:04:25 2019 [pid 11845] [anonymous] FTP command: Client "107.77.168.122", "PASS <password>"
        Tue Dec 31 15:04:25 2019 [pid 11842] [ftp] OK LOGIN: Client "107.77.168.122", anon password "fred@somwhere.com"
        Tue Dec 31 15:04:25 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "230 Login successful."
        Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP command: Client "107.77.168.122", "PORT 107,77,168,122,166,152"
        Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "200 PORT command successful. Consider using PASV."
        Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP command: Client "107.77.168.122", "NLST"
        Tue Dec 31 15:05:34 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "425 Failed to establish connection."
    Thanks & Regards Tom Bodine

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,949

    Default Re: vsftpd failed connection

    Is the firewall correctly configured (when switched on)? You need two ports to be open: ftp (21) and ftp-data (20).

    In any case, a test with a switched off firewall is always a good thing with such types of problems.
    Henk van Velden

  3. #3
    Join Date
    Sep 2012
    Posts
    5,366

    Default Re: vsftpd failed connection

    Quote Originally Posted by hcvv View Post
    You need two ports to be open: ftp (21) and ftp-data (20).
    Data direction is from server to client, so there is no need to open port 20 on the FTP server. It is the client firewall that must allow the connection from port 20 on the server to the local FTP client port.

    Or use PASV mode as suggested by server already.
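
Added example (not part of the thread): a small parser for the vsftpd protocol log from post #1 that decodes each `PORT` argument into the endpoint the server has to dial in active mode and reports how long it waited before the 425 reply. The function names and the last three sample lines are constructed for illustration.

```python
import re
from datetime import datetime

LINE = re.compile(  # protocol lines written when log_ftp_protocol=YES
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[[^\]]*\] )?FTP (?P<kind>command|response): '
    r'Client "(?P<client>[^"]+)", "(?P<text>.*)"$')

def decode_port(arg):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port) with port = p1*256 + p2 (RFC 959)."""
    n = [int(x) for x in arg.split(",")]
    if len(n) != 6 or any(not 0 <= x <= 255 for x in n):
        raise ValueError("malformed PORT argument: " + arg)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def active_failures(log_text):
    """One record per 425 reply that follows a PORT command in the same pid."""
    pending, found = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        pid, kind, text = m["pid"], m["kind"], m["text"]
        if kind == "command" and text.upper().startswith("PORT "):
            try:
                pending[pid] = [decode_port(text[5:].strip()), ts]
            except ValueError:
                pending.pop(pid, None)
        elif kind == "command" and text.upper().startswith(("PASV", "EPSV")):
            pending.pop(pid, None)   # client switched to passive mode
        elif kind == "command" and pid in pending:
            pending[pid][1] = ts     # data command: the server dials out now
        elif kind == "response" and text.startswith("425") and pid in pending:
            (ip, port), t0 = pending.pop(pid)
            found.append({"client": m["client"], "target": f"{ip}:{port}",
                          "waited_s": int((ts - t0).total_seconds()),
                          "same_host": ip == m["client"]})
    return found

# First three lines are from the log in post #1; the last three are constructed.
SAMPLE_LOG = '''\
Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP command: Client "107.77.168.122", "PORT 107,77,168,122,166,152"
Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP command: Client "107.77.168.122", "NLST"
Tue Dec 31 15:05:34 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "425 Failed to establish connection."
Tue Dec 31 15:10:02 2019 [pid 11901] [ftp] FTP command: Client "192.0.2.10", "PORT 192,0,2,10,200,1"
Tue Dec 31 15:10:02 2019 [pid 11901] [ftp] FTP command: Client "192.0.2.10", "LIST"
Tue Dec 31 15:10:03 2019 [pid 11901] [ftp] FTP response: Client "192.0.2.10", "425 Failed to establish connection."
'''
```

For the session in post #1 this reports target 107.77.168.122:42648 and a 61-second wait, which lines up with vsftpd's default `connect_timeout` of 60 seconds: the server's outbound connection got no answer at all, as happens when a client-side firewall or NAT silently drops it. A 425 that arrives within a second, as in the constructed session, points to the connection being actively refused instead.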

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,949

    Default Re: vsftpd failed connection

    Quote Originally Posted by arvidjaar View Post
    Data direction is from server to client, so there is no need to open port 20 on the FTP server. It is the client firewall that must allow the connection from port 20 on the server to the local FTP client port.

    Or use PASV mode as suggested by server already.
    I did not mention the server or the client specifically, but your addition may help in the OP's understanding.
    Henk van Velden

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,034
    Blog Entries
    2

    Default Re: vsftpd failed connection

    All FTP servers must have both port 21 (the "control", i.e. initial session setup) and port 20 (the "data" for the actual transfer of data) open, no exceptions unless you're encrypting (highly recommended if connecting over an unmanaged network). This has nothing to do with uploading and downloading; both have to be open.

    The banner should include a brief TOS because there have been cases where a simple "welcome" like what is displayed here could become the basis for legalizing all sorts of nefarious behavior. Yes, there are ancient court cases and legal precedents on specifically this subject.

    The @OP didn't post his client-side logs which are equally necessary to troubleshoot, and he has to describe the client used (web browser? CLI FTP client? Special Managed FTP client?)

    At this point I suspect that the client is trying to connect using an Active FTP connection while the server is configured to support PASV. You can look up the difference: with an Active connection, all clients are going to transfer data over port 20. With a PASV connection, the server will assign at least one port from a "high range" (greater than port 1024) for each data connection/transfer. Curiously, I'm not sure but I think the FTP server could be misconfigured here and could be assigning ports from a low range (below 1024). Needless to say, the firewall has to be configured correctly to support PASV FTP, and many firewalls can't because the secondary connection by a dynamically assigned port is not something they can do; it typically requires a pre-built rule so the User doesn't have to figure it out. Otherwise, the User can simply open the entire range, but this is not typically advisable because then those ports won't be blocked even when not used by a valid connection.

    The alternative is to configure the FTP server for Active connections (say no to PASV), and of course configure the FW accordingly. Active FTP is simpler and generally the default when a web browser is used as an FTP client. Active FTP should be fine for most low volume FTP Servers, PASV is preferred if you have a large number of simultaneous connections.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6

    Default Re: vsftpd failed connection

    Quote Originally Posted by hcvv View Post
    Is the firewall correctly configured (when switched on)? You need two ports to be open: ftp (21) and ftp-data (20).

    In any case, a test with a switched off firewall is always a good thing with such types of problems.
    It would appear that this may be the problem since the service file in /usr/lib/firewalld/services/ftp.xml only defines port 21:
    Code:
       <service>
         <short>FTP</short>
         <port protocol="tcp" port="21" />
         <module name="nf_contrack_ftp"/>
       </service>

  7. #7

    Default Re: vsftpd failed connection

    I messed around a bit trying to fix this before I got back to reading this forum, sorry. I wish I had tried fixing the firewall, but instead I have a sort of working solution:

    I tried proftpd with the same result. I could log in but not list, get or put anonymously.

    I successfully got pure-ftpd working. I can log in anonymously w/o password. I wish it would ask for an email as a password as the other servers do, but I find no setting for that. I can down and upload anonymously and as an authenticated user.


    Thanks for your help.

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,034
    Blog Entries
    2

    Default Re: vsftpd failed connection

    Quote Originally Posted by tbodine88 View Post
    I messed around a bit trying to fix this before I got back to reading this forum, sorry. I wish I had tried fixing the firewall, but instead I have a sort of working solution:

    I tried proftpd with the same result. I could log in but not list, get or put anonymously.

    I successfully got pure-ftpd working. I can log in anonymously w/o password. I wish it would ask for an email as a password as the other servers do, but I find no setting for that. I can down and upload anonymously and as an authenticated user.


    Thanks for your help.
    Simplest likely solution for any default FTP server on openSUSE...
    Assume it is configured for, or modify it to support, Active only, which means opening ports 21 and 20.
    Don't open the FW ports yourself, any/all decent FW managers like what is in openSUSE will have an FTP pre-configured rule. Inspect the rule to verify it opens at least ports 21 and 20, and enable.
    Naturally, if you do the above you can use ONLY Active FTP clients... I mentioned web browsers are generally configured this way. Actual, dedicated FTP clients will need to be configured properly.

    As for authentication,
    By default (unless something has changed), openSUSE sets up all FTP apps to integrate with your local *NIX accounts using Username and Password. If you have no reason to change or simply want to support Anonymous connections only, just use as configured (likely).
    If you do decide to change, then you can follow the documentation in the application (always installed) or online guides or copies of what is installed. FTP apps <always> have their own separate authentication system but can be sync-d or integrate with something else. It's actually not that common in my experience to use email accounts but is entirely possible... Just specify a bunch of FTP accounts with email Usernames, Or, get fancy and reference some network Authority and use whatever it provides.

    HTH,
    TSU
