VSFTP Not Allowing External Connections.

jkraw90 · October 6, 2011, 8:13am

I have vsftpd setup on my system to act as an FTP server. It works perfectly as an internal connection but it rejects any external connections. I’m using custom port 5602, and it is forwarded on my router. I am trying to connect via a dyndns hostname, but get the same result when trying via direct IP. The error returned from client FileZilla (but also everything other client I have tried, both Linux and Windows) is;

Status:	Resolving address of EDITED.OUT.HOSTNAME
Status:	Connecting to EDITED.OUT.IP:5602...
Status:	Connection established, waiting for welcome message...
Response:	220 Welcome To FTP Server.
Command:	USER akks
Response:	331 Please specify the password.
Command:	PASS **********
Response:	230 Login successful.
Command:	SYST
Response:	215 UNIX Type: L8
Command:	FEAT
Response:	211-Features:
Response:	 EPRT
Response:	 MDTM
Response:	 REST STREAM
Response:	 SIZE
Response:	 TVFS
Response:	 UTF8
Response:	211 End
Command:	OPTS UTF8 ON
Response:	200 Always in UTF8 mode.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	550 Permission denied.
Command:	PORT 192,168,1,101,162,72
Response:	500 Illegal PORT command.
Error:	Failed to retrieve directory listing

The current vsftpd config file is.

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# ################
# General Settings
# ################
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
ftpd_banner=Welcome To Flatlines FTP Server.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# If  enabled,  all  user  and  group  information in
# directory listings will be displayed as "ftp".
#hide_ids=YES
#
# #######################
# Local FTP user Settings
# #######################
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
#
# ##########################
# Anonymus FTP user Settings
# ##########################
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#anon_max_rate=7200
#
# Anonymous users will only be allowed to download files which are
# world readable.
anon_world_readable_only=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#anon_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# ############
# Log Settings
# ############
#
# Log to the syslog daemon instead of using an logfile.
syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
#log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#setproctitle_enable=YES
#
# #################
# Transfer Settings
# #################
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the  PASV  method of obtaining a data
# connection.
pasv_enable=NO
#
#
# PAM setting. Do NOT change this unless you know what you do!
pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=NO
#
# Limit passive ports to this range to assis firewalling
pasv_min_port=0

pasv_max_port=0

listen_port=5602

pasv is currently disabled cause I was getting numerous errors trying to connect with it turned on so was experimenting with it turned off.

ken_yap · October 6, 2011, 11:24am

The clue is the PORT command that failed at the end. As you see it asked the client to connect to a private address 192,168,1,101 for the data connection. This obviously doesn’t work for clients that are outside the firewall. What the client should see is a PORT command to connect to the externally visible address of the FTP server + port that is NATed to the internal address + port.

Normally this is taken care of by the firewall by a NAT module that modifies the command stream and transparently replaces the internal IP with the external IP. Linux firewalls use the nf_conntrack_ftp iptables module, but if you have some other kind of firewall, it may or may not be supported.

Here is an explanation of active and passive FTP. This also shows you why FTP is a pain to support through firewalls.

http://slacksite.com/other/ftp.html

jkraw90 · October 6, 2011, 10:37pm

Manged to fix this myself, here is the updated/changed vsftpd.conf file.

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# ################
# General Settings
# ################
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
ftpd_banner=Welcome FTP Server.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# If  enabled,  all  user  and  group  information in
# directory listings will be displayed as "ftp".
#hide_ids=YES
#
# #######################
# Local FTP user Settings
# #######################
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
#
# ##########################
# Anonymus FTP user Settings
# ##########################
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#anon_max_rate=7200
#
# Anonymous users will only be allowed to download files which are
# world readable.
anon_world_readable_only=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#anon_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# ############
# Log Settings
# ############
#
# Log to the syslog daemon instead of using an logfile.
syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#setproctitle_enable=YES
#
# #################
# Transfer Settings
# #################
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# Set to NO if you want to disallow the  PASV  method of obtaining a data
# connection.
pasv_enable=YES
#
# PAM setting. Do NOT change this unless you know what you do!
pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=NO
#
# Limit passive ports to this range to assis firewalling
pasv_min_port=7000

pasv_max_port=7050

listen_port=5602

pasv_address=example.hostname.com

pasv_addr_resolve=YES

Run down of the changes;

Removed option

connect_from_port_20

as I’m not using default port 20 for security reasons.

Enabled passive mode with option

pasv_enable=YES

Set a range for passive ports with the two options

pasv_min_port=7000

and

pasv_max_port=7050

, reason for having 50 ports is to accommodate multiple connections, and/or transfers of lots of small files, since TCP protocol can’t use the same port again instantly after using it, it needs a small delay.

Defined the hostname I’m using in the option

pasv_address=example.hostname.com

, note I used a hostname here, not an IP address as my connection uses a dynamic IP. This option can only work with a hostname if the next option is enabled.

Then added option

pasv_addr_resolve=YES

, so I could use hostname rather than IP above.

Lastly I added the range 7000 to 7050 into my Port Forwarding on my router.

Connections now work perfectly.

robin_listas · October 7, 2011, 12:53am

On 2011-10-06 22:46, jkraw90 wrote:
> Connections now work perfectly.

Glad to know. Thanks for posting your solution.

–
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

tsu2 · October 7, 2011, 1:00am

Interesting,
But I have a question why you believe that changing port 20 to something else significantly improves security. Port 21 is the port used for initializing an FTP session, port 20 is only used for the secondary connection (data transfer) for Active FTP. Unless some idiot is banging away trying to cause a Denial of Service, I don’t see how changing the port improves security. Also, port 20 should be irrelevant for PASV FTP, I think you should know this already because you’ve configured your range of ports for data connections.

If you really meant you were not using port 21, the improved security is still likely minimal at best. It’s trivial nowadays for port scanners and exploits to test ports for the actual service behind so it’s probably makes more sense to just leave Services configured with their default settings.

Would be interested in your idea behind this port change.

TIA,
Tony

jkraw90 · October 7, 2011, 5:35am

Everything you say is perfectly correct. With most good port scanners these days it ain’t going to make a slight bit of difference. However from security experience, I’ve found most script kiddies will mass scan IP ranges and because of the time involved in scanning every port, will tend to limit the search to 1 - 1024 range, as they are looking for a “quick attack”. It’s also partly habit as when I used to run a FTP server under Windows I used to get a fair amount of abuse traffic mainly from Russian IP ranges, although I wouldn’t really class it as DoS level, from default ports, so got into habit of changing them.

Basically it doesn’t really cost me anything, but has a slight chance of making attackers job harder, or dettered, so why not?

offenSuse · April 8, 2013, 5:59pm

Sorry for reopen this thread so later but is the first in a google search and i want to add information.

I have configured an vsftpd with openSUSE 12.2 32bit. I configured automatically FTP Server with Yast but for a few days i couldn’t connect externally from from my local network. I tried all and this is the best thread to configure it but i have to add that the order in the configuration file is so important. I tried pure-ftpd but without sucess, always timeout without welcome message.

First I add at the end of configuration file the pasv_address and pasv_resolve but this not solve the problem. The order in the file must be first configuration and then enable:


listen_port=2121
pasv_min_port=30000               #configuration of min_port
pasv_max_port=30100              #configuration of max_port
pasv_address=200.90.98.246     #configuration of pasv_address
pasv_addr_resolve=YES            #configuration of addr_resolve
pasv_enable=YES                    #pasv ENABLE  

#pasv_enable must be inserted at the end of pasv configuration and before
#of the rest of configuration, i don't know the reason but i can imagine it

anon_mkdir_write_enable=NO
anon_upload_enable=NO
chroot_local_user=YES
ftpd_banner=Mensaje de bienvenida
idle_session_timeout=900
log_ftp_protocol=YES
max_clients=10
max_per_ip=3  
ssl_sslv2=NO  
ssl_sslv3=NO  
ssl_tlsv1=NO  
anon_root=/srv/ftp
local_max_rate=20480

Regards