vsftpd failed connection

tbodine88 · December 31, 2019, 10:31pm

I am trying to set up an ftp server using opensuse.

I can connect to the server, but can not get listings, put, nor get files

How must I change the set up so ftp will work?

This is what I see from a Clent PC:


    $ ftp tommythegeek.com
    Connected to tommythegeek.com.
    220 Welcome to Tommy The Geek's FTP service.
    User (tommythegeek.com:(none)): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    425 Failed to establish connection.
    ftp> bye

This is my vsftpd.conf file:


    write_enable=NO
    dirmessage_enable=YES
    nopriv_user=ftpsecure
    ftpd_banner=Welcome to Tommy The Geek's FTP service.
    deny_email_enable=YES
    banned_email_file=/etc/vsftpd.banned_emails
    local_enable=YES
    anonymous_enable=YES
    anon_root=/srv/ftp
    no_anon_password=NO
    anon_world_readable_only=YES
    anon_umask=022
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    log_ftp_protocol=YES
    xferlog_enable=YES
    vsftpd_log_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    xferlog_file=/var/log/vsftpd.log
    dual_log_enable=YES
    ascii_upload_enable=YES
    pasv_enable=YES
    pam_service_name=vsftpd
    listen=YES
    ssl_enable=NO
    rsa_cert_file=
    dsa_cert_file=
    pasv_min_port=30000
    pasv_max_port=30100

The contents of vsftpd log for this transaction:


    Tue Dec 31 15:04:07 2019 [pid 11845] CONNECT: Client "107.77.168.122"
    Tue Dec 31 15:04:07 2019 [pid 11845] FTP response: Client "107.77.168.122", "220 Welcome to Tommy The Geek's FTP service."
    Tue Dec 31 15:04:14 2019 [pid 11845] FTP command: Client "107.77.168.122", "USER anonymous"
    Tue Dec 31 15:04:14 2019 [pid 11845] [anonymous] FTP response: Client "107.77.168.122", "331 Please specify the password."
    Tue Dec 31 15:04:25 2019 [pid 11845] [anonymous] FTP command: Client "107.77.168.122", "PASS <password>"
    Tue Dec 31 15:04:25 2019 [pid 11842] [ftp] OK LOGIN: Client "107.77.168.122", anon password "fred@somwhere.com"
    Tue Dec 31 15:04:25 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "230 Login successful."
    Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP command: Client "107.77.168.122", "PORT 107,77,168,122,166,152"
    Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "200 PORT command successful. Consider using PASV."
    Tue Dec 31 15:04:33 2019 [pid 11852] [ftp] FTP command: Client "107.77.168.122", "NLST"
    Tue Dec 31 15:05:34 2019 [pid 11852] [ftp] FTP response: Client "107.77.168.122", "425 Failed to establish connection."

Thanks & Regards Tom Bodine

hcvv · January 1, 2020, 10:45am

Is the firewall correctly configured (when switched on)? You need two ports to be open: ftp (21) and ftp-data (20).

In any case, a test with a switched off firewall is always a good thing with such types of problems.

arvidjaar · January 1, 2020, 11:19am

Data direction is from server to client, so there is no need to open port 20 on FTP server. It is client firewall that must allow connection from port 20 on server to local FTP client port.

Or use PASV mode as suggested by server already.

hcvv · January 1, 2020, 2:10pm

I did not mention the server or the client specificaly, but your addition may help in the OPs understanding.

tsu2 · January 1, 2020, 4:47pm

All FTP servers must have both port 21 (the “control” ie initial session setup) and port 20 (the “data” for the actual transfer of data) open, no exceptions unless you’re encrypting (highly recommended if connecting over an unmanaged network). Has nothing to do with uploading and downloading, both have to be open.

The banner should include a brief TOS because there have been cases where a simple “welcome” like what is displayed here could become the basis for legalizing all sorts of nefarious behavior. Yes, there are ancient court cases and legal precedents on specifically this subject.

The @OP didn’t post his client-side logs which are equally necessary to troubleshoot, and he has to describe the client used (web browser? CLI FTP client? Special Managed FTP client?)

At this point I suspect that the client is trying to connect using an Active FTP connection while the server is configured to support PASV. You can look up the difference, with an Active connection, all clients are going to transfer data over port 20. With a PASV connection, the server will assign at least one port from a “high range” (greater than port 1024) for each data connection/transfer. Curiously, I’m not sure but I think the FTP server could be misconfigured here, could be assigning ports from a low range (below 1024). Needless to say, the firewall has to be configured correctly to support PASV FTP and many firewalls can’t because the secondary connection by a dynamically assigned port is not something they can do, it typically requires a pre-built rule so the User doesn’t have to figure it out. Otherwise, the User can simply open the entire range but this is not typically advisable because then those ports won’t be blocked even when not used by a valid connection.

The alternative is to configure the FTP server for Active connections (say no to PASV), and of course configure the FW accordingly. Active FTP is simpler and generally the default when a web browser is used as an FTP client. Active FTP should be fine for most low volume FTP Servers, PASV is preferred if you have a large number of simultaneous connections.

TSU

tbodine88 · January 1, 2020, 8:50pm

It would appear that this may be the problem since the service file in /usr/lib/firewalld/services/ftp.xml only defines port 21:


   <service>
     <short>FTP</short>
     <port protocol="tcp" port="21" />
     <module name="nf_contrack_ftp"/>
   </service>

tbodine88 · January 1, 2020, 9:01pm

I messed around a bit trying to fix this before I got back to reading this Forum sorry, I wish I had tried fixing the firewall but instead I have a sort of working solution:

I tried proftpd with the same result. I could log in but not list, get or put anonymously.

I successfully got pure-ftpd working. I can login anonymously w/o password. I wish It would ask for a email as a password as the other servers do, but I find no setting for that. I can down and upload anonymously and as an authenticated user.

Thanks for your help.

tsu2 · January 1, 2020, 10:06pm

Simplest likely solution for any default FTP server on openSUSE…
Assume is configured for, or modify to support Active only which means opening ports 21 and 20.
Don’t open the FW ports yourself, any/all decent FW managers like what is in openSUSE will have an FTP pre-configured rule. Inspect the rule to verify it opens at least ports 21 and 20, and enable.
Naturally, if you do the above you can use ONLY Active FTP clients… I mentioned web browsers are generally configured this way. Actual, dedicated FTP clients will need to be configured properly.

As for authentication,
By default (unless something has changed), openSUSE sets up all FTP apps to integrate with your local *NIX accounts using Username and Password. If you have no reason to change or simply want to support Anonymous connections only, just use as configured (likely).
If you do decide to change, then you can follow the documentation in the application (always installed) or online guides or copies of what is installed. FTP apps <always> have their own separate authentication system but can be sync-d or integrate with something else. It’s actually not that common in my experience to use email accounts but is entirely possible… Just specify a bunch of FTP accounts with email Usernames, Or, get fancy and reference some network Authority and use whatever it provides.

HTH,
TSU