Vsftpd cannot list directories when TLS is enabled - ftp

I set up an FTP service using vsftpd on one of my Ubuntu servers. When the data was transmitted in plaintext, everything worked fine. But I need the data transmission to be encrypted, so I tried to enable TLS in vsftpd.conf. Then it will not work properly.
The version of vsftpd I installed is 3.0.3-12. The SSL certificate is self-signed by me with openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048. Here's vsftpd.conf.
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=NO
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
utf8_filesystem=YES
port_enable=NO
pasv_enable=YES
pasv_address=xxx.xx.xx.xxx(static internet ip of my server)
pasv_addr_resolve=NO
pasv_min_port=30399
pasv_max_port=30621
local_root=/var/ftp
allow_writeable_chroot=YES
The specific error is this:
When I use FileZilla in Windows, I cannot list directories after logging in correctly. It will definitely time out. I manually selected FileZilla to use passive mode.
Status: Connecting to xxx.xx.xx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/var/ftp" is the current directory
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xx,xx,xxx,119,157).
Command: LIST
Response: 150 Here comes the directory listing.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
I also tried on another Ubuntu server with ftp-ssl.
Connected to xxx.xx.xx.xxx.
220 (vsFTPd 3.0.3)
Name (xxx.xx.xx.xxx:root): xxx
234 Proceed with negotiation.
[SSL Cipher TLS_AES_256_GCM_SHA384]
200 PBSZ set to 0.
200 PROT now Private.
[Encrypted data transfer.]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Permission denied.
ftp: bind: Address already in use
After a few tries, I checked these things:
ufw allow 20,21/tcp
ufw allow 30399:30621/tcp
set the permissions of the FTP root directory to 777
disabled the firewall on my Windows client
I cannot find out where the problem is and it still cannot use TLS to transmit data.
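Two details in the logs above are worth decoding. The FileZilla 227 reply ends in 119,157, which is data port 119*256+157 = 30621, i.e. the top of the configured pasv_min_port..pasv_max_port range; and the ftp-ssl session's "bind: Address already in use" is the command-line client trying to open its own listening socket for an active-mode transfer. The following script is an added example, not part of the original question, that parses a vsftpd.conf and a FileZilla log, checks the advertised passive address and port against the configuration, and flags the caveat that matters once the control channel is under TLS: a stateful firewall's FTP helper can no longer read the 227 reply to open the data port on demand, so the passive range has to be allowed statically on every firewall in the path (a cloud provider's security group included). The configuration and log excerpts are constructed from the question, with the server's public address replaced by the placeholder 203.0.113.10.

```python
import re

# Constructed sample vsftpd.conf, modelled on the one in the question; the
# server's public address is replaced by the documentation address 203.0.113.10.
SAMPLE_CONF = """\
listen=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
port_enable=NO
pasv_enable=YES
pasv_address=203.0.113.10
pasv_addr_resolve=NO
pasv_min_port=30399
pasv_max_port=30621
"""

# Constructed FileZilla log excerpt; the 227 reply mirrors the one in the
# question (...,119,157 -> port 119*256+157 = 30621) with the placeholder address.
SAMPLE_LOG_OK = """\
Status: TLS connection established.
Status: Logged in
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,119,157).
Command: LIST
Response: 150 Here comes the directory listing.
Error: Connection timed out after 20 seconds of inactivity
"""

# Constructed variant: the server advertises a private address and a port
# outside the configured range (a typical NAT / pasv_address mistake).
SAMPLE_LOG_BAD = """\
Command: PASV
Response: 227 Entering Passive Mode (10,0,0,5,4,1).
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_vsftpd_conf(text):
    """Parse key=value lines of a vsftpd.conf; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_pasv_replies(log_text):
    """Return (host, port) for every '227 Entering Passive Mode' reply in a FileZilla log."""
    replies = []
    for m in PASV_RE.finditer(log_text):
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        # RFC 959: the port is sent as two decimal octets, high byte first
        replies.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return replies


def enabled(conf, key, default="NO"):
    """vsftpd booleans are YES/NO (case-insensitive)."""
    return conf.get(key, default).strip().upper() == "YES"


def check_pasv(conf, log_text):
    """Compare what the server advertised with what the configuration says it should."""
    findings = []
    lo = int(conf.get("pasv_min_port", 0))
    hi = int(conf.get("pasv_max_port", 0))
    expected_host = conf.get("pasv_address")
    for host, port in parse_pasv_replies(log_text):
        # pasv_min_port/pasv_max_port of 0 means "any port", so only check a real range
        if lo and hi and not lo <= port <= hi:
            findings.append(f"port {port} outside pasv_min_port..pasv_max_port ({lo}-{hi})")
        if expected_host and host != expected_host:
            findings.append(f"advertised {host} but pasv_address={expected_host}")
    if enabled(conf, "ssl_enable") and enabled(conf, "force_local_data_ssl"):
        # With the control channel under TLS, a firewall's FTP helper cannot read the
        # 227 reply and open the data port dynamically; the range must be opened statically.
        findings.append(
            "control channel is TLS-protected: firewall FTP helpers cannot track PASV, "
            f"so TCP {lo}-{hi} must be allowed explicitly on every firewall in the path"
        )
    if not enabled(conf, "port_enable", "YES"):  # vsftpd's default for port_enable is YES
        findings.append("port_enable=NO: active-mode clients (PORT/EPRT) will be refused")
    return findings


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    for name, log in (("ok", SAMPLE_LOG_OK), ("bad", SAMPLE_LOG_BAD)):
        print(name, check_pasv(conf, log))
```

Run against the constructed "ok" log the script confirms the port and address are consistent with the configuration and leaves only the two configuration notes; against the "bad" log it reports both the out-of-range port and the mismatched address, which is the first thing to rule out before looking at firewalls.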

Related

Unable to connect to FTP using FileZilla

I am trying to connect to my server using FTP but every time I try to connect I get the below error.
Status: Resolving address of ftp.bhuumi.com
Status: Connecting to 160.153.245.204:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (64,202,160,248,195,178)
Command: MLSD
Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out
I have tried changing encryption to only use plain FTP but still getting the same error
Try with SFTP once. For SSH, select port 22; mine got connected.

FileZilla - can't access folder when connecting from another computer using IP address but works on localhost

When I am connecting using localhost on the computer the FileZilla server lies on, it works perfectly fine, but when I connect with the IP address (it is port-forwarded correctly, I'm 100% sure of that) this happens:
Status: Connecting to **.**.**.**:800...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (**,**,**,**,***,***)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
Response: 425 Can't open data connection for transfer of "/"
Error: Failed to retrieve directory listing
When this happens, it's usually a firewall configuration problem.
Besides a control connection, FTP also uses a data connection on a different port that needs to be assigned before data transfers.
This means that you must open ports on your firewall to allow data transfers and, of course, you should make FileZilla Server aware of that.
For passive mode transfers, you should set a range of ports from the window below:
Of course those ports should be open at the firewall too. A longer discussion can be found here.

Connection to FTP server sometimes works and others not

I have an Ubuntu server (on Azure) running proftpd. When I try to connect to that server using FileZilla, sometimes it works and sometimes it doesn't (usually it doesn't work at first... and I need to keep trying several random times before it works... and once it does, it works for good...). This is the error I receive in the FileZilla logs:
Status: Resolving address of ftp.myserver.com
Status: Connecting to xx.xx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Command: USER my_user
Response: 331 Password required for my_user
Command: PASS *******
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of ftp.myserver.com
Status: Connecting to xx.xx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.5a Server (Debian) [xx.xx.xx.xx]
Command: AUTH TLS
Response: 500 AUTH not understood
Command: AUTH SSL
Response: 500 AUTH not understood
Status: Insecure server, it does not support FTP over TLS.
Command: USER my_user
Response: 331 Password required for my_user
Command: PASS *******
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
and this is what I see in proftpd logs:
2016-08-09 10:26:37,263 FTP proftpd[33961] 10.0.0.6 (yy.yy.yy.yy[yy.yy.yy.yy]): USER my_user: Login successful.
2016-08-09 10:26:37,264 FTP proftpd[33961] 10.0.0.6 (yy.yy.yy.yy[yy.yy.yy.yy]): FTP session closed.
2016-08-09 10:26:37,468 FTP proftpd[33970] 10.0.0.6 (yy.yy.yy.yy[yy.yy.yy.yy]): FTP session opened.
I don't know why the server closes and reopens the connection after the login but I am no FTP expert...
Any thoughts on how to fix this?
Edit:
This is the content of the proftpd.conf file
There are multiple possible causes for a delay at login time with ProFTPD. The most common causes are the mod_delay module (see its FAQ), or IdentLookups or UseReverseDNS.
However, since your delay happens after the PASS command has been sent, that rules out the IdentLookups or UseReverseDNS directives, as those pertain to the initial connection establishment, before any commands are sent.
Per discussion with the reporter, any latency added by mod_delay was ruled out. That leaves PAM, which, depending on the configuration (e.g. in /etc/pam.d/ftp) and the modules used, can add its own latency (over which ProFTPD has little control). To disable ProFTPD's use of PAM, you would use the following in the config:
<IfModule mod_auth_pam.c>
AuthPAM off
</IfModule>
The reporter mentioned that disabling the use of PAM did indeed remove the delay -- thus pointing out that one of the PAM modules was the root cause.
Hope this helps!

vsftpd - can not set PASV mode: 500 OOPS: socket

I ported vsftpd to my ARM-based board running under a Linux 3.0.8 kernel.
When I try to establish an FTP connection to the board using FileZilla (3.7.3), I get the following error:
Status: Connecting to XXX.XXX.XXX.XXX:21
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.2)
Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS **************
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 500 OOPS: socket
Error: Failed to retrieve directory listing
Error: Connection closed by server
Command: PASV
Response: 500 OOPS: socket
Error: Failed to retrieve directory listing
Error: Connection closed by server
The configuration used for my server is as follows:
listen=YES
max_clients=2
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_enable=yes
pasv_min_port=0
pasv_max_port=0
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
pam_service_name=vsftpd
port_enable=YES
log_ftp_protocol=YES
There is no firewall installed in my board.
When I force the FTP connection mode to ACTIVE mode, I can connect to the server, retrieve data, upload files ...
I tried with several FTP servers, but I always face the same issue.
Any idea what could be the issue?
Could be that there is some kernel module missing?

FTPES: Does it encrypt data?

I'm currently connected to my FTP server using FTPES.
I'm wondering: when I connect to the FTP server is the data transferred between my PC and the server encrypted? From the log I can see it is authenticated.
Here is my server log. From it, can I tell if it was encrypted?:
Status: Retrieving directory listing...
Command: CWD MyS03
Response: 250 CWD command successful
Command: PWD
Response: 257 "/MyFiles" is the current directory
Command: PASV
Response: 227 Entering Passive Mode (37,58,52,72,195,33).
Command: MLSD
Response: 150 Opening ASCII mode data connection for MLSD
Response: 226 Transfer complete
Status: Directory listing successful
Error: Connection timed out
Error: File transfer failed after transferring 155,893,760 bytes in 247 seconds
Status: Resolving address of 192.168.10.111
Status: Connecting to 11.135.156.147:21210...
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 2.3.5)
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER darklord
Status: TLS/SSL connection established.
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Command: PBSZ 0
Response: 200 PBSZ set to 0.
Command: PROT P
Response: 200 PROT now Private.
Status: Connected
Status: Starting download of /test.mov
Command: CWD /rtorrent/data
Response: 250 Directory successfully changed.
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (5,135,156,147,78,83).
Command: REST 155893760
Response: 350 Restart position accepted (55893760).
Command: RETR test.mov
Response: 150 Opening BINARY mode data connection for test.mov (197992856 bytes).
In general, FTPS (FTPES) does not necessarily mean that the data is encrypted, though typically it is (as it is in this particular instance).
Your client requested Private Data Channel Protection Level using the PROT P command. The Private level means that the data will be integrity and confidentiality protected.
As the server acknowledged the request (the response 200 PROT now Private), the data are encrypted (= confidentiality protection).
For details see the RFC 2228.
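The answer above reads the protection level off the AUTH TLS / PBSZ 0 / PROT P exchange. The script below is an added example, not part of the original answer, that replays the command/response pairs of a FileZilla log and reports whether the control channel was under TLS when the password was sent and which RFC 2228 level each data transfer ran at. RFC 4217 restricts FTP over TLS to the levels C (Clear, the default) and P (Private), so a transfer counts as encrypted only if a PROT P was accepted (200) before it and no CCC dropped the channel back to clear. The three log excerpts are constructed: the first follows the question's session with the address replaced by the placeholder 192.0.2.7, the second shows TLS on the control channel without PROT P, and the third shows plain FTP.

```python
import re

# Constructed FileZilla log following the AUTH TLS / PBSZ 0 / PROT P sequence in
# the question above (placeholder address 192.0.2.7, file name from the question).
SAMPLE_LOG_PRIVATE = """\
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Command: USER darklord
Status: TLS/SSL connection established.
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: PBSZ 0
Response: 200 PBSZ set to 0.
Command: PROT P
Response: 200 PROT now Private.
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,7,78,83).
Command: RETR test.mov
Response: 150 Opening BINARY mode data connection for test.mov (197992856 bytes).
"""

# Constructed: TLS on the control channel but no PROT P, so the data channel
# stays at the RFC 2228 default level C (Clear) and the listing is sent in plaintext.
SAMPLE_LOG_CLEAR_DATA = """\
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Command: USER darklord
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,7,195,33).
Command: MLSD
Response: 150 Opening ASCII mode data connection for MLSD
"""

# Constructed: plain FTP; the password itself crosses the network unencrypted.
SAMPLE_LOG_PLAIN = """\
Command: USER darklord
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
"""

CMD_RE = re.compile(r"^Command:\s+(\S+)(?:\s+(.*))?$")
RESP_RE = re.compile(r"^Response:\s+(\d{3})\b")
DATA_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}


def data_channel_protection(log_text):
    """Replay the command/response pairs of a FileZilla log and report the protection state.

    Returns a dict with:
      control_tls           AUTH was accepted (234), so the control channel is under TLS
      prot                  last accepted PROT level: C (clear, the default) or P (private)
      credentials_in_clear  PASS was sent while the control channel was not under TLS
      transfers             (command, argument, data_encrypted) for each 150-opened transfer
    """
    state = {"control_tls": False, "prot": "C",
             "credentials_in_clear": False, "transfers": []}
    pending = None  # the command awaiting its reply
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if m:
            pending = (m.group(1).upper(), (m.group(2) or "").strip())
            continue
        m = RESP_RE.match(line)
        if not m or pending is None:
            continue  # Status:/Error: lines carry no protocol state
        code, (cmd, arg) = int(m.group(1)), pending
        pending = None
        if cmd == "AUTH" and code == 234:
            state["control_tls"] = True
        elif cmd == "PASS" and not state["control_tls"]:
            state["credentials_in_clear"] = True
        elif cmd == "PROT" and code == 200:
            state["prot"] = arg[:1].upper()
        elif cmd == "CCC" and code == 200:
            state["control_tls"] = False  # RFC 2228 CCC: control channel back to clear
        elif cmd in DATA_CMDS and code == 150:
            # RFC 4217 allows only C and P for FTP over TLS; only P gives confidentiality,
            # so a transfer at level C sends file contents and listings in plaintext.
            state["transfers"].append((cmd, arg, state["prot"] == "P"))
    return state


if __name__ == "__main__":
    for name, log in (("private", SAMPLE_LOG_PRIVATE),
                      ("clear-data", SAMPLE_LOG_CLEAR_DATA),
                      ("plain", SAMPLE_LOG_PLAIN)):
        print(name, data_channel_protection(log))
```

The second log is the case the answer warns about: "Status: TLS connection established" on its own only tells you the login was protected; without an accepted PROT P the directory listing and any file transfer still go over the data connection in clear.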