vsftpd is being a bitch


Post by ayu »

I figured using Samba to get files from home when I'm in school isn't very secure, so I installed vsftpd with SSL support. The problem is that I can't seem to list the directories. Here's what I get from trying to connect and list....
clare:/home/cats# ftp-ssl
ftp> o
(to) 192.168.0.6
Connected to 192.168.0.6.
220 (vsFTPd 2.0.6)
Name (192.168.0.6:cats): cats
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
"The best place to hide a tree, is in a forest"

Post by bad_brain »

200 PORT command successful. Consider using PASV.
as it says, use "passive (port) mode", simply look for it in the ftp client settings... :wink:

Post by ayu »

bad_brain wrote:
200 PORT command successful. Consider using PASV.
as it says, use "passive (port) mode", simply look for it in the ftp client settings... :wink:

yeah ^^ doesn't work

here's my config....(removed the commented parts)
ssl_enable=YES
pasv_enable=YES
pasv_promiscuous=YES
tcp_wrappers=YES
listen=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=cats
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/apache2/apache.pem
"The best place to hide a tree, is in a forest"

Post by bad_brain »

um, tried it with forcing active mode in the ftp client settings? I (or better people using ftp accounts on my servers) experienced this too, and using "the other" mode always worked...I simply can't remember if it was active or passive mode that had to be used because I never use ftp (using SSH).

the only thing that looks a little strange in your config is maybe the use of SSL, possibly your client doesn't support it...so try it with disabled SSL too. in case nothing works kick vsftpd off the box and use proftpd instead, it's more stable and afaik there haven't been such nasty security flaws for it like for vsftpd....and I also can supply you with a working config for it... :wink:

Post by ayu »

bad_brain wrote:
um, tried it with forcing active mode in the ftp client settings? I (or better people using ftp accounts on my servers) experienced this too, and using "the other" mode always worked...I simply can't remember if it was active or passive mode that had to be used because I never use ftp (using SSH).

the only thing that looks a little strange in your config is maybe the use of SSL, possibly your client doesn't support it...so try it with disabled SSL too. in case nothing works kick vsftpd off the box and use proftpd instead, it's more stable and afaik there haven't been such nasty security flaws for it like for vsftpd....and I also can supply you with a working config for it... :wink:

Thanks, I'll look into proftpd later =)

Well, the reason that I installed vsftpd with SSL was that I wanted a safe way to get stuff from home when I'm in school, since Samba doesn't cope well with SSL, nor does it support changing ports since the clients seem to be forced to use the 139,445 ports.

So removing SSL would be killing the purpose of the project ^^ and I read on a blog that vsftpd would work well with it. And I found a client that supports SSL so it's not that (ftp-ssl, simply)

But yeah I'll read up on proftpd then. Does it support SSL?
"The best place to hide a tree, is in a forest"

Post by bad_brain »

oh, if you want to use SSL I have to ask you if you have generated the keys (all in one line):

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

then you also need to edit your conf:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

don't forget to restart the service afterwards...;)
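The two configs in this thread (ayu's original one with pasv_promiscuous=YES and the Apache certificate, and the SSL block suggested just above) are a good input for a small checker. What follows is an added example, not part of the thread and not a vsftpd tool: it parses the vsftpd.conf key=value format and reports the settings that weaken the setup. The DEFAULTS table is my recollection of the built-in defaults from vsftpd.conf(5) for options a file leaves unset, and the rule that a dedicated key pair lives under /etc/vsftpd/ is an assumption of this example; both are marked in the code. Note that the suggested block is flagged for force_local_logins_ssl=NO and force_local_data_ssl=NO, because those settings let a client that never issues AUTH TLS log in and transfer in clear text, which is the trade-off the post makes for client compatibility.

```python
"""Added example (not vsftpd's own tooling): parse a vsftpd.conf and flag
the SSL and passive-mode settings that matter in this thread.

vsftpd.conf is one key=value per line, '#' starts a comment, no spaces
around '='. DEFAULTS is what I recall from vsftpd.conf(5) for options the
file leaves unset; check it against the manual of the version you run.
"""
from typing import Dict, List, Tuple

DEFAULTS: Dict[str, str] = {
    "ssl_enable": "NO",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
    "allow_anon_ssl": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "pasv_enable": "YES",
    "pasv_promiscuous": "NO",
    "port_promiscuous": "NO",
}

# Assumption of this example: the FTP daemon's own key pair lives here;
# a certificate file anywhere else is treated as shared with another service.
VSFTPD_CERT_DIR = "/etc/vsftpd/"


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf text into a dict; a later duplicate key wins."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def effective(conf: Dict[str, str], key: str) -> str:
    """Value in effect: the explicit setting, else the built-in default."""
    return conf.get(key, DEFAULTS.get(key, "")).upper()


def audit(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (option, reason) pairs for settings that weaken the setup."""
    findings: List[Tuple[str, str]] = []
    if effective(conf, "ssl_enable") != "YES":
        findings.append(("ssl_enable", "TLS is off: passwords and data travel in clear text"))
        return findings
    for opt in ("ssl_sslv2", "ssl_sslv3"):
        if effective(conf, opt) == "YES":
            findings.append((opt, "obsolete protocol version enabled"))
    if effective(conf, "force_local_logins_ssl") == "NO":
        findings.append(("force_local_logins_ssl",
                         "logins without TLS allowed: a client that skips AUTH TLS sends the password in clear"))
    if effective(conf, "force_local_data_ssl") == "NO":
        findings.append(("force_local_data_ssl",
                         "unencrypted data channel allowed: listings and files may cross the wire in clear"))
    for opt in ("pasv_promiscuous", "port_promiscuous"):
        if effective(conf, opt) == "YES":
            findings.append((opt, "data connections allowed with hosts other than the control-connection peer"))
    cert = conf.get("rsa_cert_file", "")
    if cert and not cert.startswith(VSFTPD_CERT_DIR):
        findings.append(("rsa_cert_file",
                         f"{cert} looks shared with another service; give vsftpd its own key pair"))
    return findings


# Sample input taken from the thread: ayu's posted config (comments removed) ...
AYU_CONF = """\
ssl_enable=YES
pasv_enable=YES
pasv_promiscuous=YES
tcp_wrappers=YES
listen=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=cats
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/apache2/apache.pem
"""

# ... and the SSL block bad_brain suggested in reply.
BB_CONF = """\
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""

if __name__ == "__main__":
    for name, text in (("ayu", AYU_CONF), ("bad_brain", BB_CONF)):
        for opt, why in audit(parse_vsftpd_conf(text)):
            print(f"{name}: {opt}: {why}")
```

Run it on a real file with `audit(parse_vsftpd_conf(open("/etc/vsftpd.conf").read()))`; an empty finding list means none of the checked options is in a permissive state.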

Post by ayu »

yeah I tried some of that before, not all of it though because it wasn't present at the site where I read about it. But I'll give it a shot =)

Thanks man ^^


PS: yeah I generated the keys all in one
"The best place to hide a tree, is in a forest"

Post by ayu »

*bumper post*

:D
Connected to xxx.xx.x.202.
220 (vsFTPd 2.0.6)
Name (xxx.xx.x.202:cats): cats
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> cd /mnt
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,6,96,144)
150 Here comes the directory listing.
drwxrwxrwx 1 0 0 4096 Aug 25 15:29 gb100
drwxrwxrwx 1 0 0 16384 Aug 31 13:16 gb500
226 Directory send OK.
ftp>

Works with SSL now =D, AND trigger ports ^^
"The best place to hide a tree, is in a forest"
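The difference between the PORT failure in the first post and the PASV success above, as an added example that is not part of the thread: a Python helper that parses vsftpd's 227 reply (the data port is p1*256+p2, so (96,144) is port 24720) and builds the PORT command of active mode. With PORT the server has to open a connection back to the client, which a firewall or NAT in front of the client blocks and the server reports as "425 Failed to establish connection"; with PASV the client connects out. The helper also applies the check a careful client makes: if the advertised address differs from the one the control connection goes to (the session above shows the private 192.168.0.6 advertised on a connection to xxx.xx.x.202, which is what vsftpd does behind NAT when pasv_address is not set), it connects to the control peer instead of following the redirect. The address 203.0.113.202 is a placeholder for the masked public address.

```python
"""Added example (not from the thread): parse a vsftpd 227 "Entering Passive
Mode" reply and build the PORT command a client sends in active mode.

Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and the *server* opens
the data connection to it (vsftpd from port 20 when connect_from_port_20=YES);
an inbound filter on the client side turns that into
"425 Failed to establish connection". Passive mode: the server advertises
h1,h2,h3,h4,p1,p2 in a 227 reply and the *client* connects out.
"""
import ipaddress
import re
from typing import Tuple

# 227 reply: six decimal bytes in parentheses; the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str, control_peer: str) -> Tuple[str, int]:
    """Return the (host, port) the client should open the data channel to.

    control_peer is the address the control connection already goes to. If
    the server advertises a different address, use the control peer instead:
    a server behind NAT without pasv_address advertises its private address,
    and a hostile server must not be able to steer the data connection to a
    third host.
    """
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    advertised = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        # A data port below 1024 points at a privileged service, not at a
        # vsftpd data listener; treat the reply as bogus.
        raise ValueError(f"refusing privileged data port {port}")
    host = advertised if advertised == control_peer else control_peer
    return host, port


def build_port(local_ip: str, local_port: int) -> str:
    """Build the PORT command for a client listening on local_ip:local_port."""
    packed = ipaddress.IPv4Address(local_ip).packed  # also validates the address
    if not 1024 <= local_port <= 65535:
        raise ValueError(f"data port must be unprivileged: {local_port}")
    octets = ",".join(str(b) for b in packed)
    return f"PORT {octets},{local_port // 256},{local_port % 256}"


if __name__ == "__main__":
    # Reply from the thread's successful session, seen on the LAN.
    print(parse_pasv("227 Entering Passive Mode (192,168,0,6,96,144)", "192.168.0.6"))
    # Same reply seen from outside: the private address is ignored and the
    # data channel goes to the control peer (203.0.113.202 is a placeholder).
    print(parse_pasv("227 Entering Passive Mode (192,168,0,6,96,144)", "203.0.113.202"))
    # The PORT command a client at 192.168.0.5 would send for the same port.
    print(build_port("192.168.0.5", 24720))
```

The fallback to the control peer is what several graphical and command-line clients do when the advertised address is private or differs from the connected one; on the server side the cleaner fix is to set pasv_address to the public address and a fixed pasv_min_port/pasv_max_port range so the firewall only needs to open those ports.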

Post by bad_brain »

um, so it was the key? or the port mode? or both? :-k

Post by ayu »

bad_brain wrote:
um, so it was the key? or the port mode? or both? :-k

must have been the port mode =/ because the key that I used before worked for apache2 without any issues. And it was the same type of key with the same info, but I changed just in case.
"The best place to hide a tree, is in a forest"
