vsftpd setup problems


crainey69
2008-08-18, 07:17 PM CDT
Sorry to post this here but I run F9 at home and Centos 5.2 at work. I'm working on building our website on the company server. The Fedora community is much larger and many use CentOS also so I'm hoping that someone can help.

Cory


Hello all and thanks for help!

I'm trying to set up vsftpd on CentOS 5.2. I want to be able to update our website remotely using Kompozer.

I don't want to allow any other access beyond that. I can't seem to get it working. At one point I was able to see the FTP server from home with no available files, but with no changes, when I try to refresh the pages it says the connection was reset.

I have the firewall on the CentOS box turned off for now and am forwarding all traffic through the router on ports 20-22 to the server. I am using a different port for ssh (that may be the problem), but the router already forwards traffic on that port correctly.

I can still open the http side of the server remotely, but I can't get the ftp side to open, even with no file options.

Can someone point me to a tutorial to set up vsftp to grant access remotely with credentials to my website and home files (hopefully).

Thanks

Cory

marcrblevins
2008-08-19, 01:42 AM CDT
If your website is still in /var/www/html, I use ssh for that, no exception. The ftp server is for public purposes.

Besides that, I use ssh because it retains the file timestamp when transferring files; vsftpd doesn't.

marcrblevins
2008-08-19, 01:44 AM CDT
FYI, my website used to be in /var/www in the beginning. I moved it over to my $HOME so I can use Quanta Plus; I didn't feel comfortable logging in as root just to mess with my /var/www files.

ValHolla
2008-08-19, 12:49 PM CDT
The issue sounds suspiciously like port 20 (FTP-Data) is not enabled. I am certain you do have the firewall off and everything OK on the CentOS side. I wonder whether the problem is on the home side instead. Are you logging in from your Fedora box at home? What happens if you disable the firewall on the home side?

If you are inside your "home network", do you have port forwarding set up on your router for both TCP 20 and TCP 21?

If that does not work, can you "scrub" and post your vsftpd.conf file? scrub == remove IPs, hostnames, etc.

ValHolla
2008-08-19, 12:58 PM CDT
Also, you can install Wireshark (yum -y install wireshark) and capture the packets from one side and then the other to see where the connection problem resides. It could be on the home side or on the work side.

If your work system is behind any firewalls, one of them may be blocking ftp-data.

Sniff the traffic on both sides and see where the traffic gets lost.

crainey69
2008-08-19, 06:02 PM CDT
No firewall on my home side. My ISP setup has a weird way of doing things. Best I can calculate, I'm on a subnetted private network on their router. Their router has the public IP address and I have a private IP under that.

The Linksys router at work is forwarding all port 80 traffic to the server. I temporarily allowed 20 and 21 while I was working on it. Port 80 works fine. The router forwards webmin traffic and VNC traffic to the server fine. I changed the port for ssh and it works fine with root login disabled. It's just the whole FTP thing I can't figure out.

Because of my ISP's weird way of doing it, I can't play with my test box at home because I can do all of the port forwarding in the world on my router but the connection falls apart on their router (unless you want to donate $10 a month to me for a static IP?)

Thanks!
Cory

crainey69
2008-08-19, 06:05 PM CDT
I guess the bright side of the ISP thing is, their router is an extra layer of security between me and the cruel cruel world.

ValHolla
2008-08-19, 06:27 PM CDT
Are you able to ftp to "any site"? You can test with ftp.redhat.com:
login anonymously and ls... If you get a good return, both 20 and 21 are open on your ISP's side and we need to look closer at either side.

Also, from the server, can you ftp to yourself, i.e. ftp localhost, and login successfully and get a data transfer?

crainey69
2008-08-19, 07:09 PM CDT
Yes, I have used ftp from both machines to connect to other servers.

I just checked with canyouseeme.org: the server is visible on port 21 but not port 20. I have the router set to forward ports 20-21 to the server.

Could it be that ATT/SBC Yahoo DSL blocks port 20?

my vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=077
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
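The posted file allows more than "update the website with credentials": anonymous_enable=YES is active, local users are not confined to their home directory, and passwords travel in cleartext. The script below is an added example (not from the thread or from vsftpd) that reads a constructed excerpt of that file, applies the compiled-in defaults from vsftpd.conf(5) for absent directives, lists the findings, and shows the corrected directives beside it.

```python
# Constructed excerpt of the vsftpd.conf posted above: only uncommented
# directives count, so the commented-out anon_* lines stay as comments.
SAMPLE_CONF = """\
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=077
#anon_upload_enable=YES
#chroot_list_enable=YES
connect_from_port_20=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
"""

# Compiled-in defaults that matter here (vsftpd.conf(5)); a directive that is
# absent from the file takes its default, which is why anonymous stays on.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
            "anon_upload_enable": "NO", "chroot_local_user": "NO", "ssl_enable": "NO"}

def parse_vsftpd_conf(text):
    """Return {option: value} for the active 'key=value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def effective(conf, key):
    """Value vsftpd will actually use, upper-cased for YES/NO comparison."""
    return conf.get(key, DEFAULTS.get(key, "")).upper()

def audit(conf):
    """Findings for anything wider than 'named users update the site'."""
    findings = []
    if effective(conf, "anonymous_enable") == "YES":
        findings.append("anonymous logins allowed; set anonymous_enable=NO")
    if (effective(conf, "anonymous_enable") == "YES" and effective(conf, "write_enable") == "YES"
            and effective(conf, "anon_upload_enable") == "YES"):
        findings.append("anonymous uploads allowed")
    if effective(conf, "local_enable") == "YES" and effective(conf, "chroot_local_user") != "YES":
        findings.append("local users can browse outside $HOME; set chroot_local_user=YES")
    if effective(conf, "ssl_enable") != "YES":
        findings.append("passwords cross the Internet in cleartext; set ssl_enable=YES")
    return findings

# Hardened counterpart: the same file with the findings addressed (ssl_enable
# additionally needs a certificate configured before vsftpd will start).
HARDENED_CONF = (SAMPLE_CONF.replace("anonymous_enable=YES", "anonymous_enable=NO")
                 + "chroot_local_user=YES\nssl_enable=YES\n")
```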

crainey69
2008-08-19, 07:20 PM CDT
I never set up any specifics of what is available anywhere, but I wasn't sure how. That's why I was looking for a good tutorial on how to set it up.

I'm flashing back to my college days and relational databases, trying hard to remember how to do it all. Don't use it, you lose it. When I'm done, we will be QuickBooks free. I doubt I'll ever allow customer ordering off of the local server, but I would like to be able to set it up now so my graphics designer and I can access the html files remotely. I think by the time we paid ATT for the bandwidth, we could get it hosted offsite cheaper.

Once I get the FTP server working and the basic idea of the website working, the biggest problem I have is this: we sell office machines and supplies. We also do service and have parts. I haven't figured out in my head how to receive a machine into inventory with a serial number and then have that be linked properly to the purchasing customer.

crainey69
2008-08-19, 07:30 PM CDT
OK, I can log in from the command line. I guess I need to learn a little more about apache maybe.

I was trying to use Firefox and ftp://website

When I just type ftp website at the CLI it asks for username and password.

I enter those and all is good.

ValHolla
2008-08-19, 07:38 PM CDT
Well, I don't see anything in your config file that would prohibit the transfers.
I didn't expect to, but I'm trying to be thorough in troubleshooting.

I use ATT/SBC Yahoo and I am able to ftp to redhat's site and to sunsolve.sun.com
and push files via ftp.

Do you have tcp wrappers enabled? I have seen weird problems with tcp wrappers and ftp.

You mentioned a Linksys router? Are you using stock firmware or third party?

Try setting up a port trigger.
I had to set up a port trigger for identd to enable DCC chats and file transfers via xchat, as well as setting up the port forward.

my forward range looks like

appname  start  end   protocol  IP       enabled
DCC      5050   5059  both      "my IP"  chk

my Identd trigger looks like

appname  port range    protocol  forwarded port  IP
         start  end              start  end
IdentD   6060   7000   both      113    113      "my IP"

ValHolla
2008-08-19, 07:45 PM CDT
OK, good. I thought I was going crazy, everything was looking good. I never thought to ask what client or CLI you were using....
FTP apache config example (https://www.covalent.net/resource/documentation/ftp/3/html/ch03s02.html)

crainey69
2008-08-19, 08:02 PM CDT
Thanks ValHolla,

I think that's exactly what I'm looking for. I haven't read the whole page yet, but the first part makes sense.

You saved me again!

Right now I just want to be very careful. I don't want to allow access to anything that could cause damage, and I'm still learning. I have very limited ports forwarded to the server, and the services that aren't required at this point are shut down immediately after my experimenting at night. I was messing around with iptables at home the other night and locked myself out. Went in to work early to fix it, and the one day my boss shows up way early would be that day. She couldn't get into the company file from her XP computer locally.

I have the IP range that I could potentially have at home. My boss has a static IP at home. Our office manager has a dynamic IP with ATT at home (she's the one I can't figure out). If I restrict web access to the important ports to my little range of addresses and my boss's static address, it's easy. The other one has me baffled at this point. She wants to be able to work at home. Her husband is a deputy sheriff and works nights a lot. She'd rather work at home at night when he isn't there. I don't want to put a Windows machine facing the internet and I don't want to put our Samba server facing the internet. She is my boss's daughter; maybe he would pay to get her a static IP at home, then life would be good.

Once again thanks for your help in this problem.

ValHolla
2008-08-19, 08:10 PM CDT
For the work-at-home solution, look into OpenVPN (http://openvpn.net/). That should allow for secure access from home users with either static or dynamic addresses.

jayanatl
2008-08-25, 06:08 AM CDT
Good post...
Could anyone tell me how to block ftp access based on user, group, hostname and domain name?

Thanks in advance...

marcrblevins
2008-08-25, 11:59 AM CDT
Could anyone tell me how to block ftp access based on user, group, hostname and domain name?

Look at the hosts.deny file.
More info:

man hosts.deny

ValHolla
2008-08-25, 05:14 PM CDT
Good post...
Could anyone tell me how to block ftp access based on user, group, hostname and domain name?

Thanks in advance...

hosts.deny and hosts.allow are one way to filter traffic. Be sure to keep a privileged window open while you are tinkering with hosts.allow/deny, as you can lock yourself out completely with a typo. The man pages for hosts.allow and hosts.deny are complete and relatively easy to understand for those with at least some experience with *nix operating systems.

If you are just trying to filter ftp users, you can vi /etc/ftpusers and add users to that file that are NOT allowed to ftp. It is not universal, however, although wuftpd and proftpd will use it. I am not sure about vsftpd.

jayanatl
2008-08-26, 02:37 AM CDT
Thanks for the reply... I do have some basic idea about tcpwrappers and /etc/ftpusers.... but do you know how to deny / filter based on domain name and hostname?
Like:
1) user X cannot login to server S from Domain D1
2) user X cannot login to server S from his m/c M if M is in Domain D1
3) user X can login to server S from his m/c M only if M is in Domain D1

like that ....

ValHolla
2008-08-26, 11:55 AM CDT
This is fairly easy to do and is outlined fairly well in the man pages. ;)

For a quick reference:

It is a good practice to deny everything at the start and only
allow the protocols/sites/users you want.

from man hosts_access(5):

    o A string that begins with a `.' character. A host name is matched if
      the last components of its name match the specified pattern. For
      example, the pattern `.tue.nl' matches the host name `wzv.win.tue.nl'.

    o A string that ends with a `.' character. A host address is matched if
      its first numeric fields match the given string. For example, the
      pattern `131.155.' matches the address of (almost) every host on the
      Eindhoven University network (131.155.x.x).

    o A string that begins with an `@' character is treated as an NIS
      (formerly YP) netgroup name. A host name is matched if it is a host
      member of the specified netgroup. Netgroup matches are not supported
      for daemon process names or for client user names.

    o An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
      `net/mask' pair. A host address is matched if `net' is equal to the
      bitwise AND of the address and the `mask'. For example, the net/mask
      pattern `131.155.72.0/255.255.254.0' matches every address in the
      range `131.155.72.0' through `131.155.73.255'.
    ...
    A user pattern has the same syntax as a daemon process pattern, so the
    same wildcards apply (netgroup membership is not supported). One should
    not get carried away with username lookups, though.

    o The client username information cannot be trusted when it is needed
      most, i.e. when the client system has been compromised. In general,
      ALL and (UN)KNOWN are the only user name patterns that make sense.

    o Username lookups are possible only with TCP-based services, and only
      when the client host runs a suitable daemon; in all other cases the
      result is "unknown".

    o A well-known UNIX kernel bug may cause loss of service when username
      lookups are blocked by a firewall. The wrapper README document
      describes a procedure to find out if your kernel has this bug.

    o Username lookups may cause noticeable delays for non-UNIX users. The
      default timeout for username lookups is 10 seconds: too short to cope
      with slow networks, but long enough to irritate PC users.


/etc/hosts.deny:
ALL: ALL

/etc/hosts.allow:
ALL: LOCAL @NIS-netgroup
sshd: .foobar.edu EXCEPT foo.foobar.edu
ftpd: user1@.foobar.edu user2@.foobar.edu EXCEPT foo.foobar.edu


the 2 code blocks above should provide you with the answer you are looking for.

Explanation:
ALL:ALL in the /etc/hosts.deny block stops ALL traffic from EVERYWHERE

the ALL:LOCAL @NIS-netgroup
allows all protocols from the local machine for any user in the NIS group @NIS-netgroup

the sshd: .foobar.edu EXCEPT foo.foobar.edu
allows SSH from all hosts with domain foobar.edu except those coming from foo.foobar.edu

the ftpd: user1@.foobar.edu user2@.foobar.edu EXCEPT foo.foobar.edu
allows user1 and user2 to ftp ONLY from a host in the foobar.edu domain excluding host foo.foobar.edu
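A simplified matcher for the two files above, added here as an example that is not from the post or from tcp_wrappers itself: it implements the pattern forms quoted from hosts_access(5) (ALL, LOCAL, @netgroup, .suffix, prefix., net/mask, user@host, EXCEPT) and the allow-then-deny evaluation order, so each of the three cases asked about can be traced before the real files are touched. The netgroup table, the host names, the addresses and the client dicts (host name, address, identd user name) are constructed for the demonstration.

```python
import ipaddress

# Constructed copies of the two rule files shown in the post above.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
ALL: LOCAL @NIS-netgroup
sshd: .foobar.edu EXCEPT foo.foobar.edu
ftpd: user1@.foobar.edu user2@.foobar.edu EXCEPT foo.foobar.edu
"""
NETGROUPS = {"NIS-netgroup": {"admin.foobar.edu"}}  # stand-in for NIS (assumption)

def match_host(pattern, client):
    host, addr, user = client["host"], client["addr"], client["user"]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # host name without a dot
        return "." not in host
    if pattern.startswith("@"):                  # NIS host netgroup
        return host in NETGROUPS.get(pattern[1:], set())
    if "@" in pattern:                           # user@host-pattern
        upat, hpat = pattern.split("@", 1)
        return upat in ("ALL", user) and match_host(hpat, client)
    if pattern.startswith("."):                  # domain suffix, e.g. .tue.nl
        return host.endswith(pattern)
    if pattern.endswith("."):                    # address prefix, e.g. 131.155.
        return addr.startswith(pattern)
    if "/" in pattern:                           # net/mask pair
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (host, addr)               # exact host name or address

def match_list(spec, client):
    # 'a b EXCEPT c d' matches when a or b matches and neither c nor d does
    words = spec.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return (match_list(" ".join(words[:i]), client)
                and not match_list(" ".join(words[i + 1:]), client))
    return any(match_host(w, client) for w in words)

def file_matches(text, daemon, client):
    # the first 'daemons: clients' rule whose both halves match wins
    for line in text.splitlines():
        if ":" not in line:                      # blank or comment line
            continue
        daemons, clients = line.split(":", 1)
        dl = daemons.split()
        if ("ALL" in dl or daemon in dl) and match_list(clients, client):
            return True
    return False

def access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # hosts.allow is consulted first, then hosts.deny; no match at all means allow
    return "allow" if file_matches(allow, daemon, client) or not file_matches(deny, daemon, client) else "deny"
```

Calling access("sshd", client, allow="") returns "deny" for every client, which is the lock-out a typo in hosts.allow produces once hosts.deny holds ALL: ALL. With vsftpd's tcp_wrappers=YES the daemon name to match is vsftpd rather than ftpd.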

jayanatl
2008-08-27, 01:26 AM CDT
That was a nice post...
Thx for that...