Fedora Linux Support Community & Resources Center

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

#1
19th November 2009, 07:55 PM
hichmoul
vsftpd, iptables and tcp_wrappers

Hello,

ftp from vista64 connects to fedora10 vsftpd but won't allow mput on all files.

1. cat /etc/redhat-release => Fedora release 10 (Cambridge)
2. ps auxww |grep vsftpd => root ... /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
3. ls -la /etc/vsftpd/vsftpd.conf => -rw-r--r-- 1 root root
4. rpm -qa |grep vsftpd => vsftpd-2.0.7-2.fc10.i386
5. cat /etc/hosts.allow => vsftpd: 192.168.1.
6. cat /etc/hosts.deny => sshd: ALL EXCEPT 192.168.1. <work IP>
7. cat /etc/hosts => 127.0.0.1 localhost.localdomain localhost localhost
::1 localhost6.localdomain6 localhost6
192.168.1.xxx servername servername.lan.
192.168.1.yyy vistapcname
8. cat /etc/host.conf => order hosts,bind
9. /etc/rc.d/init.d/iptables stop (stopped now)
10. grep -v \# /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ascii_upload_enable=NO
ascii_download_enable=NO
chroot_local_user=NO
chroot_list_enable=NO
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
pasv_enable=YES

11. cat chroot_list => my username
12. cat ftpusers => doesn't include my username
13. cat user_list => my username


Problem 1: An ftp session from my vista64 PC goes like:
ftp servername
Connected to servername.lan.
220 (vsFTPd 2.0.7)
User (servername.lan:(none)): myusername
331 Please specify the password.
Password:
230 Login successful.
ftp: connect
msdos prompt>

Problem 2: sometimes connect succeeds and I get the ftp prompt
230 Login successful.
ftp>
ftp> bin
200 Switching to Binary mode.
ftp> mput *.JPG
mput 1.JPG? y
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 File receive OK.
ftp: 251201 bytes sent in 0.05Seconds 5126.55Kbytes/sec.
mput 2.JPG? y
500 Illegal PORT command.
425 Use PORT or PASV first.
mput 3.JPG? y
425 Use PORT or PASV first.

It works sometimes but not always.

I just changed pasv_enable=YES to pasv_enable=NO, it logs in but I can't send files.

I debugged vista's ftp client and at some stage:
PORT 0,0,0,0,205,197
500 Illegal PORT command

I checked vista64's firewall:
On (This setting blocks all outside sources from connection ... except ..unblocked Exceptions)
Block all incoming... UNCHECKED

In the Exceptions tab:
File Transfer Program is CHECKED => Properties Path C:\windows\system32\ftp.exe
Scope: Any computer

Can anyone bring light on this behaviour?

regards,
Reply With Quote
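Added example (not part of the original post, and not vsftpd's own code): a sketch of the check an FTP server applies to a PORT argument, run over the `PORT 0,0,0,0,205,197` command from the post above. vsftpd documents a `port_promiscuous` option (default NO) whose check ensures that data connections can only go back to the connecting client; the function names, the client address 192.168.1.50 and the unconditional privileged-port rule are assumptions of this sketch.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("expected six decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field outside 0-255")
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer, promiscuous=False):
    """Return (reply_code, reason) for a PORT argument.

    control_peer: source address of the client's control connection.
    promiscuous:  models port_promiscuous=YES, which skips the peer check.
    """
    try:
        addr, port = parse_port_arg(arg)
    except ValueError as exc:
        return 500, f"malformed PORT argument: {exc}"
    if port < 1024:
        return 500, f"port {port} is in the privileged range"
    if not promiscuous and addr != ipaddress.IPv4Address(control_peer):
        return 500, f"{addr} is not the control-connection peer {control_peer}"
    return 200, f"data connection to {addr}:{port} allowed"

# Constructed client address standing in for 192.168.1.yyy from the post.
CLIENT = "192.168.1.50"
SAMPLES = [
    "0,0,0,0,205,197",        # the argument the Vista client sent (from the post)
    "192,168,1,50,205,197",   # constructed: same port, correct client address
    "10,0,0,7,205,197",       # constructed: address of a host other than the client
    "192,168,1,50,0,22",      # constructed: privileged port
]

if __name__ == "__main__":
    for arg in SAMPLES:
        code, reason = check_port_command(arg, CLIENT)
        print(f"PORT {arg:<22} -> {code} {reason}")
```

Under this check the 0,0,0,0 address fails the peer comparison whatever the firewall state on either machine, while the same port with the client's real address is accepted.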
#2
17th December 2009, 07:19 PM
hichmoul
hello

Does anyone have any ideas about what's going on?

regards,
#3
17th December 2009, 07:37 PM
jpollard
It sounds like a misuse/limit on the ports available for the data channel.

This might be corrected by using the passive mode FTP (the "Use PORT or PASV
first." is a hint).

One reason this can happen is that some data ports that would normally be used
are also used by botnets for communication. Frequently these ports are
automatically blocked by firewalls. In other cases, this can happen if the server
is overloaded (unlikely in this case).

vsftpd has a configuration file that defines the limits on the ports it will use,
but since I don't use ftpd I don't know offhand where that is.

Last edited by jpollard; 17th December 2009 at 07:45 PM.
#4
21st December 2009, 05:41 AM
blittle
Have you tried using a different ftp client?
#5
27th December 2009, 05:52 AM
lensman3
Try the sftp client interface for ssh. Works very well, and data stream is encrypted. Ssh is already running on a standard F12 install.

Filezilla is free and works both from Linux and Windows into a sftp/ssh server.
Tags
iptables, tcpwrappers, vsftpd
