vsftpd problem

Beralus · #1 15th June 2010, 04:50 PM

vsftpd works fine ( i 've tested in LAN aloso)
but nobody could not connect fromi nternet (WAN)
router configured properly
all servers from ssh to httpd works fine ,except vsftpd
Any ideas? thanks for any attention.
(selinux disabled)
//------------------------

Code:

[root@compname:/var/www/html] # cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
dirlist_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
chroot_local_user=YES
guest_enable=YES
connect_timeout=150
data_connection_timeout=500
dirmessage_enable=YES
connect_from_port_20=YES
pam_service_name=/etc/pam.d/vsftpd
user_sub_token=$USER
guest_username=virtualftp
local_root=/home/vweb/$USER
listen=YES
listen_port=21
#pasv_min_port=30000
pasv_max_port=1024
accept_timeout=200
#listen_ipv6=YES
ftpd_banner=welcome
xferlog_enable=YES

/////------------------------------------------

Code:

[root@compname:/var/www/html] # cat /etc/pam.d/vsftpd
#%PAM-1.0
##session    optional     pam_keyinit.so    force revoke
##auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers 
##onerr=succeed
##auth       required	pam_shells.so
##auth       include	password-auth
##account    include	password-auth
##session    required     pam_loginuid.so
##session    include	password-auth
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#session required pam_loginuid.so
[root@compname:/var/www/html] #

[/code]

Code:

[root@compname:/var/www/html] # service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@compname:/var/www/html] #

///-----------------------------------

Code:

[root@compname:/var/www/html] # ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 welcome
Name (localhost:me): virt2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,234,252).
150 Here comes the directory listing.
drwx------    2 502      501          4096 Jun 16 09:55 New Folder
-rw-------    1 502      501             0 Jun 16 06:53 virt2.txt
226 Directory send OK.
ftp>

---------- Post added at 07:50 AM CDT ---------- Previous post was at 07:43 AM CDT ----------

b.t.w , i know these
connect_timeout=150
data_connection_timeout=500
pasv_max_port=1024
accept_timeout=200
are not nomal at all ...

Keldorn · #2 15th June 2010, 06:01 PM

What about iptables?
pasv_max_port =1024. So you should run vsftpd with root privileges.

Beralus · #3 15th June 2010, 07:08 PM

Quote:

Originally Posted by Keldorn

What about iptables?
pasv_max_port =1024. So you should run vsftpd with root privileges.

Code:

[root@compname:/etc] # iptables --list |grep 1024
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:1024 
[root@compname:/etc] # iptables --list |grep ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp

nothing changed after next config

anonymous_enable=NO
dirlist_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
chroot_local_user=YES
guest_enable=YES
dirmessage_enable=YES
connect_from_port_20=YES
pam_service_name=/etc/pam.d/vsftpd
user_sub_token=$USER
guest_username=virtualftp
local_root=/home/vweb/$USER
listen=YES
listen_port=21
ftpd_banner=welcome
xferlog_enable=YES

Keldorn · #4 15th June 2010, 07:13 PM

I was talking about nf_conntrack_ftp module for FTP.
While trying to find why something don't work - don't just look at possible causes of things - remove them for a period of testing. So just disable firewall and try to connect.
Do you really understand what I am talking about?
Vsftpd running under VSFTPD user. In order to work with ports below 1024 it should have root privileges

Beralus · #5 15th June 2010, 07:20 PM

ok, i've disabled firewall , please test ftp://virt2:123@213.154.4.24 if you have a litle spare time
SElinux and firewall switched off

---------- Post added at 10:20 AM CDT ---------- Previous post was at 10:17 AM CDT ----------

is there result?

Keldorn · #6 15th June 2010, 07:21 PM

Ok, I have found your problem -) It is in router.
To solve it you should to determine port range in vsftpd with pasv_max_port and pasv_min_port and make forwarding on this ports in your router.
when it will be done everything should be ok.

Beralus · #7 15th June 2010, 07:38 PM

Current config :
may be 20-th port???

anonymous_enable=NO
dirlist_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
chroot_local_user=YES
guest_enable=YES
dirmessage_enable=YES
connect_from_port_20=YES
pam_service_name=/etc/pam.d/vsftpd
user_sub_token=$USER
guest_username=virtualftp
local_root=/home/vweb/$USER
listen=YES
listen_port=21
ftpd_banner=welcome
xferlog_enable=YES

---------- Post added at 10:25 AM CDT ---------- Previous post was at 10:22 AM CDT ----------

forfarding in router:
Server Name External Port Start External Port End Protocol Internal Port Start Internal Port End Server IP Address
FTP20 20 20 TCP 20 20 192.168.1.65
FTP Server 21 2 1 TCP 21 21 192.168.1.65

---------- Post added at 10:27 AM CDT ---------- Previous post was at 10:25 AM CDT ----------

and my only hesistaion is the router, but it does not seems wrong

---------- Post added at 10:37 AM CDT ---------- Previous post was at 10:27 AM CDT ----------

in /var/log/vsftpd.log i see even next lines:

Wed Jun 16 23:17:57 2010 [pid 2] CONNECT: Client ""XX.XXX.XXX.XX1"
Wed Jun 16 23:17:58 2010 [pid 1] [virt2] OK LOGIN: "XX.XXX.XXX.XX1"
Wed Jun 16 23:18:37 2010 [pid 2] CONNECT: Client "XX.XXX.XXX.XX1"
Wed Jun 16 23:18:37 2010 [pid 1] [virt2] OK LOGIN: Client "XX.XXX.XXX.XX1"

---------- Post added at 10:38 AM CDT ---------- Previous post was at 10:37 AM CDT ----------

zaebal moi mozgi et fignya uje s utra

Keldorn · #8 15th June 2010, 08:05 PM

It may look like this

where 20101-20201 used for FTP service.
P.S. Bad idea to use this words here.

Beralus · #9 15th June 2010, 08:29 PM

Quote:

now min/max passive ports configured.
Will you try to connect?

current config:

[root@compname:/var/log] # cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
dirlist_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
chroot_local_user=YES
guest_enable=YES
connect_timeout=120
#data_connection_timeout=500
dirmessage_enable=YES
connect_from_port_20=YES
pam_service_name=/etc/pam.d/vsftpd
user_sub_token=$USER
guest_username=virtualftp
local_root=/home/vweb/$USER
listen=YES
listen_port=21
pasv_min_port=1022
pasv_max_port=1024
#accept_timeout=200
#listen_ipv6=YES
ftpd_banner=welcome
xferlog_enable=YES
#pasv_enable=NO
[root@compname:/var