  1. #1 (Just Joined!; Join Date Mar 2009; Posts 4)

    VSFTPD login failures

    I have had vsftpd running on an external server without issue for months if not over a year, and earlier today I logged on and downloaded a large file (approx. 1 GB). The file took a little while to download, so I went on to other things while the download ran. I thought nothing of it, until later that day a coworker was trying to connect to the server, and he was unable to login. My download had been done for at least an hour or two, and my connection had timed out.

    I checked to see if I could login from my computer, and I received a strange error. My attempts to login brought up these responses:

    Status: Connecting to xxx.xxx.xxx.xxx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 (vsFTPd 2.0.1)
    Command: USER yyyyyyyyyyyyyyy
    Error: Could not connect to server
    Status: Waiting to retry...

    The login information that worked earlier today was saved in the ftp client, but to be safe I tried entering the username and password manually, and I still had no luck.

    It doesn't appear to be a connection issue as the server responds when I provide a username. I don't know what could have changed for the users, though, that would cause this to happen. There are 4 FTP accounts that have access to different areas of the server, and they are all experiencing the same issue.

    I am the only person with ssh access to this server, and I hadn't logged in today before this happened. I have stumbled around google for hours trying to track down a solution, but everything I have found seems to point to fresh installs missing PAM settings or not being configured properly as a standalone installation. I couldn't find a single reference to a long-standing installation having these types of problems.

    Nothing else on the server appears to be having any trouble, so I have to say that I'm completely stumped. Does anyone have any thoughts on the subject?

    Thanks!

  2. #2 Felarin (Linux User; Join Date Mar 2007; Location Brazil or Singapore; Posts 314)
    Tell me the output of

    df -kh

    and

    service vsftpd status
    "A graphical user interface is just a mask. What lies beneath is what matters."

  3. #3 (Just Joined!; Join Date Mar 2009; Posts 4)
    Thanks for the response, Felarin. Here's the output for those two commands:

    Filesystem Size Used Avail Use% Mounted on
    /dev/hda3 74G 14G 57G 19% /
    /dev/hda1 160M 50M 102M 33% /boot
    none 220M 0 220M 0% /dev/shm


    vsftpd (pid 6721) is running...

  4. #4 Felarin (Linux User; Join Date Mar 2007; Location Brazil or Singapore; Posts 314)
    What about the output of

    telnet localhost 21

    telnet [public ip address] 21

    and iptables --list

    and

    cat /etc/vsftpd/vsftpd.conf
    "A graphical user interface is just a mask. What lies beneath is what matters."

  5. #5 (Just Joined!; Join Date Mar 2009; Posts 4)
    telnet localhost 21

    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 (vsFTPd 2.0.1)



    telnet [public ip address] 21

    Trying xxx.xxx.xxx.xxx...
    (hangs here)


    iptables --list

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
    ACCEPT all -- anywhere anywhere state ESTABLISHED
    ACCEPT all -- anywhere anywhere state RELATED
    ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere tcp dpt:imap
    ACCEPT udp -- anywhere anywhere udp dpt:imap
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpts:4000:4010
    ACCEPT tcp -- anywhere anywhere tcp dpt:10000
    ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
    ACCEPT udp -- anywhere anywhere udp dpt:tproxy
    ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
    LOG all -- anywhere anywhere LOG level debug prefix `DROPPED = '
    ACCEPT all -- 10.1.1.0/24 anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination



    cat /etc/vsftpd/vsftpd.conf

    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/vsftpd.log
    #
    # If you want, you can have your log file in standard ftpd xferlog format
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    #idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    #data_connection_timeout=120
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that turning on ascii_download_enable enables malicious remote parties
    # to consume your I/O resources, by issuing the command "SIZE /big/file" in
    # ASCII mode.
    # These ASCII options are split into upload and download because you may wish
    # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
    # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
    # on the client anyway..
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    #ftpd_banner=Welcome to blah FTP service.
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd.banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsftpd.chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES

    pam_service_name=vsftpd
    userlist_enable=YES
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES
    pasv_enable=YES
    pasv_max_port=4010
    pasv_min_port=4000
    #background=YES




    Thanks again for taking the time to look! What would cause the telnet command not to connect when using the public IP address?

  6. #6 Felarin (Linux User; Join Date Mar 2007; Location Brazil or Singapore; Posts 314)
    Get rid of the 2 irrelevant rules individually at the top for this. Put them in one rule.

    iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

    Insert this command above as root

    After that

    service iptables save
    service iptables restart

    Also, it states in your connection that ftp-data originating port is 20. I'd suggest you open this up in your firewall as well.

    You can also use pasv port ranges instead. Note that whatever you open up for your service, you must also open up via iptables and your router+firewall if there is one in place. Best way to troubleshoot is to turn off all your firewalls for said ftp machine and test if it works. If it does, it's a policy or a lack of one that's causing the problem.
    "A graphical user interface is just a mask. What lies beneath is what matters."
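Added example (not from the thread, and not vsftpd's or iptables' own code): a small Python audit that parses the `iptables --list` output posted in #5 and checks the points #6 raises. An abridged copy of that INPUT chain is embedded as constructed sample input. It reports whether port 21 and the pasv range 4000:4010 are accepted, whether RELATED and ESTABLISHED are both accepted before the first LOG/DROP/REJECT rule, which ACCEPT rules sit after the LOG rule (in the posted chain the 10.1.1.0/24 rule does, so LAN traffic is logged with the `DROPPED = ' prefix and then accepted), and how many "ACCEPT all anywhere anywhere" rules carry no port or state at all (plain --list hides interface matches, so those are probably `-i lo` rules; `iptables -L -n -v --line-numbers` shows the interface and hit counters). The service-name table and the pasv range are assumptions taken from the listing and the config above. Two things the audit cannot see: the RELATED rule only classifies FTP data connections if the FTP connection-tracking helper is loaded (ip_conntrack_ftp on kernels of that era, nf_conntrack_ftp on later ones), and active-mode data connections are opened by the server itself from port 20, so they are governed by the OUTPUT chain (policy ACCEPT here) rather than by an INPUT rule.

```python
import re

# Service names as `iptables --list` prints them without -n (resolved via
# /etc/services); only the ones this audit needs.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
                 "http": 80, "pop3": 110, "imap": 143, "https": 443, "mysql": 3306}

# Constructed sample: an abridged copy of the INPUT chain posted in this thread.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:4000:4010
LOG all -- anywhere anywhere LOG level debug prefix `DROPPED = '
ACCEPT all -- 10.1.1.0/24 anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
"""


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]


def parse_chain(listing, chain="INPUT"):
    """Parse one chain of `iptables --list` output into (policy, [rule dicts])."""
    policy, rules, in_chain = None, [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
            in_chain = bool(m) and m.group(1) == chain
            if in_chain:
                policy = m.group(2)
            continue
        if not in_chain or not line.strip() or line.startswith("target "):
            continue
        parts = line.split()
        rule = {"target": parts[0], "prot": parts[1], "source": parts[3],
                "ports": None, "states": set(), "raw": line.strip()}
        extra = " ".join(parts[5:])
        m = re.search(r"\bdpts?:(\S+)", extra)        # dpt:ftp or dpts:4000:4010
        if m:
            lo, _, hi = m.group(1).partition(":")
            rule["ports"] = (_port(lo), _port(hi) if hi else _port(lo))
        m = re.search(r"\bstate (\S+)", extra)        # state RELATED,ESTABLISHED
        if m:
            rule["states"] = set(m.group(1).split(","))
        rules.append(rule)
    return policy, rules


def audit_ftp_rules(listing, pasv_min, pasv_max):
    """Check the INPUT chain for what vsftpd needs and for two ordering traps."""
    policy, rules = parse_chain(listing, "INPUT")
    accepts = [r for r in rules if r["target"] == "ACCEPT"]

    def tcp_open(lo, hi):
        return any(r["prot"] == "tcp" and r["ports"] and r["source"] == "anywhere"
                   and r["ports"][0] <= lo and hi <= r["ports"][1] for r in accepts)

    states = set()
    for r in accepts:
        states |= r["states"]
    first_state = next((i for i, r in enumerate(rules) if r["states"]), None)
    first_stop = next((i for i, r in enumerate(rules)
                       if r["target"] in ("LOG", "DROP", "REJECT")), None)
    return {
        "policy": policy,
        "control_port_open": tcp_open(21, 21),
        "pasv_range_open": tcp_open(pasv_min, pasv_max),
        "conntrack_states": states & {"RELATED", "ESTABLISHED"},
        # the state rule only helps if it is hit before any LOG/DROP/REJECT
        "conntrack_before_log": first_state is not None and
                                (first_stop is None or first_state < first_stop),
        # ACCEPT rules placed after the LOG rule still accept, but every packet
        # they match is logged first with the LOG prefix (here `DROPPED = ')
        "accepts_after_log": [r["raw"] for r in rules[first_stop + 1:]
                              if r["target"] == "ACCEPT"] if first_stop is not None else [],
        # "ACCEPT all anywhere anywhere" with no port or state is usually an
        # interface match (-i lo) that plain --list hides; confirm with -v
        "unscoped_accept_rules": sum(1 for r in accepts if r["prot"] == "all"
                                     and not r["ports"] and not r["states"]
                                     and r["source"] == "anywhere"),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for key, value in audit_ftp_rules(text, 4000, 4010).items():
        print("%-24s %s" % (key, value))
```

Feed it the live chain with `iptables --list | python3 ftp_rule_audit.py` (the file name is a placeholder); without stdin it audits the embedded sample. The pasv bounds are the ones from the posted vsftpd.conf; change them if the range is moved.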

  7. #7 (Just Joined!; Join Date Mar 2009; Posts 4)
    My concern with this is that the ftp server is sending a response already, so the connection has to be made. It is only being rejected when the password is sent, and then it doesn't say it's a user authentication error.

    Does the response from the ftp server not actually mean that the ftp client is establishing a connection before being closed?
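The question in #7, put into a probe. This is an added example, not from the thread: a Python script that walks the control channel one step at a time with a timeout and reports the stage at which it stops. A 220 banner means the TCP handshake completed and vsftpd sent its greeting, so the packet filter did pass the control connection; what matters is what follows USER. A 331 or 530 reply is the daemon talking; an EOF right after USER means the daemon (or something it consults, such as PAM through pam_service_name=vsftpd, or the userlist_enable=YES check against the userlist_file) ended the session; a hang with no banner at all is where a firewall or router would show up. The stand-in server is constructed for the example so it runs offline; its replies imitate the shape of vsftpd's messages and were not captured from the poster's server. Host, user and the script name are placeholders.

```python
import io
import socket
import sys
import threading


def read_reply(f):
    """Read one FTP reply from a binary file object, honouring RFC 959 framing:
    '220-text' opens a multi-line reply that ends at a line starting '220 '.
    Returns (code, lines); code is None on EOF, -1 if the line is not a reply."""
    first = f.readline()
    if not first:
        return None, []
    first = first.decode("latin-1").rstrip("\r\n")
    lines, code_str = [first], first[:3]
    if len(first) > 3 and first[3] == "-":
        while True:
            line = f.readline()
            if not line:
                break
            line = line.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if line.startswith(code_str + " "):
                break
    return (int(code_str) if code_str.isdigit() else -1), lines


def parse_reply_bytes(data):
    """Convenience wrapper: parse a captured reply held in memory."""
    return read_reply(io.BytesIO(data))


def probe_ftp(host, port, user, timeout=5.0):
    """Walk the control channel step by step and report where it stops.
    stage: 'connect' = no TCP connection; 'banner' = connected, no 220;
    'user' = banner OK but USER got EOF or a timeout;
    'reply' = the server answered USER (see user_reply)."""
    result = {"stage": "connect", "banner": None, "user_reply": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = str(exc)
        return result
    with sock, sock.makefile("rb") as f:
        result["stage"] = "banner"
        try:
            code, lines = read_reply(f)
        except socket.timeout:
            result["error"] = "timeout waiting for banner"
            return result
        if code is None:
            result["error"] = "connection closed before any banner"
            return result
        result["banner"] = (code, lines)
        if code != 220:
            return result
        result["stage"] = "user"
        sock.sendall(("USER %s\r\n" % user).encode("latin-1"))
        try:
            code, lines = read_reply(f)
        except socket.timeout:
            result["error"] = "timeout after USER"
            return result
        if code is None:
            result["error"] = "connection closed after USER"
            return result
        result["stage"] = "reply"
        result["user_reply"] = (code, lines)
    return result


def start_fake_vsftpd(behaviour):
    """Constructed stand-in server so the probe runs offline (not vsftpd itself).
    'close_after_user': send the 220 banner, then drop the session on USER,
    which is what the transcript in post #1 looks like from the client side.
    'deny': answer USER with 530 (the shape of a user_list refusal).
    'ask_password': answer USER with 331. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            conn.sendall(b"220 (vsFTPd 2.0.1)\r\n")
            conn.makefile("rb").readline()          # consume the USER line
            if behaviour == "deny":
                conn.sendall(b"530 Permission denied.\r\n")
            elif behaviour == "ask_password":
                conn.sendall(b"331 Please specify the password.\r\n")
            # 'close_after_user': say nothing and let close() send the FIN
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:                      # python3 ftp_probe.py HOST USER [PORT]
        host, user = sys.argv[1], sys.argv[2]
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 21
        print(probe_ftp(host, port, user))
    else:                                       # offline demo against the stand-in
        for mode in ("close_after_user", "deny", "ask_password"):
            print(mode, "->", probe_ftp("127.0.0.1", start_fake_vsftpd(mode), "user"))
```

Run `python3 ftp_probe.py HOST USER` against the real server from inside the LAN and from outside. If both runs stop at the 'user' stage with "connection closed after USER", look on the server rather than at iptables: /var/log/vsftpd.log (xferlog_enable=YES in the posted config), the system auth log for PAM failures from the vsftpd service, and the userlist_file (/etc/vsftpd.user_list by default, /etc/vsftpd/user_list in Red Hat packages), since with userlist_enable=YES listed users are refused as soon as USER is sent.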
