  1. #1

    VSFTP with Explicit SSL Log in problem


    Hi All

    I have set up a Linux Red Hat server to work as a VSFTP server using passive mode.

    I have generated a self-signed certificate using the following command:

    Code:
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem

    I have tried connecting via CoreFTP and WinSCP, and both seemingly failed to log in with no apparent error message.

    coreftp log:
    Code:
    Connect socket #1380 to ###, port 21...
    220 Welcome to The UAT FTPS service.  
    AUTH SSL  
    234 Proceed with negotiation.  
    TLSv1, cipher TLSv1/SSLv3 (DES-CBC3-SHA) - 168 bit
    USER testP  
    331 Please specify the password.  
    PASS **********
    The server does not seem to respond, or at least this is what I think. To double-check, I entered a wrong password and it actually came back with an error message of incorrect login.

    WINSCP comes back with a different error:

    Code:
    SSL3 alert write: fatal: protocol version
    Disconnected from server
    Connection failed.
    Please specify the password.
    The server log file vsftpd.log does not give much info either:
    Code:
    Wed Aug 31 14:33:49 2011 [pid 31520] CONNECT: Client "#.#.#.#"
    Wed Aug 31 14:33:49 2011 [pid 31520] FTP response: Client "#.#.#.#", "220 Welcome to ### FTPS service."
    Wed Aug 31 14:33:49 2011 [pid 31520] FTP command: Client "#.#.#.#", "AUTH SSL"
    Wed Aug 31 14:33:49 2011 [pid 31520] FTP response: Client "#.#.#.#", "234 Proceed with negotiation."
    Wed Aug 31 14:33:51 2011 [pid 31520] FTP command: Client "#.#.#.#", "USER testP"
    Wed Aug 31 14:33:51 2011 [pid 31520] [testP] FTP response: Client "#.#.#.#", "331 Please specify the password."
    Wed Aug 31 14:33:51 2011 [pid 31520] [testP] FTP command: Client "#.#.#.#", "PASS <password>"
    Wed Aug 31 14:33:51 2011 [pid 31519] [testP] OK LOGIN: Client "#.#.#.#"
    As can be seen from the server log, after logging in the server does not respond.

    Bear in mind that both of the server firewall and SELINUX are disabled.

    I have been trying to find a solution, searching the internet for almost a full day, but with no luck.

    Your help is greatly appreciated, thanks.

    Please find below the /etc/vsftpd/vsftpd.conf file:

    Code:
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=007
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # The target log file can be vsftpd_log_file or xferlog_file.
    # This depends on setting xferlog_std_format parameter
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # The name of log file when xferlog_enable=YES and xferlog_std_format=YES
    # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
    #xferlog_file=/var/log/xferlog
    log_ftp_protocol=YES
    #
    # Switches between logging into vsftpd_log_file and xferlog_file files.
    # NO writes to vsftpd_log_file, YES to xferlog_file
    xferlog_std_format=NO
    #
    # You may change the default value for timing out an idle session.
    idle_session_timeout=300
    #
    # You may change the default value for timing out a data connection.
    data_connection_timeout=300
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    ftpd_banner=Welcome to The UAT FTPS service.
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    #chroot_list_enable=YES
    # (default follows)
    chroot_local_user=YES
    chroot_list_enable=YES
    
    chroot_list_file=/etc/vsftpd/chroot_list
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    listen=YES
    use_localtime=yes
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_logins_ssl=YES
    force_local_data_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=YES
    ssl_sslv3=YES
    rsa_cert_file=/etc/vsftpd/vsftpd.pem
    rsa_private_key_file=/etc/vsftpd/vsftpd.key
    pasv_enable=YES
    #pasv_promiscuous=YES
    pasv_min_port=#####
    pasv_max_port=#####
    pasv_address=#.#.#.#
    max_per_ip=3
    max_login_fails=2
    delay_failed_login=7

  2. #2
    I managed to find the solution.

    I forgot to generate an empty /etc/vsftpd/chroot_list when I set up the vsftpd.

    The server is set up so that all users are chroot'd into their home directory unless their username is present in this file, /etc/vsftpd/chroot_list.

    What was happening is that after the successful authentication of the FTP user, the VSFTPD starts looking in the chroot_list file, which was not present, so the server ends up frozen.

    It would have really helped if the FTP server and/or clients came back with a useful error message.
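
    The failure mode in this thread (chroot_list_enable=YES with the list file absent) is easy to catch before a client ever logs in. The following is an added example, not code from the poster or from the vsftpd project: it parses vsftpd's key=value format, checks that a referenced chroot list actually exists, and also flags the ssl_sslv2/ssl_sslv3=YES lines from the posted config. The sample config and the file_exists callback are constructed so the check runs offline; the default list path is vsftpd's documented default.

```python
from typing import Callable, Dict, List

# Constructed sample: the settings from the thread's vsftpd.conf that matter here.
SAMPLE_CONF = """\
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd's key=value format; comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def _is_yes(settings: Dict[str, str], key: str) -> bool:
    # vsftpd booleans are case-insensitive (the thread's config uses use_localtime=yes).
    return settings.get(key, "NO").upper() == "YES"

def lint_vsftpd(settings: Dict[str, str], file_exists: Callable[[str], bool]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if _is_yes(settings, "chroot_list_enable"):
        # vsftpd's documented default when chroot_list_file is not set.
        path = settings.get("chroot_list_file", "/etc/vsftpd.chroot_list")
        if not file_exists(path):
            findings.append(f"chroot_list_enable=YES but {path} does not exist: "
                            "logins authenticate and then the session stops responding")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if _is_yes(settings, key):
            findings.append(f"{key}=YES permits an obsolete protocol; set it to NO")
    return findings

if __name__ == "__main__":
    import os  # on a real host, pass os.path.exists as the callback
    for finding in lint_vsftpd(parse_vsftpd_conf(SAMPLE_CONF), os.path.exists):
        print(finding)
```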

  3. #3
    oz
    Glad you figured it out... your solution might help someone else, so thanks for posting back with it!
    oz
