FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Fri Jun 18, 2021 4:47 am Post subject: [Solved] vsftpd Command: LIST - Error: Connection timed out |
Hey guys, I'm really pulling my hair out here... Trying to get my FTP server up. I'm testing using ftptest.net.
I believe I almost have everything in order (static IP, ports forwarded on router, iptables set up), as it gets as far as "Command: LIST Error: Connection timed out". I'm on port 990 using FTP over TLS in Passive Mode.
Code: | listen=YES
listen_ipv6=NO
listen_port=990
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_root=/mnt
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
log_ftp_protocol=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=My Banner Goes Here
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
pasv_address=foo.bar.com
pasv_addr_resolve=YES
port_enable=YES
pasv_enable=YES
pasv_min_port=50100
pasv_max_port=51100 |
Code: | # Generated by iptables-save v1.8.7 on Thu Jun 17 20:59:29 2021
*mangle
:PREROUTING ACCEPT [3393222:1509182188]
:INPUT ACCEPT [3391510:1509143249]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3369645:536014132]
:POSTROUTING ACCEPT [3374851:536295052]
COMMIT
# Completed on Thu Jun 17 20:59:29 2021
# Generated by iptables-save v1.8.7 on Thu Jun 17 20:59:29 2021
*filter
:INPUT ACCEPT [8:3062]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:328]
-A INPUT -p tcp -m tcp --dport 50100:51100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
COMMIT
# Completed on Thu Jun 17 20:59:29 2021 |
Code: | Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 20:34 PDT
Nmap scan report for foo.bar.com
Host is up (0.000036s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
990/tcp open ftps |
ftptest.net result
Code: | Warning: Selected port (990) is not the default port (21) of the selected protocol.
Status: Resolving address of foo.bar.com
Status: Connecting to foo.bar.com
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220 My Banner Goes Here
Command: CLNT https://ftptest.net on behalf of foo.bar.com
Reply: 530 Please login with USER and PASS.
Command: AUTH TLS
Reply: 234 Proceed with negotiation.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='C=XX,ST=XX,L=XX,O=XX,OU=XX,CN=foo.bar.com,EMAIL=foo@bar.com'
issuer='C=XX,ST=XX,L=XX,O=XX,OU=XX,CN=foo.bar.com,EMAIL=foo@bar.com'
Command: USER test
Reply: 331 Please specify the password.
Command: PASS ********
Reply: 230 Login successful.
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Features:
Reply: AUTH TLS
Reply: EPRT
Reply: EPSV
Reply: MDTM
Reply: PASV
Reply: PBSZ
Reply: PROT
Reply: REST STREAM
Reply: SIZE
Reply: TVFS
Reply: UTF8
Reply: 211 End
Warning: The server does not indicate MLSD support. MLSD uses a well-specified listing format. Without MLSD, directory listings have to be obtained using LIST which uses an unspecified output format.
Command: PBSZ 0
Reply: 200 PBSZ set to 0.
Command: PROT P
Reply: 200 PROT now Private.
Command: PWD
Reply: 257 "/mnt" is the current directory
Status: Current path is /mnt
Command: TYPE I
Reply: 200 Switching to Binary mode.
Command: PASV
Reply: 227 Entering Passive Mode (foo.bar.com,197,150).
Command: LIST
Error: Connection timed out |
I see "Warning: The server does not indicate MLSD support". After checking https://stackoverflow.com/questions/52032468/does-vsftpd-supports-mlsd-command it seems vsftpd does not. Not sure if that's a deal-breaker. Also, I would like my local_root to be /mnt. However, https://wiki.gentoo.org/wiki/Vsftpd#Configuration tells me to "chown ftp /home/ftp", and I have. I've tried "local_root=/home/ftp" with the same result as "local_root=/mnt"... Command: LIST Error: Connection timed out....
Any help would be greatly appreciated and would slow down my balding...
Last edited by FilthyPitDog on Fri Aug 13, 2021 9:46 am; edited 3 times in total |
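The ftptest.net log above gets through AUTH TLS, login, PROT P and PASV, and only LIST times out: the control channel is fine and the client never reaches the data port the server advertised. The script below is an added example (editor's code, not from vsftpd, ftptest.net or the poster) that replays the same exchange with ftplib, decodes the 227 reply, checks the advertised port against the posted pasv_min_port/pasv_max_port range, and then probes that port directly so a silently dropped SYN (missing router forward or DROP rule) shows up as "timeout" rather than as a generic LIST failure. It uses explicit AUTH TLS on port 990 because that is what the log shows vsftpd doing (port 990 does not make vsftpd implicit-TLS unless implicit_ssl=YES). Host, credentials and the 192.0.2.x address in the test are placeholders; the 227 line in the posted log shows the hostname in place of the six numbers, which appears to be a redaction, since a server sends address octets there.

```python
"""Separate a passive FTPS control-channel success from a data-channel failure.

Added example for the thread above; not from vsftpd, ftptest.net or any
poster. Replays AUTH TLS / login / PROT P / PASV, decodes the 227 reply,
checks the advertised port against the configured passive range and probes
the data port directly. Host, port, user and password are placeholders.
"""
from __future__ import annotations

import re
import socket
import ssl
import sys
from ftplib import FTP_TLS

PASV_MIN, PASV_MAX = 50100, 51100  # pasv_min_port / pasv_max_port from the posted vsftpd.conf

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The port is p1*256 + p2. With pasv_address / pasv_addr_resolve the server
    still sends the four octets of the resolved address, never a hostname.
    """
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def port_in_range(port: int, lo: int = PASV_MIN, hi: int = PASV_MAX) -> bool:
    """The advertised data port must fall inside the range forwarded on the router."""
    return lo <= port <= hi


def probe_data_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Classify reachability of the data port.

    'open'    - TCP handshake completed: router forward and host firewall both fine
    'refused' - RST came back: a host answers, but nothing listens / no forward there
    'timeout' - SYN silently dropped: the classic missing router forward or DROP rule
    'error'   - anything else (resolution failure, unreachable network, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def diagnose(host: str, port: int, user: str, password: str, timeout: float = 10.0) -> str:
    """Replay the control-channel exchange from the log, then probe the data port."""
    ctx = ssl.create_default_context()
    # The server in the thread presents a self-signed certificate. Verification is
    # disabled only for this diagnosis; a real client must verify the chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, port)
    ftp.auth()      # explicit AUTH TLS, as in the log (vsftpd on 990 is still explicit
                    # TLS unless implicit_ssl=YES is set)
    ftp.login(user, password)
    ftp.prot_p()    # PROT P: the data channel must also be TLS
    reply = ftp.sendcmd("PASV")
    data_host, data_port = parse_pasv_reply(reply)
    print(f"PASV advertised {data_host}:{data_port}")
    if not port_in_range(data_port):
        print(f"  warning: {data_port} is outside {PASV_MIN}-{PASV_MAX}; the router forward will not cover it")
    if data_host != socket.gethostbyname(host):
        print("  warning: advertised address differs from the control connection's "
              "(check pasv_address / pasv_addr_resolve)")
    status = probe_data_port(data_host, data_port, timeout=timeout)
    print(f"data port probe: {status}")
    ftp.quit()
    return status


def _local_listener() -> tuple[socket.socket, int]:
    """Constructed loopback listener so probe_data_port can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} host port user password")
    diagnose(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4])
```

Run it from outside the LAN (the ftptest.net result is what an external client sees; from inside, NAT hairpinning may give a different answer). A "timeout" on the probe while the control connection on 990 works is exactly the symptom in the thread, and points at the path between the Internet and the passive range rather than at vsftpd.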
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Fri Jun 18, 2021 5:01 pm Post subject: |
Have you opened and port-forwarded this range of ports in your router?
Code: |
pasv_min_port=50100
pasv_max_port=51100
|
Possibly also these
Code: |
ftp-data 20/tcp # File Transfer [Default Data]
ftp-data 20/udp
ftp 21/tcp # File Transfer [Control]
ftp 21/udp fsp fspd
|
Also you might wish to add these in your vsftpd.conf
Code: |
force_local_data_ssl=YES
force_local_logins_ssl=YES
|
Best to use tor-browser to run your ftp test online utility.
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Fri Jun 18, 2021 9:58 pm Post subject: |
Yes, ports 50100:51100 are forwarded on my router. I added port 20 TCP/UDP to iptables.
iptables -L
Code: | Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:50100:51100
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftps
ACCEPT udp -- anywhere anywhere udp dpt:ftps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination |
I also added
Code: | force_local_data_ssl=YES
force_local_logins_ssl=YES
|
to my vsftpd.conf, restarted vsftpd, and same thing: it stops at Command: LIST... Oh brother lol
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Fri Jun 18, 2021 10:21 pm Post subject: |
Please comment out
so it will default to ~$USER.
Maybe it makes a difference.
Also try opening a tor-browser and go to
Code: |
ftp://<host> ###or maybe
ftps://<host>
|
Last edited by alamahant on Fri Jun 18, 2021 10:31 pm; edited 1 time in total |
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Fri Jun 18, 2021 10:30 pm Post subject: |
Thank you so much for helping out! Commented out line. Tried to connect again here is /var/log/vsftpd.log
Code: | Fri Jun 18 15:23:11 2021 [pid 2] CONNECT: Client "49.12.121.47"
Fri Jun 18 15:23:11 2021 [pid 2] FTP response: Client "49.12.121.47", "220 My Banner Goes Here"
Fri Jun 18 15:23:11 2021 [pid 2] FTP command: Client "49.12.121.47", "CLNT https://ftptest.net on behalf of foo.bar.com"
Fri Jun 18 15:23:11 2021 [pid 2] FTP response: Client "49.12.121.47", "530 Please login with USER and PASS."
Fri Jun 18 15:23:11 2021 [pid 2] FTP command: Client "49.12.121.47", "AUTH TLS"
Fri Jun 18 15:23:11 2021 [pid 2] FTP response: Client "49.12.121.47", "234 Proceed with negotiation."
Fri Jun 18 15:23:12 2021 [pid 2] FTP command: Client "49.12.121.47", "USER mrturcot"
Fri Jun 18 15:23:12 2021 [pid 2] [mrturcot] FTP response: Client "49.12.121.47", "331 Please specify the password."
Fri Jun 18 15:23:12 2021 [pid 2] [mrturcot] FTP command: Client "49.12.121.47", "PASS <password>"
Fri Jun 18 15:23:12 2021 [pid 1] [mrturcot] OK LOGIN: Client "49.12.121.47"
Fri Jun 18 15:23:12 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "230 Login successful."
Fri Jun 18 15:23:12 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "SYST"
Fri Jun 18 15:23:12 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "215 UNIX Type: L8"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "FEAT"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "211-Features:"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " AUTH TLS??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " EPRT??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " EPSV??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " MDTM??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " PASV??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " PBSZ??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " PROT??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " REST STREAM??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " SIZE??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " TVFS??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " UTF8??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "211 End"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PBSZ 0"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "200 PBSZ set to 0."
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PROT P"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "200 PROT now Private."
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PWD"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "257 "/home/mrturcot" is the current directory"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "TYPE I"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "200 Switching to Binary mode."
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PASV"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "227 Entering Passive Mode (foo.bar.com)."
Fri Jun 18 15:23:15 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "LIST"
Fri Jun 18 15:24:15 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "425 Failed to establish connection."
Fri Jun 18 15:24:15 2021 [pid 2] [mrturcot] DEBUG: Client "49.12.121.47", "Control connection terminated without SSL shutdown." |
local_root is correct (/home/mrturcot). I feel like it's so close!
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Fri Jun 18, 2021 10:35 pm Post subject: |
Try disabling iptables.
Maybe some problem with the range of ports.
Do you have this in .config
Code: |
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_NAT_FTP=m
CONFIG_IP_VS_FTP=m
|
?
Also, since you are using SSL,
DON'T connect via IP.
Please use the domain.
Also this
Code: |
rsa_cert_file=/etc/ssl/private/vsftpd.pem
|
is a self-signed certificate.
Maybe unrelated to the issue at hand, but Let's Encrypt is better.
Or if you are using a local client like lftp
Code: |
set ssl:verify-certificate no
|
Filezilla also has a setting, no?
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Fri Jun 18, 2021 11:41 pm Post subject: |
I've cleared my iptables rules. I checked, and I have 2 of those kernel options; however, I don't have CONFIG_IP_VS_FTP in my .config. I'm using the 5.12 kernel.
Code: | cat /usr/src/linux/.config |grep FTP
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_NAT_FTP=m |
Also, I do connect via a domain/host name. I would like to use Let's Encrypt for my cert after I get this figured out... I'm at a loss; it still won't LIST. Thanks again for troubleshooting, alamahant.
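The kernel-helper question in the previous reply is worth settling with a check rather than a guess. nf_conntrack_ftp and nf_nat_ftp open data ports dynamically by reading the PASV/PORT exchange off the control channel; once AUTH TLS has encrypted that channel they can see nothing, so with ssl_enable=YES the passive range has to be accepted statically on the host and forwarded statically on the router (which is also why a DMZ host, which forwards every port, makes the problem disappear). The script below is an added example (editor's code, not vsftpd's and not any poster's) that parses a vsftpd.conf and an iptables-save dump, confirms the control port and the whole pasv_min_port..pasv_max_port range are accepted, flags the dport-20 and UDP rules as dead weight (FTP is TCP-only and active-mode data is an outbound connection from the server), and points out that a chain whose policy is ACCEPT is not filtering at all, so the timeout must be upstream. The sample config and ruleset are constructed from the first post, trimmed to the relevant keys.

```python
"""Cross-check vsftpd passive-mode settings against an iptables-save dump.

Added example for this thread, not vsftpd's code or any poster's. Host-side
checks before blaming the router: the control port and the whole
pasv_min_port..pasv_max_port range need static INPUT ACCEPT rules (with
AUTH TLS the kernel FTP helper nf_conntrack_ftp cannot read the 227 reply,
so nothing opens data ports dynamically); an INPUT chain with policy ACCEPT
filters nothing, so its ACCEPT rules are no-ops and a timeout is upstream;
dport 20 and UDP rules are dead weight. Sample inputs are constructed from
the first post.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str, int, int, str]  # (chain, proto, lo, hi, target)

_POLICY_RE = re.compile(r"^:(?P<chain>\w+) (?P<policy>\w+) ")
_RULE_RE = re.compile(
    r"^-A (?P<chain>\w+) .*?-p (?P<proto>tcp|udp) .*?--dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j (?P<target>\w+)$"
)


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Minimal key=value parser for vsftpd.conf; comments and blank lines ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_iptables_save(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, dport rules) from the *filter table only."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter":
            continue
        m = _POLICY_RE.match(line)
        if m:
            policies[m["chain"]] = m["policy"]
            continue
        m = _RULE_RE.match(line)
        if m:
            lo = int(m["lo"])
            rules.append((m["chain"], m["proto"], lo, int(m["hi"] or lo), m["target"]))
    return policies, rules


def covered(rules: List[Rule], chain: str, proto: str, lo: int, hi: int) -> bool:
    """True if every port in lo..hi hits an ACCEPT rule for proto in chain."""
    spans = sorted((a, b) for c, p, a, b, t in rules
                   if c == chain and p == proto and t == "ACCEPT")
    need = lo
    for a, b in spans:          # sorted by start: extend coverage greedily
        if a <= need <= b:
            need = b + 1
    return need > hi


def check(conf: Dict[str, str], iptables_save: str) -> List[str]:
    """Return findings as strings; an empty list means the host side is consistent."""
    findings: List[str] = []
    policies, rules = parse_iptables_save(iptables_save)
    if policies.get("INPUT") == "ACCEPT":
        findings.append("INPUT policy is ACCEPT: the host firewall blocks nothing, "
                        "so a data-port timeout is upstream (router forward / NAT)")
    ctl = int(conf.get("listen_port", "21"))          # vsftpd default 21
    if not covered(rules, "INPUT", "tcp", ctl, ctl):
        findings.append(f"control port {ctl}/tcp has no INPUT ACCEPT rule")
    if conf.get("pasv_enable", "YES").upper() == "YES":  # vsftpd default YES
        lo, hi = int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0:
            findings.append("pasv_min_port/pasv_max_port unset: any ephemeral port may be "
                            "used, which cannot be forwarded statically")
        else:
            if not covered(rules, "INPUT", "tcp", lo, hi):
                findings.append(f"passive range {lo}-{hi}/tcp is not fully accepted on INPUT")
            if conf.get("ssl_enable", "NO").upper() == "YES":
                findings.append("TLS control channel: nf_conntrack_ftp cannot follow PASV, "
                                f"so {lo}-{hi}/tcp must be forwarded statically on the router")
    for chain, proto, a, b, _target in rules:
        if chain != "INPUT":
            continue
        span = str(a) if a == b else f"{a}-{b}"
        if proto == "udp":
            findings.append(f"udp dport {span} rule is unnecessary: FTP is TCP-only")
        elif a == b == 20:
            findings.append("tcp dport 20 rule is unnecessary: active-mode data is an "
                            "outbound connection from the server")
    return findings


# Constructed from the first post, trimmed to the keys and rules that matter here.
SAMPLE_VSFTPD_CONF = "listen=YES\nlisten_port=990\nssl_enable=YES\npasv_enable=YES\n" \
                     "pasv_min_port=50100\npasv_max_port=51100\n"
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [8:3062]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:328]
-A INPUT -p tcp -m tcp --dport 50100:51100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in check(parse_vsftpd_conf(SAMPLE_VSFTPD_CONF), SAMPLE_IPTABLES_SAVE):
        print("-", finding)
```

On the posted ruleset this reports only the policy note, the TLS/static-forward reminder and the two unnecessary rules: the host side is consistent, which is the same conclusion the thread reaches by turning the DMZ on and off. If the INPUT policy is later changed to DROP, the range check becomes the one that matters, and the `covered()` test accepts the range only when the rules cover every port in it with no gap.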
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Fri Jun 18, 2021 11:45 pm Post subject: |
Code: |
ls_recurse_enable=YES
|
in vsftpd.conf
?
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Fri Jun 18, 2021 11:56 pm Post subject: |
Appended to vsftpd.conf and restarted the service, with the same result.
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Sat Jun 19, 2021 12:37 am Post subject: |
Wow, turns out I needed to set up a DMZ on my firewall for my local PC, and now everything works as intended. Not sure if this opens me up to any security risks? Or it just bypasses the real issue... In any case it works now. Cheers
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2956 Location: Edge of marsh USA
Posted: Wed Jun 23, 2021 2:38 am Post subject: |
FilthyPitDog wrote: | Wow turns out I needed to setup a DMZ on my firewall for my local PC and now everything works as intended. Not sure if this opens me up for any security risks? Or it just bypasses the real issue... In any case it works now. Cheers |
Now the entire Internet can invade you. Bad plan.
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Wed Jun 23, 2021 3:22 am Post subject: |
I appreciate the advice and have switched off the DMZ. Just back to the same problem: it won't list. The Filezilla log shows I'm connecting to port 990 > TLS connection established > Logged in > PWD /mnt is the current directory > switching to binary > entering extended passive mode > Connection timed out.... I'm at my wits' end... I have my passive ports forwarded on my router and added the TCP rules in iptables for those ports.
Last edited by FilthyPitDog on Wed Jun 23, 2021 4:08 am; edited 1 time in total |
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2956 Location: Edge of marsh USA
Posted: Wed Jun 23, 2021 3:54 am Post subject: |
EDIT -- ADDED: Obviously I didn't read the thread closely enough before jumping in. It looks like you hand-jam your own IPTABLES. Good for you!
Reply continues:
OK, if you really just meant a firewall on your PC and the firewall on your router is still in-effect, then DMZ on your PC's firewall is less of a problem. But, you should be able to fine tune your PC's firewall to allow vsftpd to function.
I don't use vsftpd (I use sftp as it meets my use cases), so I can't comment on it specifically, though I may try it. Perhaps post what software firewall runs on your Gentoo PC and someone will already know the trick for your settings.
ALSO ADDED: Your IPTABLES look good to me (I'm no authority.). But, since DMZ allowed vsftpd to work, it seems that's obviously where the problem is. Following with interest.
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Wed Jun 23, 2021 4:08 am Post subject: |
Exactly, the only rules I have in iptables are
Code: | :OUTPUT ACCEPT [48675231:47380521714]
-A INPUT -p tcp -m tcp --dport 50100:51100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT |
And the only ports forwarded on my router are those that are in iptables. The firewall is active on my router, and I enabled DMZ for the local IP of the server. I hope this is not that bad. I'll try with sftp with DMZ off and see how it goes!
Last edited by FilthyPitDog on Wed Jun 23, 2021 5:28 am; edited 1 time in total |
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2956 Location: Edge of marsh USA
Posted: Wed Jun 23, 2021 4:57 am Post subject: |
Wondering, do you also have a firewall mode set on your router other than NAT. That's probably a wild goose chase.
For what it's worth, with ssh/sftp, I only enable/forward my primary, non-standard, sshd port on the router, i.e. 2039 or whatever. I also use fail2ban with very hostile settings, and I get quite a bit less random probing by not using port 22.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Wed Jun 23, 2021 8:26 am Post subject: |
What DMZ host does at the router is open and forward ALL ports to a particular LAN IP.
If that works but your port range doesn't, it means that somehow you are not properly forwarding the range from the router to your host.
FilthyPitDog Apprentice
Joined: 12 Jan 2021 Posts: 186 Location: South Pacific
Posted: Wed Jun 23, 2021 8:52 am Post subject: |
alamahant wrote: | What DMZ host does at the router is open and forward ALL ports to a particular LAN IP.
If that works but your port range doesn't, it means that somehow you are not properly forwarding the range from the router to your host. |
Thank you very, very much, this was the issue. It's all working great with DMZ off. The issue was not having all the passive ports forwarded correctly on my router.