aatif786
FTP on FC4
Dear Expert,
I am getting tired now. I have installed Fedora Core 4 with SELinux enabled.
I configured vsftpd on it.
In the firewall section I disabled SELinux for the FTP daemon. I also added my local NIC as a trusted device.
In the SELinux section I checked the following:
Allow ftpd to run directly without inetd
Allow ftp to read/write files in the users' home directory
Disable SELinux protection for ftpd daemon.
Also in the Firewall Options tab I checked ftp for the trusted devices.
When I connect from the local LAN it works perfectly.
When I try to access my FTP server from outside my LAN it gives me the banner and asks for username and password accordingly. After that, when I issue any command, it says no route to host.
Following is the screen output when I connect from outside the LAN:
220 Welcome to Alkaram FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (137.101.28.132:root): walmart
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (137,101,28,132,198,23)
ftp: connect: No route to host
There is no logging enabled for vsftpd.
Here is my vsftpd.conf:
###############
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to Alkaram FTP service
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
ls_recurse_enable=YES
pam_service_name=vsftpd
listen=YES
tcp_wrappers=YES
################
When I add my external NIC as a trusted device it works fine, but I don't want to add the external NIC as a trusted device.
Please help.
ASKER
Dear Kitti,
Thanks for the advice. Please tell me where the Allow Incoming rules can be defined. I'm using FC4, and in Security Level Configuration I found only two tabs, one for Firewall Options and the other for SELinux, and I already checked FTP in the trusted services firewall tab. I already told you about the SELinux settings.
Thanks once again.
ASKER
Should I increase the points for this question?
ASKER
Should I move this question to another area? If yes, then how?
I notice one line in your config file:
connect_from_port_20=YES
Try changing this to "NO".
ASKER
Dear Kitti,
Thanks for the help, but it is still not working. I don't know what happened; no one except you answers the question. I think I raised this question in the wrong area, or maybe the points are not attractive. Please advise in this matter.
But thanks anyway.
Could you please try these two?
1. setsebool user_tcp_server true;
This will allow passive mode when connecting to a user's account.
2. Try typing the word passive in your ftp client before you continue with the ftp commands.
ASKER
Dear Guruyaya,
Thanks for the advice, but when I issued the command you mentioned the error was
Error setting boolean: Invalid boolean
Please help, otherwise I'm going to switch my server back to Red Hat Linux 9.
Have you tried issuing "passive" in your ftp client before going on with the server usage?
ASKER
Dear guruyaya,
Thanks for the prompt reply. Following are the results:
ftp webemail.alkaram.com
Connected to webemail.alkaram.com.
220 Welcome to Alkaram FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (webemail.alkaram.com:root): walmart
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
After a long wait there was no response.
What is the result if you try
# ftp localhost
???
ASKER
It's working perfectly.
ASKER
One more thing: if I disable SELinux, then ftp from the outside world works fine.
Well, let's try and see what's going on.
First, ask someone to log into your ftp remotely while you run "tail -f /var/log/messages". Write down what you see added.
It could give us an idea of what SELinux does.
It is reasonable that we find it in the SE booleans, so please run getsebool -a to see what parameters are there.
Have a nice day
GuruYaya
ASKER
Hi GuruYaya,
Thanks for the help.
There is no special message in /var/log/messages,
just login or logout information for root and some messages for cron jobs.
My ftp server works fine locally, meaning inside the LAN.
When I connect remotely it gives me a banner and a login prompt and asks for the password. Just see the following results:
ftp x.x.x.x
Connected to x.x.x.x.
220 Welcome to Alkaram FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (x.x.x.x:root): UserName
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (x,x,x,x,236,44)
ftp: connect: No route to host
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
and after a long wait, when I press Ctrl+C:
receive aborted
waiting for remote to finish abort
426 Failure writing network stream.
225 No transfer to ABOR.
ftp>
During this, the log messages from /var/log/messages are below:
Apr 14 11:35:02 webemail crond(pam_unix)[12899]: session closed for user root
Apr 14 11:40:01 webemail crond(pam_unix)[12941]: session opened for user root by (uid=0)
Apr 14 11:40:01 webemail crond(pam_unix)[12942]: session opened for user root by (uid=0)
Apr 14 11:40:01 webemail crond(pam_unix)[12942]: session closed for user root
Apr 14 11:40:01 webemail crond(pam_unix)[12941]: session closed for user root
Apr 14 11:45:01 webemail crond(pam_unix)[12986]: session opened for user root by (uid=0)
Apr 14 11:45:01 webemail crond(pam_unix)[12986]: session closed for user root
Apr 14 11:50:01 webemail crond(pam_unix)[13031]: session opened for user root by (uid=0)
Apr 14 11:50:01 webemail crond(pam_unix)[13032]: session opened for user root by (uid=0)
Apr 14 11:50:01 webemail crond(pam_unix)[13032]: session closed for user root
Apr 14 11:50:01 webemail crond(pam_unix)[13031]: session closed for user root
Now the answer to your final query:
NetworkManager_disable_trans --> inactive
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_kerberos --> active
allow_write_xshm --> inactive
allow_ypbind --> inactive
apmd_disable_trans --> inactive
arpwatch_disable_trans --> inactive
auditd_disable_trans --> inactive
bluetooth_disable_trans --> inactive
canna_disable_trans --> inactive
cardmgr_disable_trans --> inactive
comsat_disable_trans --> inactive
cupsd_config_disable_trans --> inactive
cupsd_disable_trans --> inactive
cvs_disable_trans --> inactive
cyrus_disable_trans --> inactive
dbskkd_disable_trans --> inactive
dhcpc_disable_trans --> inactive
dhcpd_disable_trans --> inactive
dovecot_disable_trans --> inactive
fingerd_disable_trans --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> active
ftpd_is_daemon --> active
hald_disable_trans --> inactive
hotplug_disable_trans --> inactive
howl_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
i18n_input_disable_trans --> inactive
inetd_child_disable_trans --> inactive
inetd_disable_trans --> inactive
innd_disable_trans --> inactive
kadmind_disable_trans --> inactive
klogd_disable_trans --> inactive
krb5kdc_disable_trans --> inactive
ktalkd_disable_trans --> inactive
lpd_disable_trans --> inactive
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nmbd_disable_trans --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
pppd_disable_trans --> inactive
pppd_for_user --> inactive
privoxy_disable_trans --> inactive
ptal_disable_trans --> inactive
radiusd_disable_trans --> inactive
radvd_disable_trans --> inactive
read_default_t --> active
rlogind_disable_trans --> inactive
rsync_disable_trans --> inactive
samba_enable_home_dirs --> inactive
saslauthd_disable_trans --> inactive
slapd_disable_trans --> inactive
smbd_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
stunnel_disable_trans --> inactive
stunnel_is_daemon --> inactive
syslogd_disable_trans --> inactive
system_dbusd_disable_trans --> inactive
telnetd_disable_trans --> inactive
tftpd_disable_trans --> inactive
udev_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
uucpd_disable_trans --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
ypserv_disable_trans --> inactive
zebra_disable_trans --> inactive
Now waiting for your response.
Regards,
Aatif Ali
ASKER
I'm going to increase the points for this question; please help.
Why can't people take interest in this question?
ASKER
Hurrah,
I have solved this myself through the Fedora forum.
I just issued the following command:
# modprobe ip_conntrack_ftp
Thanks everyone, especially Kitti and GuruYaya.
Please refund my points and close this question.
Regards,
Aatif Ali
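Why loading the conntrack helper fixed it, as an added example that is not part of any post in this thread. The script parses the two control-channel messages that announce an FTP data connection (the server's 227 reply quoted in the original post, and a client PORT command) and replays them against a toy model of the Fedora Core 4 default INPUT chain, with and without ip_conntrack_ftp. The client address 203.0.113.7 and the PORT command are constructed; the server address and the 227 line come from the thread. The model also covers the active-mode case, where it is the client side's firewall that has to recognise the incoming connection from port 20, which is why switching passive mode off did not help either (a client-side firewall that silently drops, rather than rejects, produces the hang seen in the thread instead of an error).

```python
"""Model of an FTP data connection meeting a stateful iptables firewall.

Added example, not code from the thread. It parses the two control-channel
messages that announce a data connection (the server's 227 PASV reply, the
client's PORT command) and replays them against a toy version of the Fedora
Core 4 default INPUT chain, with and without the ip_conntrack_ftp helper.
"""
import re
from dataclasses import dataclass, field

# Both messages carry an IPv4 address and a port as six decimal bytes:
# h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _decode(groups):
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("FTP address byte out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port), else None."""
    m = PASV_RE.match(reply)
    return _decode(m.groups()) if m else None


def parse_port(command):
    """'PORT h1,h2,h3,h4,p1,p2' -> (host, port), else None."""
    m = PORT_RE.match(command)
    return _decode(m.groups()) if m else None


@dataclass
class StatefulFirewall:
    """One host's INPUT chain, in the order FC4's RH-Firewall-1-INPUT evaluates it:
    ESTABLISHED,RELATED -> ACCEPT; NEW to a trusted service port -> ACCEPT;
    everything else -> REJECT --reject-with icmp-host-prohibited."""
    helper_loaded: bool
    trusted_ports: frozenset
    related: set = field(default_factory=set)   # (peer_ip, local_port) pairs the helper expects

    def inspect_control(self, peer_ip, text, local_is_server):
        """The conntrack helper reads the control channel and pre-registers the data
        connection it announces. Without the module the payload is never inspected."""
        if not self.helper_loaded:
            return
        hostport = parse_pasv(text) if local_is_server else parse_port(text)
        if hostport:
            self.related.add((peer_ip, hostport[1]))

    def inbound_syn(self, src_ip, dst_port):
        if (src_ip, dst_port) in self.related:
            return "ACCEPT (RELATED)"
        if dst_port in self.trusted_ports:
            return "ACCEPT (NEW, trusted service)"
        # An ICMP host-prohibited reject is what the client reports as 'No route to host'.
        return "REJECT icmp-host-prohibited"


SERVER_IP = "137.101.28.132"          # the server address shown in the thread
CLIENT_IP = "203.0.113.7"             # constructed client address (documentation range)
PASV_REPLY = "227 Entering Passive Mode (137,101,28,132,198,23)"   # quoted from the thread
PORT_CMD = "PORT 203,0,113,7,4,1"     # constructed: client listens on 4*256+1 = 1025


def data_connection_verdict(passive, helper_on_server=False, helper_on_client=False):
    """Verdict the receiving host's firewall gives the data connection's SYN."""
    if passive:
        # Client opens the data connection to the port the server announced.
        fw = StatefulFirewall(helper_on_server, frozenset({21}))
        fw.inspect_control(CLIENT_IP, PASV_REPLY, local_is_server=True)
        _, port = parse_pasv(PASV_REPLY)
        return fw.inbound_syn(CLIENT_IP, port)
    # Active mode: the server connects from port 20 to the port the client announced,
    # so it is the client side's firewall that has to recognise the connection.
    fw = StatefulFirewall(helper_on_client, frozenset())
    fw.inspect_control(SERVER_IP, PORT_CMD, local_is_server=False)
    _, port = parse_port(PORT_CMD)
    return fw.inbound_syn(SERVER_IP, port)


if __name__ == "__main__":
    print("PASV port announced:", parse_pasv(PASV_REPLY))
    for passive, srv, cli in [(True, False, False), (True, True, False),
                              (False, False, False), (False, False, True)]:
        mode = "passive" if passive else "active"
        print(f"{mode:8} helper(server={srv}, client={cli}): "
              f"{data_connection_verdict(passive, srv, cli)}")
```

The 227 line from the thread decodes to port 198*256+23 = 50711, a port that is neither 21 nor anything else checked as a trusted service, so without the helper the default chain's final REJECT answers the client's SYN and the client prints "No route to host".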
ASKER
Please tell me how to close this question and how the points will be reimbursed.
ASKER CERTIFIED SOLUTION
# system-config-securitylevel
Assumption : eth0 Private (LAN), eth1 Public (WAN)
Trusted Devices:
eth0 (Check the box)
Allow incoming:
FTP (check the box)
Save and try restarting the iptables service.
# service iptables restart
Hope this helps.
P.S. I would prefer to create my own firewall rules. :)
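The hand-written rules Kitti alludes to, as an added example that is not from any post in this thread. It takes Kitti's layout (eth0 private, eth1 public), pins vsftpd's passive data ports to a range so the rule set stays bounded, attaches the FTP conntrack helper explicitly, and ends the INPUT chain with the same icmp-host-prohibited reject that FC4's tool generates. The port range 50000-50100, the interface names and the config path /etc/vsftpd/vsftpd.conf are assumptions; adjust them to your host. Run without arguments for a dry run that only prints what would be installed.

```shell
#!/bin/sh
# Added example, not from the thread: the hand-written equivalent of Kitti's
# system-config-securitylevel settings, plus a pinned passive port range.
# Assumptions: eth0 is the LAN side, eth1 is the public side, the range
# 50000-50100 is arbitrary, and vsftpd reads /etc/vsftpd/vsftpd.conf.

LAN_IF=eth0
WAN_IF=eth1
PASV_MIN=50000
PASV_MAX=50100

vsftpd_pasv_conf() {
    # Without pasv_min_port/pasv_max_port vsftpd picks any free high port, so the
    # only thing that can let the data connection in is the conntrack helper.
    cat <<EOF
pasv_enable=YES
pasv_min_port=$PASV_MIN
pasv_max_port=$PASV_MAX
EOF
}

ftp_ruleset() {
    # iptables-restore format. The raw-table CT rule attaches the ftp helper to the
    # control connection explicitly; kernels since 4.7 no longer do that automatically
    # just because the module is loaded, which is what 'modprobe ip_conntrack_ftp'
    # relied on in 2005. The explicit pasv range rule is the fallback for when the
    # helper cannot read the control channel (for example FTP over TLS).
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

apply_rules() {
    # Loads the helper (current name first, FC4-era name as fallback), installs the
    # ruleset and appends the passive settings. Root only; review the dry run first.
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp || return 1
    ftp_ruleset | iptables-restore || return 1
    vsftpd_pasv_conf >> /etc/vsftpd/vsftpd.conf
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) ftp_ruleset; echo; vsftpd_pasv_conf ;;   # dry run: print what would be installed
esac
```

Two caveats a practitioner will want. A bare `modprobe ip_conntrack_ftp`, as in the accepted fix, does not survive a reboot; on FC4 the persistent form is `IPTABLES_MODULES="ip_conntrack_ftp"` in /etc/sysconfig/iptables-config. And the `getsebool -a` output posted earlier shows `ftpd_disable_trans --> active`, which means vsftpd is running unconfined by SELinux, so on that server the packet filter is the only remaining control around the daemon; once the helper is in place, re-enabling the transition is worth revisiting.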