Solved

VSFTPD - how do you configure the FTP root directory?

Posted on 2008-10-01
Last Modified: 2012-06-21
I've recently obtained my own dedicated Linux server, and have full root access.

I've verified that I have the VSFTPD server installed, and that the service is running.

I am able to log in via FTP (using the same username & password that I've been using to connect via SFTP) -- but after connecting, .. I never see a directory or file listing.  It just hangs at the "LIST" command and eventually throws an error message (ie: )

I'm assuming that I need to modify the vsftpd.conf file and specify the FTP root directory somehow. I've had a look at the file, but can't seem to figure out where this entry needs to be updated or added.  Please advise.

By the way, I need to get FTP working because I need to configure Joomla with it (since Joomla currently doesn't have built-in SFTP support -- it only has FTP support)

Thanks in advance,
- Yvan



Question by:egoselfaxis
17 Comments
 
LVL 3

Expert Comment

by:BigCasino
ID: 22615198
Create a directory /home/"username" with the appropriate privilege.  The user should own the directory and be able to change, add, modify.
0
 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 22615236
most likely it's a firewall issue...ftp needs two ports for the ftp and ftp-data protocol each
0
 

Author Comment

by:egoselfaxis
ID: 22616182
>> most likely it's a firewall issue...ftp needs two ports for the ftp and ftp-data protocol each

Does this still apply if I am able to connect (but just not view directory contents)?  

Also, ... how can I confirm that the needed FTP ports are open?  What ports do I need to make sure are open.  21 and ... ???

Thanks,
- Yvan
0
 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 22616547
>> Does this still apply if I am able to connect (but just not view directory contents)?

Yes, and it most likely is that issue, because your commands while connecting happen on the ftp port. After the LIST, the directory content listing is actually a data transfer, which happens over the ftp-data port, which is port 20. Since it's blocked (probably), you don't get a response after that command.
Actually, try disabling the firewall initially and then ensure it's a firewall issue first. Then, once it's working, try setting the rules accordingly.
Do some read-up on active FTP and passive FTP. It's a little different from normal protocols and it's always worth understanding.
0
 
LVL 3

Expert Comment

by:BigCasino
ID: 22617053
I have VSFTP set up on my server, and the only directories each user can see are their own in the given home directory.  If there is nothing there, they will see nothing.
0
 

Author Comment

by:egoselfaxis
ID: 22618242
Well, .. I've added a new "accept" rule for TCP port #23 in iptables (and also clicked on the "Apply Configuration" button)

I've also verified that a home directory of the user I'm logging in as exists on the server, and that it has the appropriate permissions set to it.  

However, .. I am still hanging -- right before retrieving the directory listing:

Command:      LIST
Response:      425 Failed to establish connection.
Error:      Failed to retrieve directory listing

Any thoughts?

- Yvan

 
0
 

Author Comment

by:egoselfaxis
ID: 22618247
(I meant port #20 --- sorry)

- Yvan
0
 
LVL 3

Expert Comment

by:BigCasino
ID: 22618331
I found this...may be old news but something you could try.  I did not have to deal with IPtables in my setup.

Fixes "425 Failed to establish connection" or "Client Error: Failed to retrieve directory listing". If you have not run some sort of automated firewall utility you may need to add the module ip_conntrack_ftp to your iptables configuration. Just make sure your line includes  ip_conntrack_ftp as stated below. If you are not running an iptables based firewall then this can be ignored.
>nano /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"

0

 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 22620893
Check if your vsftpd is running in active or passive mode (the following variables decide that: connect_from_port_20, pasv_enable).

If you are not sure, post your vsftpd.conf here (strip off comments with | grep -v ^# ).

If it's active, IIRC the server's port 20 initiates a connection to your system at a port >1024, so you'll need to set the firewall rules accordingly. Actually, iptables can take care of the ftp connection tracking, which is why I asked you to first ensure if it's a firewall problem. If you can't drop the firewall, try opening up all TCP traffic between the server and your host only.

If you have something like iptraf or tcpdump, you can monitor if the ftp-data port connection is dropping at your end and what ports are exactly being used.
0
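The two settings named in the comment above decide which direction the data connection takes, and so which firewall rule matters. The script below is an added example, not code from the thread: it reads a vsftpd.conf and lists the data-connection paths it permits. The function names and the sample config are constructed for illustration; the defaults are those documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example: list the FTP data-connection paths a vsftpd.conf permits.
# Defaults when a key is absent, per vsftpd.conf(5): port_enable=YES,
# pasv_enable=YES, connect_from_port_20=NO, pasv_min_port=0, pasv_max_port=0.

# conf_get FILE KEY DEFAULT: value of an uncommented KEY=value line.
# If KEY is repeated, the last line is used (an assumption of this sketch).
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${val:-$3}"
}

# conf_on FILE KEY DEFAULT: succeeds when the boolean is enabled.
# YES, TRUE or 1 (any case) count as enabled here.
conf_on() {
    case $(conf_get "$1" "$2" "$3" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# data_paths FILE: one line per data-connection path the firewall must allow.
data_paths() {
    if conf_on "$1" port_enable YES; then
        if conf_on "$1" connect_from_port_20 NO; then
            echo "active: server tcp/20 -> client high port (outbound)"
        else
            echo "active: server high port -> client high port (outbound)"
        fi
    fi
    if conf_on "$1" pasv_enable YES; then
        lo=$(conf_get "$1" pasv_min_port 0)
        hi=$(conf_get "$1" pasv_max_port 0)
        if [ "$lo" -gt 0 ] && [ "$hi" -gt 0 ]; then
            echo "passive: client -> server tcp/$lo-$hi (inbound)"
        else
            echo "passive: client -> server port chosen by server (inbound; range not pinned)"
        fi
    fi
}

# Constructed sample config, not taken from a real host.
sample_conf() {
    printf '%s\n' 'local_enable=YES' '#pasv_enable=NO' 'connect_from_port_20=YES'
}

tmp=$(mktemp)
sample_conf > "$tmp"
data_paths "$tmp"
rm -f "$tmp"
```

A passive line with an unpinned range means a static inbound rule cannot cover the data port, which is where FTP connection tracking or a fixed pasv_min_port/pasv_max_port range comes in.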
 
LVL 4

Expert Comment

by:ckozloski
ID: 22639521
Here's the vsftpd.conf file I have set up:

----------------------------------
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
------------------------------------

There should also be a file called ftpusers that lists all accounts that should not be allowed to ftp into the server ever.

There is also a file called user_list that specifies users that are allowed to log into the server via ftp, provided you have the "userlist_enable" option set to "YES" in the conf file.

Just out of curiosity, are you running selinux?

0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22639531
Sorry for the second post but if you are running SELinux on that box, have a look at this:

http://www.linuxquestions.org/questions/linux-software-2/vsftpd-and-selinux-449313/
0
 

Author Comment

by:egoselfaxis
ID: 22671622
Ckozloski --- my vsftpd.conf file is configured the exact same way (same settings). The only difference is that I have anonymous_enable set to YES. I don't believe that changing this one parameter will have any effect, however.   BTW -- I'm running CentOS 5.

Any thoughts?

-Yvan




0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22671702
Well, as in my above post:
If you have SELinux enabled on that Linux machine you need to have a look at this:
http://www.linuxquestions.org/questions/linux-software-2/vsftpd-and-selinux-449313/
SELinux apparently has issues with vsftp.
Also, if you have enabled firewalling on that machine (i.e. you are using iptables or ipchains), you need to make sure that you set your allows in your iptables on the server so that it will open the ftp for connection. Otherwise the linux firewall will block it.
0
 

Author Comment

by:egoselfaxis
ID: 22671802
I thought SELinux was a distro of some kind.  What is it, and how can I tell if it's installed on my server?

- Yvan
0
 
LVL 4

Accepted Solution

by:
ckozloski earned 500 total points
ID: 22672990
SELinux is a security distribution that comes default with Linux. By default, it is usually turned on unless you select the option to turn it off during install.
The config file for selinux is: /etc/selinux/config
If the line "SELINUX=" is set to "enforcing" or "permissive" then SELinux is running on your machine.
Just run this from the command line to see what it is set to: more /etc/selinux/config | grep SELINUX=
To disable it temporarily, do the following from the shell:
echo 0 > /selinux/enforce
If you need to reenable it, change echo 0 to echo 1
To permanently disable it, you can edit the config file and set the parameter: SELINUX=disabled and reboot. (to reboot from CLI: init 6 or shutdown -r now).
The link above gives you a command to run at the command line in order to make vsftpd work if SELinux is installed and enabled.
0
 

Author Comment

by:egoselfaxis
ID: 22680558
Thanks!  I typed the following at the command line:

/usr/sbin/setsebool  -P ftp_home_dir=1

.. which disabled SELinux, and now I am able to connect via straight FTP.

- Yvan
0
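A check that reads the SELinux mode and the ftp_home_dir boolean separately, as an added example that is not part of the original thread. It parses text, so the sample input is constructed; on a live host the inputs would be /etc/selinux/config and the output of `getsebool ftp_home_dir`, whose `name --> on|off` format is assumed here. The function names are illustrative.

```shell
#!/bin/sh
# Added example: report the configured SELinux mode and the ftp_home_dir
# boolean, then say which of the two decides vsftpd's access to home dirs.

# selinux_config_mode FILE: the effective SELINUX= value. Comment lines such
# as "# SELINUX= can take one of these three values:" and the SELINUXTYPE=
# line are skipped, which a plain "grep SELINUX=" would also print.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# sebool_state LINE: prints on or off from one line of getsebool output
# (assumed format: "ftp_home_dir --> on"); prints nothing if unparseable.
sebool_state() {
    printf '%s\n' "$1" |
        awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $3 }'
}

# ftp_home_verdict MODE BOOL: combine the two readings into one finding.
# MODE from the config file is the boot-time mode; getenforce shows the
# current one and can be passed instead (lower-cased).
ftp_home_verdict() {
    case "$1:$2" in
        enforcing:on)  echo "allowed: enforcing, ftp_home_dir on" ;;
        enforcing:off) echo "blocked: enforcing, ftp_home_dir off; setsebool -P ftp_home_dir=1" ;;
        permissive:*)  echo "not blocked: permissive mode only logs denials" ;;
        disabled:*)    echo "not blocked: SELinux disabled" ;;
        *)             echo "unknown: mode='$1' boolean='$2'" ;;
    esac
}

# Constructed sample of /etc/selinux/config, not taken from a real host.
sample_selinux_config() {
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        '# SELINUX= can take one of these three values:' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted'
}

tmp=$(mktemp)
sample_selinux_config > "$tmp"
mode=$(selinux_config_mode "$tmp")
ftp_home_verdict "$mode" "$(sebool_state 'ftp_home_dir --> off')"  # constructed getsebool line
rm -f "$tmp"
```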
 
LVL 40

Expert Comment

by:omarfarid
ID: 22680583
SELinux is not matured yet and it is not recommended to enable it.
0
