Solved

VSFTPD - how do you configure the FTP root directory?

Posted on 2008-10-01
Last Modified: 2012-06-21
I've recently obtained my own dedicated Linux server, and have full root access.

I've verified that I have the VSFTPD server installed, and that the service is running.

I am able to log in via FTP (using the same username & password that I've been using to connect via SFTP) -- but after connecting, .. I never see a directory or file listing.  It just hangs at the "LIST" command and eventually throws an error message (ie: )

I'm assuming that I need to modify the vsftpd.conf file and specify the FTP root directory somehow. I've had a look at the file, but can't seem to figure out where this entry needs to be updated or added.  Please advise.

By the way, I need to get FTP working because I need to configure Joomla with it (since Joomla currently doesn't have built-in SFTP support -- it only has FTP support)

Thanks in advance,
- Yvan



Question by:egoselfaxis
17 Comments
 
LVL 3

Expert Comment

by:BigCasino
ID: 22615198
Create a directory /home/"username" with the appropriate privilege.  The user should own the directory and be able to change, add, modify.
0
 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 22615236
most likely it's a firewall issue...ftp needs two ports for the ftp and ftp-data protocol each
0
 

Author Comment

by:egoselfaxis
ID: 22616182
>> most likely it's a firewall issue...ftp needs two ports for the ftp and ftp-data protocol each

Does this still apply if I am able to connect (but just not view directory contents)?  

Also, ... how can I confirm that the needed FTP ports are open?  What ports do I need to make sure are open.  21 and ... ???

Thanks,
- Yvan
0
 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 22616547
>>>>>>Does this still apply if I am able to connect (but just not view directory contents)?  

Yes, and it most likely is that issue, because your commands while connecting happen on the ftp port. After the LIST, the directory content listing is actually a data transfer which happens over the ftp-data port, which is port 20. Since it's blocked (probably), you don't get a response after that command.
Actually, try disabling the firewall initially and then ensure it's a firewall issue first. Then once it's working, try setting the rules accordingly.
Do some read-up on active FTP and passive FTP. It's a little different from normal protocols and it's always worth understanding.
0
 
LVL 3

Expert Comment

by:BigCasino
ID: 22617053
I have VSFTP set up on my server, and the only directories each user can see are their own in the given home directory.  If there is nothing there, they will see nothing.
0
 

Author Comment

by:egoselfaxis
ID: 22618242
Well, .. I've added a new "accept" rule for TCP port #23 in iptables (and also clicked on the "Apply Configuration" button)

I've also verified that a home directory of the user I'm logging in as exists on the server, and that it has the appropriate permissions set to it.  

However, .. I am still hanging -- right before retrieving the directory listing:

Command:      LIST
Response:      425 Failed to establish connection.
Error:      Failed to retrieve directory listing

Any thoughts?

- Yvan

 
0
 

Author Comment

by:egoselfaxis
ID: 22618247
(I meant port #20 --- sorry)

- Yvan
0
 
LVL 3

Expert Comment

by:BigCasino
ID: 22618331
I found this...may be old news but something you could try.  I did not have to deal with IPtables in my setup.

Fixes "425 Failed to establish connection" or "Client Error: Failed to retrieve directory listing". If you have not run some sort of automated firewall utility you may need to add the module ip_conntrack_ftp to your iptables configuration. Just make sure your line includes  ip_conntrack_ftp as stated below. If you are not running an iptables based firewall then this can be ignored.
>nano /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"

0

 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 22620893
check if your vsftpd is running in active or passive mode (the following variables decide that : connect_from_port_20 , pasv_enable )

....if you are not sure, post your vsftpd.conf here (strip off comments with | grep -v ^# )

if it's active, IIRC the server's port 20 initiates a connection to your system at a port >1024, so you'll need to set the firewall rules accordingly. Actually iptables can take care of the ftp connection tracking, which is why I asked you to first ensure if it's a firewall problem. if you can't drop the firewall, try opening up all TCP traffic between the server and your host only.

if you have something like iptraf or tcpdump, you can monitor if the ftp-data port connection is dropping at your end and what ports are exactly being used.
0
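The check suggested above (which data-channel modes does this vsftpd.conf allow, and what must the firewall pass for each), as an added example that is not part of the original thread. The defaults used are those documented in vsftpd.conf(5); the sample file and the pasv_min_port/pasv_max_port values in it are constructed.

```shell
#!/bin/sh
# Report which FTP data-channel modes a vsftpd.conf permits and which
# direction of traffic the firewall must allow for each.

# conf_get FILE KEY DEFAULT -> last uncommented value of KEY, else DEFAULT
conf_get() {
    val=$(grep -v '^[[:space:]]*#' "$1" | sed -n "s/^$2=//p" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# data_channel_report FILE -> one line per enabled mode
data_channel_report() {
    conf=$1
    if [ "$(conf_get "$conf" port_enable YES)" = YES ]; then
        if [ "$(conf_get "$conf" connect_from_port_20 NO)" = YES ]; then
            src="port 20"
        else
            src="an unprivileged port"
        fi
        echo "active: server connects out from $src to the client"
    fi
    if [ "$(conf_get "$conf" pasv_enable YES)" = YES ]; then
        min=$(conf_get "$conf" pasv_min_port 0)
        max=$(conf_get "$conf" pasv_max_port 0)
        if [ "$min" -gt 0 ] && [ "$max" -ge "$min" ]; then
            echo "passive: client connects in to ports $min-$max"
        else
            echo "passive: client connects in to any unprivileged port (no complete range set)"
        fi
    fi
}

# Constructed sample config (not taken from the thread)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
anonymous_enable=NO
local_enable=YES
connect_from_port_20=YES
#pasv_enable=NO
pasv_min_port=50000
pasv_max_port=50100
EOF
data_channel_report "$sample"
```

With a fixed passive range, the firewall rule can name those ports instead of opening all TCP traffic; without one, FTP connection tracking (the ip_conntrack_ftp module mentioned earlier in the thread) is what lets the data connection through.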
 
LVL 4

Expert Comment

by:ckozloski
ID: 22639521
Here's the vsftpd.conf file i have set up:

----------------------------------
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
------------------------------------

There should also be a file called ftpusers that lists all accounts that should not be allowed to ftp into the server ever.

There is also a file called user_list that specifies users that are allowed to log into the server via ftp, provided you have the "userlist_enable" option set to "YES" in the conf file.

Just out of curiosity, are you running selinux?

0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22639531
Sorry for the second post but if you are running SELinux on that box, have a look at this:

http://www.linuxquestions.org/questions/linux-software-2/vsftpd-and-selinux-449313/
0
 

Author Comment

by:egoselfaxis
ID: 22671622
Ckozloski --- my vsftpd.conf file is configured the exact same way (same settings). The only difference is that I have anonymous_enable set to YES. I don't believe that changing this one parameter will have any effect, however.   BTW -- I'm running CentOS 5.

Any thoughts?

-Yvan




0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22671702
Well, as in my above post:
If you have SELinux enabled on that Linux machine you need to have a look at this:
http://www.linuxquestions.org/questions/linux-software-2/vsftpd-and-selinux-449313/
SELinux apparently has issues with vsftp.
Also, if you have enabled firewalling on that machine (i.e. you are using iptables or ipchains), you need to make sure that you set your allows in your iptables on the server so that it will open the ftp for connection. Otherwise the linux firewall will block it.
0
 

Author Comment

by:egoselfaxis
ID: 22671802
I thought SELinux was a distro of some kind.  What is it, and how can I tell if it's installed on my server?

- Yvan
0
 
LVL 4

Accepted Solution

by:
ckozloski earned 500 total points
ID: 22672990
SELinux is a security distribution that comes default with Linux. By default, it is usually turned on unless you select the option to turn it off during install.
The config file for selinux is: /etc/selinux/config
If the line "SELINUX=" is set to "enforcing" or "permissive" then SELinux is running on your machine.
Just run this from the command line to see what it is set to: more /etc/selinux/config | grep SELINUX=
To disable it temporarily, do the following from the shell:
echo 0 > /selinux/enforce
If you need to reenable it, change echo 0 to echo 1
To permanently disable it, you can edit the config file and set the parameter: SELINUX=disabled and reboot. (to reboot from CLI: init 6 or shutdown -r now).
The link above gives you a command to run at the command line in order to make vsftpd work if SELinux is installed and enabled.
0
 

Author Comment

by:egoselfaxis
ID: 22680558
Thanks!  I typed the following at the command line:

/usr/sbin/setsebool  -P ftp_home_dir=1

.. which disabled SELinux, and now I am able to connect via straight FTP.

- Yvan
0
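A way to run the SELinux checks from the two posts above without switching SELinux off, as an added example that is not part of the original thread. It reads only the uncommented SELINUX= line (a plain grep for SELINUX= also matches the comment lines in that file) and, on a live host, compares the runtime mode with the ftp_home_dir boolean; setsebool -P ftp_home_dir=1 changes that one boolean and leaves the SELinux mode as it was. The sample config and the action labels are constructed.

```shell
#!/bin/sh
# Decide whether SELinux is what blocks FTP access to home directories.

# selinux_config_mode FILE -> boot-time mode from the uncommented SELINUX= line
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# ftp_home_dir_action MODE BOOL -> next step for a given mode and boolean state
# (the returned labels are hypothetical names used only in this example)
ftp_home_dir_action() {
    case "$1:$2" in
        enforcing:off) echo "set-boolean" ;;     # setsebool -P ftp_home_dir=1
        enforcing:on)  echo "look-elsewhere" ;;  # boolean already allows access
        permissive:*)  echo "not-enforced" ;;    # denials are logged, not applied
        disabled:*)    echo "not-selinux" ;;
        *)             echo "unknown" ;;
    esac
}

# Constructed sample of /etc/selinux/config
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# SELINUX= can take one of these three values:
#       enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
echo "config mode (sample): $(selinux_config_mode "$sample_cfg")"

# On a host with the SELinux tools installed, report the runtime state too.
if command -v getenforce >/dev/null 2>&1; then
    mode=$(getenforce | tr 'A-Z' 'a-z')
    bool=$(getsebool ftp_home_dir 2>/dev/null | awk '{print $NF}')
    echo "runtime mode: $mode, ftp_home_dir: ${bool:-unknown}"
    echo "action: $(ftp_home_dir_action "$mode" "${bool:-unknown}")"
fi
```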
 
LVL 40

Expert Comment

by:omarfarid
ID: 22680583
SELinux is not mature yet and it is not recommended to enable it.
0
