Daniel Wilson asked:

I cannot connect to my Linux-hosted vsftp server via Passive FTP

Consistently, my FTP client (Filezilla) enters Passive Mode, then issues the LIST command ... and the connection times out.

I asked my hosting company about a firewall & they said the problem was on my server.  Fail2Ban was the problem.  They changed a setting for Fail2Ban and all was well for a while.  Now the problem is back.

I have turned Fail2Ban off, but the problem persists.  Below are the results of
sudo ps -A

What should I suspect is the problem?

Thanks!
PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 migration/0
    4 ?        00:00:00 ksoftirqd/0
    5 ?        00:00:00 watchdog/0
    6 ?        00:00:01 events/0
    7 ?        00:00:00 cpuset
    8 ?        00:00:00 khelper
    9 ?        00:00:00 async/mgr
   10 ?        00:00:00 pm
   11 ?        00:00:00 sync_supers
   12 ?        00:00:00 bdi-default
   13 ?        00:00:00 kintegrityd/0
   14 ?        00:00:00 kblockd/0
   15 ?        00:00:00 kacpid
   16 ?        00:00:00 kacpi_notify
   17 ?        00:00:00 kacpi_hotplug
   18 ?        00:00:00 ata/0
   19 ?        00:00:00 ata_aux
   20 ?        00:00:00 ksuspend_usbd
   21 ?        00:00:00 khubd
   22 ?        00:00:00 kseriod
   23 ?        00:00:00 kmmcd
   26 ?        00:00:00 khungtaskd
   27 ?        00:00:00 kswapd0
   28 ?        00:00:00 ksmd
   29 ?        00:00:00 aio/0
   30 ?        00:00:00 ecryptfs-kthrea
   31 ?        00:00:00 crypto/0
   34 ?        00:00:00 scsi_eh_0
   35 ?        00:00:00 scsi_eh_1
   38 ?        00:00:00 kstriped
   39 ?        00:00:00 kmpathd/0
   40 ?        00:00:00 kmpath_handlerd
   41 ?        00:00:00 ksnapd
   42 ?        00:00:00 kondemand/0
   43 ?        00:00:00 kconservative/0
  148 ?        00:00:01 mpt_poll_0
  181 ?        00:00:00 mpt/0
  186 ?        00:00:00 scsi_eh_2
  203 ?        00:00:01 jbd2/sda1-8
  204 ?        00:00:00 ext4-dio-unwrit
  247 ?        00:00:00 upstart-udev-br
  268 ?        00:00:00 udevd
  344 ?        00:00:00 udevd
  362 ?        00:00:00 udevd
  464 ?        00:00:01 rsyslogd
  485 ?        00:00:00 kpsmoused
  532 ?        00:00:00 flush-8:0
  655 ?        00:00:00 sshd
  839 ?        00:00:00 vsftpd
  842 ?        00:01:08 vmtoolsd
  870 tty4     00:00:00 getty
  874 tty5     00:00:00 getty
  879 tty2     00:00:00 getty
  880 tty3     00:00:00 getty
  883 tty6     00:00:00 getty
  885 ?        00:00:00 atd
  886 ?        00:00:00 cron
  904 ?        00:00:32 mysqld
  953 ?        00:00:03 apache2
  975 ?        00:00:01 named
 1007 ?        00:00:03 apache2
 1074 ?        00:00:15 miniserv.pl
 1156 ?        00:00:00 master
 1160 ?        00:00:00 qmgr
 1193 ?        00:00:02 amavisd-new
 1445 ?        00:00:00 amavisd-new
 1446 ?        00:00:00 amavisd-new
 1447 ?        00:01:14 clamd
 1552 ?        00:00:01 freshclam
 1612 ?        00:00:00 saslauthd
 1614 ?        00:00:00 saslauthd
 1615 ?        00:00:00 saslauthd
 1616 ?        00:00:00 saslauthd
 1617 ?        00:00:00 saslauthd
 1629 ?        00:00:14 snmpd
 1641 ?        00:00:04 dovecot
 1645 ?        00:00:01 dovecot-auth
 1652 ?        00:00:00 pop3-login
 1654 ?        00:00:00 pop3-login
 1656 ?        00:00:00 imap-login
 1690 tty1     00:00:00 getty
 1716 ?        00:00:00 tlsmgr
 1925 ?        00:00:00 apache2
 6928 ?        00:00:00 apache2
10054 ?        00:00:00 apache2
14116 ?        00:00:00 apache2
15151 ?        00:00:00 apache2
15264 ?        00:00:00 apache2
15588 ?        00:00:00 pop3-login
16086 ?        00:00:00 pickup
16090 ?        00:00:00 apache2
16091 ?        00:00:00 apache2
16092 ?        00:00:00 apache2
16230 ?        00:00:00 imap-login
16235 ?        00:00:00 imap-login
16272 ?        00:00:00 apache2
16335 ?        00:00:00 sshd
16407 ?        00:00:00 sshd
16408 pts/0    00:00:00 bash
16448 pts/0    00:00:00 ps


AlexPace

It sounds like a problem negotiating the data channel.   These are often firewall issues.
Daniel Wilson (ASKER)

Right, it would be a firewall issue.

Given that it's Passive FTP, I would suspect a firewall involving the server -- a virtual machine running Ubuntu at my hosting company 600 miles away -- not my client network.

If it's a firewall issue on that server, what software/ process should I be looking at?  Is turning Fail2Ban off good enough to get it out of the way?
The server's response to the PASV command should have 6 numbers.  The first 4 are the IP address and the last 2 are the port for the data channel.  To decipher the port, multiply the 5th number by 256 then add the 6th number.  Make sure your local firewall isn't preventing you accessing this port on this IP address.  

If the problem is on the server, most FTP server software allows you to specify a restricted range for passive mode data connections.  Choose a range at least twice as wide as the maximum number of concurrent connections you expect and that should do you for a long while.
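The decoding arithmetic above, as an added shell example that is not part of the original thread: it parses a 227 reply into the address and port of the data channel and applies the two checks a client-side trace should answer first, whether the advertised address is the server the control connection reached, and whether the port falls inside the range the server's firewall opens. The reply text and the 203.0.113.5 address are constructed sample data, not values from the thread.

```shell
#!/bin/sh
# Decode a passive-mode reply, "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)",
# into the address and port the client must connect to for the data channel.
# Prints "<ip> <port>"; fails (exit 1) for anything that is not a 227 reply.
pasv_decode() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9][0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    # Split the six fields into $1..$6: four address octets, two port bytes.
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    # Port = p1 * 256 + p2, as described in the reply above.
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

pasv_ip()   { out=$(pasv_decode "$1") || return 1; printf '%s\n' "${out%% *}"; }
pasv_port() { out=$(pasv_decode "$1") || return 1; printf '%s\n' "${out#* }"; }

# The address in the reply must be the one the control connection reached;
# a server behind NAT that advertises its private address sends the client
# somewhere unreachable, and the LIST simply times out.
pasv_addr_matches() { [ "$(pasv_ip "$1")" = "$2" ]; }

# The port must fall inside the range the server's firewall opens for data
# connections; anything outside it is dropped by an INPUT DROP policy unless
# a connection-tracking helper marks the connection RELATED.
pasv_port_in_range() {
    p=$(pasv_port "$1") || return 1
    [ "$p" -ge "$2" ] && [ "$p" -le "$3" ]
}

# Constructed sample reply, as FileZilla would log it (trailing dot included).
REPLY='227 Entering Passive Mode (203,0,113,5,195,80).'
pasv_decode "$REPLY"                     # 203.0.113.5 50000
pasv_port_in_range "$REPLY" 50000 50100 && echo "port inside the opened range"
```

Run it against the 227 line copied from the FileZilla message log; if the address does not match the host you connected to, or the port is outside the range you opened on the server, the firewall or the server's advertised address is the problem, not the client.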
Jan Bacher
If you are running iptables, then in iptables-config:

IPTABLES_MODULES="ip_conntrack_ftp"

If that still doesn't work, then: modprobe ip_conntrack_ftp

service iptables reload
Here's what I have in iptables.up.rules

Is this the place I should look?  where would I put the line you gave me?
# Generated by iptables-save v1.4.4 on Sun May  1 23:31:23 2011
*nat
:PREROUTING ACCEPT [2:392]
:POSTROUTING ACCEPT [1:350]
:OUTPUT ACCEPT [1:350]
COMMIT
# Completed on Sun May  1 23:31:23 2011
# Generated by iptables-save v1.4.4 on Sun May  1 23:31:23 2011
*mangle
:PREROUTING ACCEPT [11:2364]
:INPUT ACCEPT [11:2364]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:3931]
:POSTROUTING ACCEPT [9:3931]
COMMIT
# Completed on Sun May  1 23:31:23 2011
# Generated by iptables-save v1.4.4 on Sun May  1 23:31:23 2011
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
# Allow DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# Allow DNS queries
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# Allow connections to mail server (SMTP; already covered by the multiport rule above)
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to TCP port 8080
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow Connections to snmp (worthwhile monitoring)
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
COMMIT
# Completed on Sun May  1 23:31:23 2011


You need to look in the iptables-config file (or called something similar).  It's a file related to the behavior of iptables itself -- not the specific rules.

If you can't find it and your iptables is in /etc/sysconfig, then:
  # ls -l /etc/sysconfig/*iptables*
I found iptables.conf  in /etc/fail2ban/action.d/

Is this where I add
IPTABLES_MODULES="ip_conntrack_ftp"
?

Thanks!


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp


No, this is an iptables configuration file (not for the rules).  What is the physical path to iptables on your distribution?
the iptables executable is in /sbin/

sudo find / -name iptables-config

returns no results.

I'm reading http://www.linuxquestions.org/questions/ubuntu-63/where-is-iptables-config-file-584024/ but still confused.

There's also a shell script named iptables under /etc/bash_completion.d ... but that doesn't look like any kind of a config file.
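On Ubuntu there is no /etc/sysconfig/iptables-config (that file belongs to the Red Hat family); the helper module is loaded with modprobe and persisted in /etc/modules, and the rules file posted above is applied with iptables-restore. Below is an added check script, not from the thread and not Jan Bacher's accepted answer, that encodes the two fixes the thread discusses against that ruleset: loading the FTP connection-tracking helper (which makes the client's passive data connection RELATED, so the existing `-m state --state RELATED -j ACCEPT` rule admits it), or setting a fixed passive range in vsftpd.conf and opening it with a matching `--dport` rule. The `--tcp-flags ACK ACK -j ACCEPT` rule in the posted file does not help: the client's first data-channel packet is a bare SYN, which it does not match, while it admits any ACK-bearing segment regardless of connection state, broader than a stateful ruleset needs. The paths /etc/vsftpd.conf, /etc/iptables.up.rules and /etc/modules, the module name nf_conntrack_ftp, and the constructed lsmod, vsftpd.conf and iptables-save samples are assumptions, not from the page.

```shell
#!/bin/sh
# Server-side checks for passive vsftpd behind an INPUT DROP policy.
# Assumed (not from the thread): vsftpd reads /etc/vsftpd.conf, rules live in
# /etc/iptables.up.rules, and the FTP conntrack helper is nf_conntrack_ftp
# (ip_conntrack_ftp on older kernels).

# Print "min max" from vsftpd.conf text on stdin; "0 0" when no
# pasv_min_port/pasv_max_port is set (vsftpd then picks any free port,
# which no static --dport rule can cover).
vsftpd_pasv_range() {
    awk -F= '
        /^[ \t]*pasv_min_port[ \t]*=/ { gsub(/[^0-9]/, "", $2); min = $2 }
        /^[ \t]*pasv_max_port[ \t]*=/ { gsub(/[^0-9]/, "", $2); max = $2 }
        END { printf "%d %d\n", min, max }'
}

# Succeed if lsmod output on stdin lists an FTP conntrack helper.
ftp_helper_loaded() {
    grep -Eq '^(nf|ip)_conntrack_ftp[[:space:]]'
}

# Succeed if iptables-save output on stdin accepts RELATED traffic on INPUT;
# with the helper loaded, that rule is what admits the passive data channel.
related_accepted() {
    grep -Eq '^-A INPUT .*--state [A-Z,]*RELATED[A-Z,]* .*-j ACCEPT'
}

# Succeed if iptables-save output on stdin opens TCP min:max on INPUT.
pasv_range_open() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $1:$2 .*-j ACCEPT"
}

# Live diagnosis; run as root on the FTP server.  Each finding maps to one
# remediation: load the helper, or open the fixed passive range.
live_check() {
    set -- $(vsftpd_pasv_range < /etc/vsftpd.conf)
    if lsmod | ftp_helper_loaded; then
        echo "ok: FTP conntrack helper is loaded"
    elif iptables-save | related_accepted; then
        echo "fix: RELATED is accepted but no helper is loaded: modprobe nf_conntrack_ftp"
    else
        echo "fix: no RELATED rule and no helper; passive data ports will be dropped"
    fi
    if [ "$1" -gt 0 ]; then
        iptables-save | pasv_range_open "$1" "$2" \
            && echo "ok: passive range $1:$2 is open" \
            || echo "fix: add '-A INPUT -p tcp -m tcp --dport $1:$2 -j ACCEPT' to /etc/iptables.up.rules"
    else
        echo "note: no pasv_min_port/pasv_max_port in vsftpd.conf; rely on the helper, or set a range"
    fi
}

# Remediation, run as root: load the helper now and keep it across reboots
# on Debian/Ubuntu, where /etc/modules replaces Red Hat's IPTABLES_MODULES.
load_ftp_helper() {
    modprobe nf_conntrack_ftp || modprobe ip_conntrack_ftp
    grep -qx 'nf_conntrack_ftp' /etc/modules || echo 'nf_conntrack_ftp' >> /etc/modules
}
```

The pure functions take their input on stdin so they can be exercised against saved lsmod and iptables-save output without root; `live_check` and `load_ftp_helper` run the real commands. Choosing a fixed range with a matching rule is the option that does not depend on the helper parsing the control channel, which matters once the control channel is TLS-protected and the helper can no longer see the 227 reply.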
ASKER CERTIFIED SOLUTION
Jan Bacher
(solution text available only to Experts Exchange members; not included here)
Yes, that did it!  

Thanks!