Daniel Wilson
asked on
I cannot connect to my Linux-hosted vsftp server via Passive FTP
Consistently, my FTP client (FileZilla) enters Passive Mode, then issues the LIST command ... and the connection times out.
I asked my hosting company about a firewall & they said the problem was on my server. Fail2Ban was the problem. They changed a setting for Fail2Ban and all was well for a while. Now the problem is back.
I have turned Fail2Ban off, but the problem persists. Below are the results of
sudo ps -A
What should I suspect is the problem?
Thanks!
PID TTY TIME CMD
1 ? 00:00:01 init
2 ? 00:00:00 kthreadd
3 ? 00:00:00 migration/0
4 ? 00:00:00 ksoftirqd/0
5 ? 00:00:00 watchdog/0
6 ? 00:00:01 events/0
7 ? 00:00:00 cpuset
8 ? 00:00:00 khelper
9 ? 00:00:00 async/mgr
10 ? 00:00:00 pm
11 ? 00:00:00 sync_supers
12 ? 00:00:00 bdi-default
13 ? 00:00:00 kintegrityd/0
14 ? 00:00:00 kblockd/0
15 ? 00:00:00 kacpid
16 ? 00:00:00 kacpi_notify
17 ? 00:00:00 kacpi_hotplug
18 ? 00:00:00 ata/0
19 ? 00:00:00 ata_aux
20 ? 00:00:00 ksuspend_usbd
21 ? 00:00:00 khubd
22 ? 00:00:00 kseriod
23 ? 00:00:00 kmmcd
26 ? 00:00:00 khungtaskd
27 ? 00:00:00 kswapd0
28 ? 00:00:00 ksmd
29 ? 00:00:00 aio/0
30 ? 00:00:00 ecryptfs-kthrea
31 ? 00:00:00 crypto/0
34 ? 00:00:00 scsi_eh_0
35 ? 00:00:00 scsi_eh_1
38 ? 00:00:00 kstriped
39 ? 00:00:00 kmpathd/0
40 ? 00:00:00 kmpath_handlerd
41 ? 00:00:00 ksnapd
42 ? 00:00:00 kondemand/0
43 ? 00:00:00 kconservative/0
148 ? 00:00:01 mpt_poll_0
181 ? 00:00:00 mpt/0
186 ? 00:00:00 scsi_eh_2
203 ? 00:00:01 jbd2/sda1-8
204 ? 00:00:00 ext4-dio-unwrit
247 ? 00:00:00 upstart-udev-br
268 ? 00:00:00 udevd
344 ? 00:00:00 udevd
362 ? 00:00:00 udevd
464 ? 00:00:01 rsyslogd
485 ? 00:00:00 kpsmoused
532 ? 00:00:00 flush-8:0
655 ? 00:00:00 sshd
839 ? 00:00:00 vsftpd
842 ? 00:01:08 vmtoolsd
870 tty4 00:00:00 getty
874 tty5 00:00:00 getty
879 tty2 00:00:00 getty
880 tty3 00:00:00 getty
883 tty6 00:00:00 getty
885 ? 00:00:00 atd
886 ? 00:00:00 cron
904 ? 00:00:32 mysqld
953 ? 00:00:03 apache2
975 ? 00:00:01 named
1007 ? 00:00:03 apache2
1074 ? 00:00:15 miniserv.pl
1156 ? 00:00:00 master
1160 ? 00:00:00 qmgr
1193 ? 00:00:02 amavisd-new
1445 ? 00:00:00 amavisd-new
1446 ? 00:00:00 amavisd-new
1447 ? 00:01:14 clamd
1552 ? 00:00:01 freshclam
1612 ? 00:00:00 saslauthd
1614 ? 00:00:00 saslauthd
1615 ? 00:00:00 saslauthd
1616 ? 00:00:00 saslauthd
1617 ? 00:00:00 saslauthd
1629 ? 00:00:14 snmpd
1641 ? 00:00:04 dovecot
1645 ? 00:00:01 dovecot-auth
1652 ? 00:00:00 pop3-login
1654 ? 00:00:00 pop3-login
1656 ? 00:00:00 imap-login
1690 tty1 00:00:00 getty
1716 ? 00:00:00 tlsmgr
1925 ? 00:00:00 apache2
6928 ? 00:00:00 apache2
10054 ? 00:00:00 apache2
14116 ? 00:00:00 apache2
15151 ? 00:00:00 apache2
15264 ? 00:00:00 apache2
15588 ? 00:00:00 pop3-login
16086 ? 00:00:00 pickup
16090 ? 00:00:00 apache2
16091 ? 00:00:00 apache2
16092 ? 00:00:00 apache2
16230 ? 00:00:00 imap-login
16235 ? 00:00:00 imap-login
16272 ? 00:00:00 apache2
16335 ? 00:00:00 sshd
16407 ? 00:00:00 sshd
16408 pts/0 00:00:00 bash
16448 pts/0 00:00:00 ps
It sounds like a problem negotiating the data channel. These are often firewall issues.
ASKER
Right, it would be a firewall issue.
Given that it's Passive FTP, I would suspect a firewall involving the server -- a virtual machine running Ubuntu at my hosting company 600 miles away -- not my client network.
If it's a firewall issue on that server, what software/ process should I be looking at? Is turning Fail2Ban off good enough to get it out of the way?
The server's response to the PASV command should have 6 numbers. The first 4 are the IP address and the last 2 are the port for the data channel. To decipher the port, multiply the 5th number by 256 then add the 6th number. Make sure your local firewall isn't preventing you accessing this port on this IP address.
If the problem is on the server, most FTP server software allows you to specify a restricted range for passive mode data connections. Choose a range at least twice as wide as the maximum number of concurrent connections you expect and that should do you for a long while.
If you are running iptables, then in iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"
If that still doesn't work then:
modprobe ip_conntrack_ftp
service iptables reload
ASKER
Here's what I have in iptables.up.rules
Is this the place I should look? where would I put the line you gave me?
# Generated by iptables-save v1.4.4 on Sun May 1 23:31:23 2011
*nat
:PREROUTING ACCEPT [2:392]
:POSTROUTING ACCEPT [1:350]
:OUTPUT ACCEPT [1:350]
COMMIT
# Completed on Sun May 1 23:31:23 2011
# Generated by iptables-save v1.4.4 on Sun May 1 23:31:23 2011
*mangle
:PREROUTING ACCEPT [11:2364]
:INPUT ACCEPT [11:2364]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:3931]
:POSTROUTING ACCEPT [9:3931]
COMMIT
# Completed on Sun May 1 23:31:23 2011
# Generated by iptables-save v1.4.4 on Sun May 1 23:31:23 2011
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
# Allow DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# Allow DNS queries
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# Allow connections to SMTP server (port 25, already covered by the multiport rule above)
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to port 8080 (alternate HTTP)
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow Connections to snmp (worthwhile monitoring)
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
COMMIT
# Completed on Sun May 1 23:31:23 2011
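The answers above point at two server-side fixes: a restricted passive range (vsftpd's pasv_min_port/pasv_max_port) with a matching firewall rule, or the FTP conntrack helper so that the data connection is classified as RELATED. The following added Python example (not the thread's code, and not the accepted solution, which is not visible on this page) reads a vsftpd.conf fragment and an iptables-save dump in the same shape as the one posted above, then walks the INPUT chain for the first packet of a passive data connection to show which ports would be dropped with and without the helper. The vsftpd.conf values and the trimmed rule set are constructed; the helper check accepts either of the two names the module has had (ip_conntrack_ftp on older kernels, nf_conntrack_ftp on newer ones), which the thread does not mention.

```python
import re

# Constructed vsftpd.conf fragment; the port range is an assumption, not the asker's setting.
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

# Constructed iptables-save excerpt in the shape of the posted iptables.up.rules, trimmed to the
# rules that can match an inbound TCP packet.
RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
COMMIT
"""

_PROTO = re.compile(r"(?:^|\s)-p\s+(\S+)")
_NOT_IFACE = re.compile(r"!\s+-i\s+(\S+)")
_TCPFLAGS = re.compile(r"--tcp-flags\s+(\S+)\s+(\S+)")
_STATE = re.compile(r"--state\s+(\S+)")
_DPORT = re.compile(r"--dports?\s+(\S+)")
_TARGET = re.compile(r"-j\s+(\S+)")
ALL_TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def pasv_range(conf_text):
    """Return (pasv_min_port, pasv_max_port) from vsftpd.conf text; (0, 0) means any port,
    None means passive mode is disabled."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    if opts.get("pasv_enable", "YES").upper() == "NO":
        return None
    return int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))


def _ports(spec):
    """Expand '22', '20:21' or '25,587' (multiport) into a set of port numbers.
    Service names such as 'auth' are not resolved here and never match."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if lo.isdigit() and (hi == "" or hi.isdigit()):
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def input_verdict(rules_text, port, helper_loaded, iface="eth0"):
    """Walk the INPUT chain for the first packet (a bare SYN) of a passive data connection
    arriving on `iface` for TCP `port`; return the target of the first matching rule, else the policy."""
    policy = "ACCEPT"
    for raw in rules_text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT"):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT"):
            continue
        conds = []
        m = _NOT_IFACE.search(line)
        if m:
            conds.append(m.group(1) != iface)
        m = _PROTO.search(line)
        if m:
            conds.append(m.group(1) == "tcp")
        m = _TCPFLAGS.search(line)
        if m:
            mask = ALL_TCP_FLAGS if m.group(1) == "ALL" else set(m.group(1).split(","))
            comp = set() if m.group(2) == "NONE" else set(m.group(2).split(","))
            conds.append(({"SYN"} & mask) == comp)   # a bare SYN has only SYN set
        m = _STATE.search(line)
        if m:
            states = set(m.group(1).split(","))
            # conntrack sees the data SYN as NEW, unless the FTP helper parsed the PASV reply on
            # the control connection and registered an expectation, which makes it RELATED.
            conds.append("NEW" in states or ("RELATED" in states and helper_loaded))
        m = _DPORT.search(line)
        if m:
            conds.append(port in _ports(m.group(1)))
        target = _TARGET.search(line)
        if target and all(conds):
            return target.group(1)
    return policy


def blocked_ports(rules_text, lo, hi, helper_loaded):
    """Ports in [lo, hi] whose passive data SYN would not be ACCEPTed by the INPUT chain."""
    return [p for p in range(lo, hi + 1)
            if input_verdict(rules_text, p, helper_loaded) != "ACCEPT"]


def ftp_helper_loaded(proc_modules_text):
    """True if /proc/modules (or lsmod output) lists the FTP conntrack helper under either name."""
    names = {"ip_conntrack_ftp", "nf_conntrack_ftp"}
    return any(line.split()[0] in names for line in proc_modules_text.splitlines() if line.split())


if __name__ == "__main__":
    lo, hi = pasv_range(VSFTPD_CONF)
    for helper in (False, True):
        blocked = blocked_ports(RULES, lo, hi, helper)
        print("FTP helper loaded=%s: %d of %d passive ports would be dropped"
              % (helper, len(blocked), hi - lo + 1))
```

To run it against the real files, pass `open('/etc/iptables.up.rules').read()` as the rule text and `ftp_helper_loaded(open('/proc/modules').read())` as the helper flag. In the posted rule set the `--tcp-flags ACK ACK` and `ESTABLISHED` rules never match the data connection's first packet, so without the helper every passive port outside an explicit `--dport` range falls through to the `INPUT DROP` policy, which is exactly the LIST timeout described at the top of the thread.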
You need to look in the iptables-config file (or called something similar). It's a file related to the behavior of iptables itself -- not the specific rules.
If you can't find it and your iptables is in /etc/sysconfig, then:
# ls -l /etc/sysconfig/*iptables*
ASKER
I found iptables.conf in /etc/fail2ban/action.d/
Is this where I add
IPTABLES_MODULES="ip_conntrack_ftp"
?
Thanks!
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
No, this is an iptables configuration file (not for the rules). What is the physical path to iptables on your distribution?
ASKER
The iptables executable is in /sbin/.
sudo find / -name iptables-config
returns no results.
I'm reading http://www.linuxquestions.org/questions/ubuntu-63/where-is-iptables-config-file-584024/ but still confused.
There's also a shell script named iptables under /etc/bash_completion.d ... but that doesn't look like any kind of a config file.
ASKER CERTIFIED SOLUTION
ASKER
Yes, that did it!
Thanks!