Solved

I cannot connect to my Linux-hosted vsftp server via Passive FTP

Posted on 2011-09-07
11 Comments, 599 Views
Last Modified: 2012-05-12
Consistently, my FTP client (Filezilla) enters Passive Mode, then issues the LIST command ... and the connection times out.

I asked my hosting company about a firewall & they said the problem was on my server.  Fail2Ban was the problem.  They changed a setting for Fail2Ban and all was well for a while.  Now the problem is back.

I have turned Fail2Ban off, but the problem persists.  Below are the results of
sudo ps -A

What should I suspect is the problem?

Thanks!
PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 migration/0
    4 ?        00:00:00 ksoftirqd/0
    5 ?        00:00:00 watchdog/0
    6 ?        00:00:01 events/0
    7 ?        00:00:00 cpuset
    8 ?        00:00:00 khelper
    9 ?        00:00:00 async/mgr
   10 ?        00:00:00 pm
   11 ?        00:00:00 sync_supers
   12 ?        00:00:00 bdi-default
   13 ?        00:00:00 kintegrityd/0
   14 ?        00:00:00 kblockd/0
   15 ?        00:00:00 kacpid
   16 ?        00:00:00 kacpi_notify
   17 ?        00:00:00 kacpi_hotplug
   18 ?        00:00:00 ata/0
   19 ?        00:00:00 ata_aux
   20 ?        00:00:00 ksuspend_usbd
   21 ?        00:00:00 khubd
   22 ?        00:00:00 kseriod
   23 ?        00:00:00 kmmcd
   26 ?        00:00:00 khungtaskd
   27 ?        00:00:00 kswapd0
   28 ?        00:00:00 ksmd
   29 ?        00:00:00 aio/0
   30 ?        00:00:00 ecryptfs-kthrea
   31 ?        00:00:00 crypto/0
   34 ?        00:00:00 scsi_eh_0
   35 ?        00:00:00 scsi_eh_1
   38 ?        00:00:00 kstriped
   39 ?        00:00:00 kmpathd/0
   40 ?        00:00:00 kmpath_handlerd
   41 ?        00:00:00 ksnapd
   42 ?        00:00:00 kondemand/0
   43 ?        00:00:00 kconservative/0
  148 ?        00:00:01 mpt_poll_0
  181 ?        00:00:00 mpt/0
  186 ?        00:00:00 scsi_eh_2
  203 ?        00:00:01 jbd2/sda1-8
  204 ?        00:00:00 ext4-dio-unwrit
  247 ?        00:00:00 upstart-udev-br
  268 ?        00:00:00 udevd
  344 ?        00:00:00 udevd
  362 ?        00:00:00 udevd
  464 ?        00:00:01 rsyslogd
  485 ?        00:00:00 kpsmoused
  532 ?        00:00:00 flush-8:0
  655 ?        00:00:00 sshd
  839 ?        00:00:00 vsftpd
  842 ?        00:01:08 vmtoolsd
  870 tty4     00:00:00 getty
  874 tty5     00:00:00 getty
  879 tty2     00:00:00 getty
  880 tty3     00:00:00 getty
  883 tty6     00:00:00 getty
  885 ?        00:00:00 atd
  886 ?        00:00:00 cron
  904 ?        00:00:32 mysqld
  953 ?        00:00:03 apache2
  975 ?        00:00:01 named
 1007 ?        00:00:03 apache2
 1074 ?        00:00:15 miniserv.pl
 1156 ?        00:00:00 master
 1160 ?        00:00:00 qmgr
 1193 ?        00:00:02 amavisd-new
 1445 ?        00:00:00 amavisd-new
 1446 ?        00:00:00 amavisd-new
 1447 ?        00:01:14 clamd
 1552 ?        00:00:01 freshclam
 1612 ?        00:00:00 saslauthd
 1614 ?        00:00:00 saslauthd
 1615 ?        00:00:00 saslauthd
 1616 ?        00:00:00 saslauthd
 1617 ?        00:00:00 saslauthd
 1629 ?        00:00:14 snmpd
 1641 ?        00:00:04 dovecot
 1645 ?        00:00:01 dovecot-auth
 1652 ?        00:00:00 pop3-login
 1654 ?        00:00:00 pop3-login
 1656 ?        00:00:00 imap-login
 1690 tty1     00:00:00 getty
 1716 ?        00:00:00 tlsmgr
 1925 ?        00:00:00 apache2
 6928 ?        00:00:00 apache2
10054 ?        00:00:00 apache2
14116 ?        00:00:00 apache2
15151 ?        00:00:00 apache2
15264 ?        00:00:00 apache2
15588 ?        00:00:00 pop3-login
16086 ?        00:00:00 pickup
16090 ?        00:00:00 apache2
16091 ?        00:00:00 apache2
16092 ?        00:00:00 apache2
16230 ?        00:00:00 imap-login
16235 ?        00:00:00 imap-login
16272 ?        00:00:00 apache2
16335 ?        00:00:00 sshd
16407 ?        00:00:00 sshd
16408 pts/0    00:00:00 bash
16448 pts/0    00:00:00 ps


Question by:Daniel Wilson
11 Comments
 
LVL 16

Expert Comment

by:AlexPace
ID: 36497951
It sounds like a problem negotiating the data channel.   These are often firewall issues.
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36498049
Right, it would be a firewall issue.

Given that it's Passive FTP, I would suspect a firewall involving the server -- a virtual machine running Ubuntu at my hosting company 600 miles away -- not my client network.

If it's a firewall issue on that server, what software/ process should I be looking at?  Is turning Fail2Ban off good enough to get it out of the way?
 
LVL 16

Expert Comment

by:AlexPace
ID: 36498093
The server's response to the PASV command should have 6 numbers.  The first 4 are the IP address and the last 2 are the port for the data channel.  To decipher the port, multiply the 5th number by 256 then add the 6th number.  Make sure your local firewall isn't preventing you from accessing this port on this IP address.  

If the problem is on the server, most FTP server software allows you to specify a restricted range for passive mode data connections.  Choose a range at least twice as wide as the maximum number of concurrent connections you expect and that should do you for a long while.
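The decoding rule above, carried out as an added shell example that is not part of the original thread, together with the two checks a client should make before following a 227 reply: that the advertised address is the server the control connection is already talking to (a hostile or misconfigured server can otherwise steer the data connection to a third host), and that the port is in the unprivileged range. The addresses and ports in the sample replies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): decode a "227 Entering Passive
# Mode (h1,h2,h3,h4,p1,p2)" reply and sanity-check it before connecting.
# All host/port values used below are constructed.

# pasv_decode "<227 line>": prints "host port"; returns 1 on a malformed reply.
pasv_decode() {
    # Pull the six comma-separated numbers out of the parentheses.
    nums=$(printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    IFS=, read -r a b c d p1 p2 <<EOF
$nums
EOF
    # Every field is one byte; anything above 255 is a garbled reply.
    for n in $a $b $c $d $p1 $p2; do
        [ "$n" -le 255 ] || return 1
    done
    # Data port = 5th number * 256 + 6th number.
    printf '%s %d\n' "$a.$b.$c.$d" $((p1 * 256 + p2))
}

# pasv_check <control_host> "<227 line>": prints "host port" and returns 0
# only when the reply is safe to follow; returns 1 otherwise.
pasv_check() {
    ctrl=$1
    decoded=$(pasv_decode "$2") || { echo "malformed PASV reply: $2" >&2; return 1; }
    host=${decoded% *}
    port=${decoded#* }
    # Refuse a reply that points at a different host than the control
    # connection: following it would open a connection wherever the server says.
    if [ "$host" != "$ctrl" ]; then
        echo "PASV host $host differs from control host $ctrl" >&2
        return 1
    fi
    # A legitimate passive range lives above the privileged ports.
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "PASV port $port outside 1024-65535" >&2
        return 1
    fi
    printf '%s %s\n' "$host" "$port"
}

# Usage: sh pasv.sh <control_host> '<227 line copied from the client log>'
if [ $# -eq 2 ]; then
    pasv_check "$1" "$2"
fi
```

With the host and port in hand, `nc -vz <host> <port>` from the client shows whether the advertised data port is reachable at all, which separates a firewall problem from a vsftpd one.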
 
LVL 28

Expert Comment

by:Jan Springer
ID: 36498200
If you are running iptables, then in iptables-config:

IPTABLES_MODULES="ip_conntrack_ftp"

If that still doesn't work then, modprobe ip_conntrack_ftp

service iptables reload
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36498524
Here's what I have in iptables.up.rules

Is this the place I should look?  Where would I put the line you gave me?
# Generated by iptables-save v1.4.4 on Sun May  1 23:31:23 2011
*nat
:PREROUTING ACCEPT [2:392]
:POSTROUTING ACCEPT [1:350]
:OUTPUT ACCEPT [1:350]
COMMIT
# Completed on Sun May  1 23:31:23 2011
# Generated by iptables-save v1.4.4 on Sun May  1 23:31:23 2011
*mangle
:PREROUTING ACCEPT [11:2364]
:INPUT ACCEPT [11:2364]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:3931]
:POSTROUTING ACCEPT [9:3931]
COMMIT
# Completed on Sun May  1 23:31:23 2011
# Generated by iptables-save v1.4.4 on Sun May  1 23:31:23 2011
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set (stateless: matches any ACK-bearing segment before the state checks below)
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Drop responses to our pings (echo-reply)
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Drop incoming pings (echo-request)
-A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
# Allow DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# Allow DNS queries
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# Allow connections to SMTP (port 25; already covered by the multiport rule above)
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to port 8080
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow Connections to snmp (worthwhile monitoring)
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
COMMIT
# Completed on Sun May  1 23:31:23 2011


 
LVL 28

Expert Comment

by:Jan Springer
ID: 36498615
You need to look in the iptables-config file (or called something similar).  It's a file related to the behavior of iptables itself -- not the specific rules.

If you can't find it and your iptables is in /etc/sysconfig, then:
  # ls -l /etc/sysconfig/*iptables*
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36499210
I found iptables.conf  in /etc/fail2ban/action.d/

Is this where I add
IPTABLES_MODULES="ip_conntrack_ftp"
?

Thanks!


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

 
LVL 28

Expert Comment

by:Jan Springer
ID: 36499229
No, this is an iptables configuration file (not for the rules).  What is the physical path to iptables on your distribution?
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36499274
The iptables executable is in /sbin/

sudo find / -name iptables-config

returns no results.

I'm reading http://www.linuxquestions.org/questions/ubuntu-63/where-is-iptables-config-file-584024/ but still confused.

there's also a shell script named iptables under /etc/bash_completion.d ... but that doesn't look like any kind of a config file.
 
LVL 28

Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 36499303
I am unfamiliar with the Ubuntu distribution.

First add the module:

modprobe -a ip_conntrack_ftp

Does it automatically update the iptables configuration for you?
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36499355
Yes, that did it!  

Thanks!
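The accepted fix (loading the FTP connection-tracking helper) and the alternative AlexPace raised earlier (a fixed passive port range opened in the firewall), as an added shell example that is not code from the thread. It assumes Debian/Ubuntu paths (/etc/modules, /etc/vsftpd.conf) and a ruleset like the one posted above: that ruleset already accepts RELATED traffic, but until the helper is active the client's SYN to the advertised passive port matches nothing and falls through to the INPUT DROP policy. Two caveats a practitioner would want: on kernels 4.7 and later the helper is no longer attached automatically and must be bound to port 21 with a raw-table CT rule, and the helper cannot read PASV replies inside an FTPS (TLS) session, so the explicit range is the fix that keeps working. Separately, the posted `--tcp-flags ACK ACK -j ACCEPT` rule accepts any ACK-bearing segment before the state checks run, which lets ACK scans and out-of-state segments through; it is worth removing once the helper is in place. The range 50000-50100 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes Debian/Ubuntu paths and an
# iptables ruleset like the posted one, whose RELATED rule only helps once the
# FTP connection-tracking helper is active. 50000-50100 is an arbitrary range.

FTP_HELPER_MODULE=nf_conntrack_ftp   # ip_conntrack_ftp is an alias for this name
MODULES_FILE=/etc/modules            # Debian/Ubuntu: modules loaded at boot
VSFTPD_CONF=/etc/vsftpd.conf

# ftp_helper_rules: commands that let the existing RELATED rule match passive
# data connections. The raw-table CT rule is required on kernels >= 4.7, where
# helpers are not attached automatically (nf_conntrack_helper=0); it is
# harmless on older kernels.
ftp_helper_rules() {
    cat <<EOF
modprobe $FTP_HELPER_MODULE
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
EOF
}

# persist_module <file>: make the helper load at boot; safe to run repeatedly.
persist_module() {
    grep -qx "$FTP_HELPER_MODULE" "$1" 2>/dev/null || echo "$FTP_HELPER_MODULE" >>"$1"
}

# check_range <min> <max>: an unprivileged, non-empty passive range.
check_range() {
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# pasv_range_config <min> <max>: vsftpd.conf lines pinning the passive range.
# pasv_address is only needed behind NAT; otherwise vsftpd would advertise an
# address the client cannot reach.
pasv_range_config() {
    check_range "$1" "$2" || { echo "bad passive range $1-$2" >&2; return 1; }
    cat <<EOF
pasv_enable=YES
pasv_min_port=$1
pasv_max_port=$2
# pasv_address=<public IP>   (uncomment only when the server is behind NAT)
EOF
}

# pasv_range_rule <min> <max>: the matching INPUT rule. This works even when
# the helper cannot see the PASV reply (FTPS encrypts the control channel).
pasv_range_rule() {
    check_range "$1" "$2" || { echo "bad passive range $1-$2" >&2; return 1; }
    echo "iptables -A INPUT -p tcp -m tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Print the whole plan without changing anything:  sh pasv-fix.sh plan
if [ "${1-}" = "plan" ]; then
    ftp_helper_rules
    echo "echo $FTP_HELPER_MODULE >> $MODULES_FILE   # what persist_module does"
    echo "# append to $VSFTPD_CONF:"
    pasv_range_config 50000 50100
    pasv_range_rule 50000 50100
    echo "service vsftpd restart"
fi
```

Running the plan output as root applies both routes; afterwards `lsmod | grep nf_conntrack_ftp` confirms the helper is loaded, and a second LIST from FileZilla should complete against either the helper or the opened range.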
