Dalexan
asked on
cannot connect to ubuntu/vsftpd via ftps call from Filezilla
I have vsftpd set up on a Linux server running Ubuntu and can connect from a WinXP client with FileZilla v. 3.5.1 using ftp and sftp. However, ftps will not work...all we get is "Connection attempt failed with ECONNREFUSED - Connection refused by server". I've been through several postings on the web to get things configured properly, but nothing works. Client and server are on a local network, firewalls are turned off, and the conf file is:
listen=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_file=/var/log/vsftpd.log
ftpd_banner=Welcome to FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
setproctitle_enable=YES
session_support=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
Implicit_SSL=YES
listen_port=990
I'm at a loss as to what to try next...Can anyone please help?
SFTP normally connects on port 22. ??
I didn't see that you had already checked that. I cannot find anything in the FileZilla or vsftpd docs that says either one supports FTPS.
ASKER
Yes, I've looked over the wiki site...there are other blogs, etc., that define the steps to configure vsftpd for ftps transfers, so I assume it does in fact support this, and FileZilla has the option in the list for a site if you go into the menu options to manage sites. Given all this, it appears it should be supported and should work; however, I have yet to get it to cooperate.
Did you see this about firewalls? http://blog.joshua.net/2006/07/ftps-and-vsftpd-part-2-firewalls.html
ASKER
iptables is empty (iptables -F). Windows Firewall is disabled. Server and Client are on the same local network.
What do the logs on the server show for this?
Does /etc/ssl/certs/vsftpd.pem contain the private key as well?
Try turning debug_ssl on as well.
debug_ssl=YES
ASKER
vsftpd.log, user.log and messages are empty. vsftpd.pem has the private key and certificate. Setting debug_ssl=YES made no difference in the logs after a restart.
Are you sure the server is running and listening on 21?
/etc/init.d/vsftpd status
netstat -an|grep :21
ASKER
hmmm...looks like something is amiss...
root@PE860:/etc# start vsftpd
vsftpd start/running, process 8744
root@PE860:/etc#
root@PE860:/etc# status vsftpd
vsftpd stop/waiting
root@PE860:/etc# netstat -an|grep :21
root@PE860:/etc# netstat -an|grep :990
root@PE860:/etc#
It appears that even though it says it started, it didn't. Since I have listen_port=990, I tried both...neither is showing. ps -ef|grep vsftpd doesn't show anything either...now, with the log files empty, how do I figure out why it is not starting???
ASKER
But then, if that is the case, why would sftp work?
ASKER
openssh/sftp-server is running...??
Oh, whoops, yeah, it would be running on 990.
Which distro are you running?
"but then, if that is the case, why would sftp work?"
sftp uses SSH.
Try splitting up your key and cert and adding the rsa_private_key_file option.
If the server still does not stay running after that, disable SSL and comment out listen_port and restart/test.
ASKER
Split the file...no go.
Commented out listen_port and disabled SSL...still won't stay running.
ASKER CERTIFIED SOLUTION
ASKER
I purged and reinstalled and have it running now with the default configuration. I will work with the settings a few at a time to see if I can get it working tonight and let you know tomorrow.
Thanks for your help so far.
ASKER
I am getting closer, I think, today. After restarting from the generic install, I found that implicit_ssl=YES was the cause of the restart failure.
Below are my current config settings, and the result showing a gnuTLS error:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=Welcome to NCTS FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd_cert.pem
rsa_private_key_file=/etc/ssl/private/vsftpd_key.pem
ssl_enable=YES
implicit_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990
I am now getting:
Status: Connecting to 10.20.254.14:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220 Welcome to NCTS FTP service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ********
Error: GnuTLS error -8: A record packet with illegal version was received.
Error: Could not connect to server
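The two configs posted in this thread (the first with `Implicit_SSL=YES`, `ssl_sslv2=YES`/`ssl_sslv3=YES` and the key bundled into `rsa_cert_file`; the second with `implicit_ssl=YES`, separate key file and SSLv2/v3 off) differ in exactly the ways a small pre-restart lint can catch. The script below is an added example written for this page, not code from vsftpd or from anyone in the thread. It assumes vsftpd matches option names case-sensitively and refuses to start on an unrecognised one (which matches the "start/running" then "stop/waiting" behaviour above), and that implicit FTPS clients such as FileZilla's "FTPS" site type expect port 990. `KNOWN_OPTIONS` is a deliberately short subset of real vsftpd.conf options, and both sample configs are constructed for the example.

```python
"""Lint a vsftpd.conf for the FTPS mistakes seen in this thread.

Added example, not vsftpd's own code. Assumptions (labelled here and in
the lead-in): vsftpd option names are case-sensitive and an unknown one
is fatal at start-up; implicit FTPS is served on port 990.
"""
import re

# Subset of genuine vsftpd.conf option names: the ones used on this page plus
# a few TLS-related ones. Extend from `man vsftpd.conf` for real use.
KNOWN_OPTIONS = {
    "listen", "listen_ipv6", "listen_port", "anonymous_enable", "local_enable",
    "write_enable", "local_umask", "dirmessage_enable", "use_localtime",
    "xferlog_enable", "connect_from_port_20", "xferlog_file", "ftpd_banner",
    "chroot_local_user", "chroot_list_enable", "chroot_list_file",
    "secure_chroot_dir", "pam_service_name", "setproctitle_enable",
    "session_support", "rsa_cert_file", "rsa_private_key_file", "ssl_enable",
    "allow_anon_ssl", "force_local_data_ssl", "force_local_logins_ssl",
    "ssl_tlsv1", "ssl_sslv2", "ssl_sslv3", "implicit_ssl", "debug_ssl",
    "ssl_ciphers", "require_ssl_reuse", "pasv_min_port", "pasv_max_port",
}


def parse_conf(text):
    """Return ({option: value}, [findings]) for vsftpd.conf-style text."""
    opts, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(("FATAL", f"line {lineno}: no '=' in {line!r}"))
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts, findings


def lint(text):
    """Return a list of (severity, message) tuples; empty means clean."""
    opts, findings = parse_conf(text)
    by_lower = {k.lower(): k for k in KNOWN_OPTIONS}

    def yes(key):
        return opts.get(key, "NO").upper() == "YES"

    for key, value in opts.items():
        if key not in KNOWN_OPTIONS:
            # Case-sensitive match: 'Implicit_SSL' is not 'implicit_ssl'.
            msg = f"unrecognised option {key!r}; vsftpd refuses to start"
            hint = by_lower.get(key.lower())
            if hint:
                msg += f" (did you mean {hint!r}?)"
            findings.append(("FATAL", msg))
        elif key.endswith(("_file", "_dir")) and re.search(r"\s", value):
            findings.append(("FATAL", f"{key}: path {value!r} contains whitespace"))

    for key in ("ssl_sslv2", "ssl_sslv3"):
        if yes(key):
            findings.append(("WARN", f"{key}=YES: obsolete protocol, set it to NO"))

    if yes("implicit_ssl"):
        if not yes("ssl_enable"):
            findings.append(("WARN", "implicit_ssl=YES is pointless without ssl_enable=YES"))
        if opts.get("listen_port") != "990":
            findings.append(("WARN", "implicit FTPS clients expect listen_port=990"))
    elif opts.get("listen_port") == "990":
        # Explicit (AUTH TLS) mode on the implicit port: a client that opens
        # with a TLS ClientHello gets a plaintext 220 banner back and fails.
        findings.append(("WARN", "listen_port=990 without implicit_ssl=YES: "
                                 "implicit-mode clients will fail to handshake"))

    if yes("ssl_enable") and "rsa_private_key_file" not in opts:
        findings.append(("INFO", "no rsa_private_key_file: rsa_cert_file must "
                                 "also contain the private key"))
    if yes("force_local_logins_ssl") and not yes("force_local_data_ssl"):
        findings.append(("WARN", "logins are TLS-protected but data transfers "
                                 "may be sent in plaintext"))
    return findings


# Constructed samples modelled on the thread's first and second configs.
BROKEN_CONF = """\
listen=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
Implicit_SSL=YES
listen_port=990
"""

FIXED_CONF = """\
listen=YES
local_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd_cert.pem
rsa_private_key_file=/etc/ssl/private/vsftpd_key.pem
ssl_enable=YES
implicit_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for severity, message in lint(conf) or [("OK", "no findings")]:
            print(f"{severity}: {message}")
```

Run it against the real file with `lint(open("/etc/vsftpd.conf").read())` before restarting; a FATAL finding explains a daemon that reports "start/running" and then vanishes without writing to vsftpd.log, because it exits while parsing the config, before logging is set up.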
Does the client know to use SSL for that connection?
ASKER
Yes. We have figured out the issue. I will post our solution and award points tomorrow.
ASKER
We have given up on FTPS and reverted to using SFTP, which works and is secure. Papertrip was helpful, and this could possibly work for FTPS, but our time is limited.