Solved

Ubuntu vsftpd not logging in from public IP

Posted on 2014-04-09
562 Views
Last Modified: 2014-05-15
Hello experts,

I have set up vsftpd in my Ubuntu installation.
I have the users set up, and everything works fine when I log in from the local network.

But when I log in from outside using our public IP, the login doesn't work; it asks for the password and says:
550 Permission denied
Requested action not taken (e.g., file or directory not found, no access).

What am I doing wrong? Or what should I be doing?

Thanks in advance,
Miguel
Question by:justaphase
16 Comments
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 300 total points
ID: 39989743
Is your iptables set up for FTP?  There are some special rules for FTP because it switches ports after you connect.

Try connecting from the outside using PASV mode and see if it works.
0
 
LVL 1

Author Comment

by:justaphase
ID: 39990099
I tried PASV and it didn't work.
iptables? Didn't try that. I'm a novice at installing Linux servers..

Gonna google how to do it, and let you know.

Thanks :)
0
 
LVL 61

Expert Comment

by:gheist
ID: 39990232
Any kind of firewall between you (outside) and the server?
0
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 300 total points
ID: 39990441
This has an example:

http://unix.stackexchange.com/questions/93554/iptables-to-allow-incoming-ftp

The example only shows entries for FTP... the important rules are:

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
0
 
LVL 13

Accepted Solution

by:Sandy
Sandy earned 200 total points
ID: 39990875
Remove the option below from /etc/vsftpd/vsftpd.conf

connect_from_port_20

And restart the service.

TY/SA
0
 
LVL 1

Author Comment

by:justaphase
ID: 39991074
My current iptables config is this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Shouldn't this be enough?

The line connect_from_port_20 was already removed, and it didn't work.

I'm running Ubuntu 13.10.
And my vsftpd.conf is like this:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0644
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=20
pasv_max_port=7050
pasv_address=my_public_ip
pasv_addr_resolve=YES
chroot_local_user=NO
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key


And my vsftpd.chroot_list file has one user.

All works fine on the local network. But from outside, using our public IP, it gives the 550 permission error :(
0
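The iptables rules Matt V posted earlier and the vsftpd.conf just posted, worked through as an added example that is not code from this thread or from the vsftpd project: a script that parses a vsftpd.conf in the posted OPTION=value format, derives the iptables rules the control port and the passive data range need, and flags the passive-range choices in the posted config (pasv_min_port=20 spans the control port and other privileged ports) that leave a server reachable only from the LAN. The sample config, the 203.0.113.10 address standing in for "my_public_ip", and the suggested 50000-50100 range are constructed assumptions.

```python
# Added example (not code from this thread or from vsftpd): derive the iptables
# rules a vsftpd instance needs from its own vsftpd.conf, and flag passive-port
# choices that cause the "works on the LAN, fails from outside" symptom.

# Constructed sample; values mirror the config posted in the thread, with the
# documentation address 203.0.113.10 standing in for "my_public_ip".
SAMPLE_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
pasv_enable=YES
pasv_min_port=20
pasv_max_port=7050
pasv_address=203.0.113.10
# connect_from_port_20 left at its default (NO)
"""


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf: one OPTION=value per line, '#' comments, no sections."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: not OPTION=value: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default):
    """vsftpd booleans are YES/NO (case-insensitive); fall back to vsftpd's default."""
    return conf.get(key, default).upper() == "YES"


def pasv_range(conf):
    """(min, max) of the passive data range, or None when vsftpd picks any port (0/0 default)."""
    lo = int(conf.get("pasv_min_port", "0"))
    hi = int(conf.get("pasv_max_port", "0"))
    return (lo, hi) if lo and hi else None


def lint_passive(conf):
    """Warnings about passive-mode settings, independent of the host firewall."""
    warnings = []
    port = int(conf.get("listen_port", "21"))
    rng = pasv_range(conf)
    if rng is None:
        warnings.append("no pasv_min_port/pasv_max_port: data ports are unpredictable, "
                        "so the firewall needs nf_conntrack_ftp (RELATED) instead of a port range")
        return warnings
    lo, hi = rng
    if lo > hi:
        warnings.append(f"pasv_min_port {lo} > pasv_max_port {hi}")
    if lo <= port <= hi:
        warnings.append(f"passive range {lo}-{hi} overlaps the control port {port}")
    if lo < 1024:
        warnings.append(f"passive range starts at {lo}: privileged ports should not carry data; "
                        "pick a high range such as 50000-50100 and forward it on the router")
    if "pasv_address" not in conf:
        warnings.append("pasv_address unset: behind NAT the 227 reply will carry the private IP")
    return warnings


def firewall_rules(conf):
    """iptables commands (as strings) that let this vsftpd config work from outside.

    Uses the conntrack match; the stateless rules posted in the thread only cover
    the control port and an active-mode source port, not the passive range."""
    port = int(conf.get("listen_port", "21"))
    rules = [f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"]
    if is_yes(conf, "pasv_enable", "YES"):
        rng = pasv_range(conf)
        if rng:
            rules.append(f"iptables -A INPUT -p tcp --dport {rng[0]}:{rng[1]} "
                         "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
        else:
            rules.append("modprobe nf_conntrack_ftp")
            rules.append("iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    if is_yes(conf, "port_enable", "YES"):
        # Active mode: the server opens the data connection itself, from port 20
        # only when connect_from_port_20=YES (default NO: an unprivileged port).
        sport = "20" if is_yes(conf, "connect_from_port_20", "NO") else "1024:65535"
        rules.append(f"iptables -A OUTPUT -p tcp --sport {sport} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
    return rules


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    for w in lint_passive(conf):
        print("WARNING:", w)
    print("\n".join(firewall_rules(conf)))
```

Run it against the real file with `parse_vsftpd_conf(open("/etc/vsftpd.conf").read())`. Two caveats the rules cannot express: the router in front of the server must forward the control port and the whole passive range to the host (host rules alone change nothing when the edge device never delivers the packets), and on kernels from 4.7 onward the conntrack helper is no longer auto-assigned, so the no-range case also needs a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. On Ubuntu the same holes can be opened with ufw (`ufw allow 21/tcp` and `ufw allow 50000:50100/tcp`), which is the tool the asker eventually disabled.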
 
LVL 1

Author Comment

by:justaphase
ID: 39991169
mattvmotas,

After I made the changes you suggested, the problem remains :(
When I run "$ iptables -L" I get this configuration:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data

Some entries seem duplicated because I executed the command more than once...

Isn't there a file where I can edit iptables instead of changing it with the "iptables" command?
0
 
LVL 1

Author Comment

by:justaphase
ID: 39992256
Help anyone? :\
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39994022
/etc/sysconfig/iptables is the file location

By the way, can you give it a try by stopping iptables temporarily?

TY/SA
0
 
LVL 1

Author Comment

by:justaphase
ID: 39994167
I have Ubuntu 13.10; that sysconfig folder with iptables doesn't exist.

I have stopped the firewall like this:
sudo ufw disable

And flushed iptables like this:
sudo iptables -F

And it's the same:
550 Permission denied
Requested action not taken (e.g., file or directory not found, no access).

It's as if I had to give some sort of permission to the user to use the external IP..
Like: username@local and username@publicip....
0
 
LVL 1

Author Comment

by:justaphase
ID: 39994797
And as I mentioned, the FTP doesn't give the permission error right away.
It keeps asking for login over and over and doesn't accept it..
It gives a 550 permission error in the info pane when using an FTP client tool, and in a browser it doesn't give any error, it only keeps asking for login..
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 39994876
Please see below link for vsftpd config on ubuntu:

https://help.ubuntu.com/community/vsftpd

In another question, the user just changed the line below to get his issue resolved:

pam_service_name=vsftpd

to

pam_service_name=ftp
0
 
LVL 1

Author Comment

by:justaphase
ID: 40003971
Hi all,

I tried changing the port to 2121, because I think the problem was the router; it was not using port 21 on my Linux server.
Then I changed the configuration to this:
listen=YES
port_enable=YES
listen_port=2121
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0644
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=2000
pasv_max_port=7050
pasv_address=my_public_ip
#pasv_addr_resolve=YES
#chroot_local_user=NO
#chroot_list_enable=YES
#allow_writeable_chroot=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

#userlist_enable=YES
tcp_wrappers=YES

And the login works!
But... now I'm receiving another error :(
The folder list doesn't show, and it gives this error:
500 Illegal PORT command.
Syntax error: command unrecognized.
Failed to establish data socket.

What should I change?
0
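The "500 Illegal PORT command." just reported, worked through as an added example that is not code from this thread or from vsftpd: a model of the two address checks on the FTP data channel that fail across NAT. vsftpd answers 500 to a PORT command whose address is not the control connection's peer, or whose port is privileged, unless port_promiscuous=YES; a client behind a NAT router sends its private LAN address, so active mode (what a client falls back to when it issues PORT) dies exactly like this. In passive mode the 227 reply carries pasv_address, so a wrong or unset pasv_address makes the outside client dial a private IP instead. The reply strings follow vsftpd; the addresses, the sample commands and the client-side "is this endpoint usable" rule are constructed simplifications, not any real client's logic.

```python
# Added example, not code from this thread or from vsftpd: the PORT and PASV
# address checks that break an FTP data channel across NAT.
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """RFC 959 encodes IPv4 and port as six decimal bytes: a,b,c,d,p_hi,p_lo."""
    if any(not 0 <= b <= 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("host-port byte out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport, as used in 227 replies and PORT commands."""
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def server_handle_port(cmd, control_peer_ip, port_promiscuous=False):
    """Reply vsftpd gives to a PORT command from the client at control_peer_ip."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return "500 Illegal PORT command."
    try:
        ip, port = decode_hostport(*map(int, m.groups()))
    except ValueError:
        return "500 Illegal PORT command."
    if not port_promiscuous:
        # Anti-bounce check: data goes back only to the client we are talking
        # to, and never to a privileged port. A NAT'd client sends its LAN
        # address here, which is not control_peer_ip, hence the 500.
        if ip != control_peer_ip or port < 1024:
            return "500 Illegal PORT command."
    return "200 PORT command successful. Consider using PASV."


def server_pasv_reply(local_ip, data_port, pasv_address=None):
    """227 reply; pasv_address (when set in vsftpd.conf) replaces the socket's local IP."""
    return f"227 Entering Passive Mode ({encode_hostport(pasv_address or local_ip, data_port)})."


def client_data_target(pasv_line, control_server_ip):
    """(ip, port, usable) for the data connection a client opens after PASV.

    Simplified client rule (assumption, not any real client's logic): an
    advertised private address that differs from the server we are talking
    to cannot be reached from outside its NAT."""
    m = PASV_RE.match(pasv_line)
    if not m:
        raise ValueError(f"not a 227 reply: {pasv_line!r}")
    ip, port = decode_hostport(*map(int, m.groups()))
    usable = ip == control_server_ip or not ipaddress.ip_address(ip).is_private
    return ip, port, usable


if __name__ == "__main__":
    # Constructed scenario: client on a LAN (192.168.1.50) behind NAT (seen as
    # 198.51.100.7) talking to a server whose LAN address is 192.168.0.10 and
    # whose public address is 203.0.113.10.
    print(server_handle_port("PORT 192,168,1,50,19,136", "198.51.100.7"))
    print(server_handle_port("PORT 198,51,100,7,19,136", "198.51.100.7"))
    print(client_data_target(server_pasv_reply("192.168.0.10", 5000), "203.0.113.10"))
    print(client_data_target(server_pasv_reply("192.168.0.10", 5000, "203.0.113.10"), "203.0.113.10"))
```

The two outcomes to take from this: a client outside the server's NAT should use passive mode, which only works when pasv_address is the public IP and the passive range is forwarded by the router and allowed by the host firewall; setting port_promiscuous=YES would silence the 500 but removes the bounce-attack check, so it is not the fix. Note also that moving the control port to 2121 made login work only because something at the router was intercepting port 21, which the asker confirms at the end of the thread.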
 
LVL 13

Expert Comment

by:Sandy
ID: 40003989
It could be that the ISPConfig firewall was blocking the PASV ports. Try opening up ports 60000 to 60005 to get it working.

TY/SA
0
 
LVL 1

Author Comment

by:justaphase
ID: 40004061
ISPConfig firewall? Router firewall?
0
 
LVL 1

Author Comment

by:justaphase
ID: 40066654
I found the problem, and shame on the techs of my company..
They didn't fully disable the FTP option on the router as I asked them to. I had to go in by telnet to really disable that option, and finally I had my port 21 free and the FTP running...
0
