• Status: Solved

Ubuntu vsftpd not logging in from public IP

Hello experts,

I have set up vsftpd in my Ubuntu installation.
I have the users set up, and everything works fine when I log in from the local network.

But when I log in from outside using our public IP, the login doesn't work; it asks for the password, saying:
550 Permission denied
Requested action not taken (e.g., file or directory not found, no access).

What am I doing wrong? Or what should I be doing?

Thx in advance,
Miguel
justaphase
Asked:
 
Matt V Commented:
Is your iptables set up for FTP? There are some special rules for FTP because it switches ports after you connect.

Try connecting from the outside using PASV mode and see if it works.
 
justaphase (Author) Commented:
I tried PASV and it didn't work.
iptables? Didn't try that. I'm a novice at installing Linux servers..

Gonna google it to know how to, and let u know.

Thx :)
 
gheist Commented:
Any kind of firewall between you outside and the server?
Matt V Commented:
This has an example:

http://unix.stackexchange.com/questions/93554/iptables-to-allow-incoming-ftp

The example only shows entries for FTP... the important rules are:

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
 
Sandy Commented:
Remove the option below from /etc/vsftpd/vsftpd.conf

connect_from_port_20

And restart the service.

TY/SA
 
justaphase (Author) Commented:
My current iptable config is this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Shouldn't this be enough?

The line connect_from_port_20 was already removed and it didn't work.

I'm running Ubuntu 13.10.
And my vsftpd.conf is like this:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0644
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=20
pasv_max_port=7050
pasv_address=my_public_ip
pasv_addr_resolve=YES
chroot_local_user=NO
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key


And my vsftpd.chroot_list file has one user.

All works fine in local network. But from outside using our public ip, gives 550 permission error :(
 
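Added example, not part of the original thread: a Python check that reads the vsftpd.conf options posted above, derives the iptables rules (in the style of the ones quoted earlier) that the control and passive data ports need, and flags the passive-range and TLS settings a reviewer would question. The function names and finding texts are this example's own; the defaults assumed (listen_port 21, no passive range, ssl_enable off) are vsftpd's documented defaults.

```python
import re

# Constructed sample: passive-mode and TLS-related lines from the config posted
# above; "my_public_ip" is the poster's own placeholder.
SAMPLE_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=20
pasv_max_port=7050
pasv_address=my_public_ip
pasv_addr_resolve=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
"""

def parse_conf(text):
    """Return {option: value}, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def enabled(conf, key, default):
    return conf.get(key, default).upper() in ("YES", "TRUE", "1")

def audit(conf):
    """Return (findings, iptables_rules) for the control and passive ports."""
    findings = []
    ctrl = int(conf.get("listen_port", 21))        # vsftpd default control port
    lo = int(conf.get("pasv_min_port", 0))         # 0 means "any port"
    hi = int(conf.get("pasv_max_port", 0))
    rules = [f"-A INPUT -p tcp -m tcp --dport {ctrl} -j ACCEPT"]
    if enabled(conf, "pasv_enable", "YES"):
        if lo == 0 or hi == 0:
            findings.append("passive range unbounded: nothing to forward or filter on")
        else:
            if lo < 1024:
                findings.append(f"pasv_min_port={lo} puts data ports in the privileged range")
            if lo <= ctrl <= hi:
                findings.append(f"passive range {lo}-{hi} includes control port {ctrl}")
            rules.append(f"-A INPUT -p tcp -m tcp --dport {lo}:{hi} -j ACCEPT")
    addr = conf.get("pasv_address", "")
    if addr and not re.fullmatch(r"[0-9.]+", addr) and not enabled(conf, "pasv_addr_resolve", "NO"):
        findings.append("pasv_address is a hostname but pasv_addr_resolve is off")
    if not enabled(conf, "ssl_enable", "NO"):
        findings.append("ssl_enable is off: FTP logins cross the Internet in cleartext")
    return findings, rules
```

Every port in the second rule also has to be forwarded by the router in front of the server, which is why a narrow passive range above 1024 is easier to manage than 20 to 7050.
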
justaphase (Author) Commented:
mattvmotas,

After I made the changes you told me, the problem remains :(
When I run "$ iptables -L" I get this configuration:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data


Some entries seem duplicated because I executed the command more than once...

Isn't there a file where I can edit iptables instead of changing it with the "iptables" command?
 
justaphase (Author) Commented:
Help anyone? :\
 
Sandy Commented:
/etc/sysconfig/iptables is the file location

By the way, can you give it a try by stopping iptables temporarily?

TY/SA
 
justaphase (Author) Commented:
I have Ubuntu 13.10; that sysconfig folder with iptables doesn't exist.

I have stopped the firewall like this:
sudo ufw disable


And flushed iptables like this
sudo iptables -F


And it's the same:
550 Permission denied
Requested action not taken (e.g., file or directory not found, no access).


It's as if I had to give some sort of permission to the user to use the external IP..
Like: username@local and username@publicip....
 
justaphase (Author) Commented:
And as I mentioned.. FTP doesn't give the permission error right away.
It keeps asking for the login over and over and doesn't accept it..
It gives a 550 permission error in the info pane when using an FTP software tool, and in the browser it doesn't give any error, it only keeps asking for the login..
 
omarfarid Commented:
Please see the link below for vsftpd config on Ubuntu:

https://help.ubuntu.com/community/vsftpd

In another question, the user just changed the line below to get his issue resolved:


pam_service_name=vsftpd


to

pam_service_name=ftp
 
justaphase (Author) Commented:
Hi all,

I tried to change the port to 2121, because I think the problem was the router; it was not using port 21 on my Linux server.
Then, changed the configuration to this:
listen=YES
port_enable=YES
listen_port=2121
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0644
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=2000
pasv_max_port=7050
pasv_address=my_public_ip
#pasv_addr_resolve=YES
#chroot_local_user=NO
#chroot_list_enable=YES
#allow_writeable_chroot=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

#userlist_enable=YES
tcp_wrappers=YES


And the login works!
But... now I'm receiving another error :(
The folder list doesn't show and gives this error:
500 Illegal PORT command.
Syntax error: command unrecognized.
Failed to establish data socket.


What should I change?
 
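Added example, not part of the original thread: in active mode the client's PORT command carries the client's own address, and vsftpd's PORT security check (the one its port_promiscuous option disables) answers "500 Illegal PORT command." when that address differs from the control connection's peer or the port is below 1024, which is what a client behind NAT announcing its LAN address runs into. The Python below models that check and decodes a 227 passive-mode reply; the addresses are constructed documentation values and the function names are this example's own.

```python
import ipaddress
import re

def parse_hostport(arg):
    """Decode RFC 959 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    arg = arg.strip()
    if not re.fullmatch(r"\d{1,3}(?:,\d{1,3}){5}", arg, re.ASCII):
        raise ValueError("malformed host-port argument")
    nums = [int(n) for n in arg.split(",")]
    if max(nums) > 255:
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def check_port(arg, control_peer):
    """Model of the server-side PORT check: the data address must equal the
    address the control connection comes from, and the port must be >= 1024."""
    try:
        ip, port = parse_hostport(arg)
    except ValueError as exc:
        return f"reject: {exc}"
    if ip != ipaddress.IPv4Address(control_peer):
        return f"reject: PORT names {ip} but the control connection comes from {control_peer}"
    if port < 1024:
        return f"reject: privileged port {port}"
    return f"accept: server connects to {ip}:{port}"

def pasv_target(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into the
    (address, port) the client will dial for the data connection."""
    m = re.search(r"\(([^)]*)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 reply")
    return parse_hostport(m.group(1))

# Constructed values: client LAN address 192.168.1.50, seen by the server as
# 203.0.113.7 once the client's router has applied NAT.
LAN_PORT_ARG = "192,168,1,50,195,80"      # 195*256 + 80 = port 50000

if __name__ == "__main__":
    print(check_port(LAN_PORT_ARG, "192.168.1.50"))   # same LAN: accepted
    print(check_port(LAN_PORT_ARG, "203.0.113.7"))    # through NAT: rejected
    print(pasv_target("227 Entering Passive Mode (203,0,113,10,7,208)."))
```

In passive mode the direction reverses: the client dials the address decoded by `pasv_target`, so that address (set with pasv_address) and port must be reachable through the server's router.
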
Sandy Commented:
It could be that the ISPConfig firewall was blocking the PASV ports. Try opening up ports 60000 to 60005 to get it working.

TY/SA
 
justaphase (Author) Commented:
ISPConfig firewall? Router firewall?
 
justaphase (Author) Commented:
I found the problem, and shame on the techs of my company..
They didn't fully disable the FTP option from the router as I asked them. I had to go in by telnet to really disable that option, and finally I had my port 21 free and FTP running...
Question has a verified solution.