Can't find a way to FXP between 2 vsftpd running on debian


audric
10-05-2011, 01:07 AM
I have 2 dedicated servers. Each runs the same configuration: a Debian host OS and a Debian guest OS (virtual machine). Both are set up so that their 10021 host port is forwarded to 21 guest port. I changed IPs and names in the following log so that my 1st is 1.2.3.4.com (user1234, guest VM IP 192.168.12.11) and my 2nd is 5.6.7.8 (user5678, guest VM IP 192.168.56.11).

What am I doing wrong, please?

Summary :

Box 1 :
PI public ip : 1.2.3.4
HI host ip : 192.168.12.1
VI vm ip : 192.168.12.11
Net flow comes PI:10021 (or 20 or 50000-60000 ports range) and goes to VI:21 (or 20 or 50000-60000 ports range) through HI.

Box 2 :
PI public ip : 5.6.7.8
HI host ip : 192.168.56.1
VI vm ip : 192.168.56.11
Net flow comes PI:10021 (or 20 or 50000-60000 ports range) and goes to VI:21 (or 20 or 50000-60000 ports range) through HI.

I think I allowed all TCP connections between box1 and box2 on either side.

[07:24:39] [L] Connecting to 1234.com -> DNS=1234.com IP=1.2.3.4 PORT=10021
[07:24:39] [L] Connected to 1234.com
[07:24:39] [L] 220 Welcome to my VerySecureFTPD
[07:24:39] [L] AUTH TLS
[07:24:39] [L] 234 Proceed with negotiation.
[07:24:39] [L] Connected. Negotiating TLSv1 session
[07:24:39] [L] TLSv1 negotiation successful...
[07:24:39] [L] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[07:24:39] [L] PBSZ 0
[07:24:39] [L] 200 PBSZ set to 0.
[07:24:39] [L] USER user1234
[07:24:39] [L] 331 Please specify the password.
[07:24:39] [L] PASS (hidden)
[07:24:39] [L] 230 Login successful.
[07:24:39] [L] SYST
[07:24:39] [L] 215 UNIX Type: L8
[07:24:39] [L] FEAT
[07:24:39] [L] 211-Features:
[07:24:39] [L] AUTH SSL
[07:24:39] [L] AUTH TLS
[07:24:39] [L] EPRT
[07:24:39] [L] EPSV
[07:24:39] [L] MDTM
[07:24:39] [L] PASV
[07:24:39] [L] PBSZ
[07:24:39] [L] PROT
[07:24:39] [L] REST STREAM
[07:24:39] [L] SIZE
[07:24:39] [L] TVFS
[07:24:39] [L] UTF8
[07:24:39] [L] 211 End
[07:24:39] [L] PWD
[07:24:39] [L] 257 "/"

[07:25:04] [R] Connecting to 5678.com -> DNS=5678.com IP=5.6.7.8 PORT=10021
[07:25:04] [R] Connected to 5678.com
[07:25:04] [R] 220 Welcome to my VerySecureFTPD
[07:25:04] [R] AUTH TLS
[07:25:04] [R] 234 Proceed with negotiation.
[07:25:04] [R] Connected. Negotiating TLSv1 session
[07:25:04] [R] TLSv1 negotiation successful...
[07:25:04] [R] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[07:25:04] [R] PBSZ 0
[07:25:05] [R] 200 PBSZ set to 0.
[07:25:05] [R] USER user5678
[07:25:05] [R] 331 Please specify the password.
[07:25:05] [R] PASS (hidden)
[07:25:05] [R] 230 Login successful.
[07:25:05] [R] SYST
[07:25:05] [R] 215 UNIX Type: L8
[07:25:05] [R] FEAT
[07:25:05] [R] 211-Features:
[07:25:05] [R] AUTH SSL
[07:25:05] [R] AUTH TLS
[07:25:05] [R] EPRT
[07:25:05] [R] EPSV
[07:25:05] [R] MDTM
[07:25:05] [R] PASV
[07:25:05] [R] PBSZ
[07:25:05] [R] PROT
[07:25:05] [R] REST STREAM
[07:25:05] [R] SIZE
[07:25:05] [R] TVFS
[07:25:05] [R] UTF8
[07:25:05] [R] 211 End
[07:25:05] [R] PWD
[07:25:05] [R] 257 "/"

[07:25:15] [L] CWD /admin
[07:25:15] [L] 250 Directory successfully changed.
[07:25:15] [L] PWD
[07:25:15] [L] 257 "/admin"
[07:25:15] [L] TYPE A
[07:25:15] [L] 200 Switching to ASCII mode.
[07:25:15] [L] SIZE phpinfo.php
[07:25:15] [L] 213 21
[07:25:15] [L] MDTM phpinfo.php
[07:25:15] [L] 213 20081212190451
[07:25:15] [R] TYPE A
[07:25:15] [R] 200 Switching to ASCII mode.
[07:25:15] [R] SIZE phpinfo.php
[07:25:15] [R] 550 Could not get file size.
[07:25:15] [R] PROT P
[07:25:15] [R] 200 PROT now Private.
[07:25:15] [L] PROT P
[07:25:16] [L] 200 PROT now Private.
[07:25:16] [L] CPSV
[07:25:16] [L] 500 Unknown command.
[07:25:16] [L] SSCN ON
[07:25:16] [L] 500 Unknown command.
[07:25:16] [L] PASV
[07:25:16] [L] 227 Entering Passive Mode (192,168,12,11,218,129).
[07:25:16] [R] PORT 192,168,12,11,218,129
[07:25:16] [R] 200 PORT command successful. Consider using PASV.
[07:25:16] [R] STOR phpinfo.php
[07:25:16] [R] 553 Could not create file.
[07:25:16] [R] Transfer Failed!
[07:25:16] [L] PASV
[07:25:16] [L] 227 Entering Passive Mode (192,168,12,11,218,152).
[07:25:16] [L] Opening data connection IP: 1.2.3.4 PORT: 55960
[07:25:16] [L] LIST -al
[07:25:16] [L] Connected. Negotiating TLSv1 session
[07:25:16] [L] TLSv1 negotiation successful...
[07:25:16] [L] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[07:25:16] [L] 150 Here comes the directory listing.
[07:25:16] [L] 226 Directory send OK.
[07:25:16] [L] List Complete: 313 bytes in 0,36 seconds (0,3 KB/s)
[07:25:16] [R] PASV
[07:25:16] [R] 227 Entering Passive Mode (192,168,56,11,197,199).
[07:25:16] [R] Opening data connection IP: 5.6.7.8 PORT: 55631
[07:25:16] [R] LIST -al
[07:25:16] [R] Connected. Negotiating TLSv1 session
[07:25:16] [R] TLSv1 negotiation successful...
[07:25:16] [R] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[07:25:16] [R] 150 Here comes the directory listing.
[07:25:16] [R] 226 Directory send OK.
[07:25:16] [R] List Complete: 245 bytes in 0,38 seconds (0,2 KB/s)
[07:25:16] Transfer queue completed
[07:25:16] Transferred 0 Files (0 bytes) in 1 seconds (0,0 KB/s)
[07:25:16] 1 File Failed

MxxCon
10-05-2011, 08:18 AM
[07:25:16] [R] STOR phpinfo.php
[07:25:16] [R] 553 Could not create file.

Unless I'm mistaken, this error means you don't have permission to write/upload file...

audric
10-09-2011, 06:12 AM
I tried to put the FTP root directories in 777... then it creates 0-sized files... and the transfer freezes in the end with all files in the queue.

[13:07:15] [L] CWD /admin
[13:07:15] [L] 250 Directory successfully changed.
[13:07:15] [L] PWD
[13:07:15] [L] 257 "/admin"
[13:07:15] [L] PASV
[13:07:15] [L] 227 Entering Passive Mode (192,168,12,11,212,44).
[13:07:15] [L] Opening data connection IP: 1.2.3.4 PORT: 54316
[13:07:15] [L] LIST -al
[13:07:15] [L] Connected. Negotiating TLSv1 session
[13:07:15] [L] TLSv1 negotiation successful...
[13:07:15] [L] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[13:07:15] [L] 150 Here comes the directory listing.
[13:07:15] [L] 226 Directory send OK.
[13:07:15] [L] List Complete: 313 bytes in 0,37 seconds (0,3 KB/s)
[13:07:15] [L] Calculating timezone offset of server...
[13:07:15] [L] MDTM .htaccess
[13:07:15] [L] 213 20110921220232
[13:07:15] [L] Timezone offsets: Server: 0 seconds. Local: 7200 seconds. Difference: 7200 seconds.
[13:07:15] [R] MKD /admin
[13:07:15] [R] 257 "/admin" created
[13:07:15] [R] CWD /admin
[13:07:15] [R] 250 Directory successfully changed.
[13:07:15] [R] PWD
[13:07:15] [R] 257 "/admin"
[13:07:15] [R] PASV
[13:07:15] [R] 227 Entering Passive Mode (192,168,56,11,215,211).
[13:07:15] [R] Opening data connection IP: 5.6.7.8 PORT: 55251
[13:07:15] [R] LIST -al
[13:07:15] [R] Connected. Negotiating TLSv1 session
[13:07:15] [R] TLSv1 negotiation successful...
[13:07:15] [R] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[13:07:15] [R] 150 Here comes the directory listing.
[13:07:16] [R] 226 Directory send OK.
[13:07:16] [R] List Complete: 115 bytes in 0,37 seconds (0,1 KB/s)
[13:07:16] [L] TYPE I
[13:07:16] [L] 200 Switching to Binary mode.
[13:07:16] [L] SIZE .htaccess
[13:07:16] [L] 213 144
[13:07:16] [L] MDTM .htaccess
[13:07:16] [L] 213 20110921220232
[13:07:16] [R] PROT C
[13:07:16] [R] 200 PROT now Clear.
[13:07:16] [L] PROT C
[13:07:16] [L] 200 PROT now Clear.
[13:07:16] [R] TYPE I
[13:07:16] [R] 200 Switching to Binary mode.
[13:07:16] [R] PASV
[13:07:16] [R] 227 Entering Passive Mode (192,168,56,11,213,59).
[13:07:16] [L] PORT 192,168,56,11,213,59
[13:07:16] [L] 200 PORT command successful. Consider using PASV.
[13:07:16] [R] STOR .htaccess
[13:07:16] [L] RETR .htaccess
[13:07:16] [L] Connection lost: sukinet.com
[13:07:18] [L] Attempting to Reconnect.
[13:07:18] [L] Connecting to 1234.com -> DNS=1234.com IP=1.2.3.4 PORT=42021 (attempt # 1)
[13:07:18] [L] Connected to 1234.com
[13:07:18] [L] 220 Welcome to my VerySecureFTPD
[13:07:18] [L] AUTH TLS
[13:07:18] [L] 234 Proceed with negotiation.
[13:07:18] [L] Connected. Negotiating TLSv1 session
[13:07:18] [L] TLSv1 negotiation successful...
[13:07:18] [L] TLSv1 encrypted session using cipher DES-CBC3-SHA (168 bits)
[13:07:18] [L] PBSZ 0
[13:07:18] [L] 200 PBSZ set to 0.
[13:07:18] [L] USER user1234
[13:07:18] [L] 331 Please specify the password.
[13:07:18] [L] PASS (hidden)
[13:07:18] [L] 230 Login successful.
[13:07:18] [L] SYST
[13:07:18] [L] 215 UNIX Type: L8
[13:07:18] [L] FEAT
[13:07:18] [L] 211-Features:
[13:07:18] [L] AUTH SSL
[13:07:18] [L] AUTH TLS
[13:07:18] [L] EPRT
[13:07:18] [L] EPSV
[13:07:18] [L] MDTM
[13:07:18] [L] PASV
[13:07:18] [L] PBSZ
[13:07:18] [L] PROT
[13:07:18] [L] REST STREAM
[13:07:18] [L] SIZE
[13:07:18] [L] TVFS
[13:07:18] [L] UTF8
[13:07:18] [L] 211 End
[13:08:16] [R] 425 Failed to establish connection.
[13:08:16] [R] Transfer Failed!

audric
10-09-2011, 06:20 AM
Only "Indirect" mode works more or less (lots of failures) at the moment... I guess it means it makes me download then upload... which is of course not what I'd like to do...

MxxCon
10-09-2011, 07:47 PM
[13:07:16] [R] PASV
[13:07:16] [R] 227 Entering Passive Mode (192,168,56,11,213,59).
[13:07:16] [L] PORT 192,168,56,11,213,59
[13:07:16] [L] 200 PORT command successful. Consider using PASV.

Did you incorrectly edit this line or is this actually what happened?
If this is actually what happened then it is wrong.
With properly configured servers, [R] server should've replied with its public IP.
In general FlashFXP is smart enough to realize that this IP is wrong and should've sent [L] PORT command with the correct public IP, alas it didn't..

I wonder if this is also because SSL is involved. Can you try disabling SSL and try fxp transfers again?
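
Added example, not part of the original thread: the mismatch discussed in the post above can be checked mechanically. This Python sketch decodes each 227 reply in a FlashFXP-style log (port = p1*256 + p2) and flags replies that advertise a private address or one that differs from the control connection's IP. The function names and sample lines are constructed for illustration; the 50000-60000 range is the one given in the first post.

```python
import ipaddress
import re

# 227 reply carries six decimal fields: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"\[(?P<side>[LR])\] 227 .*?\((?P<f>\d+(?:,\d+){5})\)")
CONNECT_RE = re.compile(r"\[(?P<side>[LR])\] Connecting to .*? IP=(?P<ip>[\d.]+) ")

def decode_pasv(fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    nums = [int(n) for n in fields.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError(f"malformed PASV fields: {fields!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit_pasv(log_lines, pasv_min=50000, pasv_max=60000):
    """Return one finding per 227 reply seen in a FlashFXP-style log."""
    control_ip = {}   # side -> IP the control connection was opened to
    findings = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m:
            control_ip[m["side"]] = m["ip"]
            continue
        m = PASV_RE.search(line)
        if not m:
            continue
        ip, port = decode_pasv(m["f"])
        problems = []
        if ipaddress.ip_address(ip).is_private:
            problems.append("advertises a private address")
        if ip != control_ip.get(m["side"]):
            problems.append("differs from control-connection IP")
        if not pasv_min <= port <= pasv_max:
            problems.append("port outside pasv_min_port..pasv_max_port")
        findings.append({"side": m["side"], "ip": ip, "port": port, "problems": problems})
    return findings

# Constructed sample, using the thread's placeholder addresses.
SAMPLE = [
    "[13:07:15] [R] Connecting to 5678.com -> DNS=5678.com IP=5.6.7.8 PORT=10021",
    "[13:07:16] [R] 227 Entering Passive Mode (192,168,56,11,213,59).",
    "[13:08:00] [R] 227 Entering Passive Mode (5,6,7,8,213,59).",
]

if __name__ == "__main__":
    for finding in audit_pasv(SAMPLE):
        print(finding)
```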

X3
10-10-2011, 04:28 AM
Can you post your vsftpd.conf contents, please?

And within Site Manager, on the FXP settings as in the screenshot, try to check them, or test with one checked and the other unchecked, and so on.

audric
10-10-2011, 12:36 PM
I tried with or without SSL... same issue. I tried uploading in PASV.... same issue. I tried adding :
pasv_addr=public server ip
to the following config... nothing better.

Comments are in French but here we are, both servers have the same conf:
# Default file (for reference): /etc/vsftpd.conf.default

# SERVER
# Standalone mode
listen=YES
# Messages: welcome banner and the .message file of each directory
ftpd_banner=Welcome to my VerySecureFTPD
dirmessage_enable=YES
# Port and port range for active/passive data connections
connect_from_port_20=YES
pasv_min_port=50000
pasv_max_port=60000
# Allow FXP
pasv_promiscuous=YES
port_promiscuous=YES
setproctitle_enable=YES
# Accept uploads
write_enable=YES
# All user and group information will be masked as ftp
hide_ids=YES
# Enable both log formats simultaneously
xferlog_enable=YES
dual_log_enable=YES
# SSL security settings
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

# USERS
# Restricted user and empty directory where it CANNOT write
nopriv_user=ftp
secure_chroot_dir=/var/run/vsftpd
# Give virtual users the same privileges as local users
virtual_use_local_privs=YES
# Anonymous access
anonymous_enable=NO
# Required for virtual users
local_enable=YES
guest_enable=YES
# Name of the PAM service used, and directory containing 1 file per user giving the directo$
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/users
chroot_local_user=YES
# Default masks (umask and uploaded files)
local_umask=0002
file_open_mode=0664

X3
10-10-2011, 01:26 PM
I use VSFTPD

Here's my config

listen=YES
pasv_min_port=49152
pasv_max_port=65535
pasv_promiscuous=YES
local_max_rate=0
local_enable=YES
write_enable=YES
local_umask=077
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
port_enable=NO
chown_uploads=YES
chown_username=myusername
ftpd_banner=Welcome to FTP Server
chroot_local_user=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
async_abor_enable=YES
cmds_allowed=ABOR,APPE,CWD,DELE,HELP,LIST,MDTM,MKD,NLST,PASS,PASV,PWD,QUIT,RETR,RMD,RNFR,RNTO,SIZE,STOR,TYPE,USER
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
force_dot_files=YES
tcp_wrappers=YES
xferlog_file=/home/vsftpd/xferlog.log
vsftpd_log_file=/home/vsftpd/vsftpd.log

and that works a treat with FXP

You are enabling TLSv1, SSLv2 and SSLv3, yet when you connect the server responds with PROT C, which disables any security. You should enable only the security you use, in this case TLSv1.

So there's a few things for you to look at, change and play with, but your issue is not with FlashFXP; it's a server configuration issue.

Also, as a last note, don't forget to open the ports on the router if you're planning on accessing the servers with the external IP, and you also may need to set up a NOIP or Dyn DNS and configure your router properly.

MxxCon
10-10-2011, 06:37 PM
X3, in the original message he stated that he forwarded ports 50000-60000.

audric, have you tried FXP'ing with a known working server? Not to work on 2 variables at once, but work on each server at a time..

audric
10-11-2011, 02:35 AM
I wonder if it's even possible to do what I'm trying to do....

I have a flow like this :
VM1 192.168.12.11 <-> 192.168.12.1 HOST1 1.2.3.4 <-> INTERNET <-> 5.6.7.8 HOST2 192.168.56.1 <-> 192.168.56.11 VM2

Do you think this should work?

This question hit me after I read IRC's vsftpd topic: http://mywiki.wooledge.org/FtpMustDie?highlight=(\bCategoryRant\b)

audric
10-17-2011, 04:39 AM
Got it working by setting those values (over my initial settings) in vsftpd on the 2 VMs:

pasv_address=1.2.3.4
connect_from_port_20=NO

and

pasv_address=5.6.7.8
connect_from_port_20=NO

Also make sure both VMs' firewalls allow connections and transfers with the other one.

Then it started to work whatever the settings in FlashFXP (SSL or not, PASV upload or not).
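
Added example, not part of the original thread: a small Python check over a vsftpd.conf for the settings this thread turned on, namely the SSL versions enabled, whether unencrypted use is still accepted, the promiscuous options set for FXP, and a missing or private `pasv_address`. Function names and the sample text are constructed for illustration; the sample is a subset of the configuration posted above, and the server is assumed to sit behind NAT as in the thread.

```python
import ipaddress

def parse_conf(text):
    """Parse vsftpd.conf 'key=value' lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_set(conf, key, value):
    """True only when the option is explicitly set to value (YES/NO)."""
    return conf.get(key, "").upper() == value

def audit(conf, behind_nat=True):
    """Return (option, finding) pairs for the settings discussed in the thread."""
    out = []
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if is_set(conf, key, "YES"):
            out.append((key, "obsolete SSL version enabled; keep only TLS"))
    if is_set(conf, "ssl_enable", "YES"):
        for key in ("force_local_data_ssl", "force_local_logins_ssl"):
            if is_set(conf, key, "NO"):
                out.append((key, "unencrypted use still accepted (e.g. PROT C)"))
    for key in ("pasv_promiscuous", "port_promiscuous"):
        if is_set(conf, key, "YES"):
            out.append((key, "data-connection peer check disabled (set for FXP)"))
    if behind_nat:  # assumption: the server sits behind NAT, as in the thread
        addr = conf.get("pasv_address")  # expected to be an IP literal here
        if addr is None:
            out.append(("pasv_address", "unset; 227 replies carry the internal IP"))
        elif ipaddress.ip_address(addr).is_private:
            out.append(("pasv_address", "private address advertised to clients"))
    return out

# Constructed sample: a subset of the configuration posted in the thread.
SAMPLE = """\
pasv_promiscuous=YES
port_promiscuous=YES
ssl_enable=YES
force_local_data_ssl=NO
ssl_sslv3=YES
"""

if __name__ == "__main__":
    for option, finding in audit(parse_conf(SAMPLE)):
        print(f"{option}: {finding}")
```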