1

I am trying to setup several ftp users, each with its own subfolder (so the user can see only he his root folder, and nothing else).

current issue is that on filezilla I am getting 

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Error:  GnuTLS error -15: An unexpected TLS packet was received.
Error:  Disconnected from server: ECONNABORTED - Connection aborted
Error:  Failed to retrieve directory listing

I tried all options of the FTP in Filezilla (TLS explicit or implicit). Error in all the options.

/etc/vsftpd.conf

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/home/ftpmain/ftp/$USER
hide_ids=YES
guest_username=vsftpd
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
pasv_address=123.123.123.123
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=50000
chroot_local_user=YES
chroot_list_enable=NO

/etc/pam.d/vsftpd

auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so

the user1 folder looks like this (after chmod+chown):

/home/ftpmain/ftp/user1$ ll
total 12
dr-xr-xr-x 3 root   root    4096 Mar 18 19:17 ./
dr-xr-xr-x 4 nobody nogroup 4096 Mar 18 19:09 ../
drwxr-xr-x 2 vsftpd nogroup 4096 Mar 18 19:17 folder1/

Any idea?

UPDATE

From what I am reading, this can be related to folder doesn't exist, or wrong permissions. I added 'allow_writeable_chroot=YES' i the conf file. I also added 'log_ftp_protocol=YES'.

This is the current log (/var/log/vsftpd.log):

Wed May  1 08:44:28 2019 [pid 2310] CONNECT: Client "111.111.111.111"
Wed May  1 08:44:28 2019 [pid 2310] FTP response: Client "111.111.111.111", "220 (vsFTPd 3.0.3)"
Wed May  1 08:44:28 2019 [pid 2310] FTP command: Client "111.111.111.111", "AUTH TLS"
Wed May  1 08:44:28 2019 [pid 2310] FTP response: Client "111.111.111.111", "234 Proceed with negotiation."
Wed May  1 08:44:29 2019 [pid 2310] FTP command: Client "111.111.111.111", "USER user1"
Wed May  1 08:44:29 2019 [pid 2310] [user1] FTP response: Client "111.111.111.111", "331 Please specify the password."
Wed May  1 08:44:29 2019 [pid 2310] [user1] FTP command: Client "111.111.111.111", "PASS <password>"
Wed May  1 08:44:29 2019 [pid 2309] [user1] OK LOGIN: Client "111.111.111.111"
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "230 Login successful."
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PBSZ 0"
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "200 PBSZ set to 0."
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PROT P"
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "200 PROT now Private."
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PWD"
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "257 "/" is the current directory"
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "TYPE I"
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "200 Switching to Binary mode."
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PASV"

after chown for the 'user1' folder:

$ ll
dr-xr-xr-x 4 nobody nogroup 4096 Mar 18 19:09 ./
drwxr-xr-x 5 ftpmain  ftpmain   4096 Mar 18 16:09 ../
dr-xr-xr-x 3 vsftpd    1002 4096 Mar 18 19:17 user1/

/home/ftpmain/ftp is owned by 'nobody:nogroup'

UPDATE #2

current situation is that I made sure that I can connect to the FTP using plain FTP-active mode. For plain FTP-passive mode I am still getting an error:

Status: Resolving address of .....
Status: Connecting to 111.111.111.111:21...
Status: Connection established, waiting for welcome message...
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Response:   500 OOPS: invalid pasv_address
Command:    PORT 10,0,0,15,253,199
Response:   500 OOPS: priv_sock_get_cmd
Error:  Failed to retrieve directory listing
Error:  Connection closed by server

When trying with TLS, I am still getting the same unexpected TLS packet was received error, even after trying chmod on the user1 folder

 drwxrwx--- 3 vsftpd    1002 4096 May  1 10:58 user1/
justadev
  • 243
  • yes. it was a typo. I edited it now – justadev Apr 30 '19 at 21:32
  • maybe this will help you: https://unix.stackexchange.com/a/270722 – Comar Apr 30 '19 at 22:43
  • thanks. I made some changes according to what I read there, but still didn't find a way to make it work. I updated the question with what I found – justadev May 01 '19 at 10:40
  • It looks like your chroot directory has read and execute set for others - I think it's the problem, please try to change it to something like chmod 750 or 770, like chmod 770 -R user1 – Comar May 01 '19 at 13:52
  • Tried, but unfortunately it didn't work. See update#2 – justadev May 01 '19 at 15:32

2 Answers2

2

Finally got it to work. Beside my debugging process which I outlined in the updates to the original question, here is what I did after.

For TLS to work, I recommend that you first make sure that passive mode is working without TLS. This is because from what I understand the encryption will prevent the server ip that is sent by the server to be received by the ftp client.

So first step, disable TLS by setting ssl_enable=YES in the conf file.

Passive mode requires additional ports. These are the lines that are related to that in the config file:

pasv_address=111.111.111.111
pasv_addr_resolve=NO
port_enable=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000

You have to make sure that the passive ports are open! I was using EC2, so you need to open the ports in the security groups. In addition check ufw:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 20/tcp                     ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 990/tcp                    ALLOW IN    Anywhere
[ 4] 40000:50000/tcp            ALLOW IN    Anywhere
[ 5] 22/tcp                     ALLOW IN    Anywhere
[ 6] 20/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 21/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 990/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 9] 40000:50000/tcp (v6)       ALLOW IN    Anywhere (v6)
[10] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

With this I was able to connect using passive mode, and then enabling ssl_enable=YES just worked.

This final /etc/vsftpd.conf:

listen=YES
listen_ipv6=NO

anonymous_enable=NO
local_enable=YES
write_enable=YES

local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
log_ftp_protocol=YES

nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/home/ftpmain/ftp/$USER
hide_ids=YES
guest_username=vsftpd
allow_writeable_chroot=YES
chroot_local_user=YES
chroot_list_enable=NO

secure_chroot_dir=/var/run/vsftpd/empty
use_localtime=YES
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

pasv_address=111.111.111.111
pasv_addr_resolve=NO
port_enable=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
justadev
  • 243
0

I have followed all the steps well explained in this link.

And then, yes I encountered similar error. So I followed the suggestion in your answer to first try to connect without TLS by commenting ssl_enable=YES.

However, this did not work (see following error):

Response:   500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Error:          Critical error: Could not connect to server

Until I added this directive in the configuration file /etc/vsftpd.conf:

allow_writeable_chroot=YES

However, I have done some searches and found that for security reasons, this option must not be set to YES:

In the vsftpd.conf main page:

allow_writeable_chroot

Allow chroot()'ing a user to a directory writable by that user. Note that setting this to YES is potentially dangerous. For example, if the user creates an 'etc' directory in the new root directory, they could potentially trick the C library into loading a user-created configuration file from the /etc/ directory.

Check also this ServerFault question.

As a reminder chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail.

So a good practice, is to set allow_writeable_chroot=NO and make an ftp directory which acts as chroot. Here is an example:

mkdir /home/ftpuser/ftpdirectory
chown -R ftpuser:ftpuser
chmod a-w /home/ftpuser

And finally in the config file vsftpd.conf:

user_sub_token=$USER 
local_root=/home/$USER/ftpdirectory
NotTheDr01ds
  • 17,888
Youssef
  • 101