0

In short: It DOES connect in passive mode, but it just doesn't use the ports that I'm trying to use despite the configuration.

Settings on pasv_max_port and pasv_min_port seems to be ignored, but I can't see what's preventing vsftpd from recognizing or applying the configuration.

Procedure I took is to:

  1. [Server] Edit vsftpd.conf and save

    pasv_max_port=60000
pasv_min_port=60003
#Server's public IP (AWS EC2 Elastic IP)
pasv_address=*.*.*.*

    *I have tried a few other conbination: it's shown down below.

  2. [Server] Restart vsftpd with service vsftpd restart

  3. [Client (Filezilla)] Connect to *.*.*.*, on port 22, in passive mode. SSL, and login all goes fine, then it returns this:

    Command:    PASV
Trace:  CFtpControlSocket::OnReceive()
Response:   227 Entering Passive Mode (*,*,*,*,254,73).

This seems like it's connecting to *.*.*.*:65097. (And this port number changes on each try as if I haven't set port range to be used for passive mode.) Sure enough, if I set my firewall to close everything else other than port 22 and range 60000 - 60003, it doesn't proceed any further.

I tried other ranges like 62010-62019, even rebooted linux but it still acts in the same behavior.

Is this conflict with iptables?? (I doubt it, as my machine is running on AWS EC2 instance so it's like running behind NAT, correct?)

Nothing close to my question was found, so I thought I must be doing something stupid, but spell has been checked letter to letter, and lines below the configuration pasv_address is indeed taking effect (it doesn't work if I leave them blank and restart vsftpd).

  • Hardware:
    AWS EC2 instance running "Amazon Linux AMI 2018.03.0.20180412 x86_64 HVM GP2"
  • Network:
    Firewall (AWS Security group) is configured for all ports to be opened for the client's ip. My goal is to leave only the necessary ports to be opend for the client (21, 60000 - 60003)
  • Package:
    vsftpd installed from amzn-main repository (vsftpd.x86_64, 2.2.2-13.13.amzn1)
  • Available Ports:
    cat /proc/sys/net/ipv4/ip_local_port_range returns 32768 60999

My goal is to open only controlled range of ports for data transfer, and it's just for single client with fixed IP address. That means I can actually just go for active mode and open port 20 only for that IP address, however just for the sake of sticking to the old configuration of the current FTP server to be replaced, I'd much rather use passive mode. -> Just found out that it had to be passive mode because of client side's security concern.

..any idea anyone?

Prior to this, I have tried them with a few other vsftpd.conf, such like

pasv_enable=YES
pasv_max_port=60000
pasv_min_port=60003
port_enable=YES
pasv_addr_resolve=YES
pasv_address=*.*.*.*

And I had no luck with this neither. Currently I'm just sticking with the minimum lines required for such thing (as pasv_enable is YES by default.)

Iorippi
  • 11
  • 1
  • 5
  • It seems a little sketchy that this is necessary for *all* of the passive mode configuration to apply, while some of works either way... but is `pasv_enable=YES` set? https://serverfault.com/a/421168/153161 – Michael - sqlbot Jun 13 '18 at 12:02
  • @Michael-sqlbot Thanks for checking out! (I'll edit this after this, but) I have indeed tried that along with a few other on-by-default parameters. Now they are actually commented out because I thought it's just better with less cluttered configuration. I only lightly mentioned but I have another extra configurations like SSL and stuff, that I'm pretty confident that it has nothing to do with them. – Iorippi Jun 13 '18 at 12:37
  • Your max port must be higher than your min port, that's probably the problem. Also, 4 ports total is very low. I usually set up a range of 2000 ports. Remember that these ports live throughout each session and then some. You don't want to run out of them. – Zdenek Jun 19 '18 at 15:06
  • @Zdenek Thanks a million for noticing this!! This is very embarrassing. It did work after I flipped the number. As for ports, I was wondering if this is suffice, but that was how the previous configuration went like and the max total clients at a time is going to be just 2 of them including development/testing phase, so I was thinking to stick with this configuration. – Iorippi Jun 20 '18 at 10:02

1 Answers1

1

Solved: @Zdenek from the comment section noticed that my configuration had stupid mistake in it:

max port must be higher than your min port -@Zdenek

So, fixing from

pasv_max_port=60000
pasv_min_port=60003

to

pasv_max_port=60003
pasv_min_port=60000

was all that needed to be done.

I thought this was too stupid to leave on this site, but thought it might be beneficial for someone who overlooked this or expected vsftpd to return error on misconfiguration such like this, so leaving as is.

Thanks again @Zdenek for checking out!

Iorippi
  • 11
  • 1
  • 5