this is my scenario: someone needs to push some files from a really old mainframe that only works with plain FTP (no SSH, no SSL). In my environment, I have a VM with Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-139-generic x86_64) image, where I set up a vsftpd server. The VM has public address XXX.XXX.XXX.XXX.
However, the internal addresses are different:
$ ifconfig
ens3 Link encap:Ethernet HWaddr aa:aa:aa:aa:aa:aa
inet addr:YYY.YYY.YYY.YYY Bcast:YYY.YYY.YYY.255 Mask:255.255.255.0
inet6 addr: aaaa::aaaa:aaaa:aaaa:aaaa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:676755 errors:0 dropped:0 overruns:0 frame:0
TX packets:244476 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:712807318 (712.8 MB) TX bytes:20949942 (20.9 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:355 errors:0 dropped:0 overruns:0 frame:0
TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:23535 (23.5 KB) TX bytes:23535 (23.5 KB)
I have no external control of this VM. I request it on a system, and it gives me an IP address, user, and password. God knows where this VM is.
So, I have the following configuration for vsftpd:
# External IP here.
listen_address=XXX.XXX.XXX.XXX
# External IP here too.
pasv_address=XXX.XXX.XXX.XXX
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_writeable_chroot=YES
Using this configuration, I can access the server remotely and push files without a problem. Note that the IPs in the configuration file (XXX.XXX.XXX.XXX) are the external IP, not the internal one (YYY.YYY.YYY.YYY).
However, as the title suggests, my partner cannot use SSL connections. Since vsftpd does not accept user/password plain authentication when SSL is enabled, I have to turn that off:
ssl_enable=NO
But now, I have a lot of problems. This is an example when I try to connect to the server:
$ ftp XXX.XXX.XXX.XXX
Connected to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX).
220 (vsFTPd 3.0.3)
Name (XXX.XXX.XXX.XXX:alice): bob
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (0,0,0,0,39,107).
ftp: connect: Connection refused
Note that "alice" and "bob" are valid users on my server. So, the problem here is that when FTP goes passive to receive files, etc., it changes the IP to (0,0,0,0,39,107), which is localhost on the server, even though I explicitly ask it to use address XXX.XXX.XXX.XXX.
There is some material on the internet that relates this issue to NAT translation (which looks to be the case), but I have tried their solutions. Most of them ask us to set pasv_address (and sometimes port ranges), but none works.
Now, another weirdo:
listen_ipv6=NO
ssl_enable=YES
Now, I cannot even connect to the server, neither from a remote machine:
$ hostname
my_laptop
$ ftp XXX.XXX.XXX.XXX
ftp: connect: Connection refused
nor from localhost:
$ hostname
my_server
$ ftp localhost
ftp: connect: Connection refused
The latter makes sense since listen_address points to the external IP address. But even if I comment out that line, I still cannot connect.
It is clear to me that the problem is in the address configuration, since it looks like it responds on the IPv6 localhost. However, I am not an expert on such things, so I am looking for your help. Thanks!
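To see exactly what the client above is being told, here is an added example (not part of the question, and not vsftpd's code) that decodes the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and flags the advertised data address when it cannot be reached from outside. The replies and the control-connection peer address are constructed sample values; the first reply is the one from the question.

```python
import ipaddress
import re

# Constructed sample PASV replies; the first mirrors the reply in the question.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (0,0,0,0,39,107).",
    "227 Entering Passive Mode (10,0,0,5,195,80).",
    "227 Entering Passive Mode (203,0,113,7,4,1).",
]

# Constructed stand-in for the public address the client dialled (XXX.XXX.XXX.XXX).
CONTROL_PEER = "203.0.113.7"

PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Decode a PASV reply into (ip, port).

    The six numbers are h1..h4 (the data-connection IPv4 address) followed by
    the 16-bit data port split into its high and low byte.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply, control_peer):
    """Explain why a client would fail to open the advertised data connection.

    control_peer is the address the client used for the control connection.
    """
    host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        reason = "server advertised 0.0.0.0: no pasv_address applied on this listener"
    elif addr.is_loopback:
        reason = "server advertised a loopback address"
    elif host == control_peer:
        reason = "ok"
    elif any(addr in net for net in RFC1918):
        reason = "server advertised an internal (NAT) address to an external client"
    else:
        reason = "advertised address differs from the control-connection peer"
    return {"host": host, "port": port, "reason": reason}


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", diagnose_pasv(reply, CONTROL_PEER))
```

A client that sees 0.0.0.0 here has nothing routable to dial, which is the "connect: Connection refused" in the session above; some clients fall back to the control-connection address in that case, but the one in the question does not.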