Linux HowTo: Vsftpd Implementation “Per-user only one active concurrent session is allowed”


I found that Pure-FTPd has this compile option "--with-peruserlimits". I wonder if vsftpd has this option?

Unfortunately, no (Source).

I couldn’t find anything mentioning a limit by user on that man page, so I think we can’t do that.

Server Bug Fix: curl: (25) Failed FTP upload: 553 to vsftpd docker

I’m running your container and trying to send files using curl, but it fails.

Running the container

export FTP_USER="test"
export FTP_PASSWORD="test"

docker run \
    --name mock_ftp_server \
    --publish 21:21 \
    --publish 4559-4564:4559-4564 \
    --env FTP_USER="$FTP_USER" \
    --env FTP_PASSWORD="$FTP_PASSWORD" \
    --detach \
  panubo/vsftpd

Sending file

$ curl --upload-file /tmp/mock.data-2017-03-28.tar.gz ftp://localhost --user $FTP_USER:$FTP_PASSWORD
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (25) Failed FTP upload: 553

Question

What’s the matter here? Do I need to add something?

related

Based on VSFTPD 553 error: could not create file on AskUbuntu I fixed it by changing the owner of the root directory (/srv/) to the FTP user ftp:

docker run …
docker exec mock_ftp_server chown ftp:ftp -R /srv/
curl …

I’m waiting for information about security for this solution.

Server Bug Fix: vsftpd error: 530 Login incorrect (and various others when trying other solutions on this website)

I know this question has been asked countless times already, but I feel like I’ve tried every possible solution and none seem to work.

Some articles I’ve read and tried to use:

vsftpd error 530 login incorrect occurs with valid credentials and the 5 articles that one links to.
AskUbuntu – vsftpd 530 login incorrect and about 10 that offer the same solution.
LinuxQuestions.org – vsftpd login incorrect

I used to have UFW enabled (with 20:22/tcp and 20000:20200/tcp allowed) for both active and passive FTP, but have at some point disabled the entire thing.

I tried using xinetd, but got it working just as well as vsftpd standalone, except for the errors ‘500 OOPS: run two copies of vsftpd for IPv4 and IPv6’ and ‘500 OOPS: could not bind listening IPv4 socket’. However, after solving those two, the same problem (error 530) occurred.

My normal configuration file (/etc/vsftpd.conf) looks like this:

anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to the 'server name' FTP server.
deny_email_enable=YES
banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/etc/vsftpdjail
listen=YES
#listen_ipv6=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
require_ssl_reuse=NO
pasv_min_port=20000
pasv_max_port=20200
pasv_enable=YES
pam_service_name=vsftpd

However, commenting everything from deny_email_enable and downward (disabling passive, ssl and pam), with exception of ‘listen=YES’ doesn’t yield other results.

vsftpd.service is enabled and started in systemctl

xinetd.service is disabled and stopped in systemctl (after some testing)

The PAM file (/etc/pam.d/vsftpd) contains:

#%PAM-1.0
auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#@include common-account
#@include common-session
#@include common-auth
auth    required    pam_shells.so

The files referred to DO exist and have the permissions: root:root 744

My user name is NOT in /etc/ftpusers

My user’s login shell (/bin/bash) IS in /etc/shells

My user IS in /etc/passwd

Whenever I try to login I just get the same error over and over again:

Connecting to 192.168.178.49:21...
Connection made, awaiting welcome message...
Initializing TLS...
Checking certificate...
Established TLS-connection.
USER username
331 Please specify the password.
PASS ************
530 Login incorrect.
Fatal error: Can't connect to server.

‘sudo netstat -tulpn’ shows:
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 342/vsftpd

/var/log/vsftpd.log shows the same message over and over again:

CONNECT: Client "192.168.178.69"
[username] FAIL LOGIN: Client "192.168.178.69"

without any further info. (Using the same login credentials as I use to login through SSH and locally on the server)

I am completely out of ideas, after having researched this issue for 6 continuous hours, so any help is appreciated.

Also, system info:
Processor: 2xIntel Pentium [email protected] (intel-ucode IS installed)
OS: Arch Linux 5.0.9-arch1-1-ARCH x86_64 (Up-to-date and installed today)
RAM: 8192MB
Internet both Server and Client: 1Gbps cat 5e cable directly to modem
No firewall on client or modem

Edit1: Edited typos in /etc/pam.d/vsftpd

After I posted the question, I tried for a little longer, but to no avail. Fast-forward one day and I’ve decided to completely wipe the operating system, reinstall, and make vsftpd the very, very first thing to set up after the OS essentials. Therefore, I am not sure whether what I changed fixed the issue, or whether something went wrong during the initial installation of the operating system, but here we go anyway:

I was completely baffled why NO solutions from others who had the same issue helped, until I read the last entry in the Arch Linux vsftpd troubleshooting page, which states that PAM was updated in 2019(!) and that authentication for local users now works differently. An example /etc/pam.d/vsftpd file is also provided:

#%PAM-1.0
account    required    pam_listfile.so onerr=fail item=user sense=allow file=/etc/vsftpd.user_list
account    required    pam_unix.so
auth       required    pam_unix.so

And all of a sudden, it works.

I only added one line to the config file, when I was testing things and had enabled the ‘anonymous’ user and got a ‘directory listing’ error. This was also advised in the troubleshooting section of the same page.

seccomp_sandbox=NO

But I honestly doubt that changed anything for logging in for local users, which was my initial question.

Wisegay, I think this might be a user directory permission issue. Could you please check https://help.ubuntu.com/community/vsftpd for user directory permissions and PAM file contents? I hope this helps you.

Haven’t been using vsftpd for a while and forgotten that nice 530: login incorrect thing.

Spent couple of hours playing around with all the possible solutions I managed to google, and finally recalled the root cause of the issue:

While pam_service_name=ftp is documented as the default value, the default minimal config didn’t work (RHEL 7.5, vsftpd 3.0.2), throwing a login incorrect error.

The error was gone once pam_service_name=vsftpd was set in /etc/vsftpd/vsftpd.conf.
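The three things the answers in this thread turn on (a PAM service file that actually matches pam_service_name, the user not being listed in the pam_listfile deny file, and a login shell present in /etc/shells for pam_shells) can be checked before restarting the daemon yet again. This is an added example, not code from any of the posts; every file path is a parameter so the checks can be run against copies, and the `--live` switch is my own convention.

```shell
#!/bin/sh
# Added example: pre-flight checks for a vsftpd local-user login.
# Each check prints a one-line verdict and returns 0 (pass) or 1 (fail).

# conf_value FILE KEY -> value of the last uncommented KEY=value line,
# or nothing if the key is absent.
conf_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_pam_service CONF PAMDIR: the service named by pam_service_name
# must exist under PAMDIR, otherwise PAM rejects every login.
check_pam_service() {
  svc=$(conf_value "$1" pam_service_name)
  [ -n "$svc" ] || svc=ftp   # compiled-in default per vsftpd.conf(5)
  if [ -f "$2/$svc" ]; then
    echo "ok: pam_service_name=$svc -> $2/$svc exists"; return 0
  fi
  echo "FAIL: pam_service_name=$svc but $2/$svc is missing"; return 1
}

# check_not_denied USER FTPUSERS: pam_listfile sense=deny refuses any
# user whose name appears in the file.
check_not_denied() {
  if [ -f "$2" ] && grep -qx "$1" "$2"; then
    echo "FAIL: $1 is listed in $2 (pam_listfile sense=deny)"; return 1
  fi
  echo "ok: $1 not in $2"; return 0
}

# check_shell USER PASSWD SHELLS: pam_shells only accepts a login whose
# passwd shell field is listed in /etc/shells.
check_shell() {
  shell=$(awk -F: -v u="$1" '$1==u {print $7}' "$2")
  if [ -z "$shell" ]; then
    echo "FAIL: $1 not found in $2"; return 1
  fi
  if grep -qx "$shell" "$3"; then
    echo "ok: shell $shell is listed in $3"; return 0
  fi
  echo "FAIL: shell $shell is not in $3 (pam_shells would reject)"; return 1
}

# vsftpd_login_preflight USER CONF PAMDIR FTPUSERS PASSWD SHELLS
# Runs all checks and returns the number of failures (0 = all passed).
vsftpd_login_preflight() {
  fails=0
  check_pam_service "$2" "$3" || fails=$((fails+1))
  check_not_denied "$1" "$4"  || fails=$((fails+1))
  check_shell "$1" "$5" "$6"  || fails=$((fails+1))
  return $fails
}

# Stand-alone use against the live system: ./preflight.sh --live USER
if [ "${1:-}" = "--live" ]; then
  vsftpd_login_preflight "${2:?user}" /etc/vsftpd.conf /etc/pam.d \
    /etc/ftpusers /etc/passwd /etc/shells
fi
```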

Server Bug Fix: Can’t mv files between directories on vsftpd

I enabled this in vsftpd.conf

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
user_config_dir=/etc/vsftpd_user_conf

and here is the user set in the vsftpd_user_conf directory

ftpupload:

local_root=/mnt/upload

But /mnt/upload is mounted from another directory

/mnt/upload on /opt/upload type none (rw,bind)

Here is the list in /mnt/upload

rough_images/
shoes-pentland/
vendor-upload/
shooting/

Additionally, the shooting/ directory is mounted from another place

/mnt/upload/shooting on /mnt/shooting none (rw,bind)

Now here is the problem.

When I use the FTP client to move files between the directories, it fails. Files can be moved between any directories except the shooting one.

The permissions are right. I can move any files between these directories successfully after su ftpupload.

Does that mean vsftpd doesn’t support bind mounts?

Here is the vsftpd.conf

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=000
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=app
xferlog_std_format=NO
log_ftp_protocol=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
user_config_dir=/etc/vsftpd_user_conf
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=YES
pasv_max_port=***
pasv_min_port=***
port_enable=YES
pasv_address=***
virtual_use_local_privs=YES
tcp_wrappers=YES

and here is the mtab:

    /mnt/upload /opt/upload none rw,bind 0 0
    /mnt/upload/shooting /mnt/shooting none rw,bind 0 0

all of the permissions under the /mnt/upload are the same:

drwxrwxrwx * ftpupload app

Are you chrooting the user into /mnt/upload? The problem may be that vsftpd detects /mnt/upload/shooting to be outside the chroot, although I would expect the bind mount to make this work. Try disabling the chroot or chrooting the user to /mnt.
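One thing worth checking alongside the chroot is where the mount boundaries are: rename(2), which is what vsftpd performs for an FTP RNFR/RNTO, fails with EXDEV whenever source and target sit on different mounts, and that holds even for two bind mounts of the same filesystem, so a shooting/ that is itself a mount point would fail exactly as described while every other directory works. The following is an added example, not from the thread; it resolves the mount point of each path from an mtab-style file. The sample mtab is constructed and assumes shooting/ is a separate mount under the FTP root; it is not the asker's real mtab.

```shell
#!/bin/sh
# Added example: find the mount each path lives on from an mtab-style
# file and predict whether a rename between two paths would cross mounts.

# mount_point_of PATH MTAB -> longest mount point in MTAB containing PATH
# (falls back to "/" when no listed mount point contains it).
mount_point_of() {
  best=/
  while read -r _src mnt _rest; do
    case "$mnt" in ''|'#'*) continue ;; esac
    case "$1" in
      "$mnt"|"$mnt"/*) [ ${#mnt} -gt ${#best} ] && best=$mnt ;;
    esac
  done < "$2"
  printf '%s\n' "$best"
}

# same_mount SRC DST MTAB -> 0 if a rename SRC->DST stays on one mount,
# 1 if it would cross a mount boundary (rename(2) returns EXDEV).
same_mount() {
  a=$(mount_point_of "$1" "$3")
  b=$(mount_point_of "$2" "$3")
  if [ "$a" = "$b" ]; then
    echo "ok: $1 and $2 are both under mount $a"; return 0
  fi
  echo "EXDEV: $1 is under $a but $2 is under $b (rename would fail)"
  return 1
}

# Constructed sample (not the asker's real mtab): the FTP root /mnt/upload
# is a plain directory, but shooting/ beneath it is a separate bind mount.
write_sample_mtab() { # FILE
  cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw 0 0
/mnt/upload /opt/upload none rw,bind 0 0
/srv/shoot /mnt/upload/shooting none rw,bind 0 0
EOF
}

# Stand-alone demo: one move inside the FTP root, one crossing into shooting/.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_mtab "$f"
  same_mount /mnt/upload/rough_images/a.jpg /mnt/upload/vendor-upload/a.jpg "$f"
  same_mount /mnt/upload/rough_images/a.jpg /mnt/upload/shooting/a.jpg "$f" || true
  rm -f "$f"
fi
```

On a real host, feed it /proc/mounts or /etc/mtab; the chroot question in the answer is separate and still worth testing.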

Ubuntu HowTo: How to limit user folder access using VSFTP?

I’m trying to use VSFTPD with the following configuration, using a VM with Ubuntu 14.04. I’m able to log into my virtual sftp server normally, but my client user is able to navigate between the folders, where it shouldn’t. Does anyone know why this happens?

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# This option specifies the location of the RSA key to use for SSL
# encrypted connections.
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

As far as I understand, vsftpd uses existing system users, and a login always has the same access rights as that system user.

If you want someone to only be able to access certain folders, you would have to add a new system user (or virtual user) with access rights set accordingly and use it as the login.

https://serverfault.com/questions/544850/create-new-vsftpd-user-and-lock-to-specify-home-login-directory

You will have to uncomment the line:

chroot_local_user=YES

Also change the access mode to 555

sudo chmod 555 [the_users_directory]

Then restart the vsftpd service for the change to take effect:

sudo restart vsftpd

You can also specify this behavior for specific users only by uncommenting the chroot_list_enable=YES and chroot_list_file=/etc/vsftpd.chroot_list lines and creating a list of specific users in a /etc/vsftpd.chroot_list file.

For specific users (/etc/vsftpd.conf lines affected):

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Ubuntu HowTo: 530 Login incorrect vsftpd

I have been receiving this error since yesterday, when I installed and removed EHCP; it changed all my configuration files, for example those of Apache, vsftpd and others.
I resolved the other problems but I can’t resolve the vsftpd error 530 Login Incorrect.
I tried removing, reinstalling and discarding the vsftpd config file, using the default configuration and editing it like before.

Can someone help me with this problem?
Thank you

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=ftp
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
allow_writeable_chroot=YES
#ftp_username=
#max_per_ip=
force_dot_files=NO
tcp_wrappers=NO
#listen_address=
#hide_file=
#anon_max_rate=
#local_max_rate=

Open the file /etc/vsftpd.conf

sudo nano /etc/vsftpd.conf

Change the pam_service_name entry so that it becomes:

pam_service_name=ftp

Press CTRL+X followed by Y to save.

Restart vsftpd

sudo service vsftpd restart

Alternatively, you may reinstall vsftpd

sudo apt-get remove vsftpd

sudo rm /etc/pam.d/vsftpd

sudo apt-get install vsftpd

This has been taken from here.

Server Bug Fix: FTP connection stalls after 6/8 minutes, afterwards remote IP is unreachable by any device within my LAN

Remote machine: a VPS running Debian 10; vsftp as ftp server.

Local machine: a Fedora 30 desktop, within my home LAN. Local router: a Technicolor AGHP, on lease from my telecom provider.

I am trying to download a 1.5G remote directory (~21.000 items) by

wget -m -c -N -X -v  --debug  -o wgout.txt  ftp://myuser:[email protected]/html/wp/

Download starts fine, and progresses for almost 6/8 minutes, up to ~300MB, then it stalls:

250 Directory successfully changed.
done.
conaddr is: ip.ip.ip.ip
==> PASV ... 
--> PASV

227 Entering Passive Mode (ip,ip,ip,ip,234,149).
trying to connect to ip.ip.ip.ip port 60053
Closed fd 4
Closed fd 3
couldn't connect to ip.ip.ip.ip port 60053: Connection timed out
Retrying.

--2020-05-30 21:59:23--  ftp://myuser:*password*@mydomain/html/wp/wp-content/uploads/sites/3/2018/03/
  (try: 2) => ‘mydomain/html/wp/wp-content/uploads/sites/3/2018/03/.listing’
Found mydomain in host_name_addresses_map (0x55ccb875e0e0)
Connecting to mydomain (mydomain)|ip.ip.ip.ip|:21... Closed fd 3
failed: Connection timed out.
Releasing 0x00......0e0 (new refcount 1).
Releasing 0x00......0e0 (new refcount 0).
Deleting unused 0x000055ccb875e0e0.
Resolving mydomain (mydomain)... ip.ip.ip.ip
Caching mydomain => ip.ip.ip.ip
Connecting to mydomain (mydomain)|ip.ip.ip.ip|:21... Closed fd 3
failed: Connection timed out.
Releasing 0x00......10 (new refcount 1).
Retrying.

Afterwards, the remote ip is unreachable from any device within my LAN (either Linux, Win or Android), by any protocol (http(s), ssh, ftp), unless I reboot the router. (remote site is always reachable from outside my LAN.)

vsftpd.conf includes

connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=65535  (edited)

I am not even sure where to locate the issue: vsftp, router, local machine.

PS: is there a way to call openssh-sftp-server, i.e. something like:

    wget sftp://myuser:[email protected]/html/wp/

If this is a problem of too many connections per time period then you would want to limit wget to a certain amount. It does not seem to offer that feature, though. But you could use --limit-rate to slow down the transfer as a whole. If it is slow enough the problem may disappear.

Or you change your download so that it does not create a huge amount of connections. One way is to use something better than FTP as you did with rsync. You did not mention whether there are strong reasons why you prefer wget over rsync.

Unfortunately wget does not support SFTP, but curl does (and may be closer to what you want than rsync).

If for some reason you really prefer wget over anything else then you could create an SSH tunnel. No port forwarding (as that would not help with FTP) but creating virtual network interfaces on both sides:

ssh -o 'Tunnel point-to-point' ...

wget would connect to the remote tun IP address. For all systems in between it would look like one long connection. You could even easily use traffic shaping that way to prevent those transfers from affecting the rest of the systems.

Server Bug Fix: Inverse Name Search by UID (CentOS 8) – Retrieves last created with same UID

I am working with CentOS 8 and I have a problem with UIDs and User Names. I have installed VestaCP to manage my websites. The user by the name of “user123” and UID 1007 is the owner of all the websites (user in VestaCP). Then I have created individual FTP users for each website. Each FTP user has the following name format: “user123_random”, where random is a random text. Each FTP user has a different name, but they all share the same UID (1007) (this is the default behavior when creating new FTP users).

Now the problem happens when I am checking the ownership (user) of each website or file inside that website. So technically, the owner is UID 1007. The problem here is that CentOS 8, for some reason, is showing “user123_random” as the owner of the websites instead of “user123”.

The curious thing is that when I do a “id -nu 1007”, it returns the name of the last FTP user created with the prefix “user123_”. So I assume, this is what CentOS 8 does internally, showing the last username (with same ID 1007) as the owner of a file/directory. This is not how CentOS 7 worked. CentOS 7 would show “user123” as the owner of the files, irrespective of adding new FTP users with the same UID.

The question is: is there a way to change this behavior in CentOS 8, so that it behaves as CentOS 7 did, i.e. so that the inverse name search by UID returns the “first created user” with that UID?

I would use a different solution. I would add all those users in 2 groups, one group to give read-only access, and another group to give read-write access.
Then I would use extended POSIX ACLs to give those groups permission on the folders and files. You can set a default permission to be inherited. And with setGID I would set the group for new files and folders.

For details see the man pages for: chmod, chown, setfacl, getfacl, ls

Ubuntu HowTo: VSFTPD fails to start

I have set up VSFTPD on a server running Ubuntu 18.04 with both IPv4 and IPv6 support, and the service runs as expected.

I have then ported the same configuration to a server with only IPv4 support, and there the service exits with an error.

The configuration is:

listen=NO
listen=127.0.0.1
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to SmartRed FTP service.
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp
rsa_cert_file=/etc/letsencrypt/live/www.***.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/www.***.com/privkey.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=41000

The service on restart gives the following feedback

● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-05-21 17:06:24 CEST; 2s ago
  Process: 2281 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
  Process: 2280 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
 Main PID: 2281 (code=exited, status=2)

while there is nothing in the log in /etc/log/vsftpd.log

What is wrong with this configuration? Can I enable a more verbose log to see what is wrong with the configuration?
