# vsftpd behind router and symbolic links

## pubecon

I'm looking to set up a simple ftp server to share the occasional file/directory.

my /etc/vsftpd/vsftpd.conf is

```
#
# vsftpd config file
#
anonymous_enable=YES
no_anon_password=YES
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
nopriv_user=nobody
ftpd_banner=You are connected to Daves computer. Well done. Very well done..
```

my /etc/xinetd.d/vsftpd

```
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        server_args     = /etc/vsftpd/vsftpd.conf
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
        disable         = no
}
```

I have port forwarding set up on my router to forward all connections to 21 to my local ip (192.168.0.2) but it still isn't visible to the outside world.

just wondering what needs to be done.

ALSO I did 

```
 ln -s /backup/video /var/ftp/vids 
```

to try and share my video directory on the server. The link appears but, when followed, gives a 550 error.

any help is much appreciated

----------

## devon

man vsftp.conf

```
connect_from_port_20

This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.

Default: NO (but the sample config file enables it)
```

Sounds to me that a client will try to connect to port tcp/20 on your server. Have you set up port-forwarding for that or disabled that option?

 *Quote:*   

> the link appears but, when followed, gives a 550 error. 

 

Sounds like a permissions error.

----------

## pubecon

 *devon wrote:*   

> Sounds to me that a client will try to connect to port tcp/20 on your server. Have you set up port-forwarding for that or disabled that option?
> 
> 

 

yeah, I thought that too. I did set the router to forward ports 20->21 though, to no effect. I'll try changing that option on the server side later on.

thanks for the speedy response

how does one symlink without permission errors then

----------

## devon

 *Quote:*   

> how does one symlink without permission errors then

 

What are the permissions of the actual directory?

----------

## pubecon

I chmodded it to be viewable writeable and everything by all

```
chmod -R 777 /backup/*
```

[edit]BEFORE the error [/edit]

----------

## kashani

Most ftp servers will not follow symlinks for anonymous users and some won't for normal users as well. I assume vsftp has the same behavior. You may be able to change this with config options.

kashani

----------

## pubecon

 *kashani wrote:*   

> You may be able to change this with config options.

 

I must be missing

make_it_work_behind_a_router=YES

symlinks_work_for_folk=YES

[edit]did a quick apache emerge there and it is viewable to the computers behind the router but not accessible via the ip address assigned to my router

attempting to connect to either ftp or http adds nothing to the log

whit's goan awn?!!!!!![/edit]

----------

## devon

Obvious question: Are you port forwarding 80 through your router?  :Smile: 

And back to FTP:

symlinks: I did more research and it looks like vsftp chroots the anonymous users. One person got around this by mounting his partition with the files to be shared (e.g. /dev/hdb1) in the chroot directory, allowing others to download files. See http://lists.suse.com/archive/suse-linux-e/2002-Oct/0070.html. Not sure if this is an option for you though.

Clients can't connect: Can you give us any more details? They just don't connect? Or do they connect, but can't download?
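The chroot devon describes is exactly why pubecon's symlink returns 550: inside the chroot the kernel resolves the link's target against /var/ftp, not against the real root, so /backup/video is looked for as /var/ftp/backup/video. As an added example (not vsftpd's own code and not part of the original thread), this shell function lists the symlinks under an anonymous root that a chrooted session could not follow; the script name is mine and it assumes GNU readlink -f.

```shell
#!/bin/sh
# Added example, not vsftpd's own code. Anonymous vsftpd sessions are
# chroot()ed into the anonymous root, so the kernel resolves a symlink
# found there against that root, not against the real filesystem:
# /var/ftp/vids -> /backup/video is looked up as /backup/video *inside*
# the chroot, which does not exist, and the listing or CWD fails with 550.
# symlinks_escaping_chroot prints every symlink under ROOT that a chrooted
# session could not follow (assumes GNU readlink -f).
symlinks_escaping_chroot() {
    root=$(readlink -f "$1")                   # canonical root, no trailing slash
    find "$root" -type l | while read -r link; do
        raw=$(readlink "$link")                # the link text as stored on disk
        case "$raw" in
            /*) view="$root$raw" ;;            # absolute: the kernel prefixes the chroot
            *)  view="$(dirname "$link")/$raw" ;;  # relative: resolved beside the link
        esac
        # What the chrooted session would reach, canonicalised on the host.
        real=$(readlink -f "$view" 2>/dev/null) || real=""
        case "$real" in
            "$root"|"$root"/*) [ -e "$real" ] && continue ;;  # reachable inside the chroot
        esac
        echo "$link -> $raw (unreachable inside chroot at $root)"
    done
}

# The thread's remedy is to mount the data inside the root instead of
# linking to it; on Linux a bind mount does that without moving a partition:
#   mount --bind /backup/video /var/ftp/vids
# Usage: sh symlinks_escaping_chroot.sh /var/ftp
if [ "$#" -eq 1 ]; then symlinks_escaping_chroot "$1"; fi
```

Run it against the anonymous root before restarting xinetd; every line it prints is a link that anonymous users will see in listings but cannot enter or fetch.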

----------

## pubecon

oooooh, very nice mounting. will give that a go..

I thought I'd mentioned that I'd set up the port forwarding

80 for apache and 20 and 21 for ftp - no effect.

"Connection refused" for anyone trying to connect to the port-forwarded ip.

nothing in the logs for apache/vsftpd either, just records of me connecting to myself via 192.168.0.*

----------

## devon

 *Quote:*   

> I thought I'd mentioned that I'd set up the port forwarding
> 
> 80 for apache and 20 and 21 for ftp - no effect. 

 

You did, but it never hurts to double check.  :Smile: 

I assume this is a hardware router? E.g. Linksys, Netgear, D-link, etc. Does it have any logging features? 

Are you using tcp_wrappers? I would imagine you would get something in /var/log/messages about rejections, but it doesn't hurt to check. Look at /etc/hosts.allow and /etc/hosts.deny

----------

## pubecon

it is a hardware router (netgear RP something or other [the cool silver one]). logs show nothing apart from successful local connections (no errors)

no tcp_wrappers

but

...is this it?

no hosts.allow or hosts.deny exist

----------

## devon

 *Quote:*   

> it is a hardware router (netgear RP something or other [the cool silver one]).

 

Is this it? http://www.netgear.com/products/prod_details.asp?prodID=131&view=hm

The reference PDF says it can do port forwarding. What happens if you do an nmap from an outside host back to yourself? Perhaps it is a firmware issue? I had a Linksys router that didn't work with my Linux box for some reason; it worked for Windows 2000. I had to upgrade the firmware to make it work.

 *Quote:*   

> logs show nothing apart from successful local connections (no errors)

 

Just to be clear, I meant on the router and not on the Gentoo server.  :Smile: 

 *Quote:*   

> no hosts.allow or hosts.deny exist

 

If you don't have tcp_wrappers, I wouldn't worry about this.

----------

## pubecon

that is indeed my router and there WAS a firmware upgrade.  just did that there. no effect.

and, yeah, it was the router logs I was referring to.

sigh

I use the port forwarding so I can act as a server with zsnes to play bomberman.

But if my config files are sound, and the router is doing its whole tunneling through to my ip thing, then what on earth could the problem be (it's not nthell (my isp) since their support pages say it's ok to serve http and ftp as long as ...(bunch of conditions on bandwidth and content etc.))?!

----------

## pubecon

```
Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-06-25 22:19 BST
All 1643 scanned ports on pc3-eswd1-6-cust74.renf.cable.ntl.com (81.98.134.74) are: closed
```

#bum bum buuuuuuum#!

but that was to myself

----------

## devon

Here is what I got using nmap.

```
Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-06-25 17:24 EDT
Interesting ports on pc3-eswd1-6-cust74.renf.cable.ntl.com (81.98.134.74):
(The 1021 ports scanned but not shown below are in state: filtered)
Port       State       Service
20/tcp     closed      ftp-data
21/tcp     open        ftp
80/tcp     closed      http
```

And if I connect to the FTP port:

```
NcFTP 3.1.5 (Oct 13, 2002) by Mike Gleason (ncftp@ncftp.com).
Connecting to 81.98.134.74...
You are connected to Daves computer. Well done. Very well done..
Logging in...
Login successful.
Logged in to 81.98.134.74.
ncftp / > ls
Data connection timed out.
Falling back to PORT instead of PASV mode.
ncftp / > ls
ncftp / > exit
```

and if I try HTTP

```
$ telnet 81.98.134.74 80
Trying 81.98.134.74...
telnet: connect to address 81.98.134.74: Connection refused
telnet: Unable to connect to remote host
```

Okay... what does tcpdump tell me when I try port 80 (HTTP).

```
17:39:09.834294 216.26.167.54.56168 > 81.98.134.74.80: S 1303137285:1303137285(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 258306983 0> (DF) [tos 0x10]
17:39:09.960204 81.98.134.74.80 > 216.26.167.54.56168: R 0:0(0) ack 1303137286 win 0 (DF)
```

So I am sending a SYN packet to you. You respond with a RST packet (not SYN-ACK).

I would double/triple-check your Netgear.

----------

## pubecon

amazing! you actually connected to the ftp server.

the reason nothing happened with the apache is that it won't start any more!

```
apache2: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
```

and in /var/log/apache2/

```
[Wed Jun 25 22:20:24 2003] [alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "dave.myhouse"
Configuration Failed
```

perhaps topic for another thread?

I'm lost with excitement!

how are you able to connect to me and not me to myself?!

Last edited by pubecon on Wed Jun 25, 2003 9:12 pm; edited 1 time in total

----------

## devon

Okay. I looked at tcpdump data for FTP too. I found something that was strange to me. 

```
17:43:18.556480 81.98.134.74.33642 > 216.26.167.54.113: S 2985890254:2985890254(0) win 5840 <mss 1460,sackOK,timestamp 805684 0,nop,wscale 0> (DF)
17:43:18.556518 216.26.167.54.113 > 81.98.134.74.33642: R 0:0(0) ack 2985890255 win 0
```

Your computer tried to use identd on mine, which I don't run. So I did some Googling and found this.

In your vsftpd.conf

```
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
```

try getting rid of USERID.

----------

## pubecon

right, I did that. (removed the USERID appearances in /etc/xinetd.d/vsftpd)

I also removed the local user access just there, restarted xinetd but now I can't even connect to myself on 192.168.0.2

```
530 Please login with USER and PASS.
SSL not available
500 OOPS: vsftpd: refusing to run with writable anonymous root
Login failed.
```

thanks for getting this far!!!!

----------

## devon

I get the same thing

```
NcFTP 3.1.5 (Oct 13, 2002) by Mike Gleason (ncftp@ncftp.com).
Connecting to 81.98.134.74...
You are connected to Daves computer. Well done. Very well done..
Unexpected response: OOPS: vsftpd: refusing to run with writable anonymous root
OOPS: vsftpd: refusing to run with writable anonymous root
OOPS: child died
```

It is because the anonymous user has write privs to the anonymous root directory when it shouldn't... Hence the name Very Secure FTP.  :Wink: 

Last edited by devon on Wed Jun 25, 2003 9:17 pm; edited 1 time in total

----------

## pubecon

you're write it shouldn't!

I turned the global write variable off!

someone should tell vsftpd that, cos it isn't noticing

echo "work damn you!!!!!!" | vsftpd

----------

## devon

 *Quote:*   

> 
> 
> I turned the global write variable off!
> 
> someone should tell vsftpd that, cos it isn't noticing 
> ...

 

The actual user that vsftpd uses when an anonymous user connects (default is ftp IIRC) has write privs to the directory. Do a "ls -l /your/directory" and then see which user and/or group and/or all has write (w) privs. And then see which users belong to that group in /etc/group.

----------

## pubecon

```
-rwxrwxrwx    1 ftp      ftp      598231040 2003-06-25 18:45 atomicbomberman.iso
```

I'm pretty sure that read root root before.

ftp is a member of ftp and is the anonymous user.

this whole idea I had that a beer or two would help me think is coming crashing down on me.

----------

## devon

That is the file you are sharing, not the directory. Do a "ls -la" in the same directory. Also, you can chmod 444 that atomicbomberman.iso file since the anonymous users shouldn't be able to write to it.  :Smile: 

 *Quote:*   

> 
> 
> this whole idea I had that a beer or two would help me think is coming crashing down on me.
> 
> 

 

Hmm... A friend and I used to do whiskey shots when doing calculus/DE homework. Didn't bother us... In fact, it helped get us through it.  :Cool: 

----------

## pubecon

yeah, a wee bit of alcohol USUALLY works wonders.

the ls -l for /var/ (where ftp resides) gives

```
drwxrwxrwx    2 ftp      ftp          4096 2003-06-25 18:06 ftp
```

----------

## devon

Okay. Try this as root.

```
chown root /var/ftp
chmod 755 /var/ftp
```

That changes the user for /var/ftp and the permissions to rwxr-xr-x.
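As an added example (not vsftpd's or the thread's own code), this shell script reproduces the test behind the "refusing to run with writable anonymous root" message: vsftpd chroots into the anonymous root, drops to the ftp user, and refuses to continue if that user can write the root. The function derives the same answer from the directory's owner, group and mode for a uid/gid you pass in, so it can be checked before restarting xinetd; the script name is mine and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not vsftpd's own code: reproduce the test behind
# "500 OOPS: vsftpd: refusing to run with writable anonymous root".
# vsftpd chroot()s into the anonymous root, drops to the unprivileged
# ftp user and then asks whether that user can write "/" (access(2), W_OK).
# anon_root_writable answers the same question from the directory's
# owner, group and mode for the uid/gid you pass (assumes GNU stat).

# Print "writable" or "not-writable" for DIR as seen by UID whose group is GID.
anon_root_writable() {
    dir=$1; uid=$2; gid=$3
    set -- $(stat -c '%u %g %a' "$dir")   # owner uid, group gid, octal mode
    owner=$1; group=$2; mode=$3
    perms=${mode#${mode%???}}             # last three digits: drop any setuid/sticky digit
    u=${perms%??}; rest=${perms#?}; g=${rest%?}; o=${perms#??}
    if [ "$uid" = "$owner" ]; then digit=$u        # user bits apply
    elif [ "$gid" = "$group" ]; then digit=$g      # group bits apply
    else digit=$o                                  # other bits apply
    fi
    case $digit in
        2|3|6|7) echo writable ;;       # the write bit (value 2) is set
        *)       echo not-writable ;;
    esac
}

# Report on the anonymous root; the fix is the one the thread ends with:
# owner root, mode 755, so the ftp user can list and read but not write.
check_anon_root() {
    dir=$1; ftp_uid=$2; ftp_gid=$3
    if [ "$(anon_root_writable "$dir" "$ftp_uid" "$ftp_gid")" = writable ]; then
        echo "$dir is writable by uid $ftp_uid: vsftpd will refuse anonymous logins"
        echo "fix (as root): chown root '$dir' && chmod 755 '$dir'"
        return 1
    fi
    echo "$dir is not writable by uid $ftp_uid: ok"
}

# Usage: sh check_anon_root.sh /var/ftp "$(id -u ftp)" "$(id -g ftp)"
if [ "$#" -eq 3 ]; then check_anon_root "$@"; fi
```

The same check explains pubecon's earlier `chmod -R 777 /backup/*`: any directory the ftp user can write, whether through the owner, group or other bits, trips it.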

----------

## pubecon

yoss! a new error!

```
ftp dave
Connected to dave.myhouse.com.
220 You are connected to Daves computer. Well done. Very well done..
Name (dave:dave): anonymous
530 Please login with USER and PASS.
SSL not available
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--r--r--    1 21       21       598231040 Jun 25 17:45 atomicbomberman.iso
226 Directory send OK.
```

no, wait, it's not an error!!

wahey!!!

I should probably just have started sshd up and let you have a go!!!

does it work from afar?

----------

## devon

It works.  :Very Happy: 

```
NcFTP 3.1.5 (Oct 13, 2002) by Mike Gleason (ncftp@ncftp.com).
Connecting to 81.98.134.74...
You are connected to Daves computer. Well done. Very well done..
Logging in...
Login successful.
Logged in to 81.98.134.74.
ncftp / > ls
Data connection timed out.
Falling back to PORT instead of PASV mode.
atomicbomberman.iso
ncftp / > ls
atomicbomberman.iso
ncftp / > get atomicbomberman.iso
atomicbomberman.iso:               ETA: 655:00    0.11/570.52 MB   14.86 kB/s
  ^C
ncftp> exit
```

Check your PM too, I sent you some more info.

And I would probably do a search on the forums about your Apache problem since I am sure it has been answered before.  :Smile: 

----------

## pubecon

fannytastic!

it's not everyday someone who has tcpdump, nmap and lightning fast google skills happens into one of my threads!

very much appreciated

----------

## eniac

I have the same problem 

here's a snippet of my vsftpd.conf file

```
anonymous_enable=YES
no_anon_password=YES
anon_root=/home/ftp
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
```

I've also done a `chown root /home/ftp && chmod 755 /home/ftp`

but I always get:

```
553 Could not create file.
```

----------

