I was tasked with configuring VSFTPD to allow SFTP or FTPES (FTP over explicit TLS/SSL) tonight for a client. The configuration already had regular FTP working, which I verified using FileZilla as an FTP client: I was able to log in and transfer files in both directions to and from the server. Next I verified that SFTP worked without issue and was able to transfer files in both directions using SFTP as well. For FTPES I had to make some changes, and once I had made them I was still getting an error when attempting a directory listing in FileZilla. Below I describe the initial changes I made to vsftpd.conf, the errors I received attempting to connect with FTPES, and the way I resolved the problem.
Configure VSFTPD For FTPES or File Transfer Protocol With Explicit TLS/SSL:
First generate an SSL certificate for the FTP server by running the command below on the Linux server's command line.
Generate SSL Certificate For VSFTPD Server:
- openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
You will be prompted for the usual certificate details such as Country, State, City, company, department, and email address. Once the certificate has been generated, add the configuration lines below to /etc/vsftpd/vsftpd.conf using your favorite editor such as vi.
Modify vsftpd.conf To Allow FTPES Connections/Transfers:
- # FTPES Conf Additions
- ssl_enable=YES
- allow_anon_ssl=NO
- force_local_data_ssl=NO
- force_local_logins_ssl=NO
- ssl_tlsv1=YES
- ssl_sslv2=NO
- ssl_sslv3=NO
- rsa_cert_file=/etc/vsftpd/vsftpd.pem
Set both force_local_logins_ssl and force_local_data_ssl to YES if you want to refuse plain (non-TLS) FTP connections; leaving them at NO, as above, keeps regular FTP working alongside FTPES. After saving the changes you will need to restart vsftpd with a command similar to the one below.
Restart vsftpd For FTPES Changes To Take Effect:
- [root@dev vsftpd]# /etc/init.d/vsftpd restart
- Shutting down vsftpd: [ OK ]
- Starting vsftpd for vsftpd: [ OK ]
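As an added example that is not part of the original post, the Python below reads a vsftpd.conf fragment and flags TLS settings that still permit cleartext logins or data, which the configuration above does because force_local_logins_ssl and force_local_data_ssl are NO. The defaults assumed for absent options are vsftpd's documented defaults, and the sample configuration is constructed from the lines above.

```python
"""Audit the TLS-related options of a vsftpd.conf (added example, not from the article)."""

# Constructed sample: the FTPES additions shown in the article, as written.
SAMPLE_CONF = """\
# FTPES Conf Additions
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""

def parse_vsftpd_conf(text):
    """Return {option: value}; vsftpd uses one key=value per line and '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts

def audit_tls(opts):
    """Return findings for settings that disable or weaken TLS (defaults = vsftpd's)."""
    findings = []
    if opts.get("ssl_enable", "NO") != "YES":
        findings.append("ssl_enable is not YES: FTPES is disabled")
        return findings
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if opts.get(legacy, "NO") == "YES":
            findings.append(f"{legacy}=YES: obsolete SSL protocol enabled")
    if opts.get("force_local_logins_ssl", "YES") != "YES":
        findings.append("force_local_logins_ssl=NO: passwords may be sent in cleartext")
    if opts.get("force_local_data_ssl", "YES") != "YES":
        findings.append("force_local_data_ssl=NO: file data may be sent in cleartext")
    if not opts.get("rsa_cert_file"):
        findings.append("rsa_cert_file not set: vsftpd falls back to its default cert path")
    return findings
```

Run it against a hardened copy of the fragment (both force_local_*_ssl=YES) and the finding list comes back empty.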
After making all of the configuration changes, this is where I ran into my first issue. When attempting to connect to the server using FTP with explicit TLS/SSL, I received an error on the directory listing: the connection was established, but then it dropped. Below is part of the error as seen in FileZilla when connecting to the vsftpd server using FTPES.
FileZilla Error Connecting To vsftpd Server Using FTPES:
- Response: 150 Here comes the directory listing.
- Error: GnuTLS error -9: A TLS packet with unexpected length was received.
- Status: Server did not properly shut down TLS connection
- Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
- Response: 226 Directory send OK.
- Error: Failed to retrieve directory listing
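To tell this failure apart from a data connection that never opens at all, here is an added example (not from the original post) that triages client log lines like the ones above: it decodes the 227 PASV reply into host and port and distinguishes a listing that started (150) but died on TLS shutdown from one where the data port was never reached. Both log samples are constructed; the second uses a documentation IP address and a made-up port.

```python
"""Triage an FTP client log for an FTPES directory-listing failure (added example)."""
import re

# Constructed sample modelled on the FileZilla output quoted in the article.
LOG_TLS_SHUTDOWN = """\
Response: 150 Here comes the directory listing.
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
Response: 226 Directory send OK.
Error: Failed to retrieve directory listing
"""

# Constructed sample of a different failure: the passive data port never connects.
LOG_DATA_TIMEOUT = """\
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,10,195,80)
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
"""

def pasv_endpoint(line):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def triage(log):
    """Classify a listing failure from what the client logged."""
    lines = log.splitlines()
    saw_150 = any(ln.startswith("Response: 150") for ln in lines)
    tls_broken = any("GnuTLS error" in ln or "did not properly shut down TLS" in ln for ln in lines)
    timed_out = any("Connection timed out" in ln for ln in lines)
    endpoint = next((pasv_endpoint(ln) for ln in lines if ln.startswith("Response: 227")), None)
    if saw_150 and tls_broken:
        return "tls-data-shutdown"     # data channel opened, TLS teardown failed (article's case)
    if endpoint and timed_out and not saw_150:
        return "data-connect-timeout"  # data channel never reached the advertised PASV port
    return "unknown"
```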
Luckily the first thing I thought to do was check that VSFTPD was the latest and greatest version. The version I was running was vsftpd 2.0.5-12, and I noticed via yum that vsftpd 2.0.5-16 was available. Since upgrading packages like this via yum is always easy, I decided to try that first. Below I show how to verify that you are running the latest vsftpd version available from your yum repositories and, if not, how to upgrade to it.
Verify vsftpd Is The Latest Version Using Yum:
- [root@dev vsftpd]# yum list *VSFTP*
- Loading "installonlyn" plugin
- Setting up repositories
- base 100% |=========================| 2.1 kB 00:00
- updates 100% |=========================| 1.9 kB 00:00
- addons 100% |=========================| 951 B 00:00
- extras 100% |=========================| 1.1 kB 00:00
- Reading repository metadata in from local files
- Installed Packages
- vsftpd.x86_64 2.0.5-12.el5 installed
- Available Packages
- vsftpd.x86_64 2.0.5-16.el5_4.1 updates
Upgrade vsftpd Using Yum On CentOS Linux:
- [root@dev vsftpd]# yum install vsftpd
- Loading "installonlyn" plugin
- Setting up Install Process
- Setting up repositories
- Reading repository metadata in from local files
- Parsing package install arguments
- Resolving Dependencies
- --> Populating transaction set with selected packages. Please wait.
- ---> Downloading header for vsftpd to pack into transaction set.
- vsftpd-2.0.5-16.el5_4.1.x 100% |=========================| 18 kB 00:00
- ---> Package vsftpd.x86_64 0:2.0.5-16.el5_4.1 set to be updated
- --> Running transaction check
- Dependencies Resolved
- =============================================================================
- Package Arch Version Repository Size
- =============================================================================
- Updating:
- vsftpd x86_64 2.0.5-16.el5_4.1 updates 139 k
- Transaction Summary
- =============================================================================
- Install 0 Package(s)
- Update 1 Package(s)
- Remove 0 Package(s)
- Total download size: 139 k
- Is this ok [y/N]: y
- Downloading Packages:
- (1/1): vsftpd-2.0.5-16.el 100% |=========================| 139 kB 00:00
- Running Transaction Test
- Finished Transaction Test
- Transaction Test Succeeded
- Running Transaction
- Updating : vsftpd [1/2]warning: /etc/vsftpd/vsftpd.conf created as /etc/vsftpd/vsftpd.conf.rpmnew
- Updating : vsftpd ######################### [1/2]
- Cleanup : vsftpd ######################### [2/2]
- Updated: vsftpd.x86_64 0:2.0.5-16.el5_4.1
- Complete!
After upgrading vsftpd I restarted the FTP server again using the command shown above and attempted to connect again with FileZilla. Sure enough, things worked without issue this time. It always pays to run the latest and greatest software to make sure you have all of the latest bug fixes and security patches.
Hi!
I just installed vsftpd and it is the latest version, but I am still getting the error:
In CuteFTP:
COMMAND:> PASV
227 Entering Passive Mode (206,217,197,207,233,78)
COMMAND:> LIST
STATUS:> Connecting FTP data socket… 206.217.197.207:59726…
ERROR:> Can’t connect to remote server. Socket error = #10065.
ERROR:> PASV failed, trying PORT.
In Filezilla:
Command: PASV
Response: 227 Entering Passive Mode (206,217,197,207,157,250)
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
Any solution for this?
Hello Hassan,
Since your VSFTPD question and/or VSFTPD error is not specifically related to the VSFTPD error in the article that is posted here I would suggest moving this question to the Engage section of Question Defense. This is a section of our site that allows end users to ask and answer questions. So while your question may be answered here it is much more likely that you will get a response if posting on this portion of Question Defense. If you move the VSFTPD question and error to Engage then we will take a closer look as well and see if we can provide a response for you.
Thanks.
alex
great post
newbie question if at all possible to reply
How do you call the edition/modification of vsftpd.conf in the command line (using PuTTY)?
I tried to initiate it with
/etc/vsftpd/vsftpd.conf (but permission was denied though am on vps)
Thanks in advance
Hello Vidal,
I am not sure what you mean by call the edition/modification of VSFTPD. Are you asking how you can make changes to the VSFTPD configuration file on the server? If so you are attempting to modify the proper file and would need the proper permissions to do so. Did you try “sudo su -” after you have logged in?
Thanks.
alex