vsftpd and ISPConfig | Users can't log in

Discussion in 'General' started by Nap, Jul 17, 2012.

  1. Nap

    Nap Member

    Hi,
    I've installed ISPConfig on my system, then decided to install vsftpd afterwards. From a configuration point of view, everything installed correctly, and seems to be running ok.
    I am just not able to log in with any users and don't understand why.
    What have I done wrong, or not done?

    Below are the configurations I've setup for the various modules:
    1) ISPConfig information
    2) Login details supplied to FTP client
    3) dbispconfig information
    4) vsftpd.conf

    1) FTP User added by Client in ISPConfig:
    Website: only one website for this client
    Username: ftp2_username
    password: mypassword
    active: is ticked
    options: left as per default. points to client2/web2 folder
    SAVED

    2) Login details supplied to FTP Client:
    (Using FireFTP in Firefox)
    Code:
    Account Name:  Client Domain
    Host: clientdomain.com
    Login: ftp2_username          (have also tried ftp2_username@clientdomain.com but no luck)
    Password:  mypassword
    Anonymous:  left unticked
    Connection Type:  Passive Mode ticked
    Security: None
    Port:  21
    Private Key: not able to set (as security is none)
    Initial Directories Local:  left blank
    Initial Directories remote:  left blank
    No Advanced options set.

    3) dbispconfig information:
    I looked into the ftp_user table and can see an entry for the above mentioned account.
    Fields are as follows:
    Code:
    ftp_user_id: 2
    sys_userid: 3
    sys_groupid: 3
    sys_perm_user: ruid
    sys_perm_group: ruid
    server_id: 1
    parent_domain_id: 2
    username: ftp2_username
    password:  (MD5 hash)
    quota_size: -1
    active: Y (ticked)
    uid: web2
    gid: client2
    dir: /var/ww/clients/client2/web2
    quota_files: -1
    ul_ratio: -1
    ul_bandwidth: -1
    dl_bandwidth: -1
    all other fields are blank

    4) vsftpd.conf:
    Code:
    # Example config file /etc/vsftpd.conf
    #
    # Lines added by me in accordance to the HowToForge Guide
    # 
    # Turn on SSL
    ssl_enable=YES
    #
    # Allow anonymous users to use secure SSL connections
    allow_anon_ssl=YES
    #
    # All non-anonymous logins are forced to use a secure SSL connection in order
    # to send and receive data on data connections (if YES, locks out non TLS users)
    force_local_data_ssl=NO
    #
    # All non-anonymous logins are forced to use a secure SSL connection in order
    # to send the password (if YES, locks out non TLS users)
    force_local_logins_ssl=NO
    #
    # Permit TLS v1 protocol connections. TLS v1 connections are preferred
    ssl_tlsv1=YES
    #
    # Permit SSL v2 protocol connections. TLS v1 connections are preferred
    ssl_sslv2=NO
    #
    # permit SSL v3 protocol connections. TLS v1 connections are preferred
    ssl_sslv3=NO
    #
    # Disable SSL session reuse (required by WinSCP)
    require_ssl_reuse=NO
    #
    # Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
    ssl_ciphers=HIGH
    #
    # END OF MY ADDITIONS
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    #
    # Run standalone?  vsftpd can run either from an inetd or as a standalone
    # daemon started from an initscript.
    listen=YES
    #
    # Run standalone with IPv6?
    # Like the listen parameter, except vsftpd will listen on an IPv6 socket
    # instead of an IPv4 one. This parameter and the listen parameter are mutually
    # exclusive.
    #listen_ipv6=YES
    #
    # Allow anonymous FTP? (Disabled by default)
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # If enabled, vsftpd will display directory listings with the time
    # in  your  local  time  zone.  The default is to display GMT. The
    # times returned by the MDTM FTP command are also affected by this
    # option.
    use_localtime=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/vsftpd.log
    #
    # If you want, you can have your log file in standard ftpd xferlog format.
    # Note that the default log file location is /var/log/xferlog in this case.
    #xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    #idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    #data_connection_timeout=120
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    #ftpd_banner=Welcome to blah FTP service.
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd.banned_emails
    #
    # You may restrict local users to their home directories.  See the FAQ for
    # the possible risks in this before using chroot_local_user or
    # chroot_list_enable below.
    chroot_local_user=YES
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    #chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd.chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # Debian customization
    #
    # Some of vsftpd's settings don't fit the Debian filesystem layout by
    # default.  These settings are more Debian-friendly.
    #
    # This option should be the name of a directory which is empty.  Also, the
    # directory should not be writable by the ftp user. This directory is used
    # as a secure chroot() jail at times vsftpd does not require filesystem
    # access.
    secure_chroot_dir=/var/run/vsftpd/empty
    #
    # This string is the name of the PAM service vsftpd will use.
    pam_service_name=vsftpd
    #
    # This option specifies the location of the RSA certificate to use for SSL
    # encrypted connections.
    rsa_cert_file=/etc/ssl/private/vsftpd.pem
    
    I had force_local_data_ssl and force_local_logins_ssl both set to YES but changed them to NO while I'm trying to get the basics working.

    In my /etc folder, where vsftpd.conf is, there is no vsftpd_user file.
    I'm not quite sure how vsftpd checks login details against the data in mysql yet.
     
    Last edited: Jul 17, 2012
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Do you use ISPConfig 3? ISPConfig 3 supports PureFTPd, but not vsftpd.
     
  3. Nap

    Nap Member

    I've installed PureFTP as per the guide, and it's working like a charm.

    Is there a way of getting SFTP or FTP (SSL/TLS) going alongside? Can I install vsftpd, and manage it through puTTY etc.?
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  5. Nap

    Nap Member

    thnx Falko,

    I've done the few steps required.

    I'm able to connect using ISPConfig created ftp accounts, but only with normal FTP.
    I am also able to login using SFTP (SSH) with the linux accounts I created when setting up the server.
    What I can't seem to do is connect with ISPConfig created accounts using FTP (TLS/SSL).

    I suspect the problem is that I'm using a more recent version (3.5.3) of Filezilla than what's shown in the guide, and the options to choose from are different now. In the Site Manager, I set up the following:
    Code:
    Host:  myhost.com
    Port:  [left blank]
    Protocol: FTP - File Transfer Protocol
    Encryption: Require explicit FTP over TLS
    
    Logon Type:  Normal
    User:  myISPConfigUser
    Password: password_myISPConfigUser
    
    Transfer Settings Tab left Transfer Mode = Default
    Here is the display from Filezilla's activity pane:
    Code:
    Status:	Resolving address of mydomain.com
    Status:	Connecting to www.xxx.yyy.zzz:21...
    Status:	Connection established, waiting for welcome message...
    Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:	220-You are user number 1 of 50 allowed.
    Response:	220-Local time is now 18:36. Server port: 21.
    Response:	220-This is a private system - No anonymous login
    Response:	220-IPv6 connections are also welcome on this server.
    Response:	220 You will be disconnected after 15 minutes of inactivity.
    Command:	AUTH TLS
    Response:	234 AUTH TLS OK.
    Status:	Initializing TLS...
    Error:	Connection timed out
    Error:	Could not connect to server

    Do I need a private key on the client's side? Or is something else missing/wrong?

    Cheers,
    Nap
     
    Last edited: Jul 24, 2012
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you try with WinSCP?
     
  7. Nap

    Nap Member

    I created a saved session (hostname, username, but no password stored) using all default values except:
    File Protocol: FTP
    TLS Explicit encryption (selected from the dropdown list)

    WinSCP, after contacting the server, prompted me for the password but was not able to connect. WinSCP popped up a window: Connection Failed...

    Here is the WinSCP log file:
    Code:
    . 2012-07-26 01:17:34.590 --------------------------------------------------------------------------
    . 2012-07-26 01:17:34.590 WinSCP Version 4.3.5 (Build 1463) (OS 6.0.6002 Service Pack 2)
    . 2012-07-26 01:17:34.590 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
    . 2012-07-26 01:17:34.590 Local account: MyPC\ME
    . 2012-07-26 01:17:34.590 Login time: Thursday, 26 July 2012 1:17:34 AM
    . 2012-07-26 01:17:34.590 --------------------------------------------------------------------------
    . 2012-07-26 01:17:34.591 Session name: ftp_user@mydomain.com (Modified stored session)
    . 2012-07-26 01:17:34.591 Host name: mydomain.com (Port: 21)
    . 2012-07-26 01:17:34.591 User name: ftp_user (Password: No, Key file: No)
    . 2012-07-26 01:17:34.591 Tunnel: No
    . 2012-07-26 01:17:34.591 Transfer Protocol: FTP
    . 2012-07-26 01:17:34.591 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
    . 2012-07-26 01:17:34.591 Proxy: none
    . 2012-07-26 01:17:34.591 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: No]
    . 2012-07-26 01:17:34.591 Local directory: default, Remote directory: home, Update: No, Cache: Yes
    . 2012-07-26 01:17:34.591 Cache directory changes: Yes, Permanent: Yes
    . 2012-07-26 01:17:34.591 DST mode: 1
    . 2012-07-26 01:17:34.591 --------------------------------------------------------------------------
    . 2012-07-26 01:17:34.591 Password prompt (no password provided or last login attempt failed)
    . 2012-07-26 01:17:45.194 Connecting to mydomain.com ...
    . 2012-07-26 01:17:45.245 Connected with mydomain.com, negotiating SSL connection...
    < 2012-07-26 01:17:47.270 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    < 2012-07-26 01:17:47.464 220-You are user number 2 of 50 allowed.
    < 2012-07-26 01:17:47.464 220-Local time is now 01:17. Server port: 21.
    < 2012-07-26 01:17:47.464 220-This is a private system - No anonymous login
    < 2012-07-26 01:17:47.464 220-IPv6 connections are also welcome on this server.
    < 2012-07-26 01:17:47.464 220 You will be disconnected after 15 minutes of inactivity.
    > 2012-07-26 01:17:47.464 AUTH TLS
    < 2012-07-26 01:17:47.941 234 AUTH TLS OK.
    . 2012-07-26 01:18:03.991 Timeout detected.
    . 2012-07-26 01:18:03.991 Connection failed.
    * 2012-07-26 01:18:03.999 (ESshFatal) Connection failed.
    * 2012-07-26 01:18:03.999 Timeout detected.
    * 2012-07-26 01:18:03.999 Connection failed.
    * 2012-07-26 01:18:03.999 AUTH TLS OK.

    Fail2ban took over after a few retries. I was surprised though that I was able to login using puTTY on SSH. The IPTABLES indicate that all packets from my IP should be dropped, if I'm reading the firewall rules correctly.

    Also, why is the welcome message from the server transmitted to the client before authentication?

    Unfortunately, pure-ftpd's log file /var/log/messages (even after adding echo 'yes' > /etc/pure-ftpd/conf/VerboseLog and restarting) doesn't give any good info, except to confirm there was a new connection from my IP.

    Am I setting up WinSCP the right way?

    Cheers,
    Nap
     
    Last edited: Jul 25, 2012
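Both client logs above stop at the same point: the server answers "234 AUTH TLS OK." and the TLS handshake that follows never completes. The explicit-FTPS upgrade is a fixed sequence (plaintext 220 banner, client sends AUTH TLS, server replies 234, then TLS starts on the same control connection), so a stage-by-stage probe shows exactly which step times out, and also separates a timeout from a certificate verification failure. This is an added diagnostic script, not code from the thread or from Pure-FTPd/WinSCP; host and port are parameters, and the sample banner is a constructed copy of the greeting shown in the log.

```python
import socket
import ssl

# Constructed sample: a shortened copy of the Pure-FTPd greeting seen in the
# WinSCP log above, used to exercise the parser without a live server.
SAMPLE_BANNER = (
    b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    b"220-This is a private system - No anonymous login\r\n"
    b"220 You will be disconnected after 15 minutes of inactivity.\r\n"
)


def read_reply(sock):
    """Read one FTP reply, including the RFC 959 multi-line form
    ('220-' continuation lines, '220 ' final line). Returns (code, lines)."""
    buf, lines = b"", []
    while True:
        while b"\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("control connection closed by server")
            buf += chunk
        line, buf = buf.split(b"\r\n", 1)
        text = line.decode("latin-1")
        lines.append(text)
        # The last line of a reply has a space right after the 3-digit code.
        if len(text) >= 4 and text[:3].isdigit() and text[3] == " ":
            return int(text[:3]), lines


def probe_explicit_ftps(host, port=21, timeout=15):
    """Walk the explicit-FTPS upgrade one stage at a time; returns the stage
    reached, whether it succeeded, and the reply code or exception seen."""
    stage = "tcp connect"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "banner"
            code, _ = read_reply(raw)
            if code != 220:
                return {"stage": stage, "ok": False, "detail": code}
            stage = "AUTH TLS reply"
            raw.sendall(b"AUTH TLS\r\n")
            code, _ = read_reply(raw)
            if code != 234:
                return {"stage": stage, "ok": False, "detail": code}
            stage = "tls handshake"  # the stage where the logs above stall
            ctx = ssl.create_default_context()  # verifies the server cert
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"stage": stage, "ok": True, "detail": tls.version()}
    except (OSError, ssl.SSLError) as exc:  # socket.timeout is an OSError
        return {"stage": stage, "ok": False, "detail": repr(exc)}
```

A result of stage "tls handshake" with a timeout in the detail means the TCP path and the FTP control channel are fine and the TLS layer itself never answers, which is a server-side or filtering problem rather than a client setting; an ssl.SSLCertVerificationError at the same stage instead points at the certificate.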
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's the output of
    Code:
    iptables -L
    ? Did you try both active and passive transfers in your FTP client?
     
  9. Nap

    Nap Member

     
    Last edited: Jul 27, 2012
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Yes.
    Thanks for the hint, I've corrected this - the correct link is http://www.howtoforge.com/virtual-h...h-management-on-ubuntu-10.10-maverick-meerkat
     