Ftp – Specific FTP connections not able to upload files

connectionftppermissionsvsftpd

I have installed vsftpd in a server. A new ftp group was added and a user was created and added to that group.

I've tested 3 different scenarios, only 1 of them is working properly and the other 2 are giving me FAIL UPLOAD/425 Failed to establish connection

Scenario 1:

  • Connecting from my computer using FileZilla
  • I get the file list and can upload/download any file.

As you can see, the server says "227 Entering passive Mode" and is sending his public IP and using the port range I set up in the config file:

Jun  5 19:09:36 zhny vsftpd[1]: [ftpuser] OK LOGIN: Client "xxx.xxx.xxx.xxx"    
Jun  5 19:09:36 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "230 Login successful."   
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "SYST"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "215 UNIX Type: L8"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "FEAT"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "211-Features:"  
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " EPRT#015#012"   
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " EPSV#015#012"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " MDTM#015#012"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " PASV#015#012"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " REST STREAM#015#012"  
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " SIZE#015#012"  
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " TVFS#015#012"  
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", " UTF8#015#012"
Jun  5 19:09:37 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "211 End"
Jun  5 19:09:38 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "OPTS UTF8 ON"
Jun  5 19:09:38 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "200 Always in UTF8 mode."
Jun  5 19:09:38 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "PWD"
Jun  5 19:09:38 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "257 "/srv/ftpvs/ftpuser""
Jun  5 19:09:39 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "TYPE I"
Jun  5 19:09:39 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "200 Switching to Binary mode."
Jun  5 19:09:39 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "PASV"
Jun  5 19:09:39 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "227 Entering Passive Mode (zzz,zz,zzz,zzz,66,108)."
Jun  5 19:09:40 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "LIST"
Jun  5 19:09:40 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "150 Here comes the directory listing."
Jun  5 19:09:41 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "226 Directory send OK."

Scenario 2:

  • Connecting by command line from a server in the same network than my pc
  • The connection goes fine, but when i make a "ls" to get the file list, I got an error.

As you can see, the server is saying "Consider using pasv" and not sending his own IP. In the previous line seems like the client is sending his IP, which didnt happen with the FileZilla client:

Jun  5 19:14:43 zhny vsftpd[1]: [ftpuser] OK LOGIN: Client "xxx.xxx.xxx.xxx"
Jun  5 19:14:44 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "230 Login successful."
Jun  5 19:14:44 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "SYST"
Jun  5 19:14:44 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "215 UNIX Type: L8"
Jun  5 19:14:48 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "PORT xxx,xxx,xxx,xxx,205,157"
Jun  5 19:14:48 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "200 PORT command successful. Consider using PASV."
Jun  5 19:14:49 zhny vsftpd[1]: [ftpuser] FTP command: Client "xxx.xxx.xxx.xxx", "LIST"
Jun  5 19:15:49 zhny vsftpd[1]: [ftpuser] FTP response: Client "xxx.xxx.xxx.xxx", "425 Failed to establish connection."

Scenario 3:

  • Connecting from the device that will have to send the data to the FTP.
  • Connection goes good, but when it tries to PUT a file, the ftp send back the FAIL UPLOAD error message
  • Same behaviour than scenario 2 (saying "consider using pasv" and client sending his IP)

At the end you can see the FAIL UPLOAD message and that 0KB were transmitted:

Jun  5 14:51:46 zhny vsftpd[1]: [ftpuser] OK LOGIN: Client "yyy.yyy.y.yy"
Jun  5 14:51:46 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "230 Login successful."
Jun  5 14:51:46 zhny vsftpd[1]: [ftpuser] FTP command: Client "yyy.yyy.y.yy", "TYPE I"
Jun  5 14:51:46 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "200 Switching to Binary mode."
Jun  5 14:51:47 zhny vsftpd[1]: [ftpuser] FTP command: Client "yyy.yyy.y.yy", "PORT yyy,yyy,y,yy,244,168"
Jun  5 14:51:47 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "200 PORT command successful. Consider using PASV."
Jun  5 14:51:48 zhny vsftpd[1]: [ftpuser] FTP command: Client "yyy.yyy.y.yy", "STOR TZE_1MIN_20130605_145200.dat"
Jun  5 14:51:54 zhny vsftpd[1]: [ftpuser] OK LOGIN: Client "yyy.yyy.y.yy"
Jun  5 14:51:54 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "230 Login successful."
Jun  5 14:51:55 zhny vsftpd[1]: [ftpuser] FTP command: Client "yyy.yyy.y.yy", "TYPE I"
Jun  5 14:51:55 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "200 Switching to Binary mode."
Jun  5 14:51:55 zhny vsftpd[1]: [ftpuser] FTP command: Client "yyy.yyy.y.yy", "PORT yyy,yyy,y,yy,244,169"
Jun  5 14:51:55 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "200 PORT command successful. Consider using PASV."
Jun  5 14:51:56 zhny vsftpd[1]: [ftpuser] FTP command: Client "yyy.yyy.y.yy", "STOR TZE_1MIN_20130605_135200.dat"
Jun  5 14:52:48 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "425 Failed to establish connection."
Jun  5 14:52:48 zhny vsftpd[1]: [ftpuser] FAIL UPLOAD: Client "yyy.yyy.y.yy", "/srv/ftpvs/ftpuser/TZE_1MIN_20130605_145200.dat", 0.00Kbyte/sec
Jun  5 14:52:56 zhny vsftpd[1]: [ftpuser] FTP response: Client "yyy.yyy.y.yy", "425 Failed to establish connection."
Jun  5 14:52:56 zhny vsftpd[1]: [ftpuser] FAIL UPLOAD: Client "yyy.yyy.y.yy", "/srv/ftpvs/ftpuser/TZE_1MIN_20130605_135200.dat", 0.00Kbyte/sec

Here you have my vsftpd.conf file:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
syslog_enable=YES
connect_from_port_20=YES
idle_session_timeout=300
data_connection_timeout=300
listen=YES
pam_service_name=vsftpd
tcp_wrappers=YES
chroot_local_user=YES
chroot_list_enable=YES
pasv_min_port=17000
pasv_max_port=17005
pasv_address=ip_of_the_ftp_server

In the vsftpd.chroot_list file i only have 1 line with the user i created for the ftp.

The only difference i can see between scenarios is that with FileZilla the ftp is using PASV connection. Can be this the reason of not working properly?

Any other thoughts and advices are welcome.

Best Answer

This is a fairly common problem with FTP when there is a NAT system between the client and server or a firewall that isn't configured for FTP.

Your first sample uses so-called "passive mode" FTP while your other two samples uses "active mode".

FTP works through two different TCP connection: a command channel (on port 21) that is used to transfer simple commands (login, list directory, etc) and a data channel which is used to send any data back (that is: a file but also the result of a directory listing request).

In active mode, when transmitting a file or a directory listing, the client will specify an IP address and port number (PORT command) to use and the server will establish a new connection from port 20 to the specified connection. If the client is behind a firewall or a NAT device, it will prevent that connection from succeeding.

In passive mode, the data channel is open in the opposite direction: The client will send the PASV command and the server will start listening on a random free port (typically in the dynamic range) and tell the client to connect to that port.

Passive mode is much more commonly used because it is relatively easy for a firewall configured on or close to the server to detect the command and allow the new connection. On the other hand, an active mode connection requires the client to be able to accept a connection coming from the server and that is usually not working well at all when behind a NAT device or corporate firewall.

the solution is typically to disable the active mode on the server altogether or make sure the clients all use passive mode. this is usually not a problem with modern client (which all default to active mode) but can be an issue with older ones or FTP scripts.

Related Topic