
I have a rented VPS with Debian installed. Recently I've installed proftpd in order to allow read-only access for everybody and full access for particular users.

I configured proftpd (with TLS) according to several guides. I've opened the passive ports (those and port 21) in iptables and set up anonymous login.

When I log in, everything is all right: fast login, fast walking through directories. The problem occurs when I try to download a file: WinSCP, FileZilla and Python all get stuck on downloading a file and then lose the connection (the files are ~1 kB, so very small). When I am connected to the server through SFTP, I have no problems and full speed.

Any ideas? Do you need my proftpd.conf file?

Update:

I see that I need to add some information, thanks to the first comment (about SCP):

  • I'd like to be able to view files anonymously; best would be via web browser, but it's not a must.
  • I need to set up an application that synchronizes a whole folder from the VPS with a folder on my HDD (I plan to do this via Python, but shell/bash is good as well).
  • I'd like to be able to download/upload either the whole directory or only those files that have changed.
  • I need this to be doable without 3rd-party programs, either through the command line/bash or official Python libraries. It needs to work on both Windows and Fedora.

My iptables configuration:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:60000:65535
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I've turned off TLS, connected via the guest account, turned binary mode on and started tcpdump on port 21 (server side, of course). Then I did a 'get' on a single file and after a while I got "Connection closed by remote host". Here is the ftp session:

ftp> get light.cfg
200 PORT command successful
150 Opening BINARY mode data connection for light.cfg (94 bytes)
Connection closed by remote host.

and here you can see the get and the connection close separated by a blank line:

15:12:15.836468 IP (tos 0x0, ttl 119, id 30359, offset 0, flags [DF], proto TCP (6), length 67)
    83-144-76-138.static.chello.pl.54225 > vz31640.dahost.pl.ftp: Flags [P.], cksum 0x5526 (correct), seq 139:166, ack 575, win 7618, length 27
15:12:15.836636 IP (tos 0x0, ttl 64, id 50952, offset 0, flags [DF], proto TCP (6), length 69)
    vz31640.dahost.pl.ftp > 83-144-76-138.static.chello.pl.54225: Flags [P.], cksum 0x7049 (correct), seq 575:604, ack 166, win 115, length 29
15:12:15.856530 IP (tos 0x0, ttl 119, id 30360, offset 0, flags [DF], proto TCP (6), length 56)
    83-144-76-138.static.chello.pl.54225 > vz31640.dahost.pl.ftp: Flags [P.], cksum 0xd20f (correct), seq 166:182, ack 604, win 7589, length 16
15:12:15.868348 IP (tos 0x0, ttl 64, id 50953, offset 0, flags [DF], proto TCP (6), length 106)
    vz31640.dahost.pl.ftp > 83-144-76-138.static.chello.pl.54225: Flags [P.], cksum 0xba9a (correct), seq 604:670, ack 182, win 115, length 66
15:12:15.934002 IP (tos 0x0, ttl 119, id 30365, offset 0, flags [DF], proto TCP (6), length 40)
    83-144-76-138.static.chello.pl.54225 > vz31640.dahost.pl.ftp: Flags [.], cksum 0x0ccc (correct), ack 670, win 7523, length 0


15:13:15.909873 IP (tos 0x0, ttl 119, id 30372, offset 0, flags [DF], proto TCP (6), length 40)
    83-144-76-138.static.chello.pl.54225 > vz31640.dahost.pl.ftp: Flags [F.], cksum 0x0ccb (correct), seq 182, ack 670, win 7523, length 0
15:13:15.910056 IP (tos 0x0, ttl 64, id 50954, offset 0, flags [DF], proto TCP (6), length 40)
    vz31640.dahost.pl.ftp > 83-144-76-138.static.chello.pl.54225: Flags [F.], cksum 0x29ba (correct), seq 670, ack 183, win 115, length 0
15:13:15.922725 IP (tos 0x0, ttl 119, id 30373, offset 0, flags [DF], proto TCP (6), length 40)
    83-144-76-138.static.chello.pl.54225 > vz31640.dahost.pl.ftp: Flags [.], cksum 0x0cca (correct), ack 671, win 7523, length 0
MKK
  • Ditch ftps and just use scp? – EEAA Sep 29 '15 at 11:54
  • Looks pretty neat, but I won't be able to view files anonymously via web browser, right? Also I need to set up an application that synchronizes whole folder from VPS with folder on my hdd - I can recursively copy whole catalogs with this, which is GREAT, but is there a way to check which files do need to be updated? With ftp I wanted to use file path + date from LIST command, what would be possible using SCP? – MKK Sep 29 '15 at 12:07
  • If you need to view files from a web viewer, then just use Apache or nginx to do so. And yes, there are a plethora of ways to recursively copy and otherwise work with files over scp. – EEAA Sep 29 '15 at 12:13
  • Please copy&paste those into whole answer, because it looks pretty nice & I'd like to + u – MKK Sep 29 '15 at 12:14
  • Don't have time to write a proper answer now sadly. If someone else want to do it, by all means go for it. – EEAA Sep 29 '15 at 12:16
  • I see 1 more problem. SCP got some problems on Windows. I wrote about this synchronization app in python - it can also be in bash... but I cannot download any modules to use them with. So if it isn't commandline-doable or in python official libs, so I can do it on both Windows and Fedora, then this is a no-go. – MKK Sep 29 '15 at 12:23
  • If you have more info to add, please add it to your question. Comments often go overlooked. – EEAA Sep 29 '15 at 12:33

1 Answer


Please post your iptables setup. Note that getting it to work with FTP might be tricky, as FTP uses dynamic port allocation (in passive mode, when the client wants to download or upload a file, the server allocates a dynamic port for the data transfer stream, tells it to the client and expects the client to connect to it).

This means:

  1. If you want to use some "stateful" approach in Netfilter for detecting the FTP data stream, you need to have a special kernel module loaded for decoding the FTP control stream;
  2. This won't work with TLS, because the kernel will be unable to decode the said FTP control stream.

SCP (and SFTP) work OK because they multiplex control and data in a single TCP stream.

As to synchronisation… First, forget about scp as this is a legacy protocol; use SFTP instead. This appears to be a cross-platform Python SFTP implementation so it might just work for you. By the way, Windows has good support for SFTP front-end software (google for WinSCP).

And you might consider other means of synchronisation as well. For instance, rsync has Windows builds, and it's arguably the best filesystem synchronisation tool in existence. You might also consider WebDAV or even implementing something RESTful.

kostix
  • Please read my last point in the Update - I see a lot of good tools, but they seem to need some 3rd-party apps/libraries. SFTP, if usable, would need to be chrooted... and can it use anonymous users? – MKK Sep 29 '15 at 12:43
  • Also posted iptables configuration – MKK Sep 29 '15 at 14:22
  • @MKK, well, basically your Netfilter setup allows any incoming TCP traffic to the ports in the range 60000:65535, so are you sure `proftpd` is configured to allocate its data stream ports for passive mode clients in this exact range? Note that this setting allows input connections to *any* program which happens to open a port in that range. To make your setup secure you need something like [this](http://unix.stackexchange.com/questions/93554/iptables-to-allow-incoming-ftp) instead. – kostix Sep 29 '15 at 16:18
  • @MKK, re. `proftpd` port range I mean [this setting](http://www.proftpd.org/docs/directives/linked/config_ref_PassivePorts.html). – kostix Sep 29 '15 at 16:19
  • Yes, the port range is in proftpd.conf. I can copy over configuration as well, if you'd like ;) Ok, but if it accepts any program, then it still should work, right? – MKK Sep 29 '15 at 17:33
  • @MKK, so long as the port ranges strictly match, yes it should work. Well, OK, I'm out of ideas then. If I was you, my next try would be running `tcpdump` on the server recording the traffic while I would be trying downloading something via FTP. You could then analyze the traffic in Wireshark to try to see if the client's data stream connection succeeds or not. Dumping the traffic on the client might also help. Well, and if you have TLS and/or STARTTLS enabled, try disabling it first. At least while debugging. – kostix Sep 29 '15 at 18:14
  • @MKK, please do enable full debug logging in `proftpd` and see what it tells you about how it handles incoming requests. – kostix Sep 29 '15 at 18:18
  • I've turned off TLS and checked with tcpdump - it's in question update. – MKK Oct 15 '15 at 13:21
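The two points kostix makes in the answer and its comments (the kernel needs the FTP conntrack helper to follow the data stream, and a blanket ACCEPT on 60000:65535 must at least match proftpd's PassivePorts and admits any program on that range) can be checked and fixed with a short script. The following is an added example, not code from the question, the answer or the proftpd project. The proftpd.conf and iptables-save excerpts are constructed samples standing in for the asker's real files, which are not on the page; `PassivePorts`, `nf_conntrack_ftp`, the `CT --helper` target and the `conntrack` match are the real directive, module and iptables names.

```shell
#!/bin/sh
# Added example: verify that proftpd's PassivePorts range is actually opened by
# an INPUT rule, and print a stateful ruleset that relies on the FTP conntrack
# helper instead of a static hole. Nothing here modifies the live firewall; the
# rules are printed for review.

# Constructed sample of the relevant proftpd.conf lines (assumption: the real
# file is not on the page).
PROFTPD_CONF_SAMPLE='ServerName "VPS"
Port 21
PassivePorts 60000 65535
TLSEngine off'

# Constructed sample of `iptables -S INPUT` output, mirroring the question's
# iptables -L listing (assumption: the real ruleset is not on the page).
IPTABLES_SAVE_SAMPLE='-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 60000:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT'

# Print "lo hi" for the first PassivePorts directive in a proftpd.conf on stdin.
passive_range() {
    awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# Print "lo hi" for every stateless INPUT ACCEPT rule that opens a TCP port
# range (`--dport lo:hi`) in `iptables -S` / `iptables-save` output on stdin.
open_tcp_ranges() {
    awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ && $0 !~ /--ctstate/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" && $(i + 1) ~ /^[0-9]+:[0-9]+$/) {
                split($(i + 1), r, ":"); print r[1], r[2]
            }
    }'
}

# Exit 0 if some "lo hi" range on stdin fully covers the range given as $1 $2,
# exit 1 otherwise (a partially opened PassivePorts range makes transfers hang
# whenever proftpd picks a port outside the hole).
range_covered() {
    awk -v lo="$1" -v hi="$2" 'BEGIN { ok = 1 }
        $1 <= lo && $2 >= hi { ok = 0 }
        END { exit ok }'
}

# Stateful alternative: open 21 only, let the kernel's FTP helper parse PORT and
# PASV on the control channel and admit just the RELATED data connection.
# Since kernel 4.7 the helper is not auto-assigned; the CT target does it.
# This only works while the control channel is cleartext (no TLS).
stateful_ftp_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# With TLS the helper cannot read PASV, so the passive range must be opened
# statically; keep it exactly as narrow as proftpd's PassivePorts.
static_passive_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

main() {
    set -- $(printf '%s\n' "$PROFTPD_CONF_SAMPLE" | passive_range)
    if printf '%s\n' "$IPTABLES_SAVE_SAMPLE" | open_tcp_ranges | range_covered "$1" "$2"; then
        echo "PassivePorts $1-$2 is covered by an INPUT ACCEPT rule"
    else
        echo "PassivePorts $1-$2 is NOT fully covered: passive transfers will hang" >&2
    fi
    echo "Stateful ruleset (cleartext control channel):"
    stateful_ftp_rules
    echo "Static rule if TLS stays on:"
    static_passive_rule "$1" "$2"
}

main
```

Run it against the real files with `passive_range < /etc/proftpd/proftpd.conf` and `iptables -S INPUT | open_tcp_ranges`. One caveat on reading the transcript in the question: the `200 PORT command successful` line is an active-mode transfer, where the server connects out to the client rather than the client connecting to a passive port, so the server's INPUT rules and PassivePorts are not what gates that particular data connection; the stateful rules above cover both directions via the helper, but the client side of an active transfer has to accept the inbound connection too.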