I am trying to configure an FTP server at home with Ubuntu 16.04 Server but there's an issue with PASV. I can't make it return my external IP.

The output of ftp tester:

Status: Resolving address of dns. ... .net
Status: Connecting to xx.xxx.xxx.xxx
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220 (vsFTPd 3.0.3)
Command: CLNT https://ftptest.net on behalf of xx.xxx.xxx.xxx
Reply: 530 Please login with USER and PASS.
Command: AUTH TLS
Reply: 234 Proceed with negotiation.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='C=PT,ST=Some-State,O=Internet Widgits Pty Ltd,EMAIL=admin@... .net' issuer='C=PT,ST=Some-State,O=Internet Widgits Pty Ltd,EMAIL=admin@... .net'
Command: USER home
Reply: 331 Please specify the password.
Command: PASS ********
Reply: 230 Login successful.
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Features:
Reply: AUTH TLS
Reply: EPRT
Reply: EPSV
Reply: MDTM
Reply: PASV
Reply: PBSZ
Reply: PROT
Reply: REST STREAM
Reply: SIZE
Reply: TVFS
Reply: 211 End
Warning: The server does not indicate MLSD support. MLSD uses a well-specified listing format. Without MLSD, directory listings have to be obtained using LIST which uses an unspecified output format.
Command: PBSZ 0
Reply: 200 PBSZ set to 0.
Command: PROT P
Reply: 200 PROT now Private.
Command: PWD
Reply: 257 "/home/home" is the current directory
Status: Current path is /home/home
Command: TYPE I
Reply: 200 Switching to Binary mode.
Command: PASV
Reply: 227 Entering Passive Mode (0,0,0,0,90,101).
Error: Server returned broadcast address in PASV reply

This is what I've changed in the config file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=Yes
pasv_max_port=1050
pasv_min_port=1040
pasv_address=xx.xx.xx.xx <- my wan IP
mignz
  • How is the server connected to the Internet? Many routers/firewalls will do dynamic translation of the PASV response from the server. It could be that the router is being confused because the PASV response from the server doesn't contain a local address, and hence "translates" it to 0.0.0.0. – Lars Lind Nilsson Nov 07 '16 at 09:01
  • It was working before I had to update the router firmware. It's an ASUS RT-AC66U with the latest Asuswrt-Merlin custom firmware. However, I do not know what's changed so it doesn't work anymore. Something to do with NAT? – mignz Nov 07 '16 at 14:47
  • The FTP PORT/PASV translation is part of NAT. It may be that something has been changed in the latest firmware. Perhaps the changelogs for the firmware have some information if they have changed anything in this area. – Lars Lind Nilsson Nov 07 '16 at 15:42

2 Answers

Use the pasv_address to configure your external IP address.

See https://security.appspot.com/vsftpd/vsftpd_conf.html.

Martin Prikryl
  • I had it before, forgot to add it to the post. But the IP was wrong, however, it wasn't fixed even with the correct IP. Updated the question. – mignz Nov 06 '16 at 17:11

I was using a custom router firmware for the ASUS RT-AC66U (WRT Merlin) and updated to a newer version released yesterday. It's now working.

mignz
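
Added example, not part of the original question or answers: a small Python check that decodes a 227 reply like the one in the tester log and compares the advertised endpoint with the pasv_address, pasv_min_port and pasv_max_port values from the posted config. The function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the redacted WAN IP.

```python
import ipaddress
import re

# Reply line copied from the tester log in the question.
PAGE_REPLY = "227 Entering Passive Mode (0,0,0,0,90,101)."
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (IPv4Address, port)."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("PASV field above 255: %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def diagnose(reply, pasv_address, pasv_min_port, pasv_max_port):
    """Compare the advertised endpoint with the vsftpd pasv_* settings."""
    host, port = parse_pasv(reply)
    findings = []
    if host == ipaddress.IPv4Address(pasv_address):
        pass  # server advertised the configured external address
    elif host.is_unspecified:
        findings.append("address is 0.0.0.0, clients cannot connect to it")
    elif any(host in net for net in RFC1918):
        findings.append("address %s is private (LAN side of the NAT)" % host)
    else:
        findings.append("address %s differs from pasv_address" % host)
    if not pasv_min_port <= port <= pasv_max_port:
        findings.append("port %d is outside pasv_min_port-pasv_max_port "
                        "(%d-%d)" % (port, pasv_min_port, pasv_max_port))
    return host, port, findings


if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for the redacted WAN IP.
    host, port, findings = diagnose(PAGE_REPLY, "203.0.113.10", 1040, 1050)
    print("advertised %s:%d" % (host, port))
    for f in findings:
        print(" -", f)
```

Run against the reply in the log, it reports both the 0.0.0.0 address and a data port that falls outside the 1040-1050 range set in the config.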