
I have an ftp server to which my clients connect quietly in the morning, but in the afternoon the connection is refused (not for all of them, only one), while the clients using http work normally.

In particular, it appears as if the authentication credentials are accepted but the file transfer is blocked.

Could it be that the client has less bandwidth available in the afternoon, and that Linux or vsftpd then denies the connection?

The ftp server is passive; the configuration file vsftpd.conf (aaa.bbb.ccc.ddd is the server IP address) is:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0666
xferlog_enable=YES
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50010
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
file_open_mode=0666
anon_umask=000
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=YES
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/vsftpd_user_conf
pasv_address=aaa.bbb.ccc.ddd
pasv_addr_resolve=NO
secure_chroot_dir=/usr/share/empty
allow_writeable_chroot=YES
isolate=NO
isolate_network=NO
famedoro

1 Answer


I would check with your firewall team. Some of the more advanced firewalls may react in this manner in some instances.

With Passive FTP (a common setup) the connection starts on port 21 and then moves to a high-numbered random port. In your case ports 50000-50010 are used. The firewall is likely (and should be) set up to block these ports, as they aren't used as dedicated ports. The firewall can allow connections on port 21 and then, once the connection is established, track it and allow a dynamic port to be passed through.

I suspect your user who isn't using the connection as much is facing a timeout in this case. While port 21 will always be open the dynamic ports do have timeouts associated with them. The file transfer will be occurring on the dynamic ports which explains why they can connect, but not transfer.

DarkSheep
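As an added example (not code from the question or the answer, and not part of vsftpd), the following shows the check behind this answer: decode the server's 227 reply to see which data port the client is told to connect to, and compare it with the pasv_min_port/pasv_max_port range and the pasv_address that the firewall rule is written for. The configuration fragment and the 227 replies are constructed, with 192.0.2.10 standing in for aaa.bbb.ccc.ddd.

```python
import re
# Constructed sample settings (192.0.2.10 stands in for aaa.bbb.ccc.ddd).
SAMPLE_CONF = """pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50010
pasv_address=192.0.2.10
"""

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server tells the client
# where to open the data connection; the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_conf(text):
    """Parse key=value lines of a vsftpd.conf, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_pasv_reply(reply):
    """Decode the advertised (host, port) from a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def check_pasv_reply(reply, conf):
    """List mismatches between the advertised endpoint and the configured
    passive range/address; an empty list means the firewall rule for
    pasv_min_port..pasv_max_port on pasv_address will match the data connection."""
    host, port = parse_pasv_reply(reply)
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    findings = []
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside {lo}-{hi}")
    if conf.get("pasv_address") and host != conf["pasv_address"]:
        findings.append(f"advertised {host} but pasv_address is {conf['pasv_address']}")
    return findings

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # Constructed replies: 195*256+84 = 50004 (inside), 195*256+100 = 50020 (outside).
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,84)",
                  "227 Entering Passive Mode (192,0,2,10,195,100)"):
        print(reply, "->", check_pasv_reply(reply, conf) or ["ok"])
```

Run the same check against the 227 lines in the client's FTP log for the afternoon session: if the port or address differs from what the morning session got, the firewall rule for 50000-50010 cannot match the data connection.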
  • The firewall (iptables) is configured so as to allow the traffic on ports 50000 to 50010, and in fact in the morning they work. The firewall is never changed between the morning and the afternoon. Port 21 is also open. – famedoro Nov 16 '16 at 13:56
  • I am assuming that there are two firewalls. It may not be the server firewall, but the client firewall. – DarkSheep Nov 16 '16 at 14:20
  • To run our tests we have disabled the firewall on our clients (they use Windows XP, Windows 7) – famedoro Nov 16 '16 at 14:40
  • Any advice to solve the problem? – famedoro Nov 17 '16 at 14:28