[CentOS] VSftp, ssl/tls, slight issue with directory listings: SOLVED

Bob Hoffman bob at bobhoffman.com
Fri Mar 2 02:49:54 EST 2012


  on /Fri Mar 2 02:34:21 EST 2012 /John R. Pierce wrote;

>On 03/01/12 11:09 PM, Bob Hoffman wrote:
>>/  vsftp works fine in regular mode, going to ssl I got issues. I get as
/>>/  far as 'directory listing' and it dies. It times out and disconnects.
/
>if you need secure file transfer, use sftp/scp, not ftp-over-ssl...
>ftp-over-ssl is a mess.

Well, I got it working but not sure I want to leave it that way....

1- added these lines to vsftp.conf

listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100
(hopefully these ports are not used by anything._)

commented out the line, diisabling it.
#connect_from_port_20=YES

The above lines solve the issue of the ssl getting kind of lost since 
the iptable module conntrack cannot quite grasp ssl dealings in this regard.
These lines set specific ports to be used for, well, for whatever the 
heck vsftp needs all those ports for.
The min/max could be lower I guess, but what the heck.

IPTABLES required a nice bunch of junk too.
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 4999 
-j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000 -j 
ACCEPT
-A INPUT -p tcp --dport 5001:5100 -j ACCEPT

and of course you can kill the port 21 iptable listing as it will not 
work anymore.
(could port 20 and 21 still be used? I guess so, did not test that).

I wonder how safe that is to make such a huge hole in your firewall...?

you can see where the numbers added in vsftp.conf correspond with the 
iptables set up.

To finalize, here is the additions to the vsftp.conf file

listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_ciphers=HIGH


so there you have it, ssl over ftp with centos 6.
Not sure how safe the whole 100 ports open thing is (you need ports to 
be open depending on number of users I guess, I am gonna lower it to 20 
I think)


More information about the CentOS mailing list