[CentOS] VSftp, ssl/tls, slight issue with directory listings: SOLVED
Bob Hoffman
bob at bobhoffman.com
Fri Mar 2 07:49:54 UTC 2012
On Fri Mar 2 02:34:21 EST 2012, John R. Pierce wrote:
>On 03/01/12 11:09 PM, Bob Hoffman wrote:
>>vsftp works fine in regular mode, going to ssl I got issues. I get as
>>far as 'directory listing' and it dies. It times out and disconnects.
>if you need secure file transfer, use sftp/scp, not ftp-over-ssl...
>ftp-over-ssl is a mess.
Well, I got it working but not sure I want to leave it that way....
1- added these lines to vsftp.conf
listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100
(hopefully these ports are not used by anything.)
Commented out this line, disabling it:
#connect_from_port_20=YES
The above lines solve the issue of the ssl getting kind of lost since
the iptable module conntrack cannot quite grasp ssl dealings in this regard.
These lines set specific ports to be used for, well, for whatever the
heck vsftp needs all those ports for.
The min/max could be lower I guess, but what the heck.
IPTABLES required a nice bunch of junk too.
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 4999 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp --dport 5001:5100 -j ACCEPT
and of course you can kill the port 21 iptable listing as it will not
work anymore.
(could port 20 and 21 still be used? I guess so, did not test that).
I wonder how safe that is to make such a huge hole in your firewall...?
you can see where the numbers added in vsftp.conf correspond with the
iptables set up.
To finalize, here are the additions to the vsftp.conf file
listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_ciphers=HIGH
so there you have it, ssl over ftp with centos 6.
Not sure how safe the whole 100 ports open thing is (you need ports to
be open depending on number of users I guess, I am gonna lower it to 20
I think)
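Added example, not part of the post above: since the conntrack FTP helper cannot read the PASV reply once the control channel is under TLS, the firewall must open the passive range explicitly, and the two must match. This script derives the iptables rules from vsftpd.conf so they cannot drift, and reports how wide the range is (one port per simultaneous data connection). It assumes passive-mode clients only, so it emits no rule for the active-mode data port; the config file is a constructed sample mirroring the values in the post.

```shell
#!/bin/sh
# Derive the iptables passive-range rules from vsftpd.conf (added example,
# not from the original post). Constructed sample config follows.
VSFTPD_CONF_SAMPLE='listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100
ssl_enable=YES'

# write_sample_conf -> path of a temp file holding the constructed sample
write_sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' "$VSFTPD_CONF_SAMPLE" > "$f"
    echo "$f"
}

# conf_get FILE KEY -> value of KEY (commented-out lines are ignored,
# the last occurrence wins, as vsftpd itself does)
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# pasv_rules FILE -> iptables rules for the control port and the passive
# data range read from FILE; fails if either is missing or the range is
# inverted, so a broken config never yields a half-open firewall.
pasv_rules() {
    listen=$(conf_get "$1" listen_port)
    pmin=$(conf_get "$1" pasv_min_port)
    pmax=$(conf_get "$1" pasv_max_port)
    [ -n "$listen" ] && [ -n "$pmin" ] && [ -n "$pmax" ] || return 1
    [ "$pmin" -le "$pmax" ] || return 1
    printf '%s\n' \
      "-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport $listen -j ACCEPT" \
      "-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport $pmin:$pmax -j ACCEPT"
}

# pasv_width FILE -> number of ports in the passive range, i.e. the upper
# bound on concurrent data connections (each listing or transfer uses one)
pasv_width() {
    pmin=$(conf_get "$1" pasv_min_port)
    pmax=$(conf_get "$1" pasv_max_port)
    echo $((pmax - pmin + 1))
}
```

Run `pasv_rules /etc/vsftpd/vsftpd.conf` against the live config to regenerate the rules after narrowing pasv_max_port, and `pasv_width` to confirm the range still covers the expected number of concurrent sessions.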