Old 03-02-2012, 06:49 AM
Bob Hoffman
 
VSftp, ssl/tls, slight issue with directory listings: SOLVED

On Fri Mar 2 02:34:21 EST 2012, John R. Pierce wrote:

>On 03/01/12 11:09 PM, Bob Hoffman wrote:
>> vsftp works fine in regular mode, going to ssl I got issues. I get as
>> far as 'directory listing' and it dies. It times out and disconnects.
>
>if you need secure file transfer, use sftp/scp, not ftp-over-ssl...
>ftp-over-ssl is a mess.

Well, I got it working but not sure I want to leave it that way....

1- added these lines to vsftp.conf

listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100
(hopefully these ports are not used by anything.)

commented out the line, disabling it.
#connect_from_port_20=YES

The above lines solve the issue of the ssl getting kind of lost since
the iptable module conntrack cannot quite grasp ssl dealings in this regard.
These lines set specific ports to be used for, well, for whatever the
heck vsftp needs all those ports for.
The min/max could be lower I guess, but what the heck.

IPTABLES required a nice bunch of junk too.
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 4999 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp --dport 5001:5100 -j ACCEPT

and of course you can kill the port 21 iptable listing as it will not
work anymore.
(could port 20 and 21 still be used? I guess so, did not test that).

I wonder how safe that is to make such a huge hole in your firewall...?

you can see where the numbers added in vsftp.conf correspond with the
iptables set up.

To finalize, here are the additions to the vsftp.conf file

listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_ciphers=HIGH


so there you have it, ssl over ftp with centos 6.
Not sure how safe the whole 100 ports open thing is (you need ports to
be open depending on number of users I guess, I am gonna lower it to 20
I think)
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
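Added example, not code from the thread or from vsftpd itself: a small audit script that reads the vsftpd.conf additions and the iptables rules quoted above (embedded here as constructed sample input), works out which TCP ports must accept NEW inbound connections (the control port plus the PASV range; the active-mode ftp_data_port is a source port the server connects *from*, so it needs no NEW rule), reports ports the firewall leaves closed or opens unnecessarily, and flags SSL options under which local users can still log in or transfer data in cleartext. The built-in vsftpd defaults table and all function names are my assumptions. Re-running it with pasv_max_port lowered to 5020, as the post considers, shows the 80 ports the iptables range would then leave open for nothing.

```python
"""Audit vsftpd FTPS port settings against an iptables INPUT rule set."""
import re
from typing import Dict, List, Set

# Constructed sample input: the vsftpd.conf additions from the post above.
VSFTPD_CONF = """\
listen_port=5000
ftp_data_port=4999
pasv_min_port=5001
pasv_max_port=5100
#connect_from_port_20=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_ciphers=HIGH
"""

# Constructed sample input: the iptables rules from the post above.
IPTABLES_RULES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 4999 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp --dport 5001:5100 -j ACCEPT
"""

# Assumed vsftpd built-in defaults for the options this audit looks at.
VSFTPD_DEFAULTS = {
    "listen_port": "21",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
}

_DPORT = re.compile(r"--dport\s+(\d+)(?::(\d+))?")
_STATE = re.compile(r"--state\s+([A-Z,]+)")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """key=value lines over the defaults; comments (e.g. the disabled
    connect_from_port_20 line) and blanks are ignored."""
    opts = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def ports_needing_new(opts: Dict[str, str]) -> Set[int]:
    """Ports a client opens NEW connections to: control port + PASV range."""
    needed = {int(opts["listen_port"])}
    if "pasv_min_port" in opts and "pasv_max_port" in opts:
        lo, hi = int(opts["pasv_min_port"]), int(opts["pasv_max_port"])
        needed |= set(range(lo, hi + 1))
    return needed


def ports_accepting_new(rules: str) -> Set[int]:
    """TCP dports on which INPUT ACCEPT rules admit NEW connections.
    A rule without --state matches every state, NEW included."""
    allowed: Set[int] = set()
    for line in rules.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        m = _DPORT.search(line)
        if not m:
            continue
        st = _STATE.search(line)
        if st and "NEW" not in st.group(1).split(","):
            continue  # ESTABLISHED/RELATED only: does not open the port
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        allowed |= set(range(lo, hi + 1))
    return allowed


def audit(conf_text: str, rules_text: str) -> dict:
    opts = parse_vsftpd_conf(conf_text)
    needed = ports_needing_new(opts)
    allowed = ports_accepting_new(rules_text)
    findings: List[str] = []
    if opts["ssl_enable"] == "YES":
        if opts["force_local_logins_ssl"] != "YES":
            findings.append("force_local_logins_ssl=NO: local users may log in in cleartext")
        if opts["force_local_data_ssl"] != "YES":
            findings.append("force_local_data_ssl=NO: file data may travel in cleartext")
        for opt in ("ssl_sslv2", "ssl_sslv3"):
            if opts[opt] == "YES":
                findings.append(f"{opt}=YES: obsolete protocol version enabled")
    return {
        "missing": needed - allowed,          # needed but firewall blocks NEW
        "extra": allowed - needed,            # open for nothing vsftpd uses
        "pasv_range_size": len(needed - {int(opts["listen_port"])}),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(VSFTPD_CONF, IPTABLES_RULES)
    print(f"PASV range size: {report['pasv_range_size']} ports")
    print("needed but not accepting NEW:", sorted(report["missing"]) or "none")
    print("accepting NEW but not needed:", sorted(report["extra"]) or "none")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run on the quoted settings the port sets match exactly and the two SSL findings are the `force_local_*_ssl=NO` lines; the PASV range only needs to be as large as the number of simultaneous data connections you expect, and narrowing the firewall range in lockstep with pasv_max_port keeps "extra" empty.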
 
Old 03-02-2012, 07:01 AM
John R Pierce
 
VSftp, ssl/tls, slight issue with directory listings: SOLVED

On 03/01/12 11:49 PM, Bob Hoffman wrote:
> so there you have it, ssl over ftp with centos 6.

good luck if the end user at the other end is behind a NAT of any sort
(soho router, etc).

btw, active/port vs PASV is at the choice of the CLIENT, not the
server. really makes a mess of this stuff, hence my statement that
ftp-over-ssl was an abomination.





--
john r pierce N 37, W 122
santa cruz ca mid-left coast

 
Old 03-02-2012, 07:14 AM
Bob Hoffman
 
VSftp, ssl/tls, slight issue with directory listings: SOLVED

John R. Pierce wrote on Fri Mar 2 03:01:21 EST 2012:

>On 03/01/12 11:49 PM, Bob Hoffman wrote:
>> so there you have it, ssl over ftp with centos 6.
>
>good luck if the end user at the other end is behind a NAT of any sort
>(soho router, etc).
>
>btw, active/port vs PASV is at the choice of the CLIENT, not the
>server. really makes a mess of this stuff, hence my statement that
>ftp-over-ssl was an abomination.

True that. I agree. I would rather ssh and I do.
However many people want or need ssh and want it encrypted.
They are just gonna have to do their own thing and figure it out on
their end.
This is all I am gonna do to work on it. It works.

I have no idea why ftp makes it like that. That whole range of ips it needs.
Without adding those ips the ssl connection will die and get lost.

I agree it is a mess. And 5 hours later I am not gonna go any further.
If they are behind something, they better learn about scp or putty...


 
Old 03-02-2012, 05:01 PM
John R Pierce
 
VSftp, ssl/tls, slight issue with directory listings: SOLVED

On 03/02/12 12:14 AM, Bob Hoffman wrote:
> I agree it is a mess. And 5 hours later I am not gonna go any further.
> If they are behind something, they better learn about scp or putty...

for the windows clients, `winscp` is quite handy. or filezilla, either
are freeware GUI clients for scp/sftp.



--
john r pierce N 37, W 122
santa cruz ca mid-left coast

 
Old 03-02-2012, 05:59 PM
Bob Hoffman
 
VSftp, ssl/tls, slight issue with directory listings: SOLVED

John R. Pierce wrote on Fri Mar 2 13:01:14 EST 2012:

>On 03/02/12 12:14 AM, Bob Hoffman wrote:
>> I agree it is a mess. And 5 hours later I am not gonna go any further.
>> If they are behind something, they better learn about scp or putty...
>
>for the windows clients, `winscp` is quite handy. or filezilla, either
>are freeware GUI clients for scp/sftp.

True, and that is what I use. But this is in regards to people who are doing websites.
They usually use a site builder like dreamweaver and the like.
Using ssh with dreamweaver includes trying to tunnel through ssh which a basic user would be lost
trying to do.
Other free and paid ones have issues or cannot ssh at all. Thus, the need, as a webserver, to
allow this if needed (ftp..and more securely ftp over ssl).

If they get in a situation where they cannot ftp then they will need to do ssh.

The site builders do automatic update/upload of files changed on the local disk to the remote
web folder, thus programs like winscp and stuff are not useful to them.

As an option, ssl over ftp is better than naught since they are going to be using it anyway.
However, as you mentioned, there are situations where it will fail because of the ssl.

For a webserver there is little choice but to add ftp unless the user is very proficient
at setting up ssh tunneling or other ssh options with a site builder program.

heck, I am just proud I was able to make the dang thing work.
Hopefully soon ftp will die out and ssh only will be the way.

-bob


 
Old 03-02-2012, 06:30 PM
Frank Cox
 
VSftp, ssl/tls, slight issue with directory listings: SOLVED

On Fri, 02 Mar 2012 13:59:48 -0500
Bob Hoffman wrote:

> True and that is what I use. but this is in regards to people who are doing
> websites. They usually use a site builder like dreamweaver and the like.
> Using ssh with dreamweaver includes trying to tunnel through ssh which a
> basic user would be lost trying to do.
> Other free and paid ones have issues or cannot ssh at all. Thus, the need, as
> a webserver, to allow this if needed (ftp..and more securely ftp over ssl).

Have you looked at sitecopy? http://www.manyfish.co.uk/sitecopy/

It makes it pretty simple for end users to do this. I believe it's supposed to
run under Windows, though I've never tried that.

--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER!
 
