VSFTPD refuses to list directory when PASV is enabledvsftpd does not list content of a directoryShare a...

Download, install and reboot computer at night if needed

A newer friend of my brother's gave him a load of baseball cards that are supposedly extremely valuable. Is this a scam?

Chess with symmetric move-square

Why do we use polarized capacitor?

What Brexit solution does the DUP want?

Why is "Reports" in sentence down without "The"

If Manufacturer spice model and Datasheet give different values which should I use?

Do airline pilots ever risk not hearing communication directed to them specifically, from traffic controllers?

How do we improve the relationship with a client software team that performs poorly and is becoming less collaborative?

How to make payment on the internet without leaving a money trail?

declaring a variable twice in IIFE

Why is the design of haulage companies so “special”?

How can the DM most effectively choose 1 out of an odd number of players to be targeted by an attack or effect?

Is Social Media Science Fiction?

Draw simple lines in Inkscape

Copenhagen passport control - US citizen

Can Medicine checks be used, with decent rolls, to completely mitigate the risk of death from ongoing damage?

least quadratic residue under GRH: an EXPLICIT bound

How do you conduct xenoanthropology after first contact?

What would happen to a modern skyscraper if it rains micro blackholes?

Example of a relative pronoun

Email Account under attack (really) - anything I can do?

I’m planning on buying a laser printer but concerned about the life cycle of toner in the machine

A function which translates a sentence to title-case



VSFTPD refuses to list directory when PASV is enabled


vsftpd does not list content of a directoryShare a directory over FTP with chroot_local enabledVSFTPD Home Directory CentOS 6Controlling ftp access with vsftpdVSFTPD cutted uploadsDirectory Contents Not Listed When Connecting To CentOS 7 VSFTPDVSFTPD 500 OOPS: cannot change directoryvsftpd closes conntion with code 421 when listing directory contentConfiguring VSFTPD over TLSAble to Connect to vsftpd server using Windows 7, but getting error using Ubuntu 14.04






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







0















I'm configuring VSFTPD on Ubuntu 18.04 and have followed all the guidelines. It's working OK for plain FTP (insecure), however as soon as I enable SSL/TLS and Passive mode, it connects, but I am unable to list any directories.



For reference, here's my vsftpd.conf :



# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Passive Adrress Routing
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=myholychecksum.workisboring.com
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# Passive Connections Port Range
pasv_min_port=5000
pasv_max_port=5999
#
# Userlist Settings
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES


My folder permissions are set fine, as mentioned before, it works fine on plain FTP.



I've narrowed it down to what I think is an issue with the passive ports. Iv'e tried multiple different port ranges for the passive ports, the 40000/50000 range, and the currently set 5000 to 5999. They are forwarded correctly on my router, and they are properly set on UFW:



sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
3306 ALLOW Anywhere
3306/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
990/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
30000:40000/tcp ALLOW Anywhere
3000/tcp ALLOW Anywhere
5000:5999/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
990/tcp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
30000:40000/tcp (v6) ALLOW Anywhere (v6)
3000/tcp (v6) ALLOW Anywhere (v6)
5000:5999/tcp (v6) ALLOW Anywhere (v6)


One thing I have noticed is that when checking nmap, the ports are not being listed:



sudo nmap localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-06 14:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds


I fail to understand why.
Also follows the VSFTPD connection log.



Sat Apr  6 13:33:29 2019 [pid 5155] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:29 2019 [pid 5151] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,22,250)."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:33:49 2019 [pid 5162] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:49 2019 [pid 5161] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,21,115)."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:34:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:29 2019 [pid 5155] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."
Sat Apr 6 13:34:50 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:50 2019 [pid 5162] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."









share|improve this question









New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • Your title and question mismatch: While you title claims that it does not work once PASV is enabled the body says it does not work once PASV and SSL is enabled. Also it is not clear if it even worked before enabling PASV and SSL, if it works with SSL but not passive, if it works with passive but not SSL etc. But this detail of information is actually necessary to narrow down the problem so please add the necessary details.

    – Steffen Ullrich
    yesterday











  • Also nothing is known about how the FTP server is integrated in your network. Only a small note suggests that you are running the FTP server behind a router (which probably does NAT). This kind of setup will usually not work anyway. It might work if the router has some FTP helper but this helper will stop working once SSL is enabled since the helper is unable to find out the ports for data connections since the control connection is encrypted. In summary: don't use FTP in the first place, it only causes lots of trouble.

    – Steffen Ullrich
    yesterday













  • Also, in the title you claim that "VSFTPD refuses to list directory". This is not true either: The log files clearly shows that the client fails to create the data connection to the FTP server within 40 seconds so the server is not refusing anything but the client simply cannot connect to the server to get the data.

    – Steffen Ullrich
    yesterday











  • Thanks for your help Steffen. Indeed it's behind a NAT. No idea that didn't work but I do now thanks to your answer. Could've saved myself 10 hours of messing around but that's the best way to learn :) I will stick with SFTP instead then.

    – Linkfish
    yesterday


















0















I'm configuring VSFTPD on Ubuntu 18.04 and have followed all the guidelines. It's working OK for plain FTP (insecure), however as soon as I enable SSL/TLS and Passive mode, it connects, but I am unable to list any directories.



For reference, here's my vsftpd.conf :



# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Passive Adrress Routing
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=myholychecksum.workisboring.com
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# Passive Connections Port Range
pasv_min_port=5000
pasv_max_port=5999
#
# Userlist Settings
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES


My folder permissions are set fine, as mentioned before, it works fine on plain FTP.



I've narrowed it down to what I think is an issue with the passive ports. Iv'e tried multiple different port ranges for the passive ports, the 40000/50000 range, and the currently set 5000 to 5999. They are forwarded correctly on my router, and they are properly set on UFW:



sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
3306 ALLOW Anywhere
3306/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
990/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
30000:40000/tcp ALLOW Anywhere
3000/tcp ALLOW Anywhere
5000:5999/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
990/tcp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
30000:40000/tcp (v6) ALLOW Anywhere (v6)
3000/tcp (v6) ALLOW Anywhere (v6)
5000:5999/tcp (v6) ALLOW Anywhere (v6)


One thing I have noticed is that when checking nmap, the ports are not being listed:



sudo nmap localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-06 14:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds


I fail to understand why.
Also follows the VSFTPD connection log.



Sat Apr  6 13:33:29 2019 [pid 5155] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:29 2019 [pid 5151] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,22,250)."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:33:49 2019 [pid 5162] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:49 2019 [pid 5161] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,21,115)."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:34:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:29 2019 [pid 5155] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."
Sat Apr 6 13:34:50 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:50 2019 [pid 5162] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."









share|improve this question









New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • Your title and question mismatch: While you title claims that it does not work once PASV is enabled the body says it does not work once PASV and SSL is enabled. Also it is not clear if it even worked before enabling PASV and SSL, if it works with SSL but not passive, if it works with passive but not SSL etc. But this detail of information is actually necessary to narrow down the problem so please add the necessary details.

    – Steffen Ullrich
    yesterday











  • Also nothing is known about how the FTP server is integrated in your network. Only a small note suggests that you are running the FTP server behind a router (which probably does NAT). This kind of setup will usually not work anyway. It might work if the router has some FTP helper but this helper will stop working once SSL is enabled since the helper is unable to find out the ports for data connections since the control connection is encrypted. In summary: don't use FTP in the first place, it only causes lots of trouble.

    – Steffen Ullrich
    yesterday













  • Also, in the title you claim that "VSFTPD refuses to list directory". This is not true either: The log files clearly shows that the client fails to create the data connection to the FTP server within 40 seconds so the server is not refusing anything but the client simply cannot connect to the server to get the data.

    – Steffen Ullrich
    yesterday











  • Thanks for your help Steffen. Indeed it's behind a NAT. No idea that didn't work but I do now thanks to your answer. Could've saved myself 10 hours of messing around but that's the best way to learn :) I will stick with SFTP instead then.

    – Linkfish
    yesterday














0












0








0








I'm configuring VSFTPD on Ubuntu 18.04 and have followed all the guidelines. It's working OK for plain FTP (insecure), however as soon as I enable SSL/TLS and Passive mode, it connects, but I am unable to list any directories.



For reference, here's my vsftpd.conf :



# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Passive Adrress Routing
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=myholychecksum.workisboring.com
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# Passive Connections Port Range
pasv_min_port=5000
pasv_max_port=5999
#
# Userlist Settings
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES


My folder permissions are set fine, as mentioned before, it works fine on plain FTP.



I've narrowed it down to what I think is an issue with the passive ports. Iv'e tried multiple different port ranges for the passive ports, the 40000/50000 range, and the currently set 5000 to 5999. They are forwarded correctly on my router, and they are properly set on UFW:



sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
3306 ALLOW Anywhere
3306/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
990/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
30000:40000/tcp ALLOW Anywhere
3000/tcp ALLOW Anywhere
5000:5999/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
990/tcp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
30000:40000/tcp (v6) ALLOW Anywhere (v6)
3000/tcp (v6) ALLOW Anywhere (v6)
5000:5999/tcp (v6) ALLOW Anywhere (v6)


One thing I have noticed is that when checking nmap, the ports are not being listed:



sudo nmap localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-06 14:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds


I fail to understand why.
Also follows the VSFTPD connection log.



Sat Apr  6 13:33:29 2019 [pid 5155] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:29 2019 [pid 5151] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,22,250)."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:33:49 2019 [pid 5162] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:49 2019 [pid 5161] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,21,115)."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:34:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:29 2019 [pid 5155] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."
Sat Apr 6 13:34:50 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:50 2019 [pid 5162] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."









share|improve this question









New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I'm configuring VSFTPD on Ubuntu 18.04 and have followed all the guidelines. It's working OK for plain FTP (insecure), however as soon as I enable SSL/TLS and Passive mode, it connects, but I am unable to list any directories.



For reference, here's my vsftpd.conf :



# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Passive Adrress Routing
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=myholychecksum.workisboring.com
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# Passive Connections Port Range
pasv_min_port=5000
pasv_max_port=5999
#
# Userlist Settings
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES


My folder permissions are set fine, as mentioned before, it works fine on plain FTP.



I've narrowed it down to what I think is an issue with the passive ports. Iv'e tried multiple different port ranges for the passive ports, the 40000/50000 range, and the currently set 5000 to 5999. They are forwarded correctly on my router, and they are properly set on UFW:



sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
3306 ALLOW Anywhere
3306/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
990/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
30000:40000/tcp ALLOW Anywhere
3000/tcp ALLOW Anywhere
5000:5999/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
990/tcp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
30000:40000/tcp (v6) ALLOW Anywhere (v6)
3000/tcp (v6) ALLOW Anywhere (v6)
5000:5999/tcp (v6) ALLOW Anywhere (v6)


One thing I have noticed is that when checking nmap, the ports are not being listed:



sudo nmap localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-06 14:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds


I fail to understand why.
Also follows the VSFTPD connection log.



Sat Apr  6 13:33:29 2019 [pid 5155] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:29 2019 [pid 5155] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:29 2019 [pid 5155] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:29 2019 [pid 5155] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:29 2019 [pid 5151] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,22,250)."
Sat Apr 6 13:33:29 2019 [pid 5159] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:33:49 2019 [pid 5162] CONNECT: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "220 (vsFTPd 3.0.3)"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "AUTH TLS"
Sat Apr 6 13:33:49 2019 [pid 5162] FTP response: Client "xx.xx.xxx.xxx", "234 Proceed with negotiation."
Sat Apr 6 13:33:49 2019 [pid 5162] FTP command: Client "xx.xx.xxx.xxx", "USER linkfish"
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "331 Please specify the password."
Sat Apr 6 13:33:49 2019 [pid 5162] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASS <password>"
Sat Apr 6 13:33:49 2019 [pid 5161] [linkfish] OK LOGIN: Client "xx.xx.xxx.xxx"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "230 Login successful."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "OPTS UTF8 ON"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Always in UTF8 mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PBSZ 0"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PBSZ set to 0."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PROT P"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 PROT now Private."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PWD"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "257 "/" is the current directory"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "TYPE I"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "200 Switching to Binary mode."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "PASV"
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "227 Entering Passive Mode (xx.xx.xxx.xxx,21,115)."
Sat Apr 6 13:33:49 2019 [pid 5163] [linkfish] FTP command: Client "xx.xx.xxx.xxx", "LIST"
Sat Apr 6 13:34:29 2019 [pid 5159] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:29 2019 [pid 5155] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."
Sat Apr 6 13:34:50 2019 [pid 5163] [linkfish] FTP response: Client "xx.xx.xxx.xxx", "425 Failed to establish connection."
Sat Apr 6 13:34:50 2019 [pid 5162] [linkfish] DEBUG: Client "xx.xx.xxx.xxx", "Control connection terminated without SSL shutdown."






directory ssl port-forwarding vsftpd port






share|improve this question









New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Rui F Ribeiro

42k1483142




42k1483142






New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









LinkfishLinkfish

1




1




New contributor




Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Linkfish is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • Your title and question mismatch: While you title claims that it does not work once PASV is enabled the body says it does not work once PASV and SSL is enabled. Also it is not clear if it even worked before enabling PASV and SSL, if it works with SSL but not passive, if it works with passive but not SSL etc. But this detail of information is actually necessary to narrow down the problem so please add the necessary details.

    – Steffen Ullrich
    yesterday











  • Also nothing is known about how the FTP server is integrated in your network. Only a small note suggests that you are running the FTP server behind a router (which probably does NAT). This kind of setup will usually not work anyway. It might work if the router has some FTP helper but this helper will stop working once SSL is enabled since the helper is unable to find out the ports for data connections since the control connection is encrypted. In summary: don't use FTP in the first place, it only causes lots of trouble.

    – Steffen Ullrich
    yesterday













  • Also, in the title you claim that "VSFTPD refuses to list directory". This is not true either: The log files clearly shows that the client fails to create the data connection to the FTP server within 40 seconds so the server is not refusing anything but the client simply cannot connect to the server to get the data.

    – Steffen Ullrich
    yesterday











  • Thanks for your help Steffen. Indeed it's behind a NAT. No idea that didn't work but I do now thanks to your answer. Could've saved myself 10 hours of messing around but that's the best way to learn :) I will stick with SFTP instead then.

    – Linkfish
    yesterday



















  • Your title and question mismatch: While you title claims that it does not work once PASV is enabled the body says it does not work once PASV and SSL is enabled. Also it is not clear if it even worked before enabling PASV and SSL, if it works with SSL but not passive, if it works with passive but not SSL etc. But this detail of information is actually necessary to narrow down the problem so please add the necessary details.

    – Steffen Ullrich
    yesterday











  • Also nothing is known about how the FTP server is integrated in your network. Only a small note suggests that you are running the FTP server behind a router (which probably does NAT). This kind of setup will usually not work anyway. It might work if the router has some FTP helper but this helper will stop working once SSL is enabled since the helper is unable to find out the ports for data connections since the control connection is encrypted. In summary: don't use FTP in the first place, it only causes lots of trouble.

    – Steffen Ullrich
    yesterday













  • Also, in the title you claim that "VSFTPD refuses to list directory". This is not true either: The log files clearly shows that the client fails to create the data connection to the FTP server within 40 seconds so the server is not refusing anything but the client simply cannot connect to the server to get the data.

    – Steffen Ullrich
    yesterday











  • Thanks for your help Steffen. Indeed it's behind a NAT. No idea that didn't work but I do now thanks to your answer. Could've saved myself 10 hours of messing around but that's the best way to learn :) I will stick with SFTP instead then.

    – Linkfish
    yesterday

















Your title and question mismatch: While you title claims that it does not work once PASV is enabled the body says it does not work once PASV and SSL is enabled. Also it is not clear if it even worked before enabling PASV and SSL, if it works with SSL but not passive, if it works with passive but not SSL etc. But this detail of information is actually necessary to narrow down the problem so please add the necessary details.

– Steffen Ullrich
yesterday





Your title and question mismatch: While you title claims that it does not work once PASV is enabled the body says it does not work once PASV and SSL is enabled. Also it is not clear if it even worked before enabling PASV and SSL, if it works with SSL but not passive, if it works with passive but not SSL etc. But this detail of information is actually necessary to narrow down the problem so please add the necessary details.

– Steffen Ullrich
yesterday













Also nothing is known about how the FTP server is integrated in your network. Only a small note suggests that you are running the FTP server behind a router (which probably does NAT). This kind of setup will usually not work anyway. It might work if the router has some FTP helper but this helper will stop working once SSL is enabled since the helper is unable to find out the ports for data connections since the control connection is encrypted. In summary: don't use FTP in the first place, it only causes lots of trouble.

– Steffen Ullrich
yesterday







Also nothing is known about how the FTP server is integrated in your network. Only a small note suggests that you are running the FTP server behind a router (which probably does NAT). This kind of setup will usually not work anyway. It might work if the router has some FTP helper but this helper will stop working once SSL is enabled since the helper is unable to find out the ports for data connections since the control connection is encrypted. In summary: don't use FTP in the first place, it only causes lots of trouble.

– Steffen Ullrich
yesterday















Also, in the title you claim that "VSFTPD refuses to list directory". This is not true either: The log files clearly shows that the client fails to create the data connection to the FTP server within 40 seconds so the server is not refusing anything but the client simply cannot connect to the server to get the data.

– Steffen Ullrich
yesterday





Also, in the title you claim that "VSFTPD refuses to list directory". This is not true either: The log files clearly shows that the client fails to create the data connection to the FTP server within 40 seconds so the server is not refusing anything but the client simply cannot connect to the server to get the data.

– Steffen Ullrich
yesterday













Thanks for your help Steffen. Indeed it's behind a NAT. No idea that didn't work but I do now thanks to your answer. Could've saved myself 10 hours of messing around but that's the best way to learn :) I will stick with SFTP instead then.

– Linkfish
yesterday





Thanks for your help Steffen. Indeed it's behind a NAT. No idea that didn't work but I do now thanks to your answer. Could've saved myself 10 hours of messing around but that's the best way to learn :) I will stick with SFTP instead then.

– Linkfish
yesterday










0






active

oldest

votes












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






Linkfish is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510910%2fvsftpd-refuses-to-list-directory-when-pasv-is-enabled%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes








Linkfish is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















Linkfish is a new contributor. Be nice, and check out our Code of Conduct.













Linkfish is a new contributor. Be nice, and check out our Code of Conduct.












Linkfish is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510910%2fvsftpd-refuses-to-list-directory-when-pasv-is-enabled%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Taj Mahal Inhaltsverzeichnis Aufbau | Geschichte | 350-Jahr-Feier | Heutige Bedeutung | Siehe auch |...

Baia Sprie Cuprins Etimologie | Istorie | Demografie | Politică și administrație | Arii naturale...

Nicolae Petrescu-Găină Cuprins Biografie | Opera | In memoriam | Varia | Controverse, incertitudini...