LINUX.ORG.RU
solved · Forum: Admin

Explicit SSL/TLS for vsftpd


Hello, dear experts! As a newbie, I'm really asking for help. I'm trying to set up an encrypted connection for my FTP. I made a certificate, WinSCP lets me in, but after a few moments it loses the connection. I manage to open one file, go through a couple of folders, and then the connection drops:

Превышено время ожидания (соединение потока передачи данных)
Не могу получить содержимое каталога

and sometimes it doesn't let me in at all, it just hangs here for a long time until the timeout expires:

[screenshot on imgur]

When I disable ufw and log in over plain FTP, everything works as it should. Everything happens locally. I'm running Debian 10 in VM box on Win10 and trying to connect from Win10 to Debian via WinSCP.

Here is the firewall:

Status: active

To                         Action      From
--                         ------      ----
21/tcp                     ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
60000:65535/tcp            ALLOW       Anywhere                  
Samba                      ALLOW       Anywhere                  
OpenSSH                    ALLOW       Anywhere                  
20/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
3306/tcp                   ALLOW       Anywhere                  
990/tcp                    ALLOW       Anywhere                  
989/tcp                    ALLOW       Anywhere                  
40000:50000/tcp            ALLOW       Anywhere                  
10000:30000/tcp            ALLOW       Anywhere                  
50000:60000/tcp            ALLOW       Anywhere                  
10000:11000/tcp            ALLOW       Anywhere                  
21/tcp (v6)                ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
60000:65535/tcp (v6)       ALLOW       Anywhere (v6)             
Samba (v6)                 ALLOW       Anywhere (v6)             
OpenSSH (v6)               ALLOW       Anywhere (v6)             
20/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
3306/tcp (v6)              ALLOW       Anywhere (v6)             
990/tcp (v6)               ALLOW       Anywhere (v6)             
989/tcp (v6)               ALLOW       Anywhere (v6)           

And here is the vsftpd config:

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
listen_port=990
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
force_dot_files=YES
user_config_dir=/etc/vsftpd_user_conf

If you crank debugging up to maximum, what's in the logs?

Clear the firewall, manually close FTP ports 21 and 20, and try again.

If you're connecting from behind NAT, there can be problems with FTPS, because the firewall's conntrack helper may not be able to handle it.

Pinkbyte ★★★★★ ()
Reply to: comment by Pinkbyte

Here is the ufw log:

Jun 16 13:14:32 debiantryout kernel: [ 9676.942485] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:32:d9:ee:8c:89:a5:80:4e:7f:08:00 SRC=192.168.1.65 DST=192.168.1.72 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30083 DF PROTO=TCP SPT=57034 DPT=8636 WINDOW=65320 RES=0x00 SYN URGP=0

Jun 16 13:14:33 debiantryout kernel: [ 9677.944099] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:32:d9:ee:8c:89:a5:80:4e:7f:08:00 SRC=192.168.1.65 DST=192.168.1.72 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30085 DF PROTO=TCP SPT=57034 DPT=8636 WINDOW=65320 RES=0x00 SYN URGP=0

Jun 16 13:14:35 debiantryout kernel: [ 9679.944352] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:32:d9:ee:8c:89:a5:80:4e:7f:08:00 SRC=192.168.1.65 DST=192.168.1.72 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30086 DF PROTO=TCP SPT=57034 DPT=8636 WINDOW=65320 RES=0x00 SYN URGP=0

Jun 16 13:14:39 debiantryout kernel: [ 9683.944494] [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:32:d9:ee:8c:89:a5:80:4e:7f:08:00 SRC=192.168.1.65 DST=192.168.1.72 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30087 DF PROTO=TCP SPT=57034 DPT=8636 WINDOW=65320 RES=0x00 SYN URGP=0

And here is the vsftpd one:

Tue Jun 16 13:18:08 2020 [pid 2463] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: NONE"

Tue Jun 16 13:18:08 2020 [pid 2463] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: SSL_SENT_SHUTDOWN"

Tue Jun 16 13:18:08 2020 [pid 2463] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: 3"

Tue Jun 16 13:18:09 2020 [pid 2463] [alex] DEBUG: Client "192.168.1.65", "Control connection terminated without SSL shutdown."

By closing the ports manually, do you mean in iptables?

I know nothing about the conntrack helper, I'll look into it.

magrega ()
Reply to: comment by Pinkbyte

Here's what is in the logs:

Wed Jun 17 22:28:03 2020 [pid 1504] CONNECT: Client "192.168.1.65"
Wed Jun 17 22:28:03 2020 [pid 1504] DEBUG: Client "192.168.1.65", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, not reused, no cert"
Wed Jun 17 22:28:03 2020 [pid 1504] FTP response: Client "192.168.1.65", "220 (vsFTPd 3.0.3)"
Wed Jun 17 22:28:03 2020 [pid 1504] FTP command: Client "192.168.1.65", "USER alex"
Wed Jun 17 22:28:03 2020 [pid 1504] [alex] FTP response: Client "192.168.1.65", "331 Please specify the password."
Wed Jun 17 22:28:03 2020 [pid 1504] [alex] FTP command: Client "192.168.1.65", "PASS <password>"
Wed Jun 17 22:28:03 2020 [pid 1503] [alex] OK LOGIN: Client "192.168.1.65"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "230 Login successful."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "SYST"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "215 UNIX Type: L8"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "FEAT"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "211-Features:"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " AUTH TLS??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " EPRT??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " EPSV??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " MDTM??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " PASV??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " PBSZ??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " PROT??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " REST STREAM??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " SIZE??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", " TVFS??"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "211 End"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PBSZ 0"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 PBSZ set to 0."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PROT P"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 PROT now Private."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PWD"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "257 "/" is the current directory"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "CWD /alex/STUFFMAGREGA"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "250 Directory successfully changed."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PWD"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "257 "/alex/STUFFMAGREGA" is the current directory"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "TYPE A"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 Switching to ASCII mode."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PASV"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "227 Entering Passive Mode (192,168,1,72,44,131)."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "LIST -a"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "150 Here comes the directory listing."
Wed Jun 17 22:28:03 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, reused, no cert"
Wed Jun 17 22:28:03 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: NONE"
Wed Jun 17 22:28:03 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Jun 17 22:28:03 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: 3"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "226 Directory send OK."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PWD"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "257 "/alex/STUFFMAGREGA" is the current directory"
magrega ()
Reply to: comment by magrega

Sorry for the big log

Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "CWD /alex/STUFFMAGREGA/.ICEauthority"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "550 Failed to change directory."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "TYPE I"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 Switching to Binary mode."
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "SIZE /alex/STUFFMAGREGA/.ICEauthority"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "213 1022"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "MDTM /alex/STUFFMAGREGA/.ICEauthority"
Wed Jun 17 22:28:03 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "213 20200612131926"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "CWD Videos"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "250 Directory successfully changed."
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PWD"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "257 "/alex/STUFFMAGREGA/Videos" is the current directory"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "TYPE A"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 Switching to ASCII mode."
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PASV"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "227 Entering Passive Mode (192,168,1,72,250,178)."
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "LIST -a"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "150 Here comes the directory listing."
Wed Jun 17 22:28:06 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, reused, no cert"
Wed Jun 17 22:28:06 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: NONE"
Wed Jun 17 22:28:06 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Jun 17 22:28:06 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: 3"
Wed Jun 17 22:28:06 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "226 Directory send OK."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "CWD /alex/STUFFMAGREGA"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "250 Directory successfully changed."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PWD"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "257 "/alex/STUFFMAGREGA" is the current directory"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "TYPE A"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 Switching to ASCII mode."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PASV"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "227 Entering Passive Mode (192,168,1,72,88,183)."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "LIST -a"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "150 Here comes the directory listing."
Wed Jun 17 22:28:10 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, reused, no cert"
Wed Jun 17 22:28:10 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: NONE"
Wed Jun 17 22:28:10 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Jun 17 22:28:10 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "SSL shutdown state is: 3"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "226 Directory send OK."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "TYPE A"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "200 Switching to ASCII mode."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "PASV"
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "227 Entering Passive Mode (192,168,1,72,122,137)."
Wed Jun 17 22:28:10 2020 [pid 1505] [alex] FTP command: Client "192.168.1.65", "RETR phpmyadmin.conf"
Wed Jun 17 22:29:10 2020 [pid 1505] [alex] FTP response: Client "192.168.1.65", "425 Failed to establish connection."
Wed Jun 17 22:29:10 2020 [pid 1505] [alex] FAIL DOWNLOAD: Client "192.168.1.65", "/alex/STUFFMAGREGA/phpmyadmin.conf", 0.00Kbyte/sec
Wed Jun 17 22:29:10 2020 [pid 1504] [alex] DEBUG: Client "192.168.1.65", "Control connection terminated without SSL shutdown."
magrega ()
Reply to: comment by Pinkbyte

Solved the problem. I specified in the vsftpd config the working port range (pasv_min\max_port) matching the ports allowed in ufw.

magrega ()
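As an added illustration of the fix in the last post (my own script, not code from the thread), this decodes the 227 PASV replies vsftpd logged above into data ports (p1*256 + p2), checks each against the TCP ALLOW ranges of the poster's ufw status, and emits the pasv_min_port/pasv_max_port lines that pin the range; the sample replies and rules are copied from this thread.

```python
import re
# Constructed sample input, copied from this thread: the four 227 replies vsftpd
# logged, and the TCP ALLOW lines of the poster's `ufw status` (IPv4 rules only).
PASV_REPLIES = [
    "227 Entering Passive Mode (192,168,1,72,44,131).",
    "227 Entering Passive Mode (192,168,1,72,250,178).",
    "227 Entering Passive Mode (192,168,1,72,88,183).",
    "227 Entering Passive Mode (192,168,1,72,122,137).",
]
UFW_STATUS = """\
21/tcp                     ALLOW       Anywhere
60000:65535/tcp            ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
10000:30000/tcp            ALLOW       Anywhere
50000:60000/tcp            ALLOW       Anywhere
"""
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RULE_RE = re.compile(r"^(\d+)(?::(\d+))?/tcp(?: \(v6\))?\s+ALLOW\s", re.M)

def pasv_endpoint(reply):
    """Decode a 227 reply: h1-h4 are the server address, p1*256+p2 the data port."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: " + reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def allowed_tcp_ranges(ufw_status):
    """Collect (low, high) port ranges from the TCP ALLOW lines of `ufw status`."""
    return [(int(lo), int(hi or lo)) for lo, hi in RULE_RE.findall(ufw_status)]

def audit(replies, ufw_status):
    """For each PASV reply, return (data port, admitted by ufw?). FTPS encrypts the
    control channel, so the kernel's FTP conntrack helper cannot read these replies
    and open the port on the fly; only the static ALLOW rules count."""
    ranges = allowed_tcp_ranges(ufw_status)
    ports = [pasv_endpoint(r)[1] for r in replies]
    return [(p, any(lo <= p <= hi for lo, hi in ranges)) for p in ports]

def vsftpd_pasv_lines(lo, hi):
    """vsftpd.conf lines pinning passive data ports to one range; allow the same
    range in ufw (`ufw allow <lo>:<hi>/tcp`) so the two cannot drift apart."""
    return ["pasv_enable=YES", f"pasv_min_port={lo}", f"pasv_max_port={hi}"]

if __name__ == "__main__":
    print(audit(PASV_REPLIES, UFW_STATUS))
    print("\n".join(vsftpd_pasv_lines(40000, 50000)))
```

The fourth reply resolves to port 31369, which falls in the gap between the 10000:30000 and 40000:50000 rules, and that is exactly the RETR that ended with "425 Failed to establish connection." in the log above.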