VSFTPD and Folding/BOINC on Ubuntu 9.10 Server

Tushon

Hi all, I'm trying my hand at Linux Server work (ubuntu for familiarity) and can't quite get a few things working. Here is my Ubuntu Forums post concerning VSFTPD:

Hi all. Just got my server box up and running with 9.10 to get some experience with server work so that once 10.04 LTS rolls around I'll be ready to rock it for a few years.

I'm having a problem getting VSFTPD working. Here is my config file

# Config file /etc/vsftpd.conf
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
#local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to Tushon's FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default.  These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

# Pasv is used to get dynamic IP info
pasv_enable=YES
pasv_addr_resolve=yes
pasv_address=tushon.gotdns.org
pasv_min_port=49000
pasv_max_port=49100

and the output from Filezilla while trying to connect on the LAN (output is identical when connecting from www.ftptest.net)

Status:    Connecting to 192.168.1.3:21...
Status:    Connection established, waiting for welcome message...
Response:    220 Welcome to Tushon's FTP service.
Command:    USER anonymous
Response:    331 Please specify the password.
Command:    PASS **************
Response:    230 Login successful.
Command:    OPTS UTF8 ON
Response:    200 Always in UTF8 mode.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/"
Command:    TYPE I
Response:    200 Switching to Binary mode.
Command:    PASV
Response:    500 OOPS: priv_sock_get_cmd
Command:    PORT 192,168,1,2,154,78
Error:    Connection closed by server
Error:    Failed to retrieve directory listing

Any assistance handling this error would be greatly appreciated.

I have anonymous enabled only temporarily for troubleshooting purposes. Eventually, I will be creating user accounts for the 20 or so users that I am giving the info to and will only want one directory for all of them to view and download from, with no upload. (Advice here is also requested but that may wait till another day).

The code I'm using to create a new user is

sudo useradd [I]ftpuser[/I] -d /home/rt/torrent/ -s /bin/false
sudo passwd [I]ftpuser[/I]

where /home/rt/torrent is the directory of files/folders I wish to be accessible (I do not want them to have /home directories of their own on my server for now) and ftpuser will be changed to each user's "name".

Please tell me if I'm not clear or if you need further information. I'm comfortable with just pointing me to other tutorials if my googling has failed.

---

End of that post. I would also like to get folding/BOINC running and have not looked into that much (https://help.ubuntu.com/community/FoldingAtHome is probably where I will start but it is a little dated). My primary concerns are getting FTP server running (a Filezilla Server -like experience would have been amazing), sharing for local clients, and any security issues I need to address known and handled. Any and all advice is appreciated. I'm proficient enough to be pointed at a tutorial if that is a better answer but as far as VSFTPD goes, nothing has been able to resolve my issue.

Thanks in advance for any help you can provide.

_k

We would push you towards folding since we have a well ranked and producing team, here is the current Stanford faq for installation. Linux install is very straight forward the only time I have had issues is when I forgot to load a pre-req.

If you have any more questions feel free to open a new thread in our folding section in the forums here.

ardichoke

Given that your error is cropping up immediately after the PASV command, I would posit that the problem is with your passive mode configuration. I'd make sure that tushon.gotdns.org is resolving to the right public address. You should also make sure that port 21 is allowed through any firewalls and is being forwarded to the correct box. You will want to forward the passive port range to the box and open those ports in the firewall as well (IIRC).

As for your other question, absolutely go with f@home. I've had nothing but trouble with BOINC on Ubuntu, F@H is a breeze. The fact that you can contribute to team Icrontic (93) is superb as well. I also have written an init script to automatically start F@H at boot on Debian based systems as well. Hit me up if you would like it.

Tushon

ardichoke wrote:

Given that your error is cropping up immediately after the PASV command, I would posit that the problem is with your passive mode configuration. I'd make sure that tushon.gotdns.org is resolving to the right public address. You should also make sure that port 21 is allowed through any firewalls and is being forwarded to the correct box. You will want to forward the passive port range to the box and open those ports in the firewall as well (IIRC).

That's what I thought as well, but I double-checked it by hard-coding the current external IP and got the same result (after a reboot and everything). PASV is "best practice", right? If there is another way, I'm game to try it but I just only had experience with PASV on windows. This will be very low usage (maybe 20 friends total but only 3 people have ever gotten more than a few music files), so if high usage is a normal reason to use PASV, ignore it.

Port Forwarding Rules to the server:
FTP - TCP Any -> 21
FTP Passive Transfers - TCP Any -> 20
TCP Any -> 49000-49100
SSH - TCP Any -> 22
BT - TCP Any -> 65000-65500

Still working on getting RTorrent configured also, but that is a whole 'nother animal. Especially if I want to get a web interface. Learning learning learning.

Thanks for the advice from both of you regarding F@H. I'll get that rocking later today.

ardichoke

I've done some more research on this. It seems there was a bug with the pasv_address option in VSFTPD pre 2.2.1, if you're running an earlier version it's not going to work. Additionally, running passive mode FTP through a NAT router/firewall is notoriously flaky unless it specifically tracks FTP connections. No home routers do that (that I'm aware of anyway), you're probably better off using active mode. Passive mode isn't really best practice, it's more secure from the client end because the client initiates all transfers but I doubt you really need to worry about that for your purposes.

Tushon

Okay. Thanks very much for the info. I'm running 2.2.0 because that was what the repos had. I wonder why it hasnt made its way down yet. Compiled 2.2.2 and need to troubleshoot it some but that should be within my own power. I don't know why I never thought to check version. I'll try just leaving PASV off and letting it work that way.

I got FAH working away and the info from the standard install got it loaded on reboots; contributing to team 93 as we speak.

*EDIT* I don't think its contributing to team 93 but I also don't even know how to check. It may not have taken my desired settings when I installed it. Working on it.