Error “530: permission denied” when user logs in to vsftpd server via ftp
The vsftpd server is newly installed and running, but certain users cannot log in and get the error shown below.
# service vsftpd status
vsftpd (pid 5806) is running.

# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:oracle): user
530 Permission denied.
Login failed.
The Solution
The cause is that if the parameter userlist_enable in /etc/vsftpd/vsftpd.conf is YES and the parameter userlist_deny is left at its default value of YES, then any username listed in /etc/vsftpd/user_list gets a ‘530 Permission denied’ error and is not even prompted for a password.
When userlist_enable is on, vsftpd loads the usernames from the file named by the userlist_file parameter (/etc/vsftpd/user_list here). If a user tries to log in with a name in this file, the login is refused before a password is requested, which helps prevent a cleartext password from being transmitted.
userlist_deny is only examined when userlist_enable is on. If it is set to NO, the meaning of the list is inverted: only users listed in the userlist_file are allowed to log in, and everyone else is refused before the password prompt.
Note: the error also disappears if userlist_enable=NO is set in /etc/vsftpd/vsftpd.conf, but for security reasons userlist_enable should stay YES so that the list remains in effect.
So the issue can be resolved by setting userlist_deny to NO while userlist_enable stays YES. Then put the allowed usernames in /etc/vsftpd/user_list and the disallowed usernames in /etc/vsftpd/ftpusers.
You can see the explanation in the vsftpd.conf manual page.
$ man vsftpd.conf

userlist_deny
    This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

userlist_enable
    If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.
    Default: NO
You can also see these comments in file /etc/vsftpd/user_list .
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
Allowing a VSFTP Server local user to login
1. Edit /etc/vsftpd/vsftpd.conf and set userlist_enable to YES and userlist_deny to NO.
# vi /etc/vsftpd/vsftpd.conf
userlist_enable=YES
userlist_deny=NO
2. Modify /etc/vsftpd/user_list and put the user that is allowed to log in (user01) in this file.
# cat /etc/vsftpd/user_list
user01
3. Put all users not allowed to ftp in /etc/vsftpd/ftpusers.
# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
5. Try ftp again as user01.
$ ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
6. Also try logging in with a disallowed user, for example root.
# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): root
530 Permission denied.
Login failed.
ftp>
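The following script models the userlist_enable / userlist_deny logic explained in The Solution and exercised in the steps above, so an administrator can predict from the three files whether a given name is refused before the password prompt. It is an added example, not code from the original page or from vsftpd; the file contents are constructed samples, login_decision is a hypothetical helper, and the PAM ftpusers check is modelled as happening after the password is sent.

```python
CONF = """\
listen=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
"""
# Constructed sample contents of the two list files discussed above.
USER_LIST = "# vsftpd userlist\nuser01\n"
FTPUSERS = "# Users that are not allowed to login via ftp\nroot\nbin\nnobody\n"

def parse_conf(text):
    """Return vsftpd.conf key=value pairs, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def parse_names(text):
    """Usernames from user_list or ftpusers, ignoring '#' comment lines."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def login_decision(conf_text, user_list_text, ftpusers_text, username):
    """Predict vsftpd's verdict for a USER name (hypothetical helper, not vsftpd code).
    Returns 'deny-before-password', 'deny-by-pam' or 'prompt-for-password'."""
    conf = parse_conf(conf_text)
    # Defaults as given in the vsftpd.conf man page: userlist_enable=NO, userlist_deny=YES.
    userlist_enable = conf.get("userlist_enable", "NO").upper() == "YES"
    userlist_deny = conf.get("userlist_deny", "YES").upper() == "YES"
    listed = username in parse_names(user_list_text)
    if userlist_enable and listed == userlist_deny:
        # Deny list with the name on it, or allow list without it: 530 before any password.
        return "deny-before-password"
    # The default PAM stack consults ftpusers, but only after the password has been sent.
    if username in parse_names(ftpusers_text):
        return "deny-by-pam"
    return "prompt-for-password"

if __name__ == "__main__":
    for name in ("user01", "root", "alice"):
        print(f"{name:8s} -> {login_decision(CONF, USER_LIST, FTPUSERS, name)}")
```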
Ubuntu 19.10 — ftp: setsockopt (ignored): Permission denied (connecting to FTP server in active mode)
I’m currently running Ubuntu 19.10 as my primary operating system. I need to connect to an FTP server where the connection needs to be in active mode. I have tried this with Filezilla by enabling active ftp and also via the command line. I can connect to the FTP server, however, when running it in debug mode by passing the -d flag to the ftp command, I am met with errors when attempting to list files. Here is a screenshot of my terminal window:

Probably worth mentioning I can successfully run pwd and I can change directories with cd given I already know the name of two directories.

The first error I see is this:

ftp: setsockopt: Bad file descriptor

followed by:

ftp: setsockopt (ignored): Permission denied
500 Illegal PORT command
ftp: bind: Address already in use

From doing a lot of googling I saw a variety of suggestions such as enabling passive mode, and checking my firewall. However, when enabling passive mode I am met with the following problem:

Likewise, I’ve verified that UFW is inactive from running:

sudo ufw status

I’ve also checked that there is nothing blocked in iptables. I can connect to a regular FTP server in passive mode without issue. This is the first time I’ve been required to use active mode when connecting.

The question I therefore have is in two parts:

1. Is this likely to be an issue with my end (the client) or the FTP server?
2. If it is an issue on my end, what can I try to fix it?

Any help will be much appreciated!
Have you viewed this or any page such as this: linux.die.net/man/2/setsockopt setsockopt(2) — Linux man page «For setsockopt(), the argument should be nonzero to enable a boolean option, or zero if the option is to be disabled.»
The FTP protocol, written before today’s concept of a firewall existed, is quite complex: while the client connects to the server for commands, for data transfers (including the output of the LIST command, but not the output of the PWD command, which is returned directly on the command connection) in so-called active mode it is the server which initiates the connection (usually from port 20, to a random port chosen by the client).
All this makes it difficult for «dumb» firewalls to let FTP work with the PORT command. The PASV command instead makes the client initiate connections to the server twice: one for commands and one for every data transfer. But the difficulty is now reversed: it is the server’s firewall side which must cope with the random port chosen by the server when transmitting the PASV command’s answer containing the IP and port.
- you stated that you can’t use passive mode: that usually means the FTP’s server side is behind a restrictive (local or on the network path) firewall which has no configuration to allow the FTP server to open temporary random listening ports corresponding to the output of the PASV command.
- for active mode:
I noticed that the PORT command’s address you’re using is in the 100.64.0.0/10 network which is in RFC 6598:
This document requests the allocation of an IPv4 /10 address block to be used as Shared Address Space to accommodate the needs of Carrier-Grade NAT (CGN) devices.
o routing information about Shared Address Space networks MUST NOT be propagated across Service Provider boundaries. Service Providers MUST filter incoming advertisements regarding Shared Address Space.
o packets with Shared Address Space source or destination addresses MUST NOT be forwarded across Service Provider boundaries. Service Providers MUST filter such packets on ingress links.
That’s the probable reason the server returns 500 Illegal PORT command. Since the client is behind CGN, it’s not possible (without some difficulty involving total control of both sides attempting such a connection) for the client to be reachable from outside. Probably no provision is made anywhere (by the equipment doing NAT) to translate and handle an incoming connection for this FTP PORT command, and it’s rejected by the server since it’s a non-routable address (but more directly because the FTP server will accept only the same address used in the command connection, to avoid so-called FXP transfers, and your address is not the one the FTP server sees).
- the FTP server you connect to can’t use passive mode
- your ISP can’t let you use active mode
There’s no solution without investing in something else:
- if you have leverage with the right people to have the FTP server accept passive mode, try it.
- change ISP
Get an ISP that does not give you Carrier-Grade NAT addresses. Then any random home router (probably including the one provided by the ISP) will correctly handle the translation of the PORT command in active FTP.
This shouldn’t be a simple commercial VPN to anonymize the clients using it. It should be a full VPN over which you have full control to allow incoming traffic and correct handling of the FTP protocol. It could be a limited one allowing you to port-forward some ports, which then also requires configuration on the client side to match the same address and ports, or it could be for example a Linux VPS where you can load kernel modules like nf_conntrack_ftp / nf_nat_ftp and use iptables or nftables to automatically translate the PORT command from your client (as long as no encryption is used in FTP).
Have it available over HTTP, HTTPS, or SFTP (that one runs over SSH and is not related to FTP).
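The two server-side rules the answer describes, rejecting a PORT address that differs from the control-connection peer (the anti-FXP check) and one that falls in the RFC 6598 shared address space, can be written down as a small validator. This is an added example, not code from the original post or from any FTP server; port_problem and ftp_reply are hypothetical helpers, the privileged-port rule is an extra check common in strict servers, and all addresses are constructed.

```python
import ipaddress
import re

SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 CGN range
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")

def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port); ValueError if malformed."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("malformed")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("malformed")
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return addr, fields[4] * 256 + fields[5]

def port_problem(command, control_peer):
    """Return None if the PORT command is acceptable, else the reason it is refused.
    control_peer is the client address seen on the control connection (hypothetical helper)."""
    try:
        addr, port = parse_port(command)
    except ValueError:
        return "malformed"
    # Anti-FXP rule from the answer: the data address must equal the control peer.
    if addr != ipaddress.IPv4Address(control_peer):
        return "address differs from control connection"
    # RFC 6598 addresses are not forwarded across the ISP boundary, so a data
    # connection back to them cannot succeed from outside the carrier's network.
    if addr in SHARED_ADDRESS_SPACE:
        return "shared address space (RFC 6598)"
    # Refuse privileged ports so the server cannot be steered at well-known services.
    if port < 1024:
        return "privileged data port"
    return None

def ftp_reply(command, control_peer):
    """Build the reply line a strict server would send for this PORT command."""
    problem = port_problem(command, control_peer)
    if problem:
        return "500 Illegal PORT command."
    addr, port = parse_port(command)
    return f"200 PORT command successful ({addr}:{port})."

if __name__ == "__main__":
    # Constructed: a CGN client whose public side is 203.0.113.7 sends its private address.
    print(ftp_reply("PORT 100,64,1,2,195,80", "203.0.113.7"))
    print(ftp_reply("PORT 203,0,113,7,195,80", "203.0.113.7"))
```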
550 error vsftpd
550 permission denied vsftpd
I’m bringing up an FTP server on Debian 9. When I try to create a directory/file, an error pops up. I need to give a single user (ftpuser) full access to the share. What am I doing wrong?
Thanks.
A common mistake; first make sure the line write_enable=YES is present in the server config. If nothing changes after that, check the permissions of the folder on the server: the ftp user must have write access to it. To set the rights on the folder, use the command: sudo chown -R ftpuser:ftpuser /path/to/folder
I made ftpuser the owner of the folder and gave it full rights. write_enable=YES is set (see screenshots). It still doesn’t work.
In the end it works. I just used userlist and removed everything about guest entirely.
Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA. rev 2023.7.14.43532
Permission denied in FTP even though I’m the owner
Okay, so I’ve tried my best at finding the answer to this by searching and looking through possible duplicates, but I just can’t, so forgive me if it’s out there somewhere anyway. My issue is as follows. I’ve set the owner of /var/www to myuser:www-data and the permissions of the folder and all its content (currently just the basic index.html) to 750, and Apache seems to run it as supposed, but I can’t access it when I FTP into the server as the myuser user. I mean, I can access it, but as soon as I try to edit, delete or add something I just get 500 Permission denied, and if I try to edit the permissions I get 500 Unknown SITE command.

Help! What do I do wrong? The idea of setting the user and group, and then the permissions as above, was from a good friend of mine who is sort of an expert, but I feel like I’m bothering him when I ask so many questions, so if you can help me some more, that would be great! I’m trying to put a backup with 4 vhosts back into the www folder, but what I put there shouldn’t be of any concern, right? That’s just the config of the vhosting later that has got anything to do with that, right? Thanks in advance!

Added info: I ran this:

myuser@myserver:/$ groups myuser

And got this:

myuser : myuser adm cdrom sudo dip plugdev lpadmin sambashare

Then I ran this:

myuser@myserver:/$ groups www-data

And got this:

www-data : www-data

And then this:

myuser@myserver:/var/www$ ls -l

And got this:

total 4
-rwxr-x--- 1 tjita1 www-data 177 Jan 25 17:45 index.html

Regarding the ftp server, I didn’t do anything in particular, I just installed vsftpd. Oh yeah, I also added a line in I think /etc/vsftpd.conf or something like that, that reads something like this: chmod_enable=YES. Also, I can’t get those 4-space indents to work, sorry about that..
I don’t know whether this is right, but messing with the permissions of such a directory is not a good way. Anyhow, may I ask for the output of groups myuser (as in, replace it with the username of the user) please? And also ls -l of the www dir.