We’ve had a vsftpd server for a while and it’s performed very well for us. But it would appear that it’s not actively maintained. This may not be a problem as it still currently works just fine and we don’t have any obvious vulnerabilities with it, but as the OS it’s running on is Wheezy we need to move on at least up to Stretch. So I figured I’d try deploying a new server but configured with proftpd.
Having recently replaced the firewall we found one of the external sites used for FTP file transfers was failing periodically. Turns out this was a simple problem. We just weren’t allowing enough of a range for the FTP data ports needed. We’d allocated a range of 1,000 ports, but it looks like they use more.
So how did we find this out? I could have trawled the firewall logs, but it was just easier to see what the FTP log file was telling me.
The log file generated the error “425 Unable to open the data connection”. After looking at the previous passive mode response I decoded the port that it required.
ftp> 227 Entering Passive Mode (192,168,0,250,109,116)
It’s a simple calculation. The first four numbers are the remote server’s IP address and the last two specify the TCP data port required. In order to determine the port take the 5th number, multiply it by 256, then add the 6th number.
109 x 256 + 116 = 28020
So now I’ve extended the allowed port range to include 28000-28999 to make the connection.
Ideally it would be best to get the remote server administrator to tell you what range they require. But if you have to resort to guessing at least you know how to calculate their requirement.
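As an added example (not part of the original post), here is a small Python script that does the same decoding automatically: it pulls the six numbers out of a 227 passive-mode response, rebuilds the IP address and port, and flags any response whose data port falls outside the range the firewall allows. The log lines it scans are constructed for the example (the first is the one quoted above), and the two port ranges are assumed values for illustration, not the site’s real firewall rules.

```python
import re
from typing import NamedTuple

# A 227 reply looks like: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# search() rather than match() so a leading "ftp> " or timestamp is tolerated.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv(line: str) -> PasvEndpoint:
    """Decode a 227 passive-mode response into the server's host and data port."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"not a 227 passive-mode response: {line!r}")
    fields = [int(x) for x in m.groups()]
    # Each field is one octet; anything above 255 is a malformed reply.
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in: {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return PasvEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def port_to_fields(port: int) -> tuple[int, int]:
    """Reverse of the calculation: which (p1, p2) pair a server would send for a port."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return divmod(port, 256)


def port_allowed(port: int, allowed: tuple[int, int]) -> bool:
    """True if the data port lies inside the inclusive range the firewall permits."""
    lo, hi = allowed
    return lo <= port <= hi


def find_blocked(lines: list[str], allowed: tuple[int, int]) -> list[tuple[str, int]]:
    """Scan log lines and return (host, port) for each PASV reply the firewall would drop."""
    blocked = []
    for line in lines:
        try:
            ep = parse_pasv(line)
        except ValueError:
            continue  # not a 227 line (or malformed); nothing to check
        if not port_allowed(ep.port, allowed):
            blocked.append((ep.host, ep.port))
    return blocked


# Constructed sample log: the first line is the reply quoted in the post,
# the rest are made up to show one allowed and one blocked port.
SAMPLE_LOG = [
    "ftp> 227 Entering Passive Mode (192,168,0,250,109,116)",   # port 28020
    "150 Opening BINARY mode data connection",
    "ftp> 227 Entering Passive Mode (192,168,0,250,39,16)",     # port 10000
    "425 Unable to open the data connection",
]

# Assumed firewall ranges for illustration only.
OLD_RANGE = (27000, 27999)   # hypothetical 1,000-port range that was too small
NEW_RANGE = (28000, 28999)   # the range the post extends the rule to include


if __name__ == "__main__":
    for rng in (OLD_RANGE, NEW_RANGE):
        print(f"range {rng}: blocked -> {find_blocked(SAMPLE_LOG, rng)}")
```

Run it against a real client log and the blocked list tells you which ports to add before guessing at a range; `port_to_fields` is handy in the other direction, when a firewall rule is expressed as a port range but the log only shows the raw (p1,p2) pairs.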
PAM and LDAP
Getting this going is a challenge. It needs some tweaks with PAM to get the authentication going. In order to get it to work we needed libpam-ldapd NOT to be confused with libpam-ldap.
libpam-ldapd brings with it changes to nsswitch.conf so that certain PAM-capable services are able to use LDAP. The ones we need are passwd, group and shadow.