  #1  
Old 4th March 2006, 08:13 PM
jcliburn Offline
Registered User
 
Join Date: Nov 2004
Location: Mississippi, USA
Posts: 1,180
Common vsftp problems and likely solutions

Below are indications and likely solutions for commonly reported vsftp errors. A search of the forums using "vsftp" as the keyword returns over 150 posts, most of them reporting a problem of one type or another. After answering some of these myself, I thought I'd string together a list of the more frequently reported issues and their solutions in a single howto.

If you'd like to see additions, post them here and I'll add them to this howto.

ERROR:
- ftp: connect: Connection refused

REMEDY:
Most likely, the vsftpd daemon isn't running. Check /etc/vsftpd/vsftpd.conf, and if it contains "listen=YES" (without a "#" preceding it) it's configured to run in standalone mode. Start vsftpd thusly.
Code:
# service vsftpd start
# chkconfig vsftpd on
If you're not running vsftpd standalone, you must be running it under xinetd. Check to see that the file /etc/xinetd.d/vsftpd contains "disable = no", then restart xinetd thusly.
Code:
# service xinetd restart
# chkconfig xinetd on
To check to see if vsftpd is running and listening for connections, execute the following command and look for something similar to one of these expected outputs. The important part is the ":21", which is the ftp port number.
Code:
# netstat --proto=inet,inet6 -pnl | grep ":21"
tcp   0  0 :::21        :::*        LISTEN      2556/xinetd
   --- OR ---
tcp   0  0 0.0.0.0:21   0.0.0.0:*   LISTEN      2585/xinetd
   --- OR ---
tcp   0  0 :::21        :::*        LISTEN      3802/vsftpd
   --- OR ---
tcp   0  0 0.0.0.0:21   0.0.0.0:*   LISTEN      5993/vsftpd
-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- 421 Service not available
- 421 Service not available, remote server has closed connection

REMEDY:
Check /etc/vsftpd/vsftpd.conf to see if "tcp_wrappers=YES" (without a "#" preceding it) is present. If so, add the following line to the /etc/hosts.allow file. (You can restrict connections to various hosts/domains by using other options besides "ALL". See the hosts.allow manpage for details.)
Code:
vsftpd : ALL
-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- long delay on command after ftp login
- ftp: connection timed out
- ftp: connect: No route to host
- Security: Bad IP connecting.
- 606 no socket

REMEDY:
Many people report problems with ftp sessions hanging or throwing errors after the ftp login session is successful. Frequently this is because the ftp-data port is blocked by a firewall or not forwarded by a router. This section describes the configuration of vsftpd to enable passive mode data transfers, along with the accompanying changes to iptables and your router to allow ftp-data connections to pass.

Ftp sessions consist of two channels: a command channel and a data channel, and they each use a different port. While the command channel is (usually) fixed at server port 21, the data channel employs varying ephemeral ports, and this can be problematic in the presence of a firewall since you don't know from session to session which port the ftp server will use for the data transfer. To get around this, you need to constrain the range of ports used by the server for ftp-data connections, and you need to modify your firewall and, if necessary, your router to enable traffic on that port range.

First, make sure that passive mode is enabled; vsftpd enables it by default, but it doesn't hurt to set it explicitly. Let's also restrict the data channel to ports 11000 through 11010. Depending upon the number of concurrent sessions you anticipate on your server, you can increase or decrease the port range by modifying the min and max values. You can also use any port range; I chose 11000 through 11010 at random. Just make sure the min port is greater than 1024. Add these lines to /etc/vsftpd/vsftpd.conf.
Code:
pasv_enable=YES
pasv_min_port=11000
pasv_max_port=11010
Restart vsftpd (or xinetd if you're running vsftpd under xinetd) to make the changes take effect.
Code:
service vsftpd restart
Now modify the server's firewall to unblock the ftp-data port range by adding the following rule to /etc/sysconfig/iptables before the line that contains "icmp-host-prohibited". (This assumes you haven't radically modified /etc/sysconfig/iptables. If you have, you know enough about iptables already to know where to insert this rule.)

NOTE: Newer versions of Fedora (starting with at least F11) use a different iptables input chain name called "INPUT" rather than "RH-Firewall-1-INPUT". Look at the other rules in your existing /etc/sysconfig/iptables file to see which name your version uses and modify the rule below accordingly. (Just delete the "RH-Firewall-1-" portion of the rule string if your input string is named "INPUT".)

Code:
-A RH-Firewall-1-INPUT -p tcp --dport 11000:11010 -j ACCEPT
Restart the firewall.
Code:
service iptables restart
If you have a router, you need to configure it to forward ports 11000 through 11010 if you want external users to be able to transfer data to and from your server. The instructions to do this vary according to your router, but often it can be done through a web interface to the router itself.

-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- 550 Failed to change directory.

REMEDY:
This happens most likely because you've established a chroot jail for users, and the user is trying to access a directory outside the jail.

-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- 500 OOPS: cannot change directory:/foo
- 500 OOPS: Connection closed by remote host.
- 500 OOPS: failed to open xferlog log file:/var/log/xferlog
- 553 could not create file error

REMEDY:
This happens because SELinux isn't properly configured for your ftp service. Either disable SELinux or configure it for ftp.

To disable SELinux, edit /etc/selinux/config and set "SELINUX=disabled", then reboot.

The easiest way to configure SELinux to work with ftp is to follow the instructions here (thanks to Stanton Finley). http://stanton-finley.net/fedora_cor...notes.html#FTP . This will require console (or xdmcp or vnc) access to the server.

As an alternative, although I haven't tested it, you might try
Code:
# setsebool -P ftpd_disable_trans 1
# service vsftpd restart

Last edited by jcliburn; 7th September 2009 at 05:10 PM.
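
Added example, not part of jcliburn's post: a shell helper for the passive-mode step above that reads pasv_min_port/pasv_max_port from vsftpd.conf and the input chain name from the iptables file, then prints the matching ACCEPT rule and reports whether it already sits before the icmp-host-prohibited line. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the passive-mode ACCEPT rule from the two files the
# howto edits, so port range and chain name cannot drift apart.

# conf_value FILE KEY: value of the last uncommented KEY=value line.
conf_value() {
    sed -n "s/^$2=\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# input_chain FILE: chain of the first rule rejecting with icmp-host-prohibited
# ("RH-Firewall-1-INPUT" on older Fedora, "INPUT" on newer releases).
input_chain() {
    awk '$1 == "-A" && /icmp-host-prohibited/ { print $2; exit }' "$1"
}

# pasv_rule VSFTPD_CONF IPTABLES_FILE: print the rule for the passive range.
# Status: 0 = rule missing (add it), 1 = config problem, 2 = already in place.
pasv_rule() {
    min=$(conf_value "$1" pasv_min_port)
    max=$(conf_value "$1" pasv_max_port)
    chain=$(input_chain "$2")
    for v in "$min" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "passive port range not set in $1" >&2; return 1 ;;
        esac
    done
    [ "$min" -gt 1024 ] && [ "$max" -ge "$min" ] ||
        { echo "need 1024 < pasv_min_port <= pasv_max_port" >&2; return 1; }
    [ -n "$chain" ] ||
        { echo "no icmp-host-prohibited rule found in $2" >&2; return 1; }
    echo "-A $chain -p tcp --dport $min:$max -j ACCEPT"
    # The rule only helps if it sits before the catch-all REJECT line.
    if awk -v c="$chain" -v p="--dport $min:$max " '
            /icmp-host-prohibited/ { exit }
            $2 == c && index($0 " ", p) && /-j ACCEPT/ { found = 1 }
            END { exit !found }' "$2"; then
        return 2
    fi
    return 0
}

# Stand-alone use: sh pasv_rule.sh /etc/vsftpd/vsftpd.conf /etc/sysconfig/iptables
if [ "$#" -eq 2 ]; then pasv_rule "$1" "$2"; fi
```
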
  #2  
Old 18th January 2008, 05:56 PM
fleece Offline
Registered User
 
Join Date: Apr 2005
Location: Atlanta, Georgia USA
Posts: 8
Great post. Thanks. Disabling SELinux fixed my 553 errors on anon uploads.
  #3  
Old 11th June 2008, 09:36 AM
kimenemark Offline
Registered User
 
Join Date: Jun 2008
Posts: 1
Quote:
Great post. Thanks.
Couldn't agree more

Quote:
The easiest way to configure SELinux to work with ftp is to follow the instructions here (thanks to Stanton Finley). http://stanton-finley.net/fedora_co..._notes.html#FTP . This will require console (or xdmcp or vnc) access to the server.
The link is broken but found it here:
http://fedoranews.org/mediawiki/inde...allation_Notes
  #4  
Old 29th August 2008, 07:28 PM
AndyS Offline
Registered User
 
Join Date: Aug 2008
Posts: 11
Great post. Thanks, jcliburn! I joined the forum just to say that! :-)
  #5  
Old 29th August 2008, 07:38 PM
jcliburn Offline
Registered User
 
Join Date: Nov 2004
Location: Mississippi, USA
Posts: 1,180
You're welcome. Glad it helped.
  #6  
Old 3rd November 2008, 10:51 AM
SteveHillier Offline
Registered User
 
Join Date: Oct 2008
Location: England
Posts: 7

Quote:
Originally Posted by jcliburn View Post
ERROR:
- 500 OOPS: cannot change directory:/foo
- 500 OOPS: Connection closed by remote host.
- 500 OOPS: failed to open xferlog log file:/var/log/xferlog
- 553 could not create file error

REMEDY:
This happens because SELinux isn't properly configured for your ftp service. Either disable SELinux or configure it for ftp.

To disable SELinux, edit /etc/selinux/config and set "SELINUX=disabled", then reboot.
My unbounded thanks to jcliburn for this post. Days of trying to configure FTP, dumping Proftpd, dumping webmin, 3 operating builds later and it works.
I hope I might have something that repays at some future date.
Steve
  #7  
Old 5th September 2009, 04:38 PM
sramanand Offline
Registered User
 
Join Date: Aug 2009
Posts: 7
I have the same problem with my Fedora 11. When I add the line

Code:
-A RH-Firewall-1-INPUT -p tcp --dport 11000:11010 -j ACCEPT
and try to restart the firewall using
Code:
service iptables restart
it gives me the following error:
Quote:
iptables: Applying firewall rules: iptables-restore: line 12 failed
Any ideas why this is happening and how I can fix this problem?
  #8  
Old 5th September 2009, 10:14 PM
jcliburn Offline
Registered User
 
Join Date: Nov 2004
Location: Mississippi, USA
Posts: 1,180
Maybe F11 doesn't have an input chain called RH-Firewall-1-INPUT anymore? Look at the other rules in /etc/sysconfig/iptables and see what the input chain is called -- it might be just "INPUT." If that's the case, change RH-Firewall-1-INPUT to just INPUT.
  #9  
Old 7th September 2009, 03:48 AM
sramanand Offline
Registered User
 
Join Date: Aug 2009
Posts: 7
Thanks. It worked. The correct form is "INPUT".

One additional note. I use CoreFTP and in that application I had to use
Quote:
Connection Type: SSH/FTP
  #10  
Old 7th September 2009, 05:22 PM
jcliburn Offline
Registered User
 
Join Date: Nov 2004
Location: Mississippi, USA
Posts: 1,180
Thanks. I edited the original post to reflect your iptables findings.