Below are indications and likely solutions for commonly reported vsftp errors. A search of the forums using "vsftp" as the keyword returns over 150 posts, most of them reporting a problem of one type or another. After answering some of these myself, I thought I'd string together a list of the more frequently reported issues and their soultions in a single howto.
If you'd like to see additions, post them here and I'll add them to this howto.
ERROR:
- ftp: connect: Connection refused
REMEDY:
Most likely, the vsftpd daemon isn't running. Check /etc/vsftpd/vsftpd.conf, and if it contains "listen=YES" (without a "#" preceding it) it's configured to run in standalone mode. Start vsftpd thusly.
Code:
# service vsftpd start
# chkconfig vsftpd on
If you're not running vsftpd standalone, you must be running it under xinetd. Check to see that the file /etc/xinetd.d/vsftpd contains "disable = no", then restart xinetd thusly.
Code:
# service xinetd restart
# chkconfig xinetd on
To check to see if vsftpd is running and listening for connections, execute the following command and look for something similar to one of these expected outputs. The important part is the ":21", which is the ftp port number.
Code:
# netstat --proto=inet,inet6 --pnl | grep ":21"
tcp 0 0 :::21 :::* LISTEN 2556/xinetd
--- OR ---
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2585/xinetd
--- OR ---
tcp 0 0 :::21 :::* LISTEN 3802/vsftpd
--- OR ---
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 5993/vsftpd
-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- 421 Service not available
- 421 Service not available, remote server has closed connection
REMEDY:
Check /etc/vsftpd/vsftpd.conf to see if "tcp_wrappers=YES" (without a "#" preceding it) is present. If so, add the following line to the /etc/hosts.allow file. (You can restrict connections to various hosts/domains by using other options besides "ALL". See the hosts.allow manpage for details.)
-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- long delay on command after ftp login
- ftp: connection timed out
- ftp: connect: No route to host
- Security: Bad IP connecting.
- 606 no socket
REMEDY:
Many people report problems with ftp sessions hanging or throwing errors after the ftp login session is successful. Frequently this is because the ftp-data port is blocked by a firewall or not forwarded by a router. This section describes the configuration of vsftpd to enable passive mode data transfers, along with the accompanying changes to iptables and your router to allow ftp-data connections to pass.
Ftp sessions consist of two channels: a command channel and a data channel, and they each use a different port. While the command channel is (usually) fixed at server port 21, the data channel employs varying ephemeral ports, and this can be problematic in the presence of a firewall since you don't know from session to session which port the ftp server will use for the data transfer. To get around this, you need to constrain the range of ports used by the server for ftp-data connections, and you need to modify your firewall and, if necessary, your router to enable traffic on that port range.
First, make sure that passive mode is enabled; vsftpd enables it by default, but it doesn't hurt to set it explicitly. Let's also restrict the data channel to ports 11000 through 11010. Depending upon the number of concurrent sessions you anticipate on your server, you can increase or decrease the port range by modifying the min and max values. You can also use any port range; I chose 11000 through 11010 at random. Just make sure the min port is greater than 1024. Add these lines to /etc/vsftpd/vsftpd.conf.
Code:
pasv_enable=YES
pasv_min_port=11000
pasv_max_port=11010
Restart vsftpd (or xinetd if you're running vsftpd under xinetd) to make the changes take effect.
Code:
service vsftpd restart
Now modify the server's firewall to unblock the ftp-data port range by adding the following rule to /etc/sysconfig/iptables
before the line that contains "icmp-host-prohibited". (This assumes you haven't radically modified /etc/sysconfig/iptables. If you have, you know enough about iptables already to know where to insert this rule.)
NOTE: Newer versions of Fedora (starting with at least F11) use a different iptables input chain name called "INPUT" rather than "RH-Firewall-1-INPUT". Look at the other rules in your existing /etc/sysconfig/iptables file to see which name your version uses and modify the rule below accordingly. (Just delete the "RH-Firewall-1-" portion of the rule string if your input string is named "INPUT".)
Code:
-A RH-Firewall-1-INPUT -p tcp --dport 11000:11010 -j ACCEPT
Restart the firewall.
Code:
service iptables restart
If you have a router, you need to configure it to forward ports 11000 through 11010 if you want external users to be able to transfer data to and from your server. The instructions to do this vary according to your router, but often it can be done through a web interface to the router itself.
-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- 550 Failed to change directory.
REMEDY:
This happens most likely because you've established a chroot jail for users, and the user is trying to access a directory outside the jail.
-----------------------------------------------------------------------------------------------------------------------------------
ERROR:
- 500 OOPS: cannot change directory:/foo
- 500 OOPS: Connection closed by remote host.
- 500 OOPS: failed to open xferlog log file:/var/log/xferlog
- 553 could not create file error
REMEDY:
This happens because SELinux isn't properly configured for your ftp service. Either disable SELinux or configure it for ftp.
To disable SELinux, edit /etc/selinux/config and set "SELINUX=disabled", then reboot.
The easiest way to configure SELinux to work with ftp is to follow the instructions here (thanks to Stanton Finley).
http://stanton-finley.net/fedora_cor...notes.html#FTP . This will require console (or xdmcp or vnc) access to the server.
As an alternative, although I haven't tested it, you might try
Code:
# setsebool -P ftpd_disable_trans 1
# service vsftpd restart
Great post. Thanks. Disabling SELinux fixed my 553 errors on anon uploads.
Linear Mode
