425 Security: Bad IP connecting when trying to connect to ftp server behind load balancer
I have an ec2 instance with vsftp installed. The daemon is listening on port 21:
$ sudo netstat -tulpn
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1730/vsftpd
I am able to ftp and upload files through filezilla when connecting to the instance IP address itself. However, when I add the instance to a classic load balancer and try to connect to the load balancer, I get the following error:
Command: PASV
Response: 227 Entering Passive Mode (3,23,102,171,4,6).
Command: LIST
Response: 425 Security: Bad IP connecting.
Error: Failed to retrieve directory listing
The only options I changed in the vsftpd.config are the following:
listen=YES
# listen_ipv6=YES
write_enable=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=3.23.102.171
All the other options are the defaults. There is nothing else installed on the server and clearly the Security Groups allow access.
What's this error about and how can I resolve it?
I think you have tackled almost everything. But some small things might be missing.
To run vsftpd behind a load balancer you need to:
Enable passive mode and set ports:
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
Obviously these ports need to be exposed on your load balancer.
Set up a pasv_address and connect to it:
You should set up a pasv_address, just like you did. But make sure:
- You are connecting with this address on your ftp client:
ftp same-address-as-config
- If your address is a name, add
pasv_addr_resolve=YES
Hope it helps.
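An added consistency check (not code from the question or the answer) that parses the question's vsftpd.conf options and FileZilla's 227 reply, then reports when the advertised address or port disagrees with pasv_address, the pasv port range, or the address the client actually connects to; the sample config and reply are constructed from the values on this page.

```python
import re
from ipaddress import ip_address
# Constructed sample input: the question's vsftpd.conf options and its 227 reply.
SAMPLE_CONF = """listen=YES
# listen_ipv6=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=3.23.102.171
"""
SAMPLE_227 = "227 Entering Passive Mode (3,23,102,171,4,6)."
def parse_conf(text):
    """Parse key=value lines of a vsftpd.conf, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply; port is p1*256+p2 per RFC 959."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

def check_passive_setup(opts, reply, client_target):
    """Return problems found; an empty list means the setup is consistent."""
    problems = []
    if opts.get("pasv_enable", "NO").upper() != "YES":
        problems.append("pasv_enable is not YES")
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    ip, port = parse_pasv_reply(reply)
    if not lo <= port <= hi:
        problems.append("advertised port %d outside %d-%d" % (port, lo, hi))
    addr = opts.get("pasv_address", "")
    try:
        ip_address(addr)  # literal IP: it must match what clients are told
        if ip != addr:
            problems.append("227 advertises %s, pasv_address is %s" % (ip, addr))
    except ValueError:  # hostname (or empty): needs pasv_addr_resolve=YES
        if opts.get("pasv_addr_resolve", "NO").upper() != "YES":
            problems.append("pasv_address %r is not an IP; set pasv_addr_resolve=YES" % addr)
    if addr != client_target:
        problems.append("client connects to %s but pasv_address is %s" % (client_target, addr))
    return problems
```

Run it with the config from the question and the address you type into your FTP client; the 227 reply above decodes to port 4*256+6 = 1030, inside the 1024-1048 range.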