Issues with VSFTPD / FTP on Linux Ubuntu server - Steps for Troubleshooting?
I am dealing with an issue I am unclear on how to resolve and have been pulling my hair out for some time. I have been trying to configure an FTP user using the following (we use this same documentation on all servers):
Install FTP Server
- apt-get install vsftpd
- Enable local_enable and write_enable to YES, and anonymous user to NO, in /etc/vsftpd.conf
- restart - "service vsftpd restart" - to allow changes to take place
Add WordPress User for FTP access in WP Admin
Create a fake shell for the user: add "/usr/sbin/nologin" to the bottom of the /etc/shells file
Add an FTP user account
- useradd username -d /var/www/ -s /usr/sbin/nologin
- passwd username
Add these lines to the bottom of /etc/vsftpd.conf
- userlist_file=/etc/vsftpd.userlist
- userlist_enable=YES
- userlist_deny=NO
Add username to the list at the top of /etc/vsftpd.userlist
- restart vsftpd: "service vsftpd restart"
- make sure the firewall is open for ftp: "ufw allow ftp"
- modify the /var/www directory for username: "chown -R /var/www
I have also gone through everything listed on this post, with no luck. I am getting "connection refused".
Sorry for the poor text formatting above; I think you get the idea. This is something we do over and over, and for some reason it is not cooperating here.
Setup is Ubuntu 12.04 LTS and VSFTPD v2.3.5.
Solution 1:
So here's the INPUT portion of your iptables configuration.
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
HERE^
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
The line that I highlighted with the REJECT is denying all inbound connections. The rules you put at the bottom to permit ftp & ftp-data are never firing. Nor are the ufw- rules.
I'm not an Ubuntu person and I don't have a box handy to look at, but it's likely your init script that handles your firewall is hardcoding the first few rules, and the place where you added your config is happening later in the boot sequence.
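A check for the rule-ordering problem this answer describes, added here as an example and not part of the original answer. It parses `iptables -L INPUT -v -n` output (the `-v` form, so the interface column is visible and a rule restricted to `lo` is not mistaken for a catch-all) and lists every rule that sits after the first unconditional DROP/REJECT in the chain. The listing inside it is constructed to mirror the one above.

```python
import re

# Constructed sample in `iptables -L INPUT -v -n` format, modelled on the
# listing in the answer above; counters and the "lo" interface are made up.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source     destination
  120  9000 ACCEPT  all  --  lo  *   0.0.0.0/0  0.0.0.0/0
    0     0 REJECT  all  --  *   *   0.0.0.0/0  127.0.0.0/8  reject-with icmp-port-unreachable
 5000    2M ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
    4   240 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
    3   180 LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0    limit: avg 5/min burst 5 LOG level 7 prefix "iptables denied: "
   80  4800 REJECT  all  --  *   *   0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp spt:21 state ESTABLISHED
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp dpt:21 state NEW
"""

TERMINAL_TARGETS = {"DROP", "REJECT"}

def parse_rules(listing):
    """Turn `iptables -L <chain> -v -n` output into a list of rule dicts."""
    rules = []
    for line in listing.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 9 or parts[0] == "Chain" or parts[2] == "target":
            continue  # chain header, column header or blank line
        rules.append({"target": parts[2], "prot": parts[3], "in": parts[5],
                      "out": parts[6], "src": parts[7], "dst": parts[8],
                      "match": parts[9] if len(parts) > 9 else ""})
    return rules

def is_unconditional_terminal(rule):
    """DROP/REJECT with no protocol, interface, address or extension match.
    `reject-with ...` is a target option, not a match, so it is ignored."""
    extra = re.sub(r"reject-with\s+\S+", "", rule["match"]).strip()
    return (rule["target"] in TERMINAL_TARGETS and rule["prot"] == "all"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and extra == "")

def shadowed_rules(listing):
    """(rule number, target, match) for every rule that sits after the first
    unconditional DROP/REJECT in the chain: no packet can ever reach it."""
    rules = parse_rules(listing)
    for idx, rule in enumerate(rules, start=1):
        if is_unconditional_terminal(rule):
            return [(n, r["target"], r["match"])
                    for n, r in enumerate(rules[idx:], start=idx + 1)]
    return []
```

On the sample, rules 7 and 8 (the ftp ACCEPTs) are reported as unreachable because rule 6 rejects everything first; the `lo` ACCEPT and the `127.0.0.0/8` REJECT are correctly not treated as catch-alls.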
Solution 2:
Don't know if this helps or not, but here is my vsftpd.conf file that works perfectly for me :) Due to the amount of changes over the years, I have noticed changes made to my vsftpd.conf file.
# /etc/vsftpd.conf - vsftpd configuration file
#
# Run standalone
listen=YES
#
# Allow anonymous FTP
anonymous_enable=NO
#
# Allow local users to log in
local_enable=YES
#
# Allow any form of FTP write command
write_enable=YES
#
# Default umask is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd)
local_umask=022
anon_umask=022
#
# Allow the anonymous FTP user to upload files
anon_upload_enable=NO
#
# Allow the anonymous FTP user to be able to create new directories
anon_mkdir_write_enable=NO
#
# Activate directory messages
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone
use_localtime=YES
#
# Activate logging of uploads/downloads
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)
connect_from_port_20=YES
#
# Customise the login banner string
ftpd_banner=Welcome to FTP service.
#
# Restrict local users to their home directories
chroot_local_user=NO
#
# Activate the "-R" option to the builtin ls. This is disabled by default to
# avoid remote users being able to cause excessive I/O on large sites.
# However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option
ls_recurse_enable=YES
#
# Show textual names in the user and group fields of directory listings
text_userdb_names=YES
#
# Empty directory not writable by the ftp user as a secure chroot() jail at
# times vsftpd does not require filesystem access
secure_chroot_dir=/var/run/vsftpd/empty
#
# PAM service vsftpd will use
pam_service_name=vsftpd
#
# Support secure connections via SSL. This applies to the control connection
# (including login) and also data connections
ssl_enable=YES
#
# Certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/ssl/ssl.pem
#
#
# Do not require all SSL data connections to exhibit SSL session reuse
require_ssl_reuse=NO
#
# Force authenticated login and data via SSL
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_ciphers=HIGH
# DEV1 Settings
listen_port=21
pasv_enable=YES
pasv_min_port=64400
pasv_max_port=64499
pasv_address=YOUR Static Public IP
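An added example, not part of the question or either answer: it parses a vsftpd.conf fragment that combines the question's userlist lines with the passive and SSL settings from the file above, derives the TCP ports the host firewall must accept (the passive range needs its own rule, since `ufw allow ftp` opens only port 21), and flags the settings a reviewer would question. Defaults assumed for missing keys are vsftpd's documented ones.

```python
# Constructed vsftpd.conf fragment: the question's userlist lines plus the
# SSL and passive settings from the config above (not a real server's file).
SAMPLE_CONF = """\
# comments and blank lines are ignored, as vsftpd ignores them
anonymous_enable=NO
local_enable=YES
chroot_local_user=NO
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
userlist_enable=YES
userlist_deny=NO
pasv_min_port=64400
pasv_max_port=64499
"""

def parse_vsftpd_conf(text):
    """key=value per line; '#' lines and blanks skipped; first '=' splits."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def firewall_ports(conf):
    """Control port plus the passive data range the firewall must accept."""
    ports = [int(conf.get("listen_port", "21"))]          # vsftpd default 21
    if conf.get("pasv_enable", "YES") == "YES":          # vsftpd default YES
        lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
        if lo and hi:
            ports.append((int(lo), int(hi)))
    return ports

def audit(conf):
    """Settings a reviewer would flag; defaults are vsftpd's documented ones."""
    findings = []
    if conf.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable=YES: anonymous logins are allowed")
    if conf.get("local_enable") == "YES" and conf.get("chroot_local_user", "NO") != "YES":
        findings.append("chroot_local_user=NO: local users can browse outside their home")
    if conf.get("ssl_enable") == "YES":
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if conf.get(key, "YES") != "YES":
                findings.append(f"{key}=NO: plaintext logins or data still accepted")
    if conf.get("userlist_enable") == "YES" and conf.get("userlist_deny", "YES") == "YES":
        findings.append("userlist_deny=YES: the userlist is a denylist, not an allowlist")
    return findings
```

For the sample the firewall must accept 21/tcp and 64400-64499/tcp, and the audit reports the missing chroot and the two unenforced SSL settings.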