Vsftpd passive reply with 0,0,0,0 address even with correct pasv_address

ftp vsftpd selinux

Solution 1:

It looks like a bug in vsftpd to me.

From the code, it looks like, vsftpd always sends the 0,0,0,0, if the public pasv_address is set, and the server has a (local) IPv6 address.

To fix this, make sure the server does not listen on IPv6 address (what is the default behavior, which you are overriding by setting listen_ipv6=YES):

listen_ipv6=NO
listen=YES

The only other solution is removing the private IPv6 address, if it is possible in EC2.

Or use another FTP server, e.g. ProFTPD.

To prove that this is indeed a bug:

handle_pasv in postlogin.c:

int is_ipv6 = vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr);

...

if (tunable_pasv_address != 0)
{
  vsf_sysutil_sockaddr_alloc_ipv4(&s_p_sockaddr);
  /* Report passive address as specified in configuration */
  if (vsf_sysutil_inet_aton(tunable_pasv_address, s_p_sockaddr) == 0)
  {
    die("invalid pasv_address");
  }
}
else
{
  vsf_sysutil_sockaddr_clone(&s_p_sockaddr, p_sess->p_local_addr);
}
str_alloc_text(&s_pasv_res_str, "Entering Passive Mode (");
if (!is_ipv6)
{
  str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntop(s_p_sockaddr));
}
else
{
  const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr);
  if (p_v4addr)
  {
    str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr));
  }
  else
  {
    str_append_text(&s_pasv_res_str, "0,0,0,0");
  }
}

where the vsf_sysutil_sockaddr_ipv6_v4 returns 0, if the s_p_sockaddr is not IPv6 (what it never is, when the pasv_address is set).

sysutil.c:

const void*
vsf_sysutil_sockaddr_ipv6_v4(const struct vsf_sysutil_sockaddr* p_addr)
{
  static unsigned char pattern[12] =
      { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF };
  const unsigned char* p_addr_start;
  if (p_addr->u.u_sockaddr.sa_family != AF_INET6)
  {
    return 0;
  }
  if (vsf_sysutil_memcmp(pattern, &p_addr->u.u_sockaddr_in6.sin6_addr, 12))
  {
    return 0;
  }
  p_addr_start = (const unsigned char*)&p_addr->u.u_sockaddr_in6.sin6_addr;
  return &p_addr_start[12];
}

Imho, the code is wrong. It works (and makes sense), when the IP address is "autodetected" from p_sess->p_local_addr, but fails, when the pasv_address address is used.

Consider reporting this to the author of vsftpd.

Solution 2:

I had this problem with a server hosted on Aliyun.

I solved it by disabling listen_ipv6 and enabling listen in the config.

listen_ipv6=NO
listen=YES

I also specified my external IP using pasv_address=

Related

Linux process management
How to migrate a physical system to a KVM virtual server with only network access?
How to port forward with firewalld depending on source IP
Install Trac Without Setting Up a VirtualHost in Apache?
Where to go to learn about web architecture? Youtube example? [closed]
Are Colocation Cross Connects Worth While
Initial RDP Connection to Windows 10 slow to connect
Apparmor denies ntpd access to its own logs
Can I test broadcast packets on a single machine?
Is wireless wake on lan possible?
Allowing users in from an IP address without certificate client authentication
Send objectGUID as an AD FS 2.0 Claim