Unable to connect using FTP over TLS on a VM (ARM) configured for using vsftpd

Problem description

Hello everybody,
I am new to Azure, and I have this issue with accessing my newly created VM over TLS.

I created a new VM, with a virtual network, network security group, public IP address and network interface.

I installed vsftpd and updated the configuration file as shown below; I also generated a certificate to use with it.

Generated certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

vsftpd.conf:

#Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=FTP server
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

pasv_min_port=10100
pasv_max_port=10120

pasv_address=${VM_DNS_NAME}//replaced_with_the_actual_name

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

OK, that being said, vsftpd seems to run well, as I can see the process:

$ ps -A | grep vsftpd
10825 ?        00:00:00 vsftpd

In the network security group, I added the ports that are needed for the job; ports 20, 21 and 22 are declared as allowed for inbound.

Issue:

When I try to connect from an FTP client (FileZilla):

- I cannot connect with FTP (FTP over TLS); the error message is:

    Status: Connection established, waiting for welcome message...
    Status: Insecure server, it does not support FTP over TLS.
    Command: USER userftp
    Response: 331 Please specify the password.
    Command: PASS ***************
    Response: 530 Login incorrect.
    Error: Critical error: Could not connect to server

Knowing that the password is 100% correct, as I am using it to connect over SSH and SFTP.

I might be missing some configuration or did something the wrong way!

Thank you all for any help you can provide.

(Sorry, I couldn't add images because of an issue with my account.)
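The FileZilla log above stops at the point where the client asks for TLS: "Insecure server, it does not support FTP over TLS" is what FileZilla reports when AUTH TLS is not answered with a 234 reply. This added diagnostic (not code from the question or the answer) connects to the control port, sends AUTH TLS, shows the raw reply, and completes the TLS handshake when the server does answer 234. The fake_ftp_server helper is a constructed stand-in so the script runs offline; the host, port and the decision to skip certificate verification are assumptions.

```python
import socket
import ssl
import threading


def read_reply(f):
    """Read one FTP reply (multi-line aware) from a binary file object."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
        # "NNN text" ends the reply; "NNN-text" lines are continuations.
        if len(lines[-1]) >= 4 and lines[-1][:3].isdigit() and lines[-1][3] == " ":
            return int(lines[-1][:3]), "\n".join(lines)


def probe_auth_tls(host, port=21, timeout=5.0):
    """Send AUTH TLS; tls_offered is True only for a 234 reply (RFC 4217)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _, banner = read_reply(f)
        sock.sendall(b"AUTH TLS\r\n")
        code, text = read_reply(f)  # a daemon without ssl_enable in effect never says 234
        result = {"banner": banner, "auth_code": code, "auth_reply": text,
                  "tls_offered": code == 234}
        if code == 234:
            # Finish the handshake so cert/cipher problems surface here (self-signed cert: no verification)
            ctx = ssl.create_default_context()
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"], result["cipher"] = tls.version(), tls.cipher()[0]
        return result


def fake_ftp_server(auth_reply):
    """Constructed offline stand-in: banner, fixed reply to AUTH TLS, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 3.0.3)\r\n")
            conn.recv(64)  # the client's AUTH TLS line
            conn.sendall(auth_reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # port to pass to probe_auth_tls
```

Against the real VM, call probe_auth_tls with its public DNS name; an auth_code other than 234 reproduces the FileZilla message and shows exactly what the daemon replied.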

Solution

Did you also make sure to allow the connections to the needed ports in the firewall as well? As you did, you need to open the ports in the Network Security group. This allows the connection through the Azure firewall. However, in most cases these ports are still blocked by the OS firewall. So you will need to open them in the OS as well. 
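The point that the NSG rule alone is not enough applies to more than port 21: the posted config pins passive data connections to 10100-10120, and with the control channel encrypted the kernel's FTP connection-tracking helper cannot open those ports on demand. This added example (not from the question or the answer) derives the inbound ports from a vsftpd.conf and renders them as ufw rules; SAMPLE_CONF is a constructed excerpt of the posted config, and ufw is assumed as the OS firewall.

```python
# Constructed excerpt of the question's vsftpd.conf (the lines that matter
# for the firewall); a comment line is kept to show it is skipped.
SAMPLE_CONF = """\
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
listen=YES
pasv_min_port=10100
pasv_max_port=10120
ssl_enable=YES
force_local_data_ssl=YES
"""


def parse_vsftpd_conf(text):
    """Return {key: value} for active key=value lines; '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def required_inbound_ports(conf):
    """Inbound TCP ports the OS firewall must allow for this config.

    Port 20 is only the source port of active-mode connections the server
    opens itself, so it is not an inbound listener. The passive range must
    be opened explicitly: with TLS on the control channel, nf_conntrack_ftp
    cannot read the PASV replies that would otherwise open ports on demand.
    """
    ports = [int(conf.get("listen_port", "21"))]  # listen_port is a real vsftpd option
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo and hi:
        ports.append((int(lo), int(hi)))
    return ports


def ufw_rules(ports):
    """Render the port list as ufw commands to run as root on the VM."""
    rules = []
    for p in ports:
        spec = f"{p}/tcp" if isinstance(p, int) else f"{p[0]}:{p[1]}/tcp"
        rules.append(f"ufw allow {spec}")
    return rules
```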
