VSFTPD: an unexpected TLS packet was received

I'm trying to set up multiple ftp users, each with their own subfolder (so a user only sees his own root folder and nothing else).

The current problem is that in filezilla I get

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Error:  GnuTLS error -15: An unexpected TLS packet was received.
Error:  Disconnected from server: ECONNABORTED - Connection aborted
Error:  Failed to retrieve directory listing

I tried all the FTP options in Filezilla (explicit or implicit TLS). All of them error out.

/etc/vsftpd.conf

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/home/ftpmain/ftp/$USER
hide_ids=YES
guest_username=vsftpd
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
pasv_address=123.123.123.123
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=50000
chroot_local_user=YES
chroot_list_enable=NO

/etc/pam.d/vsftpd

auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so

The user1 folder looks like this (after chmod+chown):

/home/ftpmain/ftp/user1$ ll
total 12
dr-xr-xr-x 3 root   root    4096 Mar 18 19:17 ./
dr-xr-xr-x 4 nobody nogroup 4096 Mar 18 19:09 ../
drwxr-xr-x 2 vsftpd nogroup 4096 Mar 18 19:17 folder1/

Any ideas?

Update

From what I've read, this may be related to a folder not existing or to wrong permissions. I added "allow_writeable_chroot=YES" to the conf file. I also added "log_ftp_protocol=YES".

Here is the current log (/var/log/vsftpd.log):

Wed May  1 08:44:28 2019 [pid 2310] CONNECT: Client "111.111.111.111"
Wed May  1 08:44:28 2019 [pid 2310] FTP response: Client "111.111.111.111", "220 (vsFTPd 3.0.3)"
Wed May  1 08:44:28 2019 [pid 2310] FTP command: Client "111.111.111.111", "AUTH TLS"
Wed May  1 08:44:28 2019 [pid 2310] FTP response: Client "111.111.111.111", "234 Proceed with negotiation."
Wed May  1 08:44:29 2019 [pid 2310] FTP command: Client "111.111.111.111", "USER user1"
Wed May  1 08:44:29 2019 [pid 2310] [user1] FTP response: Client "111.111.111.111", "331 Please specify the password."
Wed May  1 08:44:29 2019 [pid 2310] [user1] FTP command: Client "111.111.111.111", "PASS <password>"
Wed May  1 08:44:29 2019 [pid 2309] [user1] OK LOGIN: Client "111.111.111.111"
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "230 Login successful."
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PBSZ 0"
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "200 PBSZ set to 0."
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PROT P"
Wed May  1 08:44:29 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "200 PROT now Private."
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PWD"
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "257 "/" is the current directory"
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "TYPE I"
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP response: Client "111.111.111.111", "200 Switching to Binary mode."
Wed May  1 08:44:30 2019 [pid 2319] [user1] FTP command: Client "111.111.111.111", "PASV"

After a chown on the "user1" folder:

$ ll
dr-xr-xr-x 4 nobody nogroup 4096 Mar 18 19:09 ./
drwxr-xr-x 5 ftpmain  ftpmain   4096 Mar 18 16:09 ../
dr-xr-xr-x 3 vsftpd    1002 4096 Mar 18 19:17 user1/

/home/ftpmain/ftp is owned by 'nobody:nogroup'

Update #2

Where things stand now: I've made sure I can connect to the FTP with plain FTP in active mode. With plain FTP in passive mode I still get an error:

Status: Resolving address of .....
Status: Connecting to 111.111.111.111:21...
Status: Connection established, waiting for welcome message...
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Response:   500 OOPS: invalid pasv_address
Command:    PORT 10,0,0,15,253,199
Response:   500 OOPS: priv_sock_get_cmd
Error:  Failed to retrieve directory listing
Error:  Connection closed by server

When trying with TLS I still get the same error, "unexpected TLS packet was received", even after trying a chmod on the user1 folder:

 drwxrwx--- 3 vsftpd    1002 4096 May  1 10:58 user1/

Answer 1

Finally got it working. Besides the debugging process I outlined in the updates to the original question, here is what I did afterwards.

To get TLS working, I'd suggest first making sure that passive mode works without TLS. This is because, as far as I understand it, the encryption prevents the server IP sent by the server from being received by the ftp client.

So, as a first step, disable TLS via the ssl_enable=YES setting in the conf file.

Passive mode needs additional ports. Here are the lines in the config file related to it:

pasv_address=111.111.111.111
pasv_addr_resolve=NO
port_enable=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000

You must make sure the passive ports are open! I'm on EC2, so you need to open the ports in the security group. Also, check ufw:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 20/tcp                     ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 990/tcp                    ALLOW IN    Anywhere
[ 4] 40000:50000/tcp            ALLOW IN    Anywhere
[ 5] 22/tcp                     ALLOW IN    Anywhere
[ 6] 20/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 21/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 990/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 9] 40000:50000/tcp (v6)       ALLOW IN    Anywhere (v6)
[10] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

With this I was able to connect using passive mode, and then enabling ssl_enable=YES just worked.

Final /etc/vsftpd.conf:

listen=YES
listen_ipv6=NO

anonymous_enable=NO
local_enable=YES
write_enable=YES

local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
log_ftp_protocol=YES

nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/home/ftpmain/ftp/$USER
hide_ids=YES
guest_username=vsftpd
allow_writeable_chroot=YES
chroot_local_user=YES
chroot_list_enable=NO

secure_chroot_dir=/var/run/vsftpd/empty
use_localtime=YES
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

pasv_address=111.111.111.111
pasv_addr_resolve=NO
port_enable=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
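The answer's recipe is really a consistency check between three things: the passive-mode keys in vsftpd.conf, the address clients will see in the PASV reply, and the firewall rules in front of the server. The following script is an added example (not vsftpd's or the answer author's code) that performs that check offline: it parses a key=value vsftpd.conf and the text of "sudo ufw status numbered", and reports the mismatches behind "500 OOPS: invalid pasv_address", a PASV that never completes, and the "unexpected TLS packet" disconnect seen on the client. The sample configs and ufw listings embedded in it are constructed from the question and the answer; the finding strings are this example's own wording.

```python
"""Sanity-check a vsftpd passive-mode + TLS setup before blaming TLS.

Added example (not vsftpd's own code): parses vsftpd.conf and the output
of `sudo ufw status numbered`, then lists the inconsistencies.
"""
import ipaddress
import re

# "[ 4] 40000:50000/tcp            ALLOW IN    Anywhere"         (IPv4 rule)
# "[ 9] 40000:50000/tcp (v6)       ALLOW IN    Anywhere (v6)"    (IPv6 rule)
UFW_RULE = re.compile(r"^\[\s*\d+\]\s+(\S+)(?:\s+\(v6\))?\s+ALLOW IN\s+")


def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_true(value):
    # vsftpd reads boolean options case-insensitively (YES/TRUE/1 vs NO/FALSE/0)
    return value.strip().upper() in ("YES", "TRUE", "1")


def parse_ufw_allowed_tcp(text):
    """Return [(low, high)] inbound TCP port ranges allowed by the IPv4 rules."""
    ranges = []
    for line in text.splitlines():
        m = UFW_RULE.match(line)
        if not m or "(v6)" in line:
            continue
        ports, _, proto = m.group(1).partition("/")
        if proto != "tcp":
            continue
        low, _, high = ports.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges


def check_passive_setup(conf_text, ufw_text):
    """Return a list of findings; an empty list means the setup is consistent."""
    conf = parse_vsftpd_conf(conf_text)
    findings = []
    if not is_true(conf.get("pasv_enable", "YES")):
        findings.append("pasv_enable: passive mode is disabled")

    low = int(conf.get("pasv_min_port", "0"))
    high = int(conf.get("pasv_max_port", "0"))
    if low == 0 or high == 0 or low > high:
        findings.append("pasv range: pin pasv_min_port <= pasv_max_port so the range can be firewalled")

    addr = conf.get("pasv_address")
    if addr is None:
        findings.append("pasv_address: unset; behind NAT (EC2 included) the PASV reply carries the private address")
    else:
        try:
            ip = ipaddress.IPv4Address(addr)
            if ip.is_loopback or ip.is_unspecified:
                findings.append(f"pasv_address: {addr} is not reachable by remote clients")
        except ipaddress.AddressValueError:
            if not is_true(conf.get("pasv_addr_resolve", "NO")):
                findings.append(f"pasv_address: {addr!r} is not an IPv4 literal and pasv_addr_resolve is off")

    allowed = parse_ufw_allowed_tcp(ufw_text)

    def covered(p_low, p_high):
        return any(a <= p_low and p_high <= b for a, b in allowed)

    if not covered(21, 21):
        findings.append("firewall: 21/tcp (control channel) is not allowed in")
    if 0 < low <= high and not covered(low, high):
        findings.append(f"firewall: passive range {low}:{high}/tcp is not fully allowed in")

    if findings and is_true(conf.get("ssl_enable", "NO")):
        # With the control channel encrypted, no NAT or firewall FTP helper can
        # read or rewrite the PASV reply, so the config itself has to be right;
        # the client only ever sees the data connection fail.
        findings.append("tls: ssl_enable=YES hides PASV from NAT/firewall helpers; fix the items above in vsftpd.conf")
    return findings


# Constructed from the question: TLS on, range set, firewall (constructed)
# only lets the control port through.
QUESTION_CONF = "ssl_enable=YES\npasv_address=123.123.123.123\npasv_enable=Yes\npasv_min_port=40000\npasv_max_port=50000\n"
QUESTION_UFW = "Status: active\n[ 1] 21/tcp                     ALLOW IN    Anywhere\n[ 2] 22/tcp                     ALLOW IN    Anywhere\n"
# Constructed from the answer's final config and its ufw listing.
ANSWER_CONF = "ssl_enable=YES\npasv_address=111.111.111.111\npasv_addr_resolve=NO\npasv_enable=YES\npasv_min_port=40000\npasv_max_port=50000\n"
ANSWER_UFW = """Status: active
[ 1] 20/tcp                     ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 990/tcp                    ALLOW IN    Anywhere
[ 4] 40000:50000/tcp            ALLOW IN    Anywhere
[ 5] 22/tcp                     ALLOW IN    Anywhere
[ 9] 40000:50000/tcp (v6)       ALLOW IN    Anywhere (v6)
"""

if __name__ == "__main__":
    print("question:", check_passive_setup(QUESTION_CONF, QUESTION_UFW) or ["ok"])
    print("answer:  ", check_passive_setup(ANSWER_CONF, ANSWER_UFW) or ["ok"])
```

Run it once with the real /etc/vsftpd.conf and the saved output of "sudo ufw status numbered" and the "tls:" line tells you whether the TLS error is a symptom of a passive-mode problem rather than a TLS one. The EC2 security group is a second filter the script cannot see, so the same port range must be allowed there as well.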

Answer 2

I followed all the steps detailed in this link.

Then, yes, I ran into a similar error. So, as suggested in your answer, I first tried to connect without TLS by commenting out ssl_enable=YES.

However, that didn't work (see the error below):

Response:   500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Error:          Critical error: Could not connect to server

until I added this directive to the config file /etc/vsftpd.conf:

allow_writeable_chroot=YES

However, I did some searching and found that, for security reasons, this option must NOT be set to YES.

In the vsftpd.conf man page:

allow_writeable_chroot

Allows chroot() to put a user into a directory that user can write to. Note that setting this to YES is potentially dangerous. For example, if the user creates an "etc" directory in the new root, they could trick the C library into loading user-created configuration files from the /etc/ directory.

Also check this ServerFault question.

As a reminder, chroot is an operation that changes the apparent root directory for the currently running process and its children. A program run in such a modified environment cannot access files and commands outside that environment's directory tree. This modified environment is called a chroot jail.

So a good practice is to set allow_writeable_chroot=NO and create an ftp directory that acts as the chroot. Here is an example:

mkdir /home/ftpuser/ftpdirectory
chown -R ftpuser:ftpuser
chmod a-w /home/ftpuser 

And finally, in the vsftpd.conf config file:

user_sub_token=$USER 
local_root=/home/$USER/ftpdirectory
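The layout above works because the directory vsftpd chroots into (/home/ftpuser) is not writable by the FTP user, while the subdirectory the user actually uploads to is. The script below is an added example (not vsftpd's or the answer author's code) that reproduces that recipe in a scratch directory and evaluates each directory the way the "refusing to run with writable root inside chroot()" protection does: a mode-bit writability test for the FTP user's uid/gid. The uid and gid are passed in explicitly (the current user stands in for ftpuser, since chown needs root), and the "ok"/"refused"/"risky" verdict labels are this example's own.

```python
"""Check a vsftpd chroot layout against the writable-root rule.

Added example (not vsftpd's code): the chroot root must not be writable by
the FTP user; a subdirectory inside it may be. uid/gid are parameters so
the check can be run by any user against any directory.
"""
import os
import stat
import tempfile


def writable_by(path, uid, gid):
    """Owner/group/other mode-bit check for (uid, gid) on `path`.
    uid 0 is deliberately not special-cased: vsftpd applies the rule to the
    unprivileged FTP user, not to root."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def chroot_verdict(local_root, uid, gid, allow_writeable_chroot=False):
    """'ok'      : root not writable, login allowed with allow_writeable_chroot=NO
       'refused' : root writable, vsftpd rejects the login ("500 OOPS: ...")
       'risky'   : root writable, login only works because of allow_writeable_chroot=YES
                   (the man page's user-created etc/ scenario becomes possible)"""
    if not writable_by(local_root, uid, gid):
        return "ok"
    return "risky" if allow_writeable_chroot else "refused"


def build_layout(base):
    """Reproduce the answer's recipe under a scratch base:
    <base>/ftpuser is the chroot root (chmod a-w), ftpdirectory inside is writable."""
    home = os.path.join(base, "ftpuser")
    data = os.path.join(home, "ftpdirectory")
    os.makedirs(data)
    os.chmod(data, 0o755)
    os.chmod(home, 0o555)   # chmod a-w /home/ftpuser
    return home, data


def demo():
    uid, gid = os.getuid(), os.getgid()   # the current user stands in for ftpuser
    with tempfile.TemporaryDirectory() as tmp:
        home, data = build_layout(tmp)
        result = {
            "root": chroot_verdict(home, uid, gid),                  # expected 'ok'
            "subdir_writable": writable_by(data, uid, gid),          # expected True
            "root_if_writable": chroot_verdict(data, uid, gid),      # chrooting into the
            "root_if_writable_with_override":                        # writable dir instead
                chroot_verdict(data, uid, gid, allow_writeable_chroot=True),
        }
        os.chmod(home, 0o755)   # give write back so the scratch tree can be removed
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two "root_if_writable" entries show the trade-off the answer describes: pointing local_root at the writable directory itself either fails the login or, with allow_writeable_chroot=YES, lets the user write into the root of their jail. Keeping the root read-only and the writable area one level down needs neither.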
