Problem description
Hello everybody,
I am new to Azure, and I have this issue with accessing my newly created VM over TLS.
I created a new VM, with a virtual network, network security group, public IP address and network interface.
I installed vsftpd and updated the configuration file as shown below, and I also generated a certificate to use with it.
Generated certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=FTP server
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_min_port=10100
pasv_max_port=10120
pasv_address=${VM_DNS_NAME}//replaced_with_the_actual_name
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
OK, that being said, vsftpd seems to run well, as I can see the process:
$ ps -A | grep vsftpd
10825 ?        00:00:00 vsftpd
In the network security group, I added the ports that are needed for the job; ports 20, 21 and 22 are declared as allowed for inbound.
Issue:
When I try to connect from an FTP client (FileZilla):
- I cannot connect with FTP (FTP over TLS); the error message is
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Command: USER userftp
Response: 331 Please specify the password.
Command: PASS ***************
Response: 530 Login incorrect.
Error: Critical error: Could not connect to server
Knowing that the password is 100% correct, as I am using it to connect over SSH and SFTP,
I might be missing some configuration or did something the wrong way!
Thank you all for any help you can provide.
(Sorry, I couldn't add images because of an issue with my account.)
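With the settings shown (ssl_enable=YES, force_local_logins_ssl=YES), vsftpd answers AUTH TLS with 234 and refuses a plaintext USER, whereas the FileZilla log above shows a 331 and a login attempt in the clear. The probe below is an added example, not part of the original post: it performs the same explicit-TLS negotiation a client does so the daemon's real behaviour can be checked directly; the host passed to it is assumed to be whatever name the poster substituted for ${VM_DNS_NAME}.

```python
import socket
import ssl

def read_reply(lines):
    """Consume one FTP reply; it ends at the first line shaped 'NNN text' (RFC 959)."""
    collected = []
    for line in lines:
        line = line.rstrip("\r\n")
        collected.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), "\n".join(collected)
    raise ConnectionError("control connection closed before reply completed")

def classify_auth_tls(code: int) -> str:
    """Interpret the reply to AUTH TLS from a FileZilla-style client's viewpoint."""
    if code == 234:
        return "tls-available"    # server now expects the TLS handshake
    if code in (500, 502, 530):   # unknown command, or vsftpd's 530 with ssl_enable off
        return "tls-not-offered"
    return "unexpected"

def _control_lines(sock: socket.socket):
    """Yield control-channel lines one by one; leftover bytes stay buffered."""
    buf = b""
    while True:
        while b"\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return
            buf += chunk
        line, buf = buf.split(b"\n", 1)
        yield line.decode("latin-1")

def probe_explicit_tls(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Read the banner, send AUTH TLS and, on 234, finish the handshake. Verification
    is off because the post's certificate is self-signed; this is a capability probe."""
    result = {"host": host, "port": port}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        lines = _control_lines(sock)
        result["banner"] = read_reply(lines)[1]
        sock.sendall(b"AUTH TLS\r\n")
        code, result["auth_tls_reply"] = read_reply(lines)
        result["verdict"] = classify_auth_tls(code)
        if code == 234:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"], result["cipher"] = tls.version(), tls.cipher()[0]
    return result
```

Calling probe_explicit_tls() with the VM's DNS name returns a verdict of "tls-available" only when the daemon answering on port 21 is actually running with the TLS settings from the posted vsftpd.conf.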
This concludes the post about being unable to connect with FTP over TLS on a VM (ARM) configured to use vsftpd; we hope the suggested answers help, and we hope for your continued support!