Odd ftpd Problem

From: Stefan Willmert (stefanw_at_this.is.fake.intellanet.com)
Date: 09/05/04


Date: Sun, 5 Sep 2004 09:22:33 -0500

I'm stumped, and I'm hoping someone here might be able to point me in the
right direction.

My ftpd server fails when requesting passive mode from an internet client,
and therefore, file uploads are not working. I have an automated file upload
service, and the uploads are leaving zero length files.

Here's the situation.

I have a separate multi-homed server for the network firewall. I use NAT to
provide access to an ftp server running linux and wu-ftpd. This has always
worked well in the past.

Recently, my server running the ftpd daemon had a hard drive failure. I
purchased a new hard drive, partitioned it, and did a complete system
restore from my backups. Everything works, except for the ftp passive mode.

Symptoms:
1. Valid users can connect via ftp.
2. pwd command works.
3. ls command fails when client is an internet client.
4. Valid user attempts to upload file (from internet connection)...a zero
length file is created.
5. ls works perfectly when client is local network client.
6. upload works when client is local network client.
7. Firewall is on a separate machine and has not been changed.
8. Firewall machine logs all blocked packets. No packets are logged for
passive mode requests.
9. FTP server logs all errors. No errors reported for ftp service.
10. FTP logs report PASV command log when an ls command is issued....the
command DOES NOT return a directory listing.
11. Everything worked prior to the hard drive failure, and the system
restore.

I've checked for pid files, directory permissions, have replaced the wu-ftpd
rpm package. I am stumped on how to debug this problem. Any suggestions for
debugging this issue, to determine why passive mode is failing from an
internet connection, yet it works from a local network connection? I know,
it sounds like a firewall issue, however, the firewall is on a different
machine and has not been changed, it also worked prior to the system restore
of the ftp server, plus, it logs all blocked packets, and no packets are
logged during the ftp connection. Plus, I opened the firewall temporarily to
make sure, and ftp passive mode still failed.

Please help with any suggestions on debugging this? I'm looking at tcpdump,
but I need to learn the exact communication for an ftp client.

Thanks for any help you may provide.

-stefan


