Why can’t I access my Linux FTP (vsftpd) server?


I’ve just installed vsftpd and started the service. The service is running, and my netstat dump shows it (see below). I’ve also enabled anonymous access for good measure. However, when I try to access the server with an FTP client, or even just telnet to port 21, I get a “connection refused”.

How do I troubleshoot this?

netstat -a:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 localhost:11110             *:*                         LISTEN
tcp        0      0 *:mysql                     *:*                         LISTEN
tcp        0      0 *:macromedia-fcs            *:*                         LISTEN
tcp        0      0 *:ndmp                      *:*                         LISTEN
tcp        0      0 *:ftp                       *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 localhost:19350             *:*                         LISTEN
tcp        0      0 *:lmsocialserver            *:*                         LISTEN
tcp        0      0 localhost:19350             localhost:60863             ESTABLISHED
tcp        0      0 mischost:ssh                c-71-56-64-141.hsd1.g:62946 ESTABLISHED
tcp        0      0 localhost:60863             localhost:19350             ESTABLISHED
tcp        0    196 mischost:ssh                c-71-56-64-141.hsd1.g:18606 ESTABLISHED
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 mischost:http               baiduspider-123-125-7:25479 FIN_WAIT2
udp        0      0 *:ndmp                      *:*

/etc/sysconfig/iptables:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:92]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

iptables -L -n:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1935
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Solution:

“Connection Refused” is very specific. It means that when you tried to connect to this service (by sending a SYN packet), you got a specific response (a RST packet) meaning “the server is there, but not offering a service on that port.” Without any firewalls in the way, this is the response you’d get if nothing was actually listening on that port. Since you’ve verified that something IS listening on that port, this response MUST have come from some firewall: either the firewall on the server itself (which you could check with iptables -L -n) or some other firewall in between you and the server. If it’s not the server itself, it could be any other router in between server and client.

This all assumes that you try to telnet to the correct IP address.

Check the firewall if port 21 is open and you have modules in the firewall for connection tracking of the data stream.
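
Added example, not part of the original answer: the question's saved rules file accepts port 21, but its `iptables -L -n` listing has no `dpt:21` rule. The script below compares the two listings, using trimmed copies from the question as embedded sample input; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list TCP ports the saved rules file accepts on INPUT but the
# running ruleset does not. Function names are hypothetical.

# Reads iptables-save style text on stdin, prints accepted INPUT dports.
saved_ports() {
  awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
         for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
       }' | sort -u
}

# Reads "iptables -L -n" text on stdin, prints accepted INPUT dports.
live_ports() {
  awk '$1 == "Chain" { in_input = ($2 == "INPUT") }
       in_input && $1 == "ACCEPT" {
         for (i = 1; i <= NF; i++) if ($i ~ /^dpt:[0-9]+$/) print substr($i, 5)
       }' | sort -u
}

# $1 = saved rules text, $2 = live listing text; prints ports missing live.
missing_from_live() {
  live_list=$(printf '%s\n' "$2" | live_ports)
  printf '%s\n' "$1" | saved_ports | while read -r port; do
    printf '%s\n' "$live_list" | grep -qxF -e "$port" || printf '%s\n' "$port"
  done
}

# Sample input trimmed from the question's two listings.
SAVED_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

LIVE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

missing_from_live "$SAVED_RULES" "$LIVE_RULES"
```

On a real host, pass `"$(cat /etc/sysconfig/iptables)"` and `"$(iptables -L -n)"` as the two arguments. Any port printed is accepted in the saved file but absent from the loaded ruleset, so connections to it fall through to the final REJECT rule.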
