sftp still connecting, even when the daemon is not running
Fibonacci
2006-05-11, 12:32 AM CDT
Hello,
I've recently installed vsftpd and configured it so as to only allow connections from my user account. I had to open ports 20-22 on the firewall and enable port forwarding on my DI-524 router on those same ports to the machine on which vsftpd was running. Then I ssh'ed to my university servers and tested it: everything was running fine.
Now I've stopped the daemon (/etc/init.d/vsftpd stop), closed the previously opened ports on the firewall, ssh'ed to my uni, sftp'ed back here, and it still connects! It works on any port, even though I had specified connect_from_port_20=YES on vsftpd.conf. I tried ssh'ing here from my university, and it also works, but I never (knowingly) set up any ssh server on my home computer.
Now I fear for my safety... is there anything I can do about this?
Thanks in advance,
-Fibo
bryancole
2006-05-11, 07:11 AM CDT
sftp/ssh is not ftp/vsftp.
The sftp server is part of the sshd daemon and uses the ssh protocol, on port 22 normally. It's usually enabled by default on Fedora Core systems. Obviously, you can turn it off using System->Administration->Server Settings->Services. If you want sshd but not sftp, you can configure this in /etc/ssh/sshd_config. I think the default port for ftp is 20 or 21. "sftp" is a confusing name, since another protocol called "Simple File Transfer Protocol", also sftp, exists and uses port 115 by default. vsftp can use SSL encryption for ftp transfers; I'm not sure what port it uses in this case.
N.B. If you want to make sftp/ssh even more secure but still be able to log in remotely, disable password logins in /etc/ssh/sshd_config. Remote login using a public/private key pair can be used and is very secure.
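The two sshd_config changes bryancole mentions (dropping the sftp subsystem, turning off password logins) are easy to get subtly wrong, because sshd takes the first uncommented occurrence of a keyword and a PAM keyboard-interactive prompt still lets passwords through unless ChallengeResponseAuthentication is off as well. The script below is an added example, not code from the thread or from OpenSSH: it audits a constructed sample config (modelled on a Fedora-era default, not copied from any real system) and writes a hardened copy. Names such as write_sample_sshd_config and the temp-file layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden the sftp Subsystem and
# password-login settings in an sshd_config. Works on a constructed sample in a
# temp directory so it runs offline. Match blocks are ignored; a real audit
# must account for them.

# Write the constructed sample config to the file named in $1.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real system's file)
Port 22
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Print the effective value of keyword $2 in config $1. sshd uses the FIRST
# uncommented occurrence of a keyword and matches keywords case-insensitively.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Exit 0 if config $1 still enables the sftp subsystem, 1 otherwise.
sftp_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "subsystem" && $2 == "sftp" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a hardened copy of $1 to $2: comment out the sftp subsystem and force
# password and challenge-response (PAM keyboard-interactive) logins off, so
# only public-key authentication remains. Missing keywords are appended.
harden_sshd_config() {
    awk '
        /^[[:space:]]*#/ { print; next }
        tolower($1) == "subsystem" && $2 == "sftp" { print "#" $0; next }
        tolower($1) == "passwordauthentication" { if (!pa++) print "PasswordAuthentication no"; next }
        tolower($1) == "challengeresponseauthentication" { if (!cr++) print "ChallengeResponseAuthentication no"; next }
        { print }
        END {
            if (!pa) print "PasswordAuthentication no"
            if (!cr) print "ChallengeResponseAuthentication no"
        }
    ' "$1" > "$2"
}

# Demo run on the constructed sample.
dir=$(mktemp -d)
write_sample_sshd_config "$dir/sshd_config"
harden_sshd_config "$dir/sshd_config" "$dir/sshd_config.hardened"
echo "before: PasswordAuthentication=$(sshd_effective "$dir/sshd_config" PasswordAuthentication)"
echo "after:  PasswordAuthentication=$(sshd_effective "$dir/sshd_config.hardened" PasswordAuthentication)"
if sftp_enabled "$dir/sshd_config.hardened"; then
    echo "sftp subsystem still enabled"
else
    echo "sftp subsystem disabled"
fi
rm -r "$dir"
```

After editing the real /etc/ssh/sshd_config, run `sshd -t` to syntax-check it and keep an existing session open while restarting sshd, so a mistake cannot lock you out of a remote box.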
Fibonacci
2006-05-11, 06:59 PM CDT
sftp/ssh is not ftp/vsftp.
Oops, sorry... what client corresponds to vsftpd, then?
The sftp server is part of the sshd daemon and uses the ssh protocol, on port 22 normally. It's usually enabled by default on fedora core systems.
Just noticed so. I apologise for my stupidity.
vsftp can use SSL encryption for ftp transfers; I'm not sure what port it uses in this case.
20?
N.B. If you want to make sftp/ssh even more secure but still be able to log in remotely, disable password logins in /etc/ssh/sshd_config. Remote login using a public/private key pair can be used and is very secure.
Too cumbersome... I intend to access this server from both Wintendo *AHEM* Windows and Linux machines, on which I cannot install any extra software. I don't think it's possible using PK login.
icydog
2006-05-11, 07:08 PM CDT
vsftpd (and every other ftpd) runs on ports 20 and 21. One is a control port and one is data, or something like that, but it really doesn't matter. It uses both and both have to be open. The client that corresponds to this is ftp. gFTP, command-line ftp, Firefox, or (god forbid!) IE, etc. can all connect to it.
About public/private key authentication for SSH - I don't know how to do it in Windows, but in Linux to generate a key pair just use ssh-keygen, which is included with OpenSSH. To enable this on the server side, you only have to make an authorized_keys text file with the public key. If you need more details about this, I or someone else can give you step-by-step instructions for setting it up.
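The server-side half of what icydog describes is just an authorized_keys file, but the part that usually goes wrong is not the file's content but its permissions: sshd's StrictModes (on by default) silently refuses a key when the home directory, ~/.ssh or authorized_keys is group- or world-writable, logging "bad ownership or modes" instead of letting the login through. The script below is an added example, not code from the thread or from OpenSSH. It installs a key line under a throw-away HOME created with mktemp and checks those modes; the key line is a constructed placeholder that will not authenticate anywhere, so the script runs offline without ssh-keygen. install_authorized_key and check_strict_modes are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key into
# authorized_keys with the modes sshd's StrictModes requires, and check them.

# Constructed placeholder public key line: NOT a real key, will never authenticate.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEPLACEHOLDERNOTAREALKEY== fibo@laptop'

# Exit 0 if $1 looks like one OpenSSH public key line (type, base64 blob,
# optional comment). Catches the classic mistake of pasting the private key.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Install key line $2 into $1/.ssh/authorized_keys, where $1 plays the role of
# the user's home directory. Creates the directory with mode 700, the file
# with mode 600, and skips the line if it is already present.
install_authorized_key() {
    home="$1"; key="$2"
    valid_pubkey_line "$key" || { echo "refusing: not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -Fqx "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Exit 0 if home $1 would pass sshd's StrictModes checks: none of the home
# directory, .ssh or authorized_keys may be group- or world-writable.
# Uses ls -ld rather than stat so it works on both GNU and BSD userlands.
check_strict_modes() {
    home="$1"; ok=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; ok=1; continue; fi
        perm=$(ls -ld "$p" | cut -c1-10)
        case "$perm" in
            ?????w????|????????w?) echo "group/world writable: $p ($perm)"; ok=1 ;;
        esac
    done
    return $ok
}

# Demo run on a throw-away home directory.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
check_strict_modes "$demo_home" && echo "StrictModes would accept $demo_home"
chmod g+w "$demo_home/.ssh"   # simulate the classic mistake
check_strict_modes "$demo_home" || echo "key would now be refused (see 'bad ownership or modes' in the sshd log)"
rm -r "$demo_home"
```

On a real server the same check explains most "my key is ignored" reports; the fix is `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys` and making sure the home directory itself is not group-writable.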
Fibonacci
2006-05-11, 07:15 PM CDT
... The client that corresponds to this is ftp. gFTP, command-line ftp, Firefox, or (god forbid!) IE, etc. can all connect to it.
Maybe I did something wrong, then, because I couldn't ftp back here from my university. And yes, vsftpd was running.
About public/private key authentication for SSH - I don't know how to do it in Windows, but in Linux to generate a key pair just use ssh-keygen, which is included with OpenSSH. To enable this on the server side, you only have to make an authorized_keys text file with the public key. If you need more details about this, I or someone else can give you step-by-step instructions for setting it up.
The problem would not be generating the keys, but using them.
liro
2006-05-12, 11:25 AM CDT
Maybe I did something wrong, then, because I couldn't ftp back here from my university. And yes, vsftpd was running.
This could be a problem with your firewall. There exist two FTP modes, active and passive. Normally (active) FTP uses ports 20 and 21. Most clients (including IE and so on) then want to switch to passive mode, where the server sends the client a port above 1024...
So be sure to use only passive FTP if you have a firewall involved...
Fibonacci
2006-05-13, 06:48 PM CDT
There exist two FTP modes, active and passive. Normally (active) FTP uses ports 20 and 21. Most clients (including IE and so on) then want to switch to passive mode, where the server sends the client a port above 1024...
Even good ol' command line FTP?
So be sure to use only passive FTP if you have a firewall involved...
How? pasv_enabled on the conf file prevents it from even starting...
liro
2006-05-14, 03:17 AM CDT
Yes, even old command-line ftp uses this... you have a command, passive, in command-line ftp, which then switches to active FTP mode ;)
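liro's point about passive mode and Fibonacci's failed attempt to enable it fit together: in passive mode the server answers PASV with a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" line and the client connects to port p1*256+p2, so a firewall in front of vsftpd has to allow whatever range the server picks, which means pinning that range in vsftpd.conf. The option is spelled pasv_enable, and vsftpd refuses to start on any unrecognised key ("500 OOPS: unrecognised variable in config file"), which matches the symptom Fibonacci reports with pasv_enabled. The script below is an added example, not code from the thread or from vsftpd: it writes a constructed vsftpd.conf fragment, derives the firewall rule the range needs (printed, never executed), and decodes a constructed 227 reply. The port range 50000-50100 and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): passive-mode vsftpd configuration, the
# matching firewall rule, and decoding of a PASV reply. Nothing here touches
# a live firewall or FTP server; all inputs are constructed.

# Write a constructed vsftpd.conf fragment to $1. pasv_address is only needed
# when the server sits behind NAT (the DI-524 in the thread): it is the
# address advertised to the client, so it must be the public one.
write_sample_vsftpd_conf() {
    cat > "$1" <<'EOF'
# constructed fragment, not a complete vsftpd.conf
listen=YES
local_enable=YES
anonymous_enable=NO
connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# pasv_address=<public IP here, only if behind NAT>
EOF
}

# Print the value of key $2 from conf $1 (vsftpd uses key=value, one per line).
vsftpd_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Print the iptables rule that admits the configured passive range. Printed,
# not executed, so the live firewall is untouched.
pasv_firewall_rule() {
    lo=$(vsftpd_opt "$1" pasv_min_port); hi=$(vsftpd_opt "$1" pasv_max_port)
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' "$lo" "$hi"
}

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "host port".
# The data port is p1*256+p2, which is why a fixed pasv range matters.
pasv_reply_to_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Exit 0 if port $1 lies within the pasv range configured in conf $2.
port_in_pasv_range() {
    lo=$(vsftpd_opt "$2" pasv_min_port); hi=$(vsftpd_opt "$2" pasv_max_port)
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# Demo run on the constructed config and a constructed server reply.
conf=$(mktemp)
write_sample_vsftpd_conf "$conf"
echo "pasv_enable=$(vsftpd_opt "$conf" pasv_enable)"
pasv_firewall_rule "$conf"
reply='227 Entering Passive Mode (192,168,1,10,195,80)'
ep=$(pasv_reply_to_endpoint "$reply")
echo "client will connect to: $ep"
port_in_pasv_range "${ep#* }" "$conf" && echo "port is inside the pasv range, so the rule above admits it"
rm "$conf"
```

The alternative to a fixed range is the ip_conntrack_ftp (later nf_conntrack_ftp) helper, which watches the control channel for the 227 reply and opens the data port dynamically; the fixed range is the more predictable choice when a consumer router is doing the forwarding, since it cannot inspect the FTP exchange.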