Ftp
pure-ftpd gives the wrong IP for passive connections in TLS mode
I'm setting up our FTP server (pure-ftpd-1.0.21-r1) to use TLS/SSL. It works when I'm not using TLS.
Starting with the command options:
-S 21 -c 30 -C 10 -B -k 90% -A -R -Z -p 49152:65534 -U 013 -s --tls=1
Response: 230 OK. Current restricted directory is /
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response:  EPRT
Response:  IDLE
Response:  MDTM
Response:  SIZE
Response:  REST STREAM
Response:  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:  MLSD
Response:  TVFS
Response:  ESTP
Response:  PASV
Response:  EPSV
Response:  SPSV
Response:  ESTA
Response:  AUTH TLS
Response:  PBSZ
Response:  PROT
Response: 211 End.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (76,65,xxx,xxx,228,146)   # last octets removed to protect the guilty
Command: MLSD
Response: 150 Accepted data connection
Response: 226-ASCII
Response: 226-Options: -l
Response: 226 54 matches total
Status: Directory listing successful
Status: Disconnected from server
When I use TLS:
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 4 of 30 allowed.
Response: 220-Local time is now 09:19. Server port: 21.
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER john
Status: TLS/SSL connection established.
Response: 331 User john OK. Password required
Command: PASS ********
Response: 230-User john has group access to: svn anonymou proftpd powercor john
Response: 230- users usb ftp
Response: 230 OK. Current restricted directory is /
Command: SYST
# .... same as above
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (192,168,15,2,198,194)
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
My guess is that your FTP server is behind a NAT firewall and you are running the ip_conntrack_ftp helper module (or its equivalent) on the firewall device. Basically, that module scans the data stream for instances of the internal IP address and rewrites them to the external IP address. It can't do that for a TLS-protected FTP connection, though, because it can't decrypt the packets in flight to find the IP address (generally considered a good thing).
Your options are:
- Use the -P option to "force the specified IP address in reply to a PASV/EPSV/SPSV command".
- Get rid of the NAT.
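To make the mechanism in the answer concrete, here is an added Python example (not code from the post, from pure-ftpd, or from the conntrack helper): it parses the RFC 959 `227` reply, models the address rewrite a cleartext FTP NAT helper performs and why it cannot happen once the control channel is under TLS, and implements the client-side "unroutable address, use server address instead" fallback that FileZilla reported in the question. The address 192.168.15.2 is the one from the question's TLS log; 203.0.113.10 is a constructed stand-in for the server's public address, not the poster's real one. The function names and the list of "unroutable" networks are this example's own choices.

```python
import re
import ipaddress

# Networks a client should treat as unroutable when they show up in a PASV
# reply from a server it reached over the public Internet: RFC 1918 private
# space, loopback, link-local and CGNAT (this list is an assumption of the
# example, not something pure-ftpd or FileZilla publish).
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- six decimal fields.
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV field out of range: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(host, port):
    """Build a 227 reply for host:port in the h1,h2,h3,h4,p1,p2 form."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(host.split(".")), port // 256, port % 256)


def is_unroutable(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in UNROUTABLE_NETS)


def nat_helper_rewrite(reply, internal_ip, external_ip, tls):
    """Model of what an FTP NAT helper (ip_conntrack_ftp or equivalent) does
    to an outbound 227 reply: if it can read the control channel and the
    reply advertises the internal address, substitute the external one.
    Under TLS the helper only sees ciphertext, so the reply passes unchanged
    and the client receives the private address.
    """
    if tls:
        return reply
    host, port = parse_pasv(reply)
    if host == internal_ip:
        return format_pasv(external_ip, port)
    return reply


def choose_data_endpoint(reply, control_host):
    """Client-side fallback matching the FileZilla status line in the post:
    if the advertised address is unroutable, connect to the control
    connection's address on the advertised port instead.
    Returns (host, port, substituted).
    """
    host, port = parse_pasv(reply)
    if is_unroutable(host) and not is_unroutable(control_host):
        return control_host, port, True
    return host, port, False


if __name__ == "__main__":
    # Constructed sample based on the question's TLS log.
    INTERNAL, EXTERNAL = "192.168.15.2", "203.0.113.10"
    reply = "227 Entering Passive Mode (192,168,15,2,198,194)"
    print(nat_helper_rewrite(reply, INTERNAL, EXTERNAL, tls=False))  # rewritten
    print(nat_helper_rewrite(reply, INTERNAL, EXTERNAL, tls=True))   # unchanged
    print(choose_data_endpoint(reply, EXTERNAL))                      # fallback
```

On a cleartext session the helper does two things: it rewrites the advertised address and it opens the advertised data port through the firewall for that one connection. pure-ftpd's `-P`/`--forcepassiveip` replaces only the first; under TLS the `-p 49152:65534` passive range must also be forwarded to the server statically, otherwise the data connection still times out even after the client substitutes the server address, which is consistent with the timeout in the question's log.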