
FTP

Posted by civey on Tue, 02/08/2011

I have TFTP working on the Thirdlane but as everyone knows Polycoms and TFTP do not play nice.
Last night we tried to get FTP working and to test we logged in with a laptop but the system would just kick us out.

Is there something we need to do special to make FTP work on the server?


Submitted by civey on Tue, 02/08/2011 Permalink

ISO installed around October 2010 and then upgraded to 6.1.1.7.
I was wondering what it takes to get the FTP working because it does not look to be running by default.

Thanks

Submitted by civey on Tue, 02/08/2011 Permalink

Yes I have that directory and I was under the impression that FTP/TFTP/HTTP all point to that directory.
The only one that will pull files is TFTP. Are we supposed to pick a FTP client to install and configure?
If so how do we go about doing this?
I looked at ProFTPD in Webmin and it says

The ProFTPD server /usr/sbin/proftpd could not be found on your system. Maybe it is not installed, or your module configuration is incorrect.

The ProFTPd package can be automatically installed by Webmin. Click here to have it downloaded and installed using YUM.

So does this mean I need to figure out how to configure it?

Thanks

Submitted by eeman on Tue, 02/08/2011 Permalink

You should have vsftpd running, and you should have a user in your /etc/passwd file named PlcmSpIp. If you installed from ISO then all this is already running. When you connected via FTP, did you use the user/pass of PlcmSpIp for both user and pass?

Submitted by civey on Tue, 02/08/2011 Permalink

vsftpd is running and it looks like the username and password are PlcmSpIp but when I try and log in it will just kick me out and tell me I don't have rights?

It says an error occurred when trying to open that folder....

Ideas?

Submitted by eeman on Tue, 02/08/2011 Permalink

[root@eeman ~]# ls -ld /home/PlcmSpIp
drwx--x--x 8 root root 4096 Jan 28 12:56 /home/PlcmSpIp

Submitted by civey on Tue, 02/08/2011 Permalink

PlcmSpIp is the user and does exist in the /etc/passwd file:

PlcmSpIp:x:500:500::/home/PlcmSpIp:/sbin/nologin

Even adjusted to

PlcmSpIp:x:503:503::/home/PlcmSpIp:/bin/bash

I still can't list the directory? But I can now login via SSH:

[PlcmSpIp@mylogin ~]$ dir
dir: .: Permission denied
[PlcmSpIp@mylogin ~]$

Even if its changed to a

We have been using PlcmSpIp as the password

No matter what we change it will not connect completely….it ends in a data socket connection error

Iptables is temporarily turned off right now, we are using vsftpd

Submitted by civey on Tue, 02/08/2011 Permalink

[root@mylogin vsftpd]# ls -ld /home/PlcmSpIp
drwxr-x--x 8 root root 12288 Feb 8 00:08 /home/PlcmSpIp
[root@mylogin vsftpd]#

I even just adjusted vsftp.conf with

pasv_address=ipofthePBX

and nothing after vsftpd restart

Submitted by eeman on Tue, 02/08/2011 Permalink

You aren't supposed to be able to list the directory; that's part of the security.

what you should be able to do,

be able to login via FTP
be able to issue a GET command for a specific file name.

Submitted by eeman on Tue, 02/08/2011 Permalink

make sure you change your shell back to /sbin/nologin .. otherwise there will be attempts to hack your server via ssh.

Submitted by civey on Tue, 02/08/2011 Permalink

Get Works...
Trying to use it like normal FTP..
Testing now with a Polycom.

Thanks EEMAN for the help.

Submitted by eeman on Tue, 02/08/2011 Permalink

Removing the read permission from the directory prevents someone from using an FTP client to log in, search the directory, find those mac-registration.cfg files, download them and acquire your login credentials. This was also a vulnerability of previous HTTP installations where directory indexing was enabled. The behavior now mimics TFTP, where the filename must be known. This makes remote tampering much more difficult because the hacker would have to have the ability to use a packet capture utility to sniff not only user/pass but the get requests to FTP.
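The two settings discussed above (a home directory the account can traverse but not list, and a non-interactive login shell) can be checked together. This is an added example, not code from the thread or from Thirdlane; the `audit` helper is hypothetical, and it assumes the account's primary group carries the same name as the account.

```python
# Added example: audit the provisioning account's passwd entry together with
# the `ls -ld` line of its home directory.
NON_INTERACTIVE_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def permission_class(mode, owner, group, account):
    """Pick the rwx triplet that applies to `account` (POSIX: first match wins).

    Assumption: the account's primary group has the same name as the account.
    """
    if owner == account:
        return mode[1:4]
    if group == account:
        return mode[4:7]
    return mode[7:10]

def audit(passwd_line, ls_line):
    """Return a list of findings; an empty list matches the advice in the thread."""
    name, _pw, _uid, _gid, _gecos, home, shell = passwd_line.strip().split(":")
    fields = ls_line.split()
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    findings = []
    if path != home:
        findings.append(f"{path} is not the account's home directory ({home})")
    r, _w, x = permission_class(mode, owner, group, name)
    if r == "r":
        findings.append("account can list the directory and discover file names")
    if x not in "xst":
        findings.append("account cannot traverse the directory, so GET by name fails")
    if shell not in NON_INTERACTIVE_SHELLS:
        findings.append(f"login shell {shell} allows interactive logins")
    return findings

if __name__ == "__main__":
    # Lines quoted in the thread
    print(audit("PlcmSpIp:x:500:500::/home/PlcmSpIp:/sbin/nologin",
                "drwx--x--x 8 root root 4096 Jan 28 12:56 /home/PlcmSpIp"))
    print(audit("PlcmSpIp:x:503:503::/home/PlcmSpIp:/bin/bash",
                "drwxr-x--x 8 root root 12288 Feb 8 00:08 /home/PlcmSpIp"))
```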

Submitted by eeman on Tue, 02/08/2011 Permalink

application not present means you have not installed the bootrom and sip software..

go fetch both the bootrom and sip software, stay away from the 3.3.x release use the 3.2.x release.

put them somewhere, like in my example usr/src/polycom

cd /home/PlcmSpIp
unzip /usr/src/polycom/spip_ssip_vvx_BootROM_4_2_0_release_sig.zip
unzip /usr/src/polycom/spip_ssip_vvx_3_2_1_release_sig_split.zip

Submitted by civey on Tue, 02/08/2011 Permalink

Thanks EEMAN - sip.ld is not there

downloading now.

Submitted by civey on Tue, 02/08/2011 Permalink

I have unzipped in the home/PlcmSpIp folder.
I can run a tcpdump -n -i eth0 -vvv port ftp from the cli and see the phone hitting the box but after this runs for about 2 to 3 min it will say on the phone could not contact boot server and then it will tell me application is not present.

Any Ideas?

Submitted by civey on Tue, 02/08/2011 Permalink

I changed it back to TFTP and it downloaded the application but it will not download in FTP mode?

I watch it and it does hit the FTP server but it just bombs.

I think it is weird that it will download the files in TFTP because the folder is the same.

Submitted by eeman on Tue, 02/08/2011 Permalink

What does your /var/log/xferlog say? It's possible you changed something in vsftpd.conf?

Submitted by civey on Tue, 02/08/2011 Permalink

Tue Feb 8 15:40:16 2011 1 127.0.0.1 1822 /0004f22b0df0.cfg b _ o r PlcmSpIp ftp 0 * c
Tue Feb 8 21:38:51 2011 3 208.210.197.234 634324 /2345-12360-001.bootrom.ld a _ o r PlcmSpIp ftp 0 * c

Submitted by civey on Wed, 02/09/2011 Permalink

EEMAN, do you have any ideas where I should look? The phone will work no problem with TFTP.

Very Strange

Submitted by civey on Wed, 02/09/2011 Permalink

Opened the Cisco router in front of the Thirdlane box and it works.
We are looking at the ports and it looks like it needs random ports opened in order to complete the connection.

How do we leave the router in place but open the ports for FTP to work?

Submitted by eeman on Wed, 02/09/2011 Permalink

If by router you mean pix firewall this is an unnecessary addition because centos already has a good firewall running in the MTE distribution. If you want to continue to use the pix firewall you will need to find out from that vendor how to enable a FTP server using PASSIVE mode FTP from behind the firewall. Passive mode dynamically picks a port from 1025-16550 for transfer. Linux firewalls use a 'helper module' that tracks FTP port 21 connections and if there is a connection considered ESTABLISHED, then the ESTABLISHED,RELATED firewall rule will allow additional traffic (ie the passive data port) to occur.
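The passive-mode failure in this thread can be reproduced on paper from the server's 227 reply. The following is an added example, not part of the thread: it decodes the reply and checks it against what an edge firewall forwards. The addresses and the 50000-50100 range are constructed; the range stands for one pinned in vsftpd with `pasv_min_port`/`pasv_max_port`, and a mismatched address is what `pasv_address` corrects.

```python
import re

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range")
    # The data port is sent as two bytes: high byte first.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_pasv(reply, control_ip, allowed_ports):
    """Return the reasons the data connection would fail through a firewall or NAT."""
    host, port = parse_pasv(reply)
    lo, hi = allowed_ports
    problems = []
    if host != control_ip:
        problems.append(f"server advertises {host}, client connected to {control_ip}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems

# Constructed values (assumptions, not from the thread)
CONTROL_IP = "203.0.113.20"   # address the phone uses for port 21
FORWARDED = (50000, 50100)    # range opened on the edge firewall

if __name__ == "__main__":
    for reply in ("227 Entering Passive Mode (203,0,113,20,195,80)",
                  "227 Entering Passive Mode (10,0,0,5,195,80)",
                  "227 Entering Passive Mode (203,0,113,20,39,16)"):
        print(reply, "->", check_pasv(reply, CONTROL_IP, FORWARDED) or "ok")
```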

Submitted by civey on Thu, 02/10/2011 Permalink

EEMAN

Thanks for the insight on this.

We were able to program the passive ports on the router and all is good now.

Submitted by acheck on Wed, 03/13/2013 Permalink

In order to prevent possible attacks via ssh you should block PlcmSpIp at /etc/ssh/sshd_config

#block PlcmSpIp
DenyUsers PlcmSpIp

After that PlcmSpIp login will be blocked at sshd forever.

Submitted by eeman on Wed, 03/13/2013 Permalink

Yes, this is a flaw in SSH that has been discussed in the redhat/centos community. Actually, what you should do is close off SSH to only a few trusted subnets and not have to worry about this exploit or the 10000000000 other exploits people will try via SSH. This won't be the first or the last SSH based attack. The first thing someone should do when they roll their service into production is edit their /etc/sysconfig/iptables script and for the port 22 allow rule modify it to use a -s 123.123.123.123/24 syntax to restrict it to a source subnet. Multiple rules can be inserted to allow a handful of restricted source addresses. The iptables script needs a cleaning anyway.. for whatever reason I have found a ridiculous rule inserted, on several machines now, where every single port from 1024 upward is allowed for TCP access. I think the intent was related to ftp and tftp but whoever made that rule simply had no clue how the CONNTRACK system works.. you can simply add ip_conntrack_ftp and ip_conntrack_tftp to the loaded module list so that the -m state --state ESTABLISHED,RELATED -j ACCEPT rule works. Leaving 65k tcp ports open to attack means that this pbx is 1) vulnerable to lots of attacks where the service port is > 1024 and 2) Any entity that is a government organization or does business with a government org cannot use it as-is because it does not comply with about half a dozen broad security requirements. Basically they don't let people have an "allow-everything and only block a few" rule set.
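A rule file can be checked for the two problems described above: SSH accepted from any source, and a wide port range accepted from any source. This is an added example, not code from the thread or from Thirdlane; both rule sets are constructed, and the 1000-port threshold for "wide" is an assumption.

```python
import shlex

OPTS = {"-s": "src", "--source": "src",
        "--dport": "dport", "-j": "target", "--state": "state"}

def parse_rule(line):
    """Pull the fields this audit needs out of one iptables-save style rule."""
    tok = shlex.split(line)
    rule = dict.fromkeys(OPTS.values())
    for i, t in enumerate(tok[:-1]):
        if t in OPTS:
            rule[OPTS[t]] = tok[i + 1]
    return rule

def port_range(dport):
    """'22' -> (22, 22); '1024:65535' -> (1024, 65535); '1024:' -> (1024, 65535)."""
    lo, sep, hi = dport.partition(":")
    lo = int(lo) if lo else 0
    return lo, int(hi) if hi else (65535 if sep else lo)

def audit(rules_text, wide=1000):
    """Return (line_number, finding) pairs for ACCEPT rules open to any source."""
    findings, has_related = [], False
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if r["target"] != "ACCEPT":
            continue
        if r["state"] and "RELATED" in r["state"].split(","):
            has_related = True   # lets the FTP helper admit the data connection
        if r["dport"] is None or r["src"] is not None:
            continue
        lo, hi = port_range(r["dport"])
        if hi - lo + 1 >= wide:
            findings.append((n, f"ports {lo}-{hi} open to any source"))
        elif lo <= 22 <= hi:
            findings.append((n, "SSH open to any source"))
    if not has_related:
        findings.append((0, "no ESTABLISHED,RELATED accept rule"))
    return findings

# Constructed rule sets (not taken from a real machine)
WEAK = """-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT"""
FIXED = """-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 123.123.123.123/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT"""
```

`audit(WEAK)` reports lines 2 and 4, and `audit(FIXED)` returns an empty list; the corrected set relies on the FTP conntrack helper being loaded so that the RELATED rule covers the passive data port.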

Submitted by thirdlane on Sat, 02/13/2016 Permalink

6.1.1.10 is VERY old.

You should consider moving to version 7.X - for which we provide tools to facilitate migration from 6.X.