FTP Server Error FTP Connect No Route To Host Solution

The document describes an error when setting up an FTP server on Red Hat Enterprise Linux 7 where the FTP client aborts with the error "No route to host". The cause is a missing ip_conntrack_ftp kernel module. Loading this module with modprobe fixes the issue temporarily, but a script can be created to load it persistently on reboot. The script is placed in /etc/sysconfig/modules/ and made executable to load the required modules, including ip_conntrack_ftp, after each system restart.

Uploaded by iftikhar ahmed

RHEL7 FTP server error: ftp: connect: No route to host solution

When setting up an FTP server on a Red Hat 7 Linux box, the following error message,
ftp: connect: No route to host, may pop up during an FTP client session:

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,1,1,110,138,70).
ftp: connect: No route to host
ftp>

The cause of the above error is a missing ip_conntrack_ftp kernel module: without this
connection-tracking helper, the firewall does not associate the passive-mode data connection
with the control session and blocks the client's connect attempt. The quick fix is to load
the module using modprobe:

# modprobe ip_conntrack_ftp

However, you will need to do this every time you reboot your Red Hat server. As a
more permanent solution you can have the module loaded after each reboot by
creating an executable shell script in the /etc/sysconfig/modules/ directory. Create
the file /etc/sysconfig/modules/iptables.modules with the following content:

#!/bin/sh
# Load the FTP connection-tracking helper at boot; output is discarded.
# ip_conntrack_ftp is the legacy name: lsmod reports the module as nf_conntrack_ftp.
exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1

Once you save this file you also need to make it executable:

# chmod +x /etc/sysconfig/modules/iptables.modules

The above script will load the following modules after each reboot:

[root@rhel7 ~]# lsmod | grep ftp
nf_conntrack_ftp 18638 0
nf_conntrack 101024 9 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,ip6table_nat,nf_conn

Title: Red Hat Enterprise Linux 7 - FTP Client Aborts With Error "Out of memory" When Using 'mput' to Transfer Files

Object Name: emr_na-kc0132419en_us
Document Type: Support Information
Original owner: KCS - Linux
Disclosure level: Public
Version state: final
Environment
FACT:RHEL 7.2
FACT:ftp-0.17-66.el7
FACT:RHEL 6 versions prior to ftp-0.17-51.3

Questions/Symptoms
SYMPTOM:
ftp: Out of memory

Cause
CAUSE: ftp client available in RHEL 7.2 fails with error "Out of memory"
when attempting to transfer multiple files with 'mput':

# ftp dl980g7
Connected to dl980g7 (10.26.8.8).
220 (vsFTPd 2.2.2)
Name (dl980g7:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput host*

ftp: Out of memory

# echo $?
1

Transferring the files individually using 'put' works.

The latest RHEL 6 ftp client does not suffer from this problem; the later
RHEL 6 ftp RPM changelog contains:

ek <[email protected]>
- 0.17-51.2
- fix 'Out of memory' message when stacksize is set to unlimited
- Resolves: #783868

However, the RHEL 7 changelog does not list these changes. This is a bug in
the RHEL 7 ftp client; the RHEL 6 "unlimited stack" errata was not included
in RHEL 7.

Answer/Solution
FIX: Red Hat identifies the problem on RHEL 6 as being due to an unlimited stack
size in the shell environment.

See the article titled "FTP client on RHEL6.x failed with 'ftp: Out of memory'".

Several workarounds exist:

1. Before running 'ftp', change the stack size back to its
default value of 8KB. This prevents the "out of memory" failure:

# ulimit -s 8192

2. Use 'sftp' instead. The secure ftp client uses the standard 'sshd' server
and is strongly recommended.

3. Avoid using 'mput' to transfer multiple files at once.

Red Hat is aware of the problem and is working on a fix for RHEL 7 under
private BZ#1304064. The fixed client is targeted for RHEL 7.3.

In this article, we discuss how to remedy the following error message in VSFTPD.

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

Preflight Check

- These instructions are intended specifically for solving the error:
500 OOPS: vsftpd: refusing to run with writable root inside chroot().
- We will be working from a Liquid Web Self Managed Fedora 32 server, and logged in as
the root user.

How to Repair
This error may occur when attempting to connect to a vsftpd FTP server that is
configured to jail (prevent from accessing other directories) each FTP user. It is best
practice to create Linux users specifically for FTP, that can't log in via SSH. For example,
if you wanted to remove SSH access for testuser, then you'd use the following
command:

usermod -s /sbin/nologin testuser

However, that won't address the problem listed in the error. To fix it, the user's home
directory must be made read-only. Assuming the username is testuser and the
home directory is /home/testuser, execute the following command:

chmod a-w /home/testuser

For good measure, be sure to restart vsftpd:

systemctl restart vsftpd


Alternative Fix
Alternatively, you can bypass the writable check in the vsftpd config file by running the
following command:

echo 'allow_writeable_chroot=YES' >> /etc/vsftpd/vsftpd.conf && systemctl restart vsftpd

Note that this turns off the check rather than fixing the permissions: jailed users keep write
access to the root of their jail, which is exactly the condition vsftpd refuses by default.
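Both fixes above can be checked before restarting the service. The following Python is an added example, not Liquid Web's or vsftpd's code: it assumes local users are jailed with chroot_local_user=YES (a real vsftpd option that the article does not show) and inspects the write bits that chmod a-w clears, which is a simplified stand-in for vsftpd's own access check on the jail root.

```python
import os
import stat
import tempfile


def parse_vsftpd_conf(text):
    """Minimal key=value parser for vsftpd.conf.

    '#' comments and blank lines are ignored; a later setting overrides an
    earlier one, so a line appended with echo >> wins, as in the bypass above.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_writable_by_anyone(path):
    """True if any write bit (user, group or other) is still set on the directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def chroot_login_refused(conf, home):
    """Approximate the refusal condition: users are jailed, the bypass is off,
    and the jail root (the user's home) is writable."""
    if conf.get("chroot_local_user", "NO").upper() != "YES":
        return False                      # no jail, so no check
    if conf.get("allow_writeable_chroot", "NO").upper() == "YES":
        return False                      # check bypassed by the alternative fix
    return is_writable_by_anyone(home)


# Constructed config fragments (assumed, not taken from the article).
JAILED_CONF = "listen=YES\nlocal_enable=YES\nchroot_local_user=YES\n"
BYPASS_CONF = JAILED_CONF + "allow_writeable_chroot=YES\n"


def demo():
    """Throwaway home directory: before the fix, with the bypass, after chmod a-w."""
    home = tempfile.mkdtemp()
    try:
        os.chmod(home, 0o755)             # a freshly created home is owner-writable
        before = chroot_login_refused(parse_vsftpd_conf(JAILED_CONF), home)
        bypass = chroot_login_refused(parse_vsftpd_conf(BYPASS_CONF), home)
        os.chmod(home, 0o555)             # same effect as: chmod a-w /home/testuser
        after = chroot_login_refused(parse_vsftpd_conf(JAILED_CONF), home)
    finally:
        os.chmod(home, 0o755)
        os.rmdir(home)
    return before, bypass, after          # (True, False, False)


if __name__ == "__main__":
    print(demo())
```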

FTP (File Transfer Protocol)

By Sean Michael Kerner and John Burke, Nemertes Research

What is FTP (File Transfer Protocol)?


FTP (File Transfer Protocol) is a network protocol for transmitting files
between computers over Transmission Control Protocol/Internet Protocol
(TCP/IP) connections. Within the TCP/IP suite, FTP is considered an
application layer protocol.

In an FTP transaction, the end user's computer is typically called the local
host. The second computer involved in FTP is a remote host, which is usually
a server. Both computers need to be connected via a network and configured
properly to transfer files via FTP. Servers must be set up to run FTP services,
and the client must have FTP software installed to access these services.

Although many file transfers can be conducted using Hypertext Transfer
Protocol (HTTP) -- another protocol in the TCP/IP suite -- FTP is still
commonly used to transfer files behind the scenes for other applications, such
as banking services. It is also sometimes used to download new applications
via web browsers.

How does FTP work?


FTP is a client-server protocol that relies on two communications channels
between the client and server: a command channel for controlling the
conversation and a data channel for transmitting file content.

Here is how a typical FTP transfer works:

1. A user typically needs to log on to the FTP server, although some servers
make some or all of their content available without a login, a model known
as anonymous FTP.

2. The client initiates a conversation with the server when the user requests
to download a file.

3. Using FTP, a client can upload, download, delete, rename, move and copy
files on a server.

FTP sessions work in active or passive modes:

- Active mode. After a client initiates a session via a command channel
request, the server creates a data connection back to the client and begins
transferring data.

- Passive mode. The server uses the command channel to send the client
the information it needs to open a data channel. Because passive mode
has the client initiating all connections, it works well across firewalls
and network address translation gateways.

[Figure: Active FTP and passive FTP compared]

Users can work with FTP via a simple command-line interface -- from a
console or terminal window in Microsoft Windows, Apple macOS or Linux -- or
with a dedicated graphical user interface. Web browsers can also serve as
FTP clients.
Why is FTP important and what is it used for?
FTP is a standard network protocol that can enable expansive file transfer
capabilities across IP networks. Without FTP, file and data transfer can be
managed with other mechanisms -- such as email or an HTTP web service --
but those other options lack the clarity of focus, precision and control that FTP
enables.

FTP is used for file transfers between one system and another, and it has
several common use cases, including the following:

- Backup. FTP can be used by backup services or individual users to
back up data from one location to a secured backup server running FTP
services.

- Replication. Similar to backup, replication involves duplication of data
from one system to another but takes a more comprehensive approach to
provide higher availability and resilience. FTP can also be used to facilitate
this.

- Access and data loading. FTP is also commonly used to access shared
web hosting and cloud services as a mechanism to load data onto a
remote system.

FTP types
There are several different ways an FTP server and client software can
conduct a file transfer using FTP:

- Anonymous FTP. This is the most basic form of FTP. It provides support
for data transfers without encrypting data or using a username and
password. It's most commonly used for download of material that is
allowed for unrestricted distribution. It works on port

- Password-protected FTP. This is also a basic FTP service, but it requires
the use of a username and password, though the service might not be
encrypted or secure. It also works on port 21.

- FTP Secure (FTPS). Sometimes referred to as FTP Secure Sockets Layer
(FTP-SSL), this approach enables implicit Transport Layer Security (TLS)
as soon as an FTP connection is established. FTPS was initially used to
help enable a more secure form of FTP data transfer. It typically defaults to
using port 990.

- FTP over explicit SSL/TLS (FTPES). This approach enables explicit TLS
support by upgrading an FTP connection over port 21 to an encrypted
connection. This is a commonly used approach by web and file sharing
services to enable secure file transfers.

- Secure FTP (SFTP). This is technically not an FTP protocol, but it
functions similarly. Rather, SFTP is a subset of the Secure Shell (SSH)
protocol that runs over port 22. SSH is commonly used by systems
administrators to remotely and securely access systems and applications,
and SFTP provides a mechanism within SSH for secure file transfer.

FTP security
FTP was initially defined in 1971, predating TCP and IP, and it has been
redefined several times since then to accommodate new technologies,
including the use of TCP/IP, or Request for Comments 765 and RFC 959,
and IPv6, or RFC 2428.

FTP has also undergone several updates to enhance FTP security. These
include versions that encrypt via an implicit TLS connection (FTPS) or explicit
TLS connection (FTPES) or that work with SFTP.

By default, FTP does not encrypt traffic, and individuals can capture packets
to read usernames, passwords and other data. By encrypting FTP with FTPS
or FTPES, data is protected, limiting the ability of an attacker to eavesdrop on
a connection and steal data.
FTP may still be vulnerable to brute-force attacks against user/password
authentication, spoofing, an FTP bounce attack or a distributed denial-of-
service attack.

History of FTP
The first specification for FTP was published as RFC 114 on April 16, 1971,
and was written by Abhay Bhushan, then a student at the Massachusetts
Institute of Technology. The original idea behind FTP was to enable the
transfer of files over ARPANET, the precursor to the internet.

As the modern internet began to take shape, the FTP specification underwent
several revisions to align with networking standards, including TCP/IP. In
1980, a new version of FTP was defined in RFC 765 by Jon Postel, a
research scientist at the Information Sciences Institute at the University of
Southern California at the time. Five years later, FTP was redefined yet again
with RFC 959, which introduced new management capabilities for the
protocol, including the ability to make and remove a file directory. Prior
iterations of FTP were largely limited to transferring files to and from existing
file directory structures.

In 1997, RFC 959 was updated with new capabilities defined in RFC 2228 to
provide security capabilities. Two years later, FTP was updated with RFC
2428 to support the IPv6 protocol.

FTP clients
FTP clients are used to upload, download and manage files on a server. FTP
clients include the following:

- FileZilla. This is a free FTP client for Windows, macOS and Linux that
supports FTP, FTPS and SFTP.
- Transmit. This is an FTP client for macOS that supports FTP and SSH.
- WinSCP. This is a Windows FTP client that supports FTP, SSH and SFTP.
- WS_FTP. This is another Windows FTP client that supports SSH.

This was last updated in May 2021

The second digit is a grouping digit and encodes the following information:

- x0x Syntax. These replies refer to syntax errors, syntactically correct commands that don't fit any
functional category, and unimplemented or superfluous commands.
- x1x Information. These are replies to requests for information, such as status or help.
- x2x Connections. Replies referring to the control and data connections.
- x3x Authentication and accounting. Replies for the login process and accounting procedures.
- x4x Unspecified as of RFC 959.
- x5x File system. These replies indicate the status of the server file system vis-a-vis the requested
transfer or other file system action.

Below is a list of all known return codes that may be issued by an FTP server.

- 100 Series: The requested action is being initiated; expect another reply before
proceeding with a new command.
- 110 Restart marker reply. In this case, the text is exact and not left to the particular
implementation; it must read: MARK yyyy = mmmm where yyyy is the user-process data
stream marker, and mmmm the server's equivalent marker (note the spaces between
markers and "=").
- 120 Service ready in nnn minutes.
- 125 Data connection already open; transfer starting.
- 150 File status okay; about to open data connection.
- 200 Command okay.
- 202 Command not implemented, superfluous at this site.
- 211 System status, or system help reply.
- 212 Directory status.
- 213 File status.
- 214 Help message. On how to use the server or the meaning of a particular non-standard
command. This reply is useful only to the human user.
- 215 NAME system type. Where NAME is an official system name from the list in the
Assigned Numbers document.
- 220 Service ready for new user.
- 221 Service closing control connection.
- 225 Data connection open; no transfer in progress.
- 226 Closing data connection. Requested file action successful (for example, file transfer
or file abort).
- 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
- 230 User logged in, proceed. Logged out if appropriate.
- 250 Requested file action okay, completed.
- 257 "PATHNAME" created.
- 331 User name okay, need password.
- 332 Need account for login.
- 350 Requested file action pending further information.
- 421 Service not available, closing control connection. This may be a reply to any
command if the service knows it must shut down.
- 425 Can't open data connection.
- 426 Connection closed; transfer aborted.
- 450 Requested file action not taken.
- 451 Requested action aborted. Local error in processing.
- 452 Requested action not taken. Insufficient storage space in system. File unavailable
(e.g., file busy).
- 500 Syntax error, command unrecognized. This may include errors such as command
line too long.
- 501 Syntax error in parameters or arguments.
- 502 Command not implemented.
- 503 Bad sequence of commands.
- 504 Command not implemented for that parameter.
- 530 Not logged in.
- 532 Need account for storing files.
- 550 Requested action not taken. File unavailable (e.g., file not found, no access).
- 551 Requested action aborted. Page type unknown.
- 552 Requested file action aborted. Exceeded storage allocation (for current directory or
dataset).
- 553 Requested action not taken. File name not allowed.
- 600 Series: Replies regarding confidentiality and integrity.
- 631 Integrity protected reply.
- 632 Confidentiality and integrity protected reply.
- 633 Confidentiality protected reply.
- 10000 Series: Common Winsock error codes (these are not FTP return codes).
- 10054 Connection reset by peer. The connection was forcibly closed by the remote host.
- 10060 Cannot connect to remote server.
- 10061 Cannot connect to remote server. The connection is actively refused by the
server.
- 10066 Directory not empty.
- 10068 Too many users, server is full.
Important FTP Commands Cheat sheet

A list of FTP commands that may be sent to an FTP server, including all commands that
are standardized in RFC 959 by the IETF (Internet Engineering Task Force).

RFC stands for Request for Comments. Where a command comes from an extension document
rather than a numbered RFC, that document's title is given in its place.

ABOR: Abort an active file transfer.
ACCT: Account information.
ADAT (RFC 2228): Authentication/Security Data.
ALLO: Allocate sufficient disk space to receive a file.
APPE: Append (with create).
AUTH (RFC 2228): Authentication/Security Mechanism.
AVBL (Streamlined FTP Command Extensions): Get the available space.
CCC (RFC 2228): Clear Command Channel.
CDUP: Change to parent directory.
CONF (RFC 2228): Confidentiality Protection Command.
CSID (Streamlined FTP Command Extensions): Client / Server Identification.
CWD (RFC 697): Change working directory.
DELE: Delete file.
DSIZ (Streamlined FTP Command Extensions): Get the directory size.
ENC (RFC 2228): Privacy Protected Channel.
EPRT (RFC 2428): Specifies an extended address and port to which the server should connect.
EPSV (RFC 2428): Enter extended passive mode.
FEAT (RFC 2389): Get the feature list implemented by the server.
HELP: Returns usage documentation on a command if specified, else a general help document is returned.
HOST (RFC 7151): Identify desired virtual host on server, by name.
LANG (RFC 2640): Language Negotiation.
LIST: Returns information of a file or directory if specified, else information of the current working directory is returned.
LPRT (RFC 1639): Specifies a long address and port to which the server should connect.
LPSV (RFC 1639): Enter long passive mode.
MDTM (RFC 3659): Return the last-modified time of a specified file.
MFCT (The 'MFMT', 'MFCT', and 'MFF' Command Extensions for FTP): Modify the creation time of a file.
MFF (The 'MFMT', 'MFCT', and 'MFF' Command Extensions for FTP): Modify fact (the last modification time, creation time, UNIX group/owner/mode of a file).
MFMT (The 'MFMT', 'MFCT', and 'MFF' Command Extensions for FTP): Modify the last modification time of a file.
MIC (RFC 2228): Integrity Protected Command.
MKD: Make directory.
MLSD (RFC 3659): Lists the contents of a directory if a directory is named.
MLST (RFC 3659): Provides data about exactly the object named on its command line, and no others.
MODE: Sets the transfer mode (Stream, Block, or Compressed).
NLST: Returns a list of file names in a specified directory.
NOOP: No operation (dummy packet; used mostly on keepalives).
OPTS (RFC 2389): Select options for a feature (for example OPTS UTF8 ON).
PASS: Authentication password.
PASV: Enter passive mode.
PBSZ (RFC 2228): Protection Buffer Size.
PORT: Specifies an address and port to which the server should connect.
PROT (RFC 2228): Data Channel Protection Level.
PWD: Print working directory. Returns the current directory of the host.
QUIT: Disconnect.
REIN: Reinitializes the connection.
REST (RFC 3659): Restart transfer from the specified point.
RETR: Retrieve a copy of the file.
RMD: Remove a directory.
RMDA (Streamlined FTP Command Extensions): Remove a directory tree.
RNFR: Rename from.
RNTO: Rename to.
SITE: Sends site-specific commands to the remote server (like SITE IDLE 60 or SITE UMASK 002). Inspect SITE HELP output for the complete list of supported commands.
SIZE (RFC 3659): Return the size of a file.
SMNT: Mount file structure.
SPSV (FTP Extension Allowing IP Forwarding (NATs)): Use single port passive mode (only one TCP port number for both control connections and passive-mode data connections).
STAT: Returns the current status.
STOR: Accept the data and store it as a file at the server site.
STOU: Store file uniquely.
STRU: Set file transfer structure.
SYST: Return system type.
THMB (Streamlined FTP Command Extensions): Get a thumbnail of a remote image file.
TYPE: Sets the transfer mode (ASCII/Binary).
USER: Authentication username.
XCUP (RFC 775): Change to the parent of the current working directory.
XMKD (RFC 775): Make a directory.
XPWD (RFC 775): Print the current working directory.
XRCP (RFC 743)
XRMD (RFC 775): Remove the directory.
XRSQ (RFC 743)
XSEM (RFC 737): Send, mail if cannot.
XSEN (RFC 737): Send to terminal.

VSFTPD: Getting error 425 Failed to establish connection, while listing directory
contents in RHEL 7?

SOLUTION VERIFIED - Updated December 11 2019 at 10:30 AM

Environment

- Red Hat Enterprise Linux 7.0
- vsftpd-3.0.2-9
- selinux-policy-3.13.1-23.el7.noarch
- selinux-policy-targeted-3.13.1-23.el7.noarch
- SELinux enabled in Enforcing mode

Issue

- FTP client getting error 425 Failed to establish connection, while listing directory contents in
RHEL 7
- FTP server gets "connection refused" when establishing Active FTP to FTP client
- FTP client logs show:

200 PORT command successful. Consider using PASV.
425 Failed to establish connection.

- /var/log/audit/audit.log shows an SELinux permission denial:

type=AVC msg=audit(1404410045.618:1404): avc: denied { name_connect } for pid=30686 comm="vsftpd" dest=63853 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Resolution

This behaviour can be allowed in SELinux using the boolean ftpd_connect_all_unreserved.

The following command permanently applies the policy:

# setsebool -P ftpd_connect_all_unreserved 1

Root Cause

The default SELinux policy in early RHEL7 denies the FTP server (executing in ftpd_t) access
to connect to high-numbered sockets (in unreserved_port_t).

Diagnostic Steps

strace of the ftp server process shows connect() returning EACCES:

19304 20:30:09.759007 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 <0.000058>
19304 20:30:09.759095 setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 <0.000011>
19304 20:30:09.759148 bind(6, {sa_family=AF_INET, sin_port=htons(20), sin_addr=inet_addr("10.0.0.27")}, 16) = 0 <0.000113>
19304 20:30:09.759387 connect(6, {sa_family=AF_INET, sin_port=htons(61519), sin_addr=inet_addr("10.0.0.101")}, 16) = -1 EACCES (Permission denied) <0.000162>

There is an SELinux boolean relating to this:

# getsebool -a | grep ftp
ftpd_connect_all_unreserved --> off
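Spotting this denial in audit.log can be automated. The following Python is an added example, not part of the Red Hat article: it scans constructed sample lines (modelled on the AVC record above, not a real capture) for name_connect denials from ftpd_t to unreserved_port_t and names the boolean from the Resolution section, while reporting other ftpd_t denials separately so the boolean is not applied to unrelated problems.

```python
import re

# Constructed sample audit.log lines modelled on the record above (not a real capture).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1404410045.618:1404): avc:  denied  { name_connect } for  pid=30686 comm="vsftpd" dest=63853 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1404410045.618:1404): arch=c000003e syscall=42 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404410100.001:1410): avc:  denied  { name_connect } for  pid=30690 comm="vsftpd" dest=443 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404410200.002:1420): avc:  denied  { read } for  pid=30700 comm="vsftpd" name="notes.txt" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1404410300.003:1430): avc:  denied  { name_connect } for  pid=2200 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s*(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Third field of a context string: system_u:system_r:ftpd_t:s0 -> ftpd_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Parse one AVC denial record into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        **fields,
    }


def triage_ftpd_denials(log_text):
    """Split ftpd_t denials into (active-mode data connection denials, everything else).

    The first list matches the root cause above: vsftpd (ftpd_t) denied
    name_connect on a tcp_socket labelled unreserved_port_t, i.e. the server
    connecting back to the client's high-numbered data port in active mode.
    """
    matching, other = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or selinux_type(rec.get("scontext", "")) != "ftpd_t":
            continue
        if ("name_connect" in rec["perms"] and rec.get("tclass") == "tcp_socket"
                and selinux_type(rec.get("tcontext", "")) == "unreserved_port_t"):
            matching.append({"serial": rec["serial"], "pid": int(rec["pid"]),
                             "dest_port": int(rec["dest"])})
        else:
            other.append({"serial": rec["serial"], "perms": rec["perms"],
                          "target_type": selinux_type(rec.get("tcontext", ""))})
    return matching, other


def remediation(matching):
    """The boolean from the Resolution section, only when the matching pattern was seen."""
    if not matching:
        return None
    return "setsebool -P ftpd_connect_all_unreserved 1"


if __name__ == "__main__":
    hits, rest = triage_ftpd_denials(SAMPLE_AUDIT_LOG)
    print(hits, rest, remediation(hits))
```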
