Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[pixelpunk]

I've enabled the PureFTPd server and granted full access to the one and only account I've created to gain access through windows, however the FTP allows any username & pass to login and view directories!

I've even tried to creat an account for ANONYMOUS and generated a random password to lock it out but it still allows entry.

I'm running fw v1.07

[gunrunnerjohn]

1.08b5 doesn't allow that.

Here's an attempted login with a dummy name and password.


C:\Users\John Will>ftp dlink
Connected to dlink.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 3 allowed.
220-Local time is now 08:08. Server port: 21.
220-This server supports FXP transfers
220 You will be disconnected after 5 minutes of inactivity.
User (dlink:(none)): dummy
331 Any password will work
Password: anypassword
530 Please tell me who you are
Login failed.
ftp>

[dmnc]

That's not an anonymous login... Try logging in as user "anonymous", then any password.

[gunrunnerjohn]

Well, that did something odd, but didn't allow me access.  AAMOF, it didn't even ask for the password, just dropped me back to the command prompt.  I tried it again with the same response, and still said I was user number 1 of 3 allowed, so the previous login attempt obviously didn't succeed.


C:\Users\John Will>ftp dlink
Connected to dlink.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 3 allowed.
220-Local time is now 08:49. Server port: 21.
220-This server supports FXP transfers
220 You will be disconnected after 5 minutes of inactivity.
User (dlink:(none)): anonymous
230 Anonymous user logged in
ftp: connect
C:\Users\John Will>

[pixelpunk]

That's good news, thanks.

[gunrunnerjohn]

Note that I could view directories too, but they were on my local drive, because I was out of the FTP. 

However, on a more concerning note, logging in with Firefox or IE allowed me right in with no password prompt! 

I think I won't enable the FTP server outside my network, AAMOF, I'm going to disable it right now! 

[ECF]

I just tested this and I am not able to get in using the anonymous account unless I created one. I tried the cmd prompt, IE, and firefox and found no issue like you explain.

[gunrunnerjohn]

Ignore my last post, I had left an anonymous share in after I put in all the named accounts!    When I removed it, I get the proper password prompt in browsers.  This also changed the odd behavior I was getting with the Windows command line FTP client.

At least for me, it appears FTP is working as it should.

[ECF]

Cool! Good to hear..

[gunrunnerjohn]

I swear I thought I deleted that anonymous login after configuring the users, but when I looked to post my "rebuttal", I realized that I had no leg to stand on. 

[davss]

I'm on 1.08 firmware UK release. After upgrading from 1.06 am no longer able to FTP.

After turning on SSL/TLS checkbox my FTP doesn't want to go to back to standard unsecure mode (tried saving settings with ticked and unticked and it's always showing as SSL/TLS whereas all other changes are save OK - UI bug?).

   Status    Started
     Port    21
     Max. User    3
     Flow Control    Unlimited
     Idle Time    10
     Client Language    Central European
     SSL/TLS connection    Yes
     Passive Mode    55536~55663

I have a redirection for port 21 (TCP/UDP) on my router set to DNS-323 reserved IP. They are on the same subnet i.e. 192.168.0.1 (router) and .2 (dns-323). It passes by authentication with OK result but returns eithr "530 Tell me who you are" error or FTP client (YummyFTP on MAC SSL/TLS) is hanging on the LIST command eventually throwing the same error.

Here are my tests:

Connection : 4
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 2 of 10 allowed.
220-Local time is now 16:52. Server port: 21.
220-This server supports FXP transfers
220 You will be disconnected after 10 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
USER XXX
331 User XXX OK. Password required
PASS ***********
230 OK. Current restricted directory is /
SYST
215 UNIX Type: L8
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
PROT E
534 Fallback to [C]
PROT S
534 Fallback to [C]
PROT C
200 OK
PWD
257 "/" is your current location
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (192,168,0,2,217,30)
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 2 of 10 allowed.
220-Local time is now 16:52. Server port: 21.
220-This server supports FXP transfers
220 You will be disconnected after 10 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
USER XXX
331 User XXX OK. Password required
PASS ***********
230 OK. Current restricted directory is /
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
PROT E
534 Fallback to [C]
PROT S
534 Fallback to [C]
PROT C
200 OK
CWD /
250 OK. Current directory is /
PWD
257 "/" is your current location
TYPE A
200 TYPE is now ASCII
PORT 192,168,1,103,246,160
200-FXP transfer: from 84.123.XX.XX to 192.168.1.103
200 PORT command successful
LIST


TELNET:
$ telnet myservername.dyndns.org 21
Trying XX.XX.XXX.XXX...
Connected to webcoder.dyndns.org.
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 3 allowed.
220-Local time is now 16:43. Server port: 21.
220-This server supports FXP transfers
220 You will be disconnected after 10 minutes of inactivity.


$ ftp XXX@myservername.dyndns.org
Connected to myservername.dyndns.org.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 6 of 10 allowed.
220-Local time is now 16:56. Server port: 21.
220-This server supports FXP transfers
220 You will be disconnected after 10 minutes of inactivity.
421 Service not available, remote server has closed connection.
ftp: Login failed

Also checked that IP on my router with DynDNS, tried using IP to FTP, turned on/off PASSIVE mode, changing port to 1025 on DNS and ROUTER port forward - still no joy. I was able to connect with 1.06 using unsecure 21 port.

I'm giving up on this c**p server.

Best,
David