I would like to use sftp and disable ftp. Presently I am able to do both.
I stopped vsftpd.service but I am still able to ftp.
I also stopped tftp. Is it wise to turn this service off?
How do you disable the ftp service?
How do I find the status for sftp?
Hi
Disable the service and ensure the ftp port is closed YaST firewall allowed services. Probably xinetd is is also running again ensure this is disabled via YaST Network services?
As long as sshd is running and allowed through the YaST firewall allowed services you can then use scp, sftp and ssh.
Thank you for your reply. Not sure of that I did everything suggested. I am still able to ftp.
The firewall is disabled on this system.
In YAST I set the FTP service to manual.
Checked xinetd
x — xftp xstreamx tcp xNo xroot x/usr/sbin/vsftpd x/etc/vsftpd.conf
commented /etc/services
#ftp-data 20/tcp # File Transfer [Default Data] [Jon_Postel]
#ftp-data 20/udp # File Transfer [Default Data] [Jon_Postel]
#ftp-data 20/sctp # FTP [Randall_Stewart] [RFC4960]
#ftp 21/tcp # File Transfer [Control] [Jon_Postel] [RFC959]
#ftp 21/udp # File Transfer [Control] [Jon_Postel] [RFC959]
#ftp 21/sctp # FTP [Randall_Stewart] [RFC4960]
Checked vsftpd status
systemctl status vsftpd.service
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: inactive (dead)
Hi
In YaST disable the xinetd service if it’s enabled. Kill off any xinetd
processes running and remove the vsftpd package(s). One wonders if it
needs a reboot…?
–
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!
Hi mikenash,
you can also use lsof (with the “-i” options) to check if port 21 is still held open by some process - there may be other FTP servers installed and active, than vsftpd.
Regards,
Jens
I do not fell comfortable with removing the vsftpd packages or stopping all xinetd services, seems too extreme.
Stopping vsftpd and xftp should be enough. the lsof -I does not show any issues.
I only want to disable ftp and still be able to use sftp.
Must be some kind of a system’s programmer’s law because usually I can get things to not work but now that I want something to stop working. :rolleyes:
lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 889 avahi 11u IPv4 13383 0t0 UDP *:mdns
avahi-dae 889 avahi 12u IPv6 13384 0t0 UDP *:mdns
avahi-dae 889 avahi 13u IPv4 13385 0t0 UDP *:56308
avahi-dae 889 avahi 14u IPv6 13386 0t0 UDP *:36944
Xvnc 1416 root 0u IPv6 14481 0t0 TCP *:x11 (LISTEN)
Xvnc 1416 root 1u IPv4 14482 0t0 TCP *:x11 (LISTEN)
Xvnc 1416 root 6u IPv4 14487 0t0 TCP *:5901 (LISTEN)
Xvnc 1416 root 7u IPv4 14488 0t0 TCP *:5801 (LISTEN)
sshd 1436 root 3u IPv4 15124 0t0 TCP *:ssh (LISTEN)
sshd 1436 root 4u IPv6 15126 0t0 TCP *:ssh (LISTEN)
master 1525 root 13u IPv4 15541 0t0 TCP localhost:smtp (LISTEN)
master 1525 root 14u IPv6 15542 0t0 TCP localhost:smtp (LISTEN)
sshd 1723 root 5u IPv4 17296 0t0 TCP linux-39dj.site:ssh->ibm758-r8pxkkk.pok.ibm.com:52162 (ESTABLISHED)
vsftpd 6509 root 3u IPv4 27194 0t0 TCP *:ftp (LISTEN)
Sorry, I pasted the wrong output for lsof -i.
lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 889 avahi 11u IPv4 13383 0t0 UDP *:mdns
avahi-dae 889 avahi 12u IPv6 13384 0t0 UDP *:mdns
avahi-dae 889 avahi 13u IPv4 13385 0t0 UDP *:56308
avahi-dae 889 avahi 14u IPv6 13386 0t0 UDP *:36944
Xvnc 1416 root 0u IPv6 14481 0t0 TCP *:x11 (LISTEN)
Xvnc 1416 root 1u IPv4 14482 0t0 TCP *:x11 (LISTEN)
Xvnc 1416 root 6u IPv4 14487 0t0 TCP *:5901 (LISTEN)
Xvnc 1416 root 7u IPv4 14488 0t0 TCP *:5801 (LISTEN)
sshd 1436 root 3u IPv4 15124 0t0 TCP *:ssh (LISTEN)
sshd 1436 root 4u IPv6 15126 0t0 TCP *:ssh (LISTEN)
master 1525 root 13u IPv4 15541 0t0 TCP localhost:smtp (LISTEN)
master 1525 root 14u IPv6 15542 0t0 TCP localhost:smtp (LISTEN)
sshd 1723 root 5u IPv4 17296 0t0 TCP linux-39dj.site:ssh->ibm758-r8pxkkk.pok.ibm.com:52162 (ESTABLISHED)
Hi
So if you use YaST network services (xinetd) and go down the list and
ensure is off and disabled. Since your running Xvnc that’s possibly why
it’s still needed. Remember xinet is an on demand service, so unless
you login it won’t run.
Call me an old-timer, but less cruft running the better and prefer the
command line and ncurses YaST, if push comes to shove I just use ssh
with the -X option and run locally…
–
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!
Hi mikenash,
so the second listing is without vsftpd and no other process listening on the ftp port. Does that change when you connect via the client? Because if the port isn’t open (ie by vsftpd or xinetd), the client shouldn’t get a connect at all.
Regards,
Jens
I can still ftp!
In Yast I set FTP server to manal and stop the service.
In xinetd I see that ftp and tftp are off.
In Yast I disable tftp server.
Testing:
ftp 9.42.101.38
Wrapper for lftp to simulate compatibility with lukemftp
Name (root): root
Password:
lftp root@9.42.101.38:~> ls
---- Connecting to 9.42.101.38 (9.42.101.38) port 21
<— 220 Welcome message
<— 230 Login successful.
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Desktop
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Documents
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Downloads
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Music
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Pictures
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Public
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Templates
drwxr-xr-x 2 0 0 4096 Feb 20 23:58 Videos
-rw-r–r-- 1 0 0 28074 Feb 20 21:20 autoinst.xml
drwxr-xr-x 2 0 0 4096 Sep 21 2014 bin
drwxr-xr-x 6 0 0 4096 Feb 20 21:08 inst-sys
lftp root@9.42.101.38:~> quit
linux140:/ # systemctl status vsftpd
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: inactive (dead)
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client “9.42.101.38”, “227 Entering Passive Mode (9,42,101,40,117,123).”
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP command: Client “9.42.101.38”, “LIST”
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client “9.42.101.38”, “150 Here comes the directory listing.”
May 07 10:39:33 linux140 vsftpd[3207]: [root] FTP response: Client “9.42.101.38”, “226 Directory send OK.”
May 08 10:43:34 linux140 systemd[1]: Stopping Vsftpd ftp daemon…
May 08 10:43:34 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
May 08 10:43:48 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
May 08 10:43:48 linux140 systemd[1]: Starting Vsftpd ftp daemon…
May 08 10:43:48 linux140 systemd[1]: Started Vsftpd ftp daemon.
May 08 10:43:57 linux140 systemd[1]: Stopped Vsftpd ftp daemon.
Hint: Some lines were ellipsized, use -l to show in full.
I think this is only local now. From a DOS prompt on a laptop I can not ftp in. From the server with the changes I am able to ftp to another server on the network. From the other network I can not ftp in. So it seems that outgoing ftp is not disabled. Strange but why and how can I disable ftp completely?
it seems much clear that there is no FTP service running on your server because of which any of your incoming connections get failed.
but your FTP client can connect to any of FTP server running if allowed to connect.
outgoing connections are initiated from your local sever to remote server, so remote servers firewall rules must be set so that your outgoing connections gets refused.
It is cleat that your FTP has been disabled.
Thank you for your reply. I have a better understanding about ftp now. In other forums I have read that disabling outgoing ftp would not be a good idea because so many servers still use ftp. However, I also read that the ftp server is more exposed to security issues. I find that there are available and more secure solutions like sftp or vsftpd with TSL enabled. These protocols have to be enabled on the server for the client to ue them. I have learned but I question why the use of a more secure is not a standard practice. Can anyone recommend a discussion chat room on linux for begnners?