Fixing Vsftpd Passive Mode Returning 0.0.0.0 Address Despite Correct pasv_address Configuration



When configuring Vsftpd on AWS EC2 with an Elastic IP, you might encounter a situation where the server answers PASV with (0,0,0,0,...) despite a correctly set pasv_address parameter. Clients then fall back to the control-connection address, which creates connectivity problems whenever that address is not the one the data connection should use.

The problem typically occurs when:

  • IPv6 is enabled (listen_ipv6=YES)
  • Network Address Translation (NAT) is involved
  • Firewall/SELinux intercepts the connection
  • Vsftpd fails to properly detect external IP

Here's a working configuration that handles this scenario properly:

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
seccomp_sandbox=NO
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
pasv_address=your.elastic.ip.here
pasv_addr_resolve=YES
port_enable=YES
userlist_enable=YES

1. Disable IPv6:

listen_ipv6=NO

Many NAT-related issues disappear when forcing IPv4-only operation.

2. Add Passive Address Resolution:

pasv_addr_resolve=YES

This makes Vsftpd re-resolve the hostname on each PASV request.

3. Network Configuration Check:
Verify your AWS Security Groups allow both control port (21) and passive ports (as defined in pasv_min_port/pasv_max_port).
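The three steps above boil down to a handful of key/value checks on vsftpd.conf, so they can be linted before the daemon is restarted. The following Python script is an added example, not part of this article or of the vsftpd project: it parses a vsftpd.conf-style text and reports the combinations discussed here (IPv6 listening, a missing pasv_address, a hostname without pasv_addr_resolve, an unbounded passive port range) plus two hardening options that the sample configuration relaxes. The two configurations embedded in it are constructed samples; the defaults it assumes when a key is absent (pasv_enable=YES, seccomp_sandbox=YES, everything else NO or 0) are vsftpd's documented defaults.

```python
import ipaddress
import sys

# Constructed sample: the IPv4-only configuration from this article, reduced to
# the keys the linter inspects.
ARTICLE_CONF = """\
listen=YES
listen_ipv6=NO
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
pasv_address=your.elastic.ip.here
pasv_addr_resolve=YES
seccomp_sandbox=NO
"""

# Constructed sample of a file that still produces the 0.0.0.0 reply.
BROKEN_CONF = """\
# comments and blank lines are ignored, as vsftpd does
listen_ipv6=YES
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
port_promiscuous=YES
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines into a dict; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _is_yes(conf, key, default="NO"):
    return conf.get(key, default).strip().upper() == "YES"


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_pasv_config(conf):
    """Return 'error: ...' / 'warning: ...' strings; an empty list means clean."""
    findings = []
    if _is_yes(conf, "listen") and _is_yes(conf, "listen_ipv6"):
        findings.append("error: listen=YES and listen_ipv6=YES are mutually exclusive; vsftpd will not start")
    if _is_yes(conf, "listen_ipv6"):
        findings.append("warning: listen_ipv6=YES; the fix in this article is listen=YES with listen_ipv6=NO")
    if _is_yes(conf, "pasv_enable", default="YES"):
        addr = conf.get("pasv_address", "")
        if not addr:
            findings.append("error: pasv_address is unset; behind NAT vsftpd advertises the interface address")
        elif not _is_ip_literal(addr) and not _is_yes(conf, "pasv_addr_resolve"):
            findings.append("error: pasv_address is a hostname but pasv_addr_resolve=YES is missing")
        lo = int(conf.get("pasv_min_port", "0"))
        hi = int(conf.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0 or lo > hi:
            findings.append("warning: no usable pasv_min_port/pasv_max_port range; the security group cannot be scoped to it")
    # Hardening regressions that are not needed for the PASV fix itself
    if _is_yes(conf, "port_promiscuous"):
        findings.append("warning: port_promiscuous=YES disables the check that PORT data connections go back to the client")
    if not _is_yes(conf, "seccomp_sandbox", default="YES"):
        findings.append("warning: seccomp_sandbox=NO disables vsftpd's syscall sandbox")
    return findings


if __name__ == "__main__":
    # Usage: python lint_vsftpd.py /etc/vsftpd/vsftpd.conf  (no argument: lint the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"ARTICLE_CONF": ARTICLE_CONF, "BROKEN_CONF": BROKEN_CONF}
    for name, text in sources.items():
        print("==", name)
        for finding in lint_pasv_config(parse_vsftpd_conf(text)) or ["clean"]:
            print("  ", finding)
```

Run it against the live file after editing and before `systemctl restart vsftpd`; the two warnings about port_promiscuous and seccomp_sandbox are there because neither option is needed to fix the 0.0.0.0 reply, so they should only stay if something else on the host requires them.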

When SELinux is enforcing, set these booleans and label the passive port range:

setsebool -P ftp_home_dir on
setsebool -P ftpd_full_access on
semanage port -a -t ftp_port_t -p tcp 49152-65535

Use this command to verify PASV mode works correctly:

curl -v --disable-epsv ftp://username:password@yourserver.com/

Look for your Elastic IP, rather than 0,0,0,0, in the 227 response line.
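Reading the 227 line by eye works for one server; for a fleet, or for a monitoring check, it helps to parse the reply and compare it with the address the server is supposed to advertise. The following Python script is an added example, not code from this article or from vsftpd. It parses RFC 959 PASV replies, flags the 0.0.0.0 symptom described above, an RFC 1918 address leaking through NAT, a mismatch with the expected Elastic IP, and a data port outside the configured pasv_min_port/pasv_max_port range. The sample replies and the expected address 203.0.113.10 (a documentation-range address standing in for the Elastic IP) are constructed. The probe function sends a raw PASV through Python's ftplib with sendcmd rather than using the library's own passive-mode code, because current ftplib versions ignore the advertised IPv4 address by default and use the control-connection host, which is exactly the client fallback this article is about.

```python
import ipaddress
import re
from ftplib import FTP

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples; 203.0.113.10 stands in for the Elastic IP.
EXPECTED_IP = "203.0.113.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (0,0,0,0,4,1)",         # the symptom from this article
    "227 Entering Passive Mode (10,0,1,5,200,0)",      # private VPC address leaked
    "227 Entering Passive Mode (203,0,113,10,195,80)", # correct Elastic IP, port 50000
]


def parse_pasv_reply(reply):
    """Return (host, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def _is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def check_pasv_reply(reply, expected_ip, port_range=(49152, 65535)):
    """Return a list of problems with the advertised address/port; empty means OK."""
    host, port = parse_pasv_reply(reply)
    problems = []
    if host == "0.0.0.0":
        problems.append("advertised 0.0.0.0: pasv_address is not being applied; "
                        "clients fall back to the control-connection address")
    elif host != expected_ip:
        if _is_rfc1918(host):
            problems.append("advertised private address %s instead of %s: NAT translation "
                            "leaked into the reply" % (host, expected_ip))
        else:
            problems.append("advertised %s, expected %s" % (host, expected_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the configured range %d-%d" % (port, lo, hi))
    return problems


def probe_server(host, user, password, expected_ip, timeout=10):
    """Log in, send a raw PASV and check the reply without opening a data connection."""
    ftp = FTP(timeout=timeout)
    ftp.connect(host, 21)
    ftp.login(user, password)
    try:
        reply = ftp.sendcmd("PASV")
    finally:
        ftp.quit()
    return check_pasv_reply(reply, expected_ip)


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", check_pasv_reply(reply, EXPECTED_IP) or ["OK"])
```

The port check matters as much as the address check: a correct Elastic IP with a data port outside the range opened in the security group fails in exactly the same way from the client's point of view, just with a timeout instead of a connection to the wrong host.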

1. Check Vsftpd logs:

tail -f /var/log/vsftpd.log

2. Verify network connectivity:

tcpdump -nn -i any 'port 21 or portrange 49152-65535'

3. Test from external network:

telnet your.elastic.ip.here 21

When configuring vsftpd on AWS EC2 with Elastic IP, many administrators encounter a puzzling behavior where the server responds with a 0.0.0.0 address in passive mode despite having explicitly set pasv_address. Here's what's happening under the hood:

227 Entering Passive Mode (0,0,0,0,4,1)

This indicates vsftpd isn't properly advertising your external IP address in PASV responses, forcing clients to fall back to the server's original address.

The solution involves addressing three critical components simultaneously:

  • vsftpd's network binding behavior
  • AWS EC2 networking stack
  • SELinux context for FTP operations

Here's a verified configuration that resolves the 0.0.0.0 PASV response issue:

# Basic settings
listen=YES
# IPv4-only: with listen_ipv6=YES vsftpd answers PASV with 0,0,0,0 (see above)
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
# NO disables vsftpd's seccomp syscall filter; not needed for the PASV fix
seccomp_sandbox=NO

# Passive mode configuration
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
pasv_address=your.elastic.ip.here
pasv_addr_resolve=YES
# Not needed for the PASV fix; YES disables the check that PORT data connections return to the client's own address
port_promiscuous=YES

# Security settings
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
tcp_wrappers=YES

For EC2 instances, you must additionally:

  1. Configure security groups to allow both TCP 21 and your passive port range
  2. Ensure the Elastic IP is properly associated with the instance
  3. Add a VPC route for the passive ports

Run these commands to adjust SELinux contexts:

setsebool -P ftpd_full_access on
semanage port -a -t ftp_port_t -p tcp 49152-65535
restorecon -Rv /etc/vsftpd

To confirm vsftpd is binding to the correct interface:

netstat -tulnp | grep vsftpd

Expected output should show your Elastic IP, not 0.0.0.0.

If issues persist, check these diagnostic points:

# Verify IP routing
ip route get your.elastic.ip.here

# Check for NAT interference (match the FTP control port only, not every "21")
conntrack -L | grep -w 'dport=21'

# Test passive mode manually
telnet your.server.ip 21
> USER username
> PASS password
> PASV

Remember to restart vsftpd after configuration changes:

systemctl restart vsftpd