Why is my session anonymous? 530 Anonymous sessions may not use encryption.

[AdmirableTable]

I have searched for literal hours to either understand or fix this issue..

I am new to this so please point me to relevant info if I missed something basic (which feels like it is).
I recently set up an ftp server on linux using vsftpd but I can't seem to connect to it using Filezilla.

Whenever I attempt to connect to it I get the following:

Code: Select all

Status:	Connecting to **************:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	TLS connection established.
Command:	USER ftp
Response:	530 Anonymous sessions may not use encryption.
Error:	Could not connect to server
Status:	Waiting to retry...
Status:	Connecting to **************:21...
Status:	Connection established, waiting for welcome message...
Response:	220 (vsFTPd 3.0.3)
Command:	AUTH TLS
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Status:	TLS connection established.
Command:	USER ftp
Response:	530 Anonymous sessions may not use encryption.
Error:	Could not connect to server

I will add more config info below.

First question is... How/why is my session anonymous if I'm providing a user/pwd?
There is no second question, only a request for ideas as to why this could be happening and how to fix it..

Filezilla sitemanager config

Code: Select all

Protocol: FTP
Host: IP Port: 21
Encryption: Require Explicit FTP over TLS
Logon Type: Normal
User: ftp
Password: **********...

Server type: Default (Autodetect)
...

Transfer mode: Default (have tried manually switching to Active or Passive)
...

vsftpd.config (relevant values - let me know if anything seems to be missing)

Code: Select all

anonymous_enable=NO
local_enable=YES
write_enable=YES

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

require_ssl_reuse=NO
ssl_ciphers=HIGH

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist # -> contains only ftp
userlist_deny=NO

local_root=*******

pasv_min_port=30000
pasv_max_port=31000

[boco]

Is your username "ftp"? The usernames "anonymous" and "ftp" (in any upper-/lower case combination) are reserved for anonymous FTP. Other than that, you can select your username freely.

[botg]

anonymous_enable=NO

Looks like a server-side issue, it considers some logins anonymous even if anonymous sessions are disabled.

allow_anon_ssl=NO

That's just stupid. I really hope this setting is not the default.

require_ssl_reuse=NO

That's security vulnerability, leaves the server open to connection stealing attacks. Again, I hope this setting is not the default.

[AdmirableTable]

Is your username "ftp"? The usernames "anonymous" and "ftp" (in any upper-/lower case combination) are reserved for anonymous FTP. Other than that, you can select your username freely.

That was exactly it... Had no idea that username "ftp" was reserved.

Thank you so much

[AdmirableTable]

anonymous_enable=NO

Looks like a server-side issue, it considers some logins anonymous even if anonymous sessions are disabled.

As boco pointed out, it was due to the username being "ftp", whether it was a reserved username on the server or client side.

allow_anon_ssl=NO

That's just stupid. I really hope this setting is not the default.

If anonymous sessions are disabled, this setting doesn't seem to have any effect. It is the default as well according to the manual.

require_ssl_reuse=NO

That's security vulnerability, leaves the server open to connection stealing attacks. Again, I hope this setting is not the default.

Looked into this... I don't know enough about how vsftpd manages its connections to tell how big of a risk this is and how easy it is to hijack an open connection. Will re-enable for the time being as per your suggestion but the manual suggests some ftp clients may not work properly with the option enabled. Most basic setup tutorials for Filezilla I have found suggest to disable the option.

[botg]

the manual suggests some ftp clients may not work properly with the option enabled.

Clients that do not support this options are insecure, they are vulnerable to connection stealing attacks.

Most basic setup tutorials for Filezilla I have found suggest to disable the option.

These tutorials are deeply misguided then.