Discuss August 2011

discuss@lists.centos.org

222 participants
210 discussions

cant login remotely proftpd
by Tim Dunphy 23 Aug '11

23 Aug '11

Hello list! Well I have delved back into my proftpd config in the hopes of resolving my issues and having a working server. :) I believe I have the passive mode issue that I was expereriencing last time mostly worked out. But there are still a couple of things going on with this config that I was hoping to run by you in hopes of finding a solution. If I execute an ftp session on localhost from the ftp server itself, I can log in and the ftp client does not complain when I try to list a directory. [root@VIRTCENT29:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 230 User bluethundr logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (127,0,0,1,183,201). 150 Opening ASCII mode data connection for file list 226 Transfer complete ftp> quit 221 Goodbye. However if I log into the external address of the FTP server the login fails. Name (snjh.net:root): bluethundr 331 Password required for bluethundr Password: 530 Login incorrect. Login failed. Remote system type is UNIX. Using binary mode to transfer files. ftp> quit 221 Goodbye. There is no activity in the logs when I log in remotely. I dont believe it to be a firewall issue because iptables on the local ftp server has been disabled by stopping the service and the router has been configured to open port 21 and the passive ports I have selected (60000-65535). I have verified that port 21 is open with nmap: [root@VIRTCENT29:~] #nmap -p 21 snjh.net Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-22 20:39 EDT Interesting ports on pool-71-187-203-194.nwrknj.fios.verizon.net (71.187.203.194): PORT STATE SERVICE 21/tcp open ftp Nmap finished: 1 IP address (1 host up) scanned in 0.371 seconds And it looks like the system is prompting for a password, but authentication fails. But why it only fails when I attempt this remotely and it works when I do this locally is a bit puzzling. And if I mount an NFS directory login fails on localhost too: [root@VIRTCENT29:~] #mount nas2:/mnt/home /home [root@VIRTCENT29:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 530 Login incorrect. Login failed. 421 Service not available, remote server has closed connection ftp> This is what happens in the extended log when I have the NFS partition mounted: [root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log ::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:42:49 -0400] "USER bluethundr" 331 - And if I unmount the NFS partition, I am able to log in again: [root@VIRTCENT29:~] #umount /home [root@VIRTCENT29:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 230 User bluethundr logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (127,0,0,1,205,137). 150 Opening ASCII mode data connection for file list 226 Transfer complete ftp> And this is what happens in the logs once I am able to log in again [root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log ::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:45:31 -0400] "USER bluethundr" 331 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "PASS (hidden)" 230 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "SYST" 215 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "PASV" 227 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "LIST" 226 0 ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:37 -0500] "QUIT" 221 - Im including my config below.. I was hoping someone could provide a clue as to why this is hapening! thank you very much in advance and best regards! tim ------------------------------ # This is the ProFTPD configuration file # # See: http://www.proftpd.org/docs/directives/linked/by-name.html # Server Config - config used for anything outside a <VirtualHost> or <Global> context # See: http://www.proftpd.org/docs/howto/Vhost.html ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on # Cause every FTP user except adm to be chrooted into their home directory # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to # work at session-end time (http://bugzilla.redhat.com/477120) VRootEngine on DefaultRoot ~ !adm VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf # Use pam to authenticate (default) and be authoritative AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c # If you use NIS/YP/LDAP you may need to disable PersistentPasswd #PersistentPasswd off # Don't do reverse DNS lookups (hangs on DNS problems) UseReverseDNS off # Set the user and group that the server runs as User nobody Group nobody # Debug Level - set to max currently DebugLevel 10 # Extended log ExtendedLog /var/log/proftpd/pftpd-extended.log # To prevent DoS attacks, set the maximum number of child processes # to 20. If you need to allow more than 20 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode; in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 20 # Disable sendfile by default since it breaks displaying the download speeds in # ftptop and ftpwho UseSendfile off # Define the log formats LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s" # Dynamic Shared Object (DSO) loading # See README.DSO and howto/DSO.html for more details # # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql.c # # Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables # (contrib/mod_sql_passwd.html) # LoadModule mod_sql_passwd.c # # Mysql support (requires proftpd-mysql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_mysql.c # # Postgresql support (requires proftpd-postgresql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_postgres.c # # Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) # LoadModule mod_quotatab.c # # File-specific "driver" for storing quota table information in files # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) # LoadModule mod_quotatab_file.c # # SQL database "driver" for storing quota table information in SQL tables # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) # LoadModule mod_quotatab_sql.c # # LDAP support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) # LoadModule mod_ldap.c # # LDAP quota support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) # LoadModule mod_quotatab_ldap.c # # Support for authenticating users using the RADIUS protocol # (http://www.proftpd.org/docs/contrib/mod_radius.html) # LoadModule mod_radius.c # # Retrieve quota limit table information from a RADIUS server # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) # LoadModule mod_quotatab_radius.c # # Administrative control actions for the ftpdctl program # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) # LoadModule mod_ctrls_admin.c # # Execute external programs or scripts at various points in the process # of handling FTP commands # (http://www.castaglia.org/proftpd/modules/mod_exec.html) # LoadModule mod_exec.c # # Support for POSIX ACLs # (http://www.proftpd.org/docs/modules/mod_facl.html) # LoadModule mod_facl.c # # Support for using the GeoIP library to look up geographical information on # the connecting client and using that to set access controls for the server # (http://www.castaglia.org/proftpd/modules/mod_geoip.html) # LoadModule mod_geoip.c # # Configure server availability based on system load # (http://www.proftpd.org/docs/contrib/mod_load.html) # LoadModule mod_load.c # # Limit downloads to a multiple of upload volume (see README.ratio) # LoadModule mod_ratio.c # # Rewrite FTP commands sent by clients on-the-fly, # using regular expression matching and substitution # (http://www.proftpd.org/docs/contrib/mod_rewrite.html) # LoadModule mod_rewrite.c # # Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over # an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) # LoadModule mod_sftp.c # # Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for # mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) # LoadModule mod_sftp_pam.c # # Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user # and host based authentication # (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) # LoadModule mod_sftp_sql.c # # Provide data transfer rate "shaping" across the entire server # (http://www.castaglia.org/proftpd/modules/mod_shaper.html) # LoadModule mod_shaper.c # # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) # LoadModule mod_site_misc.c # # Provide an external SSL session cache using shared memory # (contrib/mod_tls_shmcache.html) # LoadModule mod_tls_shmcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap.html) # LoadModule mod_wrap.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, as well as SQL-based access rules, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap2.html) # LoadModule mod_wrap2.c # # Support module for mod_wrap2 that handles access rules stored in specially # formatted files on disk # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) # LoadModule mod_wrap2_file.c # # Support module for mod_wrap2 that handles access rules stored in SQL # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) # LoadModule mod_wrap2_sql.c # # Provide a flexible way of specifying that certain configuration directives # only apply to certain sessions, based on credentials such as connection # class, user, or group membership # (http://www.proftpd.org/docs/contrib/mod_ifsession.html) # LoadModule mod_ifsession.c # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) <IfDefine TLS> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/var/run/proftpd/sesscache </IfModule> </IfDefine> # Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd <IfDefine DYNAMIC_BAN_LISTS> LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab # If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00 # Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm </IfDefine> # Global Config - config common to Server Config and all virtual hosts # See: http://www.proftpd.org/docs/howto/Vhost.html <Global> # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022 # Allow users to overwrite files and change permissions AllowOverwrite yes <Limit ALL SITE_CHMOD> AllowAll </Limit> </Global> # A basic anonymous configuration, with an upload directory # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd <IfDefine ANONYMOUS_FTP> <Anonymous ~ftp> User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply." # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp # Limit the maximum number of anonymous logins MaxClients 10 "Sorry, max %m users -- try again later" # Put the user into /pub right after login #DefaultChdir /pub # We want 'welcome.msg' displayed at login, '.message' displayed in # each newly chdired directory and tell users to read README* files. DisplayLogin /welcome.msg DisplayChdir .message DisplayReadme README* # Cosmetic option to make all files appear to be owned by user "ftp" DirFakeUser on ftp DirFakeGroup on ftp # Limit WRITE everywhere in the anonymous chroot <Limit WRITE SITE_CHMOD> DenyAll </Limit> # An upload directory that allows storing files but not retrieving # or creating directories. <Directory uploads/*> AllowOverwrite no <Limit READ> DenyAll </Limit> <Limit STOR> AllowAll </Limit> </Directory> # Don't write anonymous accesses to the system wtmp file (good idea!) WtmpLog off # Logging for the anonymous transfers ExtendedLog /var/log/proftpd/access.log WRITE,READ default ExtendedLog /var/log/proftpd/auth.log AUTH auth </Anonymous> </IfDefine> # ---------------------------------------------------- # ftp.snjh.net # internalftp server # <VirtualHost 192.168.1.55> ServerAdmin bluethundr(a)jokefire.com ServerName "JF FTP Server" TransferLog /var/log/proftpd/ftp.snjh-internal.net MaxLoginAttempts 3 RequireValidShell no DefaultRoot /var/www/html/mydomain.com User nobody Group nobody AllowOverwrite yes MasqueradeAddress 192.168.1.55 PassivePorts 60000 65535 <Directory /var/www/html/jokefire.com> <Limit ALL> AllowAll </Limit> </Directory> </VirtualHost> # # ---------------------------------------------------- # ftp.snjh.net # external ftp server # <VirtualHost xx.xx.xx.xx> ## <-- verified as my external address ServerAdmin foo(a)bar.com ServerName "JF FTP Server" TransferLog /var/log/proftpd/ftp.snjh.net MaxLoginAttempts 3 RequireValidShell no DefaultRoot /var/www/html/jokefire.com User nobody Group nobody AllowOverwrite yes MasqueradeAddress xx.xx.xx.xx ## <-- verified as my external address PassivePorts 60000 65535 <Directory /var/www/html/mydomain.com> <Limit ALL> AllowAll </Limit> </Directory> # # Auth files.... # #AuthUserFile /var/conf/ftp//authfiles/passwd.ftp.example.net #AuthGroupFile /var/conf/ftp//authfiles/group.ftp.example.net </VirtualHost>

1 0

Mount --bind source / mountpoint out of sync
by Trey Dockendorf 22 Aug '11

22 Aug '11

I have a shared web server that users can SSH / SFTP into to access their web content. Each users home directory is in a change root, and I use "mount -o bind" to put their respective webpage's document root into their home directory. Recently I was made aware that the contents of the mount's source are not the same as the mount point's, which I don't see how that is possible. The file system is 3 virtual disks...each part of the same volume group. I have three LVMs, "/" , "/chroot" , and "/var". Here's the entry in /etc/fstab... /var/www/example.com /chroot/home/user1/example.com none defaults,bind 0 0 The mount is active, yet running a recursive diff between "/var/www/ example.com" and "/chroot/home/user1/example.com" shows numerous differences. Here's "mount" output ------------------ /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/sda1 on /boot type ext3 (rw) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) /dev/mapper/VolGroup00-lv_chroot on /chroot type ext3 (rw) /var/www/example.com on /chroot/home/user1/example.com type none (rw,bind) /dev/mapper/VolGroup00-lv_var on /var type ext3 (rw) I honestly have no idea how this is possible. Is using "mount -o bind" not the best method to give a chrooted user access to a single directory outside the chroot? Would it be better to leave the web root in the chroot and have Apache (outside chroot) reference that location? Thanks - Trey

3 3

Does anyone know if I can reconfigure a PERC H700 without rebooting?
by Kevin Thorpe 22 Aug '11

22 Aug '11

Hi all, I have a server which is really difficult to restart because of usage requirements and the fact that it's in a co-lo rack so miles away. I've added a couple of drives which I'd like to bring up and add to LVM but the config I know is in the PERC BIOS and requires a reboot. Can the config be changed in the openmanage suite and if so can someone point me in the right direction? thanks

6 5

Intel 82599 driver?
by Lars Hecking 22 Aug '11

22 Aug '11

Which version of the ixgbe driver is included in 5.6? I went through all the RHEL5 release notes, but they only ever state that the driver was updated, not which devices was added. This device is not supported up to CentOS 5.5 (2.0.44-k2), but the latest driver from the Intel web site works fine (3.2.10). 05:00.0 Ethernet controller: Intel Corporation Unknown device 151c (rev 01) 05:00.0 0200: 8086:151c (rev 01) Subsystem: 8086:a03c Flags: bus master, fast devsel, latency 0, IRQ 170 Memory at de400000 (64-bit, non-prefetchable) [size=2M] I/O ports at ecc0 [size=32] Memory at de3f8000 (64-bit, non-prefetchable) [size=16K] Expansion ROM at de200000 [disabled] [size=1M] Capabilities: [40] Power Management version 3 Capabilities: [50] Message Signalled Interrupts: 64bit+ Queue=0/0 Enable- Capabilities: [70] MSI-X: Enable+ Mask- TabSize=64 Capabilities: [a0] Express Endpoint IRQ 0 Capabilities: [e0] Vital Product Data Capabilities: [100] Advanced Error Reporting Capabilities: [140] Device Serial Number 2c-cf-9a-ff-ff-21-1b-00 Capabilities: [150] Unknown (14) Capabilities: [160] Unknown (16)

7 15

Determine high i/o reads/write directories
by Robert Arkiletian 22 Aug '11

22 Aug '11

I have a DRBL server, basically an nfs fileserver, which I am rebuilding. I want to put the high i/o directories on a separate raid array for performance. Currently everything is under / in one raid array. How can I tell which directories, obviously other than /home, are getting high reads and/or writes? Any tools to measure i/o per directory? Thanks -- Robert Arkiletian Eric Hamber Secondary, Vancouver, Canada

4 4

Apache Changing IPtables C 5.6 via Apache
by Always Learning 22 Aug '11

22 Aug '11

When a web site is attacked, so far by unsuccessful hackers, my error routine adds the attackers IP address, prefixed by 'deny', to that web site's .htaccess file. It works and the attacker, on second and subsequent attacks, gets a 403 error response. I want to extend the exclusion ability to every web site hosted on a server. My preferred method is iptables. However, when breaking-out of a PHP script on a web page and running a normal iptables command, for example: iptables -A 3temp -s 1.2.3.4 -j DROP iptables responds with: iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root) Executing 'whoami' confirms Apache is the user. Giving Apache group rw on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is executable by all, fails to resolve the problem. Is there any method of running iptables from an Apache originated process ? Thank you. -- With best regards, Paul. England, EU.

10 17

.XXX Domain Name / Trade Mark Protection
by Always Learning 22 Aug '11

22 Aug '11

A new .xxx domain suffix for sexual content is becoming available. If you have a cherished Trade Mark or brand name and do not want relish having your_domain_name.xxx being available to Cyber Squatters or the 'porn trade' you can block the issuing of that .xxx domain name for a single payment of USD $200 - $300. The blocking application period is from 7 September 2011 until 28 October 2011. The details of where to apply were not disclosed. .xxx will cost about USD $75 yearly. Source: Law Now mailing list CMS Cameron McKenna, London, England 19 August 2011. -- With best regards, Paul. England, EU.

5 9

Multipath w/ iscsi
by Joseph L. Casale 22 Aug '11

22 Aug '11

I have several CentOS 6 boxes that mount iscsi based luns and use mpath. They all had problems shutting down as a result of unused maps not getting flushed as the system halted. After examining the init scripts, netfs, iscsi and multipathd all had the correct order but mpath failed to flush these maps and the system waited indefinitely. In the meantime I hacked this by adding a `/sbin/multipath -F` at the end of the stop clause in the init script. I seriously doubt this problems exists w/o being the result of my error in configuration. Anyone know what the required mpath config might be in this scenario where the block devices all disappear once netfs unmounts and iscsi stops? Thanks! jlc

2 2

help with gpg
by Jerry Geis 21 Aug '11

21 Aug '11

Under Centos 5 I ran this command: gpg --passphrase-file /home/myuser/pass_phrase.txt -c ../Versions/program.x86_64.tgz and this worked fine. On CentOS 6 running the same command prompts me for the passphrase. Thats exactly what I dont want to have happen. I have the pass phrase I want in the file. After some searching it says I need to start the daemon like "gpg-agent --daemon" take the output: GPG_AGENT_INFO=/tmp/gpg-x4WH7K/S.gpg-agent:19156:1; export GPG_AGENT_INFO; and use it - which I did. Then when I run my command above I still get prompted for the pass phrase. What am I not doing correct? I just want a simple phrase on a file that someone has to know before they can extract it. Nothing special going on.... Thanks, Jerry

2 3

Centos6 - Logwatch not mailing on 64bit
by david 21 Aug '11

21 Aug '11

Folks Logwatch is doing its thing properly on my 32-bit servers, delivering the report by mail to my root account once a day sometime around 3:30am. On the 64-bit systems, no mail is occurring. From the "cron" log on a 64-bit system, there are lines like: cron-20110821:Aug 21 03:36:23 XXX run-parts(/etc/cron.daily)[9727]: finished 0logwatch (where "XXX" stands for the server name) but no report is sent. If I run logtwatch manually, by simply typing logwatch as root, I get the mail. Is this a known issue? Is there some information I could supply that would help identify the reason? To the best of my knowledge, I made no changes to the logwatch configuration. Thanks David Kurn

2 4

← Newer
1
...
6
7
8
9
10
11
12
...
21
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss August 2011