Hey list,
Sorry for all the questions today. But I am trying to wrap up this ftp business and still having some issues. I appreciate your input.
SELinux is temporarily disabled (until I can work this all out) and I am now able to log into the FTP server.
[root@LCENT05:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 230 User bluethundr logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (xx,xx,xx,xxx,255,44). ftp: connect: Invalid argument ftp>
I still have DebugLevel set to 10 in the config and this is what I see in the proftpd logs:
Aug 13 12:00:39 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): USER bluethundr: Login successful. Aug 13 12:00:39 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_tls Aug 13 12:00:39 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core Aug 13 12:00:39 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core Aug 13 12:00:39 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching CMD command 'SYST' to mod_core Aug 13 12:00:39 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'SYST' to mod_log Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASV' to mod_tls Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASV' to mod_core Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASV' to mod_core Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching CMD command 'PASV' to mod_core Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): in dir_check_full(): path = '/', fullpath = '/'. Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): Entering Passive Mode (71,187,203,194,255,44). Aug 13 12:00:45 LCENT05 proftpd[2922] 192.168.1.48 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'PASV' to mod_log Aug 13 12:05:08 LCENT05 proftpd[2863] 192.168.1.48 (71.187.203.194[71.187.203.194]): Client session idle timeout, disconnected Aug 13 12:05:08 LCENT05 proftpd[2863] 192.168.1.48 (71.187.203.194[71.187.203.194]): ROOT PRIVS at mod_auth_pam.c:173 Aug 13 12:05:08 LCENT05 proftpd[2863] 192.168.1.48 (71.187.203.194[71.187.203.194]): ROOT PRIVS: ID switching disabled Aug 13 12:05:08 LCENT05 proftpd[2863] 192.168.1.48 (71.187.203.194[71.187.203.194]): RELINQUISH PRIVS at mod_auth_pam.c:207 Aug 13 12:05:08 LCENT05 proftpd[2863] 192.168.1.48 (71.187.203.194[71.187.203.194]): RELINQUISH PRIVS: ID switching disabled Aug 13 12:05:08 LCENT05 proftpd[2863] 192.168.1.48 (71.187.203.194[71.187.203.194]): FTP session closed.
This is what my proftpd config is looking like at the moment.
I have the default root set to this directory:
DefaultRoot /var/www/html/jokefire.com
And I give access to this directory with this directive:
<Directory /var/www/html/jokefire.com> <Limit ALL> AllowAll </Limit> </Directory>
I plan to tighten up the security a little bit as I make some more progress. But my immediate goal is just to get this to work. :)
Here is the entire config.. just in case it might help!
Thanks once again!
Tim
# This is the ProFTPD configuration file # # See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context # See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on
# Cause every FTP user except adm to be chrooted into their home directory # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to # work at session-end time (http://bugzilla.redhat.com/477120) VRootEngine on DefaultRoot /var/www/html/jokefire.com #DefaultRoot ~ !adm VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
# Masqurade Address MasqueradeAddress xx.xxx.xxx.xxx
# Passive Ports PassivePorts 60000 65535
# Use pam to authenticate (default) and be authoritative AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c # If you use NIS/YP/LDAP you may need to disable PersistentPasswd #PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems) UseReverseDNS off
# Set the user and group that the server runs as User nobody Group nobody
# To prevent DoS attacks, set the maximum number of child processes # to 20. If you need to allow more than 20 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode; in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in # ftptop and ftpwho UseSendfile off
# Defines debug level DebugLevel 10
# Define the log formats LogFormat default "%h %l %u %t "%r" %s %b" LogFormat auth "%v [%P] %h %t "%r" %s"
# Define a system log SystemLog /var/log/proftpd/proftpd.log
# Dynamic Shared Object (DSO) loading # See README.DSO and howto/DSO.html for more details # # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql.c # # Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables # (contrib/mod_sql_passwd.html) # LoadModule mod_sql_passwd.c # # Mysql support (requires proftpd-mysql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_mysql.c # # Postgresql support (requires proftpd-postgresql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_postgres.c # # Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) # LoadModule mod_quotatab.c # # File-specific "driver" for storing quota table information in files # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) # LoadModule mod_quotatab_file.c # # SQL database "driver" for storing quota table information in SQL tables # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) # LoadModule mod_quotatab_sql.c # # LDAP support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) # LoadModule mod_ldap.c # # LDAP quota support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) # LoadModule mod_quotatab_ldap.c # # Support for authenticating users using the RADIUS protocol # (http://www.proftpd.org/docs/contrib/mod_radius.html) # LoadModule mod_radius.c # # Retrieve quota limit table information from a RADIUS server # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) # LoadModule mod_quotatab_radius.c # # Administrative control actions for the ftpdctl program # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) # LoadModule mod_ctrls_admin.c # # Execute external programs or scripts at various points in the process # of handling FTP commands # (http://www.castaglia.org/proftpd/modules/mod_exec.html) # LoadModule mod_exec.c # # Support for POSIX ACLs # (http://www.proftpd.org/docs/modules/mod_facl.html) # LoadModule mod_facl.c # # Support for using the GeoIP library to look up geographical information on # the connecting client and using that to set access controls for the server # (http://www.castaglia.org/proftpd/modules/mod_geoip.html) # LoadModule mod_geoip.c # # Configure server availability based on system load # (http://www.proftpd.org/docs/contrib/mod_load.html) # LoadModule mod_load.c # # Limit downloads to a multiple of upload volume (see README.ratio) # LoadModule mod_ratio.c # # Rewrite FTP commands sent by clients on-the-fly, # using regular expression matching and substitution # (http://www.proftpd.org/docs/contrib/mod_rewrite.html) # LoadModule mod_rewrite.c # # Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over # an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) # LoadModule mod_sftp.c # # Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for # mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) # LoadModule mod_sftp_pam.c # # Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user # and host based authentication # (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) # LoadModule mod_sftp_sql.c # # Provide data transfer rate "shaping" across the entire server # (http://www.castaglia.org/proftpd/modules/mod_shaper.html) # LoadModule mod_shaper.c # # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) # LoadModule mod_site_misc.c # # Provide an external SSL session cache using shared memory # (contrib/mod_tls_shmcache.html) # LoadModule mod_tls_shmcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap.html) # LoadModule mod_wrap.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, as well as SQL-based access rules, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap2.html) # LoadModule mod_wrap2.c # # Support module for mod_wrap2 that handles access rules stored in specially # formatted files on disk # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) # LoadModule mod_wrap2_file.c # # Support module for mod_wrap2 that handles access rules stored in SQL # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) # LoadModule mod_wrap2_sql.c # # Provide a flexible way of specifying that certain configuration directives # only apply to certain sessions, based on credentials such as connection # class, user, or group membership # (http://www.proftpd.org/docs/contrib/mod_ifsession.html) # LoadModule mod_ifsession.c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) <IfDefine TLS> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/var/run/proftpd/sesscache </IfModule> </IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd <IfDefine DYNAMIC_BAN_LISTS> LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm </IfDefine>
# Global Config - config common to Server Config and all virtual hosts # See: http://www.proftpd.org/docs/howto/Vhost.html <Global>
# Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022
# Allow users to overwrite files and change permissions AllowOverwrite yes <Limit ALL SITE_CHMOD> AllowAll </Limit>
</Global>
# A basic anonymous configuration, with an upload directory # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd <IfDefine ANONYMOUS_FTP> <Anonymous ~ftp> User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp
# Limit the maximum number of anonymous logins MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login #DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in # each newly chdired directory and tell users to read README* files. DisplayLogin /welcome.msg DisplayChdir .message DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp" DirFakeUser on ftp DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot <Limit WRITE SITE_CHMOD> DenyAll </Limit>
# An upload directory that allows storing files but not retrieving # or creating directories. <Directory uploads/*> AllowOverwrite no <Limit READ> DenyAll </Limit>
<Limit STOR> AllowAll </Limit> </Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!) WtmpLog off
# Logging for the anonymous transfers ExtendedLog /var/log/proftpd/access.log WRITE,READ default ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous> </IfDefine>
<Directory /var/www/html/jokefire.com> <Limit ALL> AllowAll </Limit> </Directory>