Hello list!
Well I have delved back into my proftpd config in the hopes of resolving my issues and having a working server. :)
I believe I have the passive mode issue that I was expereriencing last time mostly worked out. But there are still a couple of things going on with this config that I was hoping to run by you in hopes of finding a solution.
If I execute an ftp session on localhost from the ftp server itself, I can log in and the ftp client does not complain when I try to list a directory.
[root@VIRTCENT29:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 230 User bluethundr logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (127,0,0,1,183,201). 150 Opening ASCII mode data connection for file list 226 Transfer complete ftp> quit 221 Goodbye.
However if I log into the external address of the FTP server the login fails.
Name (snjh.net:root): bluethundr 331 Password required for bluethundr Password: 530 Login incorrect. Login failed. Remote system type is UNIX. Using binary mode to transfer files. ftp> quit 221 Goodbye.
There is no activity in the logs when I log in remotely. I dont believe it to be a firewall issue because iptables on the local ftp server has been disabled by stopping the service and the router has been configured to open port 21 and the passive ports I have selected (60000-65535).
I have verified that port 21 is open with nmap:
[root@VIRTCENT29:~] #nmap -p 21 snjh.net
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-22 20:39 EDT Interesting ports on pool-71-187-203-194.nwrknj.fios.verizon.net (71.187.203.194): PORT STATE SERVICE 21/tcp open ftp
Nmap finished: 1 IP address (1 host up) scanned in 0.371 seconds
And it looks like the system is prompting for a password, but authentication fails. But why it only fails when I attempt this remotely and it works when I do this locally is a bit puzzling.
And if I mount an NFS directory login fails on localhost too:
[root@VIRTCENT29:~] #mount nas2:/mnt/home /home
[root@VIRTCENT29:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 530 Login incorrect. Login failed. 421 Service not available, remote server has closed connection ftp>
This is what happens in the extended log when I have the NFS partition mounted:
[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log ::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:42:49 -0400] "USER bluethundr" 331 -
And if I unmount the NFS partition, I am able to log in again:
[root@VIRTCENT29:~] #umount /home
[root@VIRTCENT29:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 230 User bluethundr logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (127,0,0,1,205,137). 150 Opening ASCII mode data connection for file list 226 Transfer complete ftp>
And this is what happens in the logs once I am able to log in again
[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log ::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:45:31 -0400] "USER bluethundr" 331 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "PASS (hidden)" 230 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "SYST" 215 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "PASV" 227 - ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "LIST" 226 0 ::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:37 -0500] "QUIT" 221 -
Im including my config below.. I was hoping someone could provide a clue as to why this is hapening! thank you very much in advance and best regards!
tim
------------------------------
# This is the ProFTPD configuration file # # See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context # See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on
# Cause every FTP user except adm to be chrooted into their home directory # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to # work at session-end time (http://bugzilla.redhat.com/477120) VRootEngine on DefaultRoot ~ !adm VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
# Use pam to authenticate (default) and be authoritative AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c # If you use NIS/YP/LDAP you may need to disable PersistentPasswd #PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems) UseReverseDNS off
# Set the user and group that the server runs as User nobody Group nobody
# Debug Level - set to max currently DebugLevel 10
# Extended log ExtendedLog /var/log/proftpd/pftpd-extended.log
# To prevent DoS attacks, set the maximum number of child processes # to 20. If you need to allow more than 20 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode; in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in # ftptop and ftpwho UseSendfile off
# Define the log formats LogFormat default "%h %l %u %t "%r" %s %b" LogFormat auth "%v [%P] %h %t "%r" %s"
# Dynamic Shared Object (DSO) loading # See README.DSO and howto/DSO.html for more details # # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql.c # # Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables # (contrib/mod_sql_passwd.html) # LoadModule mod_sql_passwd.c # # Mysql support (requires proftpd-mysql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_mysql.c # # Postgresql support (requires proftpd-postgresql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_postgres.c # # Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) # LoadModule mod_quotatab.c # # File-specific "driver" for storing quota table information in files # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) # LoadModule mod_quotatab_file.c # # SQL database "driver" for storing quota table information in SQL tables # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) # LoadModule mod_quotatab_sql.c # # LDAP support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) # LoadModule mod_ldap.c # # LDAP quota support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) # LoadModule mod_quotatab_ldap.c # # Support for authenticating users using the RADIUS protocol # (http://www.proftpd.org/docs/contrib/mod_radius.html) # LoadModule mod_radius.c # # Retrieve quota limit table information from a RADIUS server # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) # LoadModule mod_quotatab_radius.c # # Administrative control actions for the ftpdctl program # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) # LoadModule mod_ctrls_admin.c # # Execute external programs or scripts at various points in the process # of handling FTP commands # (http://www.castaglia.org/proftpd/modules/mod_exec.html) # LoadModule mod_exec.c # # Support for POSIX ACLs # (http://www.proftpd.org/docs/modules/mod_facl.html) # LoadModule mod_facl.c # # Support for using the GeoIP library to look up geographical information on # the connecting client and using that to set access controls for the server # (http://www.castaglia.org/proftpd/modules/mod_geoip.html) # LoadModule mod_geoip.c # # Configure server availability based on system load # (http://www.proftpd.org/docs/contrib/mod_load.html) # LoadModule mod_load.c # # Limit downloads to a multiple of upload volume (see README.ratio) # LoadModule mod_ratio.c # # Rewrite FTP commands sent by clients on-the-fly, # using regular expression matching and substitution # (http://www.proftpd.org/docs/contrib/mod_rewrite.html) # LoadModule mod_rewrite.c # # Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over # an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) # LoadModule mod_sftp.c # # Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for # mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) # LoadModule mod_sftp_pam.c # # Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user # and host based authentication # (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) # LoadModule mod_sftp_sql.c # # Provide data transfer rate "shaping" across the entire server # (http://www.castaglia.org/proftpd/modules/mod_shaper.html) # LoadModule mod_shaper.c # # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) # LoadModule mod_site_misc.c # # Provide an external SSL session cache using shared memory # (contrib/mod_tls_shmcache.html) # LoadModule mod_tls_shmcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap.html) # LoadModule mod_wrap.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, as well as SQL-based access rules, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap2.html) # LoadModule mod_wrap2.c # # Support module for mod_wrap2 that handles access rules stored in specially # formatted files on disk # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) # LoadModule mod_wrap2_file.c # # Support module for mod_wrap2 that handles access rules stored in SQL # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) # LoadModule mod_wrap2_sql.c # # Provide a flexible way of specifying that certain configuration directives # only apply to certain sessions, based on credentials such as connection # class, user, or group membership # (http://www.proftpd.org/docs/contrib/mod_ifsession.html) # LoadModule mod_ifsession.c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) <IfDefine TLS> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/var/run/proftpd/sesscache </IfModule> </IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd <IfDefine DYNAMIC_BAN_LISTS> LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm </IfDefine>
# Global Config - config common to Server Config and all virtual hosts # See: http://www.proftpd.org/docs/howto/Vhost.html <Global>
# Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022
# Allow users to overwrite files and change permissions AllowOverwrite yes <Limit ALL SITE_CHMOD> AllowAll </Limit>
</Global>
# A basic anonymous configuration, with an upload directory # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd <IfDefine ANONYMOUS_FTP> <Anonymous ~ftp> User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp
# Limit the maximum number of anonymous logins MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login #DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in # each newly chdired directory and tell users to read README* files. DisplayLogin /welcome.msg DisplayChdir .message DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp" DirFakeUser on ftp DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot <Limit WRITE SITE_CHMOD> DenyAll </Limit>
# An upload directory that allows storing files but not retrieving # or creating directories. <Directory uploads/*> AllowOverwrite no <Limit READ> DenyAll </Limit>
<Limit STOR> AllowAll </Limit> </Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!) WtmpLog off
# Logging for the anonymous transfers ExtendedLog /var/log/proftpd/access.log WRITE,READ default ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous> </IfDefine>
# ---------------------------------------------------- # ftp.snjh.net # internalftp server # <VirtualHost 192.168.1.55> ServerAdmin bluethundr@jokefire.com ServerName "JF FTP Server" TransferLog /var/log/proftpd/ftp.snjh-internal.net MaxLoginAttempts 3 RequireValidShell no DefaultRoot /var/www/html/mydomain.com User nobody Group nobody AllowOverwrite yes MasqueradeAddress 192.168.1.55 PassivePorts 60000 65535
<Directory /var/www/html/jokefire.com> <Limit ALL> AllowAll </Limit> </Directory>
</VirtualHost> # # ---------------------------------------------------- # ftp.snjh.net # external ftp server # <VirtualHost xx.xx.xx.xx> ## <-- verified as my external address ServerAdmin foo@bar.com ServerName "JF FTP Server" TransferLog /var/log/proftpd/ftp.snjh.net MaxLoginAttempts 3 RequireValidShell no DefaultRoot /var/www/html/jokefire.com User nobody Group nobody AllowOverwrite yes MasqueradeAddress xx.xx.xx.xx ## <-- verified as my external address PassivePorts 60000 65535
<Directory /var/www/html/mydomain.com> <Limit ALL> AllowAll </Limit> </Directory>
# # Auth files.... # #AuthUserFile /var/conf/ftp//authfiles/passwd.ftp.example.net #AuthGroupFile /var/conf/ftp//authfiles/group.ftp.example.net
</VirtualHost>