[CentOS] cant login remotely proftpd

Tue Aug 23 00:48:57 UTC 2011
Tim Dunphy <bluethundr at jokefire.com>

Hello list!

 Well I have delved back into my proftpd config in the hopes of resolving my issues and having a working server. :)

  I believe I have the passive mode issue that I was expereriencing last time mostly worked out. But there are still a couple of things going on with this config that I was hoping to run by you in hopes of finding a solution. 

  If I execute an ftp session on localhost from the ftp server itself, I can log in and the ftp client does not complain when I try to list a directory. 

[root at VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
230 User bluethundr logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,183,201).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> quit
221 Goodbye.


However if I log into the external address of the FTP server the login fails.

Name (snjh.net:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

There is no activity in the logs when I log in remotely. I dont believe it to be a firewall issue because iptables on the local ftp server has been disabled by stopping the service and the router has been configured to open port 21 and the passive ports I have selected (60000-65535).

I have verified that port 21 is open with nmap:

[root at VIRTCENT29:~] #nmap -p 21 snjh.net

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-22 20:39 EDT
Interesting ports on pool-71-187-203-194.nwrknj.fios.verizon.net (71.187.203.194):
PORT   STATE SERVICE
21/tcp open  ftp

Nmap finished: 1 IP address (1 host up) scanned in 0.371 seconds


And it looks like the system is prompting for a password, but authentication fails. But why it only fails when I attempt this remotely and it works when I do this locally is a bit puzzling. 


And if I mount an NFS directory login fails on localhost too:

[root at VIRTCENT29:~] #mount nas2:/mnt/home /home

[root at VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
421 Service not available, remote server has closed connection
ftp>

This is what happens in the extended log when I have the NFS partition mounted:


[root at VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:42:49 -0400] "USER bluethundr" 331 -


And if I unmount the NFS partition, I am able to log in again:

[root at VIRTCENT29:~] #umount /home


[root at VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
230 User bluethundr logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,205,137).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>

And this is what happens in the logs once I am able to log in again

[root at VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:45:31 -0400] "USER bluethundr" 331 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "PASS (hidden)" 230 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "SYST" 215 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "PASV" 227 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "LIST" 226 0
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:37 -0500] "QUIT" 221 -



Im including my config below.. I was hoping someone could provide a clue as to why this is hapening! thank you very much in advance and best regards!


tim



------------------------------

# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

ServerName			"ProFTPD server"
ServerIdent			on "FTP Server ready."
ServerAdmin			root at localhost
DefaultServer			on

# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine			on
DefaultRoot			~ !adm
VRootAlias			etc/security/pam_env.conf /etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig			proftpd
AuthOrder			mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd		off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS			off

# Set the user and group that the server runs as
User				nobody
Group				nobody


# Debug Level - set to max currently 
DebugLevel                      10

# Extended log 
ExtendedLog                     /var/log/proftpd/pftpd-extended.log

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile			off

# Define the log formats
LogFormat			default	"%h %l %u %t \"%r\" %s %b"
LogFormat			auth	"%v [%P] %h %t \"%r\" %s"

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
#   LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
#   LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#   LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
#   LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
#   LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
#   LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
#   LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
#   LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
#   LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
#   LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
#   LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
#   LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
#   LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
#   LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution 
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
#   LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
#   LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
#   LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
#   LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
#   LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
#   LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
#   LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
#   LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
#   LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
#   LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
#   LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
#   LoadModule mod_ifsession.c

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine			on
  TLSRequired			on
  TLSRSACertificateFile		/etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile	/etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite		ALL:!ADH:!DES
  TLSOptions			NoCertRequest
  TLSVerifyClient		off
  #TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
  TLSLog			/var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache		shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule			mod_ban.c
  BanEngine			on
  BanLog			/var/log/proftpd/ban.log
  BanTable			/var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent			MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs		all allow user ftpadm
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask				022

  # Allow users to overwrite files and change permissions
  AllowOverwrite		yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User			ftp
    Group			ftp
    AccessGrantMsg		"Anonymous login ok, restrictions apply."

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias			anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients			10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir		/pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files. 
    DisplayLogin		/welcome.msg
    DisplayChdir		.message
    DisplayReadme		README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser			on ftp
    DirFakeGroup		on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.
    <Directory uploads/*>
      AllowOverwrite		no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog			off

    # Logging for the anonymous transfers
    ExtendedLog			/var/log/proftpd/access.log WRITE,READ default
    ExtendedLog			/var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>

# ----------------------------------------------------
# ftp.snjh.net 
# internalftp server 
#
<VirtualHost 192.168.1.55>
ServerAdmin             bluethundr at jokefire.com                     
ServerName              "JF FTP Server"
TransferLog             /var/log/proftpd/ftp.snjh-internal.net
MaxLoginAttempts        3
RequireValidShell       no
DefaultRoot             /var/www/html/mydomain.com
User                    nobody
Group                   nobody
AllowOverwrite          yes
MasqueradeAddress       192.168.1.55
PassivePorts            60000 65535

<Directory /var/www/html/jokefire.com>
		<Limit ALL>
			AllowAll
		</Limit>
</Directory>

</VirtualHost>
#
# ----------------------------------------------------
# ftp.snjh.net 
# external ftp server 
#
<VirtualHost xx.xx.xx.xx> ## <-- verified as my external address
ServerAdmin             foo at bar.com                     
ServerName              "JF FTP Server"
TransferLog             /var/log/proftpd/ftp.snjh.net
MaxLoginAttempts        3
RequireValidShell       no
DefaultRoot             /var/www/html/jokefire.com
User                    nobody
Group                   nobody
AllowOverwrite          yes
MasqueradeAddress       xx.xx.xx.xx ## <-- verified as my external address
PassivePorts            60000 65535

<Directory /var/www/html/mydomain.com>
		<Limit ALL>
			AllowAll
		</Limit>
</Directory>

#
# Auth files....
#
#AuthUserFile	/var/conf/ftp//authfiles/passwd.ftp.example.net
#AuthGroupFile	/var/conf/ftp//authfiles/group.ftp.example.net

</VirtualHost>