Hi,

My ISP has all ports up to 54000 blocked (except for 80, 21, 20, etc.). My ispconfig runs on 54001 instead of 81. But after I updated my ISPConfig to version 2.2.28 my proftpd ignores the passiveports settings in proftpd.conf. I really can't understand why. I had this problem before and somehow managed to fix this, but now it is back and I tried everything I can recall to try.

This is my proftp.conf

Code:
    #
    # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
    # To really apply changes reload proftpd after modifications.
    #
    # Includes DSO modules
    Include /etc/proftpd/modules.conf
    # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
    UseIPv6 off
    ServerName "MalakaPower wilt server"
    ServerType standalone
    DeferWelcome off
    #MultilineRFC2228 on
    DefaultServer on
    #ShowSymlinks on
    #TimeoutNoTransfer 600
    #TimeoutStalled 600
    #TimeoutIdle 1200
    #DisplayLogin welcome.msg
    #DisplayFirstChdir .message
    #ListOptions "-l"
    DenyFilter \*.*/
    Port 21
    PassivePorts 55000 60000
    MaxInstances 300
    # Set the user and group that the server normally runs at.
    User proftpd
    Group nogroup
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask 022 022
    # Normally, we want files to be overwriteable.
    AllowOverwrite on
    TransferLog /var/log/proftpd/xferlog
    SystemLog /var/log/proftpd/proftpd.log
    <IfModule mod_tls.c>
    TLSEngine off
    </IfModule>
    <IfModule mod_quota.c>
    QuotaEngine on
    </IfModule>
    <IfModule mod_ratio.c>
    Ratios on
    </IfModule>
    UseReverseDNS off
    IdentLookups off
    Include /etc/proftpd_ispconfig.conf

I removed larger parts of comments. As you can see I set my PassivePorts to 55000 60000, but this is a transfer log from smartFTP on my Windows machine running in VMWare Fusion:

Code:
    [23:04:28] Resolving host name "ftp.****.com"
    [23:04:29] Connecting to ***.***.***.*** Port: 21
    [23:04:29] Connected to ftp.****.com.
    [23:04:39] 220 ProFTPD 1.3.0 Server (MalakaPower wilt server) [***.***.***.***]
    [23:04:39] USER web37_paul
    [23:04:39] 331 Password required for web37_paul.
    [23:04:39] PASS (hidden)
    [23:04:39] 230 User web37_paul logged in.
    [23:04:39] SYST
    [23:04:39] 215 UNIX Type: L8
    [23:04:39] Detected Server Type: UNIX
    [23:04:39] FEAT
    [23:04:39] 211-Features:
    [23:04:39] MDTM
    [23:04:39] REST STREAM
    [23:04:39] SIZE
    [23:04:39] 211 End
    [23:04:39] PWD
    [23:04:39] 257 "/" is current directory.
    [23:04:39] TYPE A
    [23:04:39] 200 Type set to A
    [23:04:39] PASV
    [23:04:39] 227 Entering Passive Mode (***,***,***,***,152,179).
    [23:04:39] Opening data connection to ***.***.***.*** Port: 39091
    [23:04:39] LIST -aL

And there it times out, of course because port 39091 is blocked. This is what shows up in /etc/proftpd/proftpd.log:

Code:
    Jan 13 23:10:30 www.mydomain.com proftpd[824] www.mydomain.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 13 23:10:30 www.mydomain.com proftpd[824] www.mydomain.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 13 23:10:30 www.mydomain.com proftpd[824] www.mydomain.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 13 23:10:30 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 13 23:12:01 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 13 23:12:01 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 13 23:12:01 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,224,159 (address mismatch)

I tried another connection with proftpd in debug, and this is that result: http://www.paulpeelen.com/proftpd.txt

Does anyone have a similar problem? Does someone know how to fix this?

Best regards,
Paul Peelen
Hi,

Sorry for my late answer. Your solution works but now I got myself into another problem. I set my passiveports between 54000 and 55000, works perfectly... but now I am getting an "Illegal PORT command" error in my transfer. This is the result of my /var/log/proftpd/proftd.log:

Code:
    Jan 20 19:26:09 wilt.***.com proftpd[10686] localhost.localdomain: ProFTPD 1.3.0 (stable) (built mar gen 2 10:57:47 CET 2007) standalone mode STARTUP
    Jan 20 19:26:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 20 19:26:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 20 19:26:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 20 19:26:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 20 19:27:01 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 20 19:27:01 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 20 19:27:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,207,3 (address mismatch)
    Jan 20 19:27:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,207,4 (address mismatch)
    Jan 20 19:28:35 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Refused EPRT |1|192.168.1.4|53008| (address mismatch)
    Jan 20 19:28:36 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,207,16 (address mismatch)
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Passive data transfer failed, possibly due to network issues
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Check your PassivePorts and MasqueradeAddress settings,
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): and any router, NAT, and firewall rules in the network path.
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): FTP no transfer timeout, disconnected
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session closed.
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Passive data transfer failed, possibly due to network issues
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Check your PassivePorts and MasqueradeAddress settings,
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): and any router, NAT, and firewall rules in the network path.
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): FTP no transfer timeout, disconnected
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session closed.

I don't understand this error message:

Code:
    Passive data transfer failed, possibly due to network issues. Check your PassivePorts and MasqueradeAddress settings, and any router, NAT, and firewall rules in the network path.

It can't be at my ISP because the ports above 54000 are opened, and it can't be here at home either because this error occurs at different networks all around. The weird thing though is, when I am at my office (located at my ISP) and I am on the same network I can access my server without any problems.

I checked my IPTables as well, and this is the result:

Code:
    wilt:/var/log/proftpd# iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             10.1.15.1           tcp dpts:50000:50050
    ACCEPT     tcp  --  anywhere             10.1.15.1           tcp dpt:50000
    ACCEPT     tcp  --  anywhere             10.1.15.1           tcp dpts:50000:60000
    ACCEPT     tcp  --  anywhere             wilt.***.com        tcp dpts:50000:60000
    ACCEPT     tcp  --  anywhere             wilt.***.com        tcp dpts:ftp-data:ftp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

The 10.1.15.1 address I happen to have just added following a tutorial about iptables on Debian. I don't think it can be my IPTables either, what could it be?

Best regards,
Paul Peelen
Locally? Should that make any difference? It wasn't forwarding, but I changed it now... at my home router.

-- The result:

Code:
    paul-peelens-dator:~ ppeelen$ ftp web37_paul@***.com
    Connected to ***.com.
    220 ProFTPD 1.3.0 Server (*** wilt server) [***.***.***.***]
    331 Password required for web37_paul.
    Password:
    230 User web37_paul logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    229 Entering Extended Passive Mode (|||54283|)
    200 EPRT command successful
    421 Service not available, remote server timed out. Connection closed

When connecting to my server through OSX.

// Paul
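Added example, not part of the thread: a Python sketch that decodes the data-channel lines quoted in the posts above (227/229 replies, PORT/EPRT commands) and reports whether the port falls outside PassivePorts or the announced address differs from the control-connection peer. The addresses 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the masked ones, and the function names are this example's own.

```python
import ipaddress
import re

# Line shapes as they appear in the logs quoted in this thread.
PASV = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV = re.compile(r"229 [^(]*\(\|\|\|(\d+)\|\)")
PORT = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPRT = re.compile(r"EPRT \|[12]\|([^|]+)\|(\d+)\|")

def decode(line):
    """Return (mode, address or None, port) for a data-channel line, else None."""
    for mode, rx in (("passive", PASV), ("active", PORT)):
        m = rx.search(line)
        if m:
            a, b, c, d, hi, lo = m.groups()
            # The last two numbers are the high and low byte of the port.
            return mode, f"{a}.{b}.{c}.{d}", int(hi) * 256 + int(lo)
    m = EPSV.search(line)
    if m:
        return "passive", None, int(m.group(1))
    m = EPRT.search(line)
    if m:
        return "active", m.group(1), int(m.group(2))
    return None

def diagnose(line, passive_ports, control_peer):
    """Say why the data channel negotiated on `line` would fail, or 'ok'."""
    decoded = decode(line)
    if decoded is None:
        return "no data-channel negotiation on this line"
    mode, addr, port = decoded
    low, high = passive_ports
    if mode == "passive":
        if low <= port <= high:
            return "ok"
        return f"passive port {port} is outside PassivePorts {low}-{high}"
    # Active mode: the server refuses an address that is not the control peer.
    if addr == control_peer:
        return "ok"
    kind = "private" if ipaddress.ip_address(addr).is_private else "different"
    return f"active mode refused: client announced {kind} address {addr}:{port}"

# Constructed from the thread's logs; masked addresses replaced by stand-ins.
SAMPLES = [
    "[23:04:39] 227 Entering Passive Mode (203,0,113,10,152,179).",
    "Refused PORT 192,168,1,4,224,159 (address mismatch)",
    "Refused EPRT |1|192.168.1.4|53008| (address mismatch)",
]
print(*(diagnose(s, (55000, 60000), "198.51.100.7") for s in SAMPLES), sep="\n")
```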
Solved

Hi,

I solved the problem. I went in on another server running no IspConfig and FreeBSD instead of Debian but was still running proftpd without problems, on the same net. I copied the proftpd.conf file (made a backup of course of my current conf file), and edited the conf file to the ISP config settings. This is the result:

Code:
    ServerName "*** Wilt server"
    ServerType standalone
    DefaultServer on
    UseIPv6 off
    UseReverseDNS off
    IdentLookups off
    #PassivePorts 56000 57000
    #ScoreboardFile /var/run/proftpd.scoreboard
    # Port 21 is the standard FTP port.
    Port 21
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask 000
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd).
    MaxInstances 30
    # Set the user and group under which the server will run.
    User proftpd
    Group nogroup
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    #DefaultRoot ~
    # Normally, we want files to be overwriteable.
    AllowOverwrite on
    # Bar use of SITE CHMOD by default
    <Limit SITE_CHMOD>
    AllowAll
    </Limit>
    <Global>
    PassivePorts 56000 57000
    </Global>
    # Added by hand for ispconfig
    TransferLog /var/log/proftpd/xferlog
    SystemLog /var/log/proftpd/proftpd.log
    Include /etc/proftpd_ispconfig.conf

The ispconfig.conf file is as it should be, not changed.

Hope this helps others in the future.

Best regards,
Paul Peelen
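Added example, not from the thread or from ProFTPD: a Python check of which scope PassivePorts sits in within a proftpd.conf. In ProFTPD a top-level ("server config") directive applies only to the main server, while one inside <Global> applies to the main server and every <VirtualHost>; that the included /etc/proftpd_ispconfig.conf defines <VirtualHost> sections is an assumption, as are the function names. BEFORE and AFTER are constructed excerpts of the two configs posted above.

```python
import re

OPEN = re.compile(r"<(\w+)\b[^>]*>$")
CLOSE = re.compile(r"</(\w+)>$")
# Sections that change which server a directive applies to; <IfModule>,
# <Limit> and similar wrappers are skipped because they do not.
SCOPES = {"Global", "VirtualHost", "Anonymous"}

def passive_ports_scopes(conf_text):
    """Return [(scope, value)] for every active PassivePorts line."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, e.g. #PassivePorts
        if not line:
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if closing.group(1) in SCOPES and stack:
                stack.pop()
        elif opening:
            if opening.group(1) in SCOPES:
                stack.append(opening.group(1))
        elif line.split()[0].lower() == "passiveports":
            scope = stack[-1] if stack else "server config"
            found.append((scope, " ".join(line.split()[1:])))
    return found

def set_for_all_servers(conf_text):
    """True when PassivePorts is set inside <Global>."""
    return any(scope == "Global" for scope, _ in passive_ports_scopes(conf_text))

# Constructed excerpt of the first post's config.
BEFORE = """
Port 21
PassivePorts 55000 60000
Include /etc/proftpd_ispconfig.conf
"""
# Constructed excerpt of the config from the "Solved" post.
AFTER = """
#PassivePorts 56000 57000
Port 21
<Global>
PassivePorts 56000 57000
</Global>
Include /etc/proftpd_ispconfig.conf
"""
for name, text in (("before", BEFORE), ("after", AFTER)):
    print(name, passive_ports_scopes(text), set_for_all_servers(text))
```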
I just tried using that config and I am still getting error 503. I can log in via web-ftp with no problems. Anytime I use an FTP client, I receive 503.