Cannot connect via proftpd

Discussion in 'Installation/Configuration' started by wpwood3, Apr 22, 2010.

  1. wpwood3

    wpwood3 New Member

    I rarely use proftpd but, it has been working fine for years on my ISPConfig2 box.
    Today I tried to connect and the connection times out.

    Here are results in /var/log/messages
    Code:
    Apr 22 00:02:05 mbshop2 proftpd[18652]: mbshop2.peachparts.com (::ffff:127.0.0.1[::ffff:127.0.0.1]) - FTP session opened. 
    Apr 22 00:02:05 mbshop2 proftpd[18652]: mbshop2.peachparts.com (::ffff:127.0.0.1[::ffff:127.0.0.1]) - FTP session closed.
    proftpd is running.

    Here's proftpd.conf:
    Code:
    # This is the ProFTPD configuration file
    # $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
    
    ServerName			"ProFTPD server"
    ServerIdent			on "FTP Server ready."
    ServerAdmin			root@localhost
    ServerType			standalone
    #ServerType			inetd
    DefaultServer			on
    AccessGrantMsg			"User %u logged in."
    #DisplayConnect			/etc/ftpissue
    #DisplayLogin			/etc/ftpmotd
    #DisplayGoAway			/etc/ftpgoaway
    DeferWelcome			off
    
# Use this to exclude users from the chroot
    DefaultRoot			~ !adm
    IdentLookups off
    ServerIdent on "FTP Server ready."
    
    # Use pam to authenticate (default) and be authoritative
    AuthPAMConfig			proftpd
    AuthOrder			mod_auth_pam.c* mod_auth_unix.c
    
    # Do not perform ident nor DNS lookups (hangs when the port is filtered)
    IdentLookups			off
    UseReverseDNS			off
    
    # Port 21 is the standard FTP port.
    Port				21
    
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask				022
    
    # Default to show dot files in directory listings
    ListOptions			"-a"
    
    # See Configuration.html for these (here are the default values)
    #MultilineRFC2228		off
    #RootLogin			off
    #LoginPasswordPrompt		on
    #MaxLoginAttempts		3
    #MaxClientsPerHost		none
    #AllowForeignAddress		off	# For FXP
    
    # Allow to resume not only the downloads but the uploads too
    AllowRetrieveRestart		on
    AllowStoreRestart		on
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances			20
    
    # Set the user and group that the server normally runs at.
    User				nobody
    Group				nobody
    
    # Disable sendfile by default since it breaks displaying the download speeds in
    # ftptop and ftpwho
    UseSendfile			no
    
    # This is where we want to put the pid file
    ScoreboardFile			/var/run/proftpd.score
    
    # Normally, we want users to do a few things.
    <Global>
      AllowOverwrite		yes
      <Limit ALL SITE_CHMOD>
        AllowAll
      </Limit>
    </Global>
    
    # Define the log formats
    LogFormat			default	"%h %l %u %t \"%r\" %s %b"
    LogFormat			auth	"%v [%P] %h %t \"%r\" %s"
    
    # TLS
    # Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
    #TLSEngine			on
    #TLSRequired			on
    #TLSRSACertificateFile		/etc/pki/tls/certs/proftpd.pem
    #TLSRSACertificateKeyFile	/etc/pki/tls/certs/proftpd.pem
    #TLSCipherSuite			ALL:!ADH:!DES
    #TLSOptions			NoCertRequest
    #TLSVerifyClient		off
    ##TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
    #TLSLog				/var/log/proftpd/tls.log
    
    # SQL authentication Dynamic Shared Object (DSO) loading
    # See README.DSO and howto/DSO.html for more details.
    #<IfModule mod_dso.c>
    #   LoadModule mod_sql.c
    #   LoadModule mod_sql_mysql.c
    #   LoadModule mod_sql_postgres.c
    #</IfModule>
    
    # A basic anonymous configuration, with an upload directory.
    #<Anonymous ~ftp>
    #  User				ftp
    #  Group				ftp
    #  AccessGrantMsg		"Anonymous login ok, restrictions apply."
    #
    #  # We want clients to be able to login with "anonymous" as well as "ftp"
    #  UserAlias			anonymous ftp
    #
    #  # Limit the maximum number of anonymous logins
    #  MaxClients			10 "Sorry, max %m users -- try again later"
    #
    #  # Put the user into /pub right after login
    #  #DefaultChdir			/pub
    #
    #  # We want 'welcome.msg' displayed at login, '.message' displayed in
    #  # each newly chdired directory and tell users to read README* files. 
    #  DisplayLogin			/welcome.msg
    #  DisplayFirstChdir		.message
    #  DisplayReadme			README*
    #
    #  # Some more cosmetic and not vital stuff
    #  DirFakeUser			on ftp
    #  DirFakeGroup			on ftp
    #
    #  # Limit WRITE everywhere in the anonymous chroot
    #  <Limit WRITE SITE_CHMOD>
    #    DenyAll
    #  </Limit>
    #
    #  # An upload directory that allows storing files but not retrieving
    #  # or creating directories.
    #  <Directory uploads/*>
    #    AllowOverwrite		no
    #    <Limit READ>
    #      DenyAll
    #    </Limit>
    #
    #    <Limit STOR>
    #      AllowAll
    #    </Limit>
    #  </Directory>
    #
    #  # Don't write anonymous accesses to the system wtmp file (good idea!)
    #  WtmpLog			off
    #
    #  # Logging for the anonymous transfers
    #  ExtendedLog		/var/log/proftpd/access.log WRITE,READ default
    #  ExtendedLog		/var/log/proftpd/auth.log AUTH auth
    #
    #</Anonymous>
    
    
    DefaultRoot ~
    
    Include /etc/proftpd_ispconfig.conf
     
    Last edited: Apr 22, 2010
  2. wpwood3

    wpwood3 New Member

    More info...

    I seem to be getting segfaults:
    Code:
    Apr 22 11:15:22 mbshop2 kernel: php[13394]: segfault at 00007fff3a6feff8 rip 0000000000670b30 rsp 00007fff3a6ff028 error 6
    Apr 22 11:17:33 mbshop2 kernel: php[14160]: segfault at 00007fffacfcbfd8 rip 000000000068f1eb rsp 00007fffacfcc028 error 6
    Possibly a hardware problem?

    In addition, I had to turn off my dkim and dk milters because they were unable to connect:
    Code:
    NOQUEUE: milter-reject: EHLO from localhost.localdomain[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
     NOQUEUE: milter-reject: MAIL from localhost.localdomain[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<localhost>
    I think all of these problems are related somehow.
     
  3. wpwood3

    wpwood3 New Member

    Port 21 not open?

    I just ran a port scan of my server and port-21 is showing closed even though it shows open in ISPConfig2.

    Here's the output from iptables -L
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    DROP       all  --  localhost            anywhere            
    ACCEPT     tcp  --  98.d2.7bae.static.theplanet.com/29  anywhere            tcp dpt:smtp 
    ACCEPT     tcp  --  208.65.144.0/21      anywhere            tcp dpt:smtp 
    ACCEPT     tcp  --  208.81.64.0/22       anywhere            tcp dpt:smtp 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp 
    DROP       tcp  --  anywhere             127.0.0.0/8         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    DROP       all  --  localhost            anywhere            
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    
    Chain INT_IN (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain PAROLE (9 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:submission 
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:fujitsu-dtcns 
    DROP       icmp --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere
     
  4. wpwood3

    wpwood3 New Member

    ISPConfig not updating firewall

    Ok, if I stop the Bastille firewall ( /etc/init.d/bastille-firewall stop ) I can connect via FTP.
    The weird thing is that ISPConfig still shows the firewall "Online" even though it is stopped.
    When I restart the firewall ( /etc/init.d/bastille-firewall start ) I cannot connect via FTP, even though ISPConfig shows that FTP Port-21 is open.

    The problem appears to be that ISPConfig is not changing the status of the firewall. I can turn ports on or off and even turn the firewall off in ISPConfig and nothing really changes even though ISPConfig indicates that it did.
     
    Last edited: Apr 22, 2010
  5. wpwood3

    wpwood3 New Member

    ISPConfig not updating firewall

    I ran more tests and found that changing a port from active to not active in ISPConfig does indeed change the status in the ispconfigdb isp_firewall dienst_aktiv from ja to nein. So the MySQL updates are working.

    The problem is that the Bastille firewall never gets updated. No iptables rules are being changed. If I run iptables -L before making a firewall change in ISPConfig and then again after the change, I get exactly the same result. No iptables change.

    How to fix???
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Do you see your changes in the Bastille configuration file /etc/Bastille/bastille-firewall.cfg?
     
  7. wpwood3

    wpwood3 New Member

    No.
    When I open Port-21 in ISPConfig, it never gets added to this line:
    Code:
    TCP_PUBLIC_SERVICES="22 25 53 80 81 110 443 587"
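    A quick way to see where the ISPConfig -> Bastille -> iptables chain breaks is to compare the ports listed in TCP_PUBLIC_SERVICES with the TCP ports the live PUB_IN chain actually hands to PAROLE. This is an added example, not code from the thread, ISPConfig or Bastille; the config line and the iptables -L excerpt are constructed samples modelled on the ones posted above, and the service-name table is a hand-picked subset of /etc/services.

```python
import re

# Service names that iptables -L prints in place of port numbers (subset of /etc/services).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80,
                 "hosts2-ns": 81, "pop3": 110, "https": 443, "submission": 587}

# Constructed samples: the bastille-firewall.cfg line from the thread and a
# shortened PUB_IN chain (only three of the configured ports have PAROLE rules).
SAMPLE_CFG = 'TCP_PUBLIC_SERVICES="22 25 53 80 81 110 443 587"\nUDP_PUBLIC_SERVICES="53"\n'
SAMPLE_IPTABLES = """Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
ACCEPT     all  --  anywhere             anywhere
"""

def configured_tcp_ports(cfg_text):
    """Ports Bastille is configured to open, taken from TCP_PUBLIC_SERVICES."""
    m = re.search(r'^TCP_PUBLIC_SERVICES="([^"]*)"', cfg_text, re.M)
    return {int(p) for p in m.group(1).split()} if m else set()

def parole_tcp_ports(iptables_text):
    """TCP ports that the live PUB_IN chain passes to the PAROLE (accept) chain."""
    ports, in_pub_in = set(), False
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):          # chain header: track which chain we are in
            in_pub_in = line.startswith("Chain PUB_IN ")
            continue
        m = re.match(r"PAROLE\s+tcp\s+.*\btcp dpt:(\S+)", line) if in_pub_in else None
        if m:
            name = m.group(1)
            port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
            if port is not None:               # unknown service names are skipped
                ports.add(port)
    return ports

def audit(cfg_text, iptables_text, port):
    """Report whether `port` is in the config, in the live rules, and any mismatch.
    A port present in only one of the two means the config never reached iptables
    (or iptables was changed behind the config's back)."""
    cfg, live = configured_tcp_ports(cfg_text), parole_tcp_ports(iptables_text)
    return {"in_config": port in cfg, "in_iptables": port in live,
            "config_not_live": sorted(cfg - live), "live_not_config": sorted(live - cfg)}
```

    On a real box, feed it the contents of /etc/Bastille/bastille-firewall.cfg and the output of iptables -L; an empty config_not_live list after restarting the firewall means Bastille applied what ISPConfig wrote.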
     
  8. wpwood3

    wpwood3 New Member

    Segmentation fault

    Falko-
    Running writeconf.php results in a segmentation fault:
    Code:
    [root@mbshop2 ~]# /root/ispconfig/php/php -q /root/ispconfig/scripts/writeconf.php
    start
    Segmentation fault
    ispconfig.log only shows these entries:
    Code:
    23.04.2010 - 16:45:51 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 137: cp -fr /etc/postfix/local-host-names /etc/postfix/local-host-names~
    23.04.2010 - 16:45:51 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 284: cp -fr /etc/postfix/virtusertable /etc/postfix/virtusertable~
    23.04.2010 - 16:45:51 => INFO - /root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php, Line 289: postmap hash:/etc/postfix/virtusertable
    23.04.2010 - 16:45:51 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1268: cp -fr /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf~
    The segfault appears to happen at this step in writeconf.php:
    Code:
    //Firewall-Konfiguration
    $isp_web->make_firewall();
     
  9. wpwood3

    wpwood3 New Member

    Fixed!

    A big thanks to crypted for his help!

    The solution was as follows:

    1) Make sure the permissions are correct on the folders bind uses:
    Code:
    chmod 755 /var/named/
    chmod 775 /var/named/chroot/
    chmod 775 /var/named/chroot/var/
    chmod 775 /var/named/chroot/var/named/
    chmod 775 /var/named/chroot/var/run/
    chmod 777 /var/named/chroot/var/run/named/
    cd /var/named/chroot/var/named/
    ln -s ../../ chroot
    2) Check the Server Settings in ISPConfig
    Go to Management > Server > Settings
    Click on the DNS tab
    These settings must be as follows:
    Code:
    named.conf: /var/named/chroot/etc/named.conf
    Zonefiles Dir.: /var/named/chroot/var/named
    Life is good again!
     
  10. crypted

    crypted Member

    No problem...
     