Hello

Operating System: Ubuntu Linux 14.04.5
ISPC3 Version: 3.1.13

After completing an uneventful ISPC3 installation I have configured a new site, and I have also created an FTP user for this site. Pure-ftpd seems to be ignoring requests for FTP connections. I suspect that the rules in iptables can be an issue for port 21 at least??

Code:
:f2b-dovecot-pop3imap - [0:0]
:f2b-postfix-sasl - [0:0]
:f2b-pureftpd - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j f2b-pureftpd
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j f2b-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 25 -j f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 1812 -j ACCEPT
-A INPUT -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1813 -j ACCEPT
-A INPUT -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1814 -j ACCEPT
-A INPUT -p udp -m udp --dport 1814 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow Incoming FTP connections on port 21" -j f2b-pureftpd
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow Incoming Active FTP connections on port 20" -j f2b-pureftpd
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow Incoming Passive FTP connections" -j f2b-pureftpd
-A OUTPUT -p tcp -m tcp --dport 1812 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1812 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1812 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1813 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1813 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1814 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1814 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow Outgoing FTP connections on port 21" -j f2b-pureftpd
-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow Outgoing Active FTP connections on port 20" -j f2b-pureftpd
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow Outgoing Passive FTP connections" -j f2b-pureftpd
-A f2b-dovecot-pop3imap -j RETURN
-A f2b-postfix-sasl -j RETURN
-A f2b-pureftpd -j RETURN
-A f2b-sshd -j RETURN

When I attempt to access this server from another local server via FTP using the CLI I receive the following:

Code:
ftp: connect: Connection refused

From this server in question I am able to ftp into other local servers via CLI successfully, and other devices can see this server's IP address as well. Likewise, when I attempt to log onto the ISPC3 server using an FTP client, the following error is returned:

Code:
Connection attempt failed with "ECONREFUSED - Connection refused by server"

In /var/log/pure-ftpd no logs are being generated; in /var/log/syslog I have found the following line(s):

Code:
Sep 9 10:03:03 knctd systemd[1]: Started pure-ftpd-mysql.service.
Sep 9 10:03:03 knctd pure-ftpd: ([email protected]?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]

which indicates that pure-ftpd is unable to locate its pem cert. I have validated the existence of the key file:

Code:
pure-ftpd.pem

I also checked the file permission:

Code:
-rw------- 1 root root 1704 Sep 9 10:03 pure-ftpd.pem

Should I just regenerate a new key for pure-ftpd?

Output of the ISPC3 common issues script:

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***, ***.***.***.***
[WARN] ip addresses from hostname differ from ifconfig output. Please check your ip settings.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.1.13

##### VERSION CHECK #####
[INFO] php (cli) version is 7.0.30-0ubuntu***.***.***.***

##### PORT CHECK #####
[WARN] Port 21 (FTP server) seems NOT to be listening

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 1614)
[INFO] I found the following mail server(s): Postfix (PID 2261)
[INFO] I found the following pop3 server(s): Dovecot (PID 1272)
[INFO] I found the following imap server(s): Dovecot (PID 1272)
[WARN] I could not determine which ftp server is running.

##### LISTENING PORTS #####
(only () Local (Address)
***.***.***.***:53 (1190/named)
***.***.***.***:53 (1190/named)
[localhost]:53 (1190/named)
[anywhere]:22 (1206/sshd)
[anywhere]:25 (2261/master)
[localhost]:953 (1190/named)
[anywhere]:993 (1272/dovecot)
[anywhere]:995 (1272/dovecot)
[localhost]:10023 (1442/postgrey.pid)
[localhost]:10025 (2261/master)
[localhost]:10027 (2261/master)
[anywhere]:587 (2261/master)
[localhost]:11211 (1199/memcached)
[localhost]:6379 (1267/redis-server)
[anywhere]:110 (1272/dovecot)
[anywhere]:143 (1272/dovecot)
[anywhere]:10000 (1665/perl)
[anywhere]:465 (2261/master)
*:*:*:*::*:53 (1190/named)
*:*:*:*::*:22 (1206/sshd)
*:*:*:*::*:25 (2261/master)
*:*:*:*::*:953 (1190/named)
*:*:*:*::*:443 (1614/apache2)
*:*:*:*::*:993 (1272/dovecot)
*:*:*:*::*:995 (1272/dovecot)
*:*:*:*::*:10023 (1442/postgrey.pid)
*:*:*:*::*:3306 (1247/mysqld)
*:*:*:*::*:587 (2261/master)
[localhost]10 (1272/dovecot)
[localhost]43 (1272/dovecot)
[localhost]0000 (1665/perl)
*:*:*:*::*:8080 (1614/apache2)
*:*:*:*::*:80 (1614/apache2)
*:*:*:*::*:465 (2261/master)
*:*:*:*::*:8081 (1614/apache2)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
f2b-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1812
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:1812
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1813
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:1813
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1814
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:1814
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:3306
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21 ctstate NEW,ESTABLISHED /* Allow Incoming FTP connections on port 21 */
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:20 ctstate RELATED,ESTABLISHED /* Allow Incoming Active FTP connections on port 20 */
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* Allow Incoming Passive FTP connections */

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1812
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1812
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:1812
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:1813
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1813
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:1814
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:1814
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:3306
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21 ctstate NEW,ESTABLISHED /* Allow Outgoing FTP connections on port 21 */
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:20 ctstate ESTABLISHED /* Allow Outgoing Active FTP connections on port 20 */
f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 tcp spts:1024:65535 dpts:1024:65535 ctstate RELATED,ESTABLISHED /* Allow Outgoing Passive FTP connections */

Chain f2b-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain f2b-postfix-sasl (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain f2b-pureftpd (7 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

This server sits behind a DMZ.

Thank you
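As an added example (mine, not part of the original post and not ISPConfig's or pure-ftpd's own tooling), a small POSIX shell script that checks the two symptoms reported above: a pure-ftpd.pem that the daemon will not load, and nothing listening on port 21. It assumes the path from the syslog line (/etc/ssl/private/pure-ftpd.pem) and the fact that pure-ftpd expects the private key and the certificate concatenated in that one file; the regeneration helper uses openssl's standard self-signed options with a placeholder subject, and `ss` comes from iproute2.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh ftpcheck.sh check [PEMFILE]
PEM_DEFAULT=/etc/ssl/private/pure-ftpd.pem   # path quoted in the syslog error

# check_pem FILE
#   0 = usable, 1 = missing, 2 = no private key, 3 = no certificate,
#   4 = readable by group/others (a private key should be mode 0600)
check_pem() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"; return 1
    fi
    # pure-ftpd wants the key AND the certificate in the same PEM file;
    # a file holding only the key is not enough for TLS to start
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "no private key in $f"; return 2
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "no certificate in $f (key alone is not enough)"; return 3
    fi
    # portable permission check: group/other bits of 'ls -l' must all be '-'
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "too permissive: $f should be mode 0600"; return 4 ;;
    esac
    echo "ok: $f holds a key and a certificate"
    return 0
}

# ftp_listening -> 0 if some process listens on TCP port 21
ftp_listening() {
    ss -ltn 2>/dev/null | grep -q ':21[[:space:]]'
}

# regen_pem FILE -> fresh self-signed key+certificate written into FILE, mode 0600.
# The subject is a PLACEHOLDER; use the server's real hostname.
regen_pem() {
    f="$1"
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=ftp.example.invalid" \
          -keyout "$f" -out "$f" ) && chmod 600 "$f"
}

main() {
    pem="${1:-$PEM_DEFAULT}"
    check_pem "$pem"
    if ftp_listening; then
        echo "ok: something is listening on tcp/21"
    else
        echo "warn: nothing is listening on tcp/21 (pure-ftpd not running?)"
    fi
}

if [ "${1:-}" = "check" ]; then
    shift
    main "$@"
fi
```

Run it as `sh ftpcheck.sh check` (or with an explicit path) after a restart of pure-ftpd-mysql; a return code of 3 from `check_pem` means the file is a key without a certificate, which is the first thing to rule out when the daemon complains about the file even though `ls` shows it.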
Rather, pure-ftpd is not starting up/running, because of the non-existent certificate file, per the error you supplied. I.e., do you see that file in /etc/ssl/private?

Code:
ls -l /etc/ssl/private/pure-ftpd.pem

A note on your firewall rules: I would not expect them to work as-is. You need to allow incoming connections to port 21 (which you do); you do not need to allow connections to port 20, as active ftp connections originate from the server's port 20, they are not incoming, nor do they connect to port 20 on the remote end, and they pretty much don't matter anyway because when you use TLS (and you both should, and are trying to, by supplying a certificate file) almost all ftp client connections to your server will use passive mode, as they normally pass through a NAT and/or stateful firewall, which kills active mode connections with TLS enabled; and most importantly, your passive port rules will fail, as they match ESTABLISHED state - you can't get to ESTABLISHED state without first passing the NEW state, which is not allowed; and don't just allow NEW state for that particular rule, or you will have effectively disabled your firewall entirely for all but ports <1024. You should specify a port range to be used for passive mode connections, and only allow connections to that range (see https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/).

I don't know what tool was used to create those, but I'd recommend installing ufw and just specifying the port ranges you need in the ISPConfig firewall setting; it will create a little more comprehensive firewall and is pretty simple.
Doh, I just noticed you have an ACCEPT policy on your INPUT chain, there's not a single thing denied (unless fail2ban adds something to the f2b rules), so you actually should be able to use passive mode ftp once you get the ftp server going -- but you should fix the firewall rules.
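To make the firewall points in the two replies above concrete, here is an added example (mine, not from the thread and not ISPConfig's, ufw's or pure-ftpd's own code): a POSIX shell helper that emits INPUT rules for FTP with a pinned passive port range, plus the pure-ftpd-wrapper setting that confines the daemon to the same range. The 40110-40210 range is an assumption (any unused range above 1023 works); /etc/pure-ftpd/conf/PassivePortRange is the Debian/Ubuntu pure-ftpd-wrapper layout.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh ftp-fw.sh 40110 40210
# Prints iptables-save style rules meant for an INPUT chain whose policy is
# DROP (with an ACCEPT policy, as in the quoted ruleset, they change nothing).

# validate_range LOW HIGH -> 0 when both are integers, 1023 < LOW < HIGH < 65536
validate_range() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -gt 1023 ] && [ "$2" -lt 65536 ] && [ "$1" -lt "$2" ]
}

# ftp_fw_rules LOW HIGH -> INPUT rules for the control port and the passive range
ftp_fw_rules() {
    validate_range "$1" "$2" || { echo "bad passive range: $1 $2" >&2; return 1; }
    cat <<EOF
# Replies to connections this host accepted or opened. RELATED also covers
# plain-FTP data sessions that the nf_conntrack_ftp helper classified; with
# TLS the helper cannot read the PASV reply, which is why a fixed range is
# pinned below instead of trusting state alone.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FTP control connection: the client's first packet is NEW, so NEW must be allowed
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Passive data connections: the client opens a NEW connection into this range only
-A INPUT -p tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# pure_ftpd_passive_conf LOW HIGH -> the one-line content pure-ftpd-wrapper
# reads from /etc/pure-ftpd/conf/PassivePortRange
pure_ftpd_passive_conf() {
    validate_range "$1" "$2" || return 1
    echo "$1 $2"
}

if [ $# -eq 2 ]; then
    ftp_fw_rules "$1" "$2"
    printf '\n# /etc/pure-ftpd/conf/PassivePortRange:\n%s\n' "$(pure_ftpd_passive_conf "$1" "$2")"
fi
```

Two points worth keeping in mind when comparing this with the quoted ruleset: the quoted rules jump to f2b-pureftpd, which only RETURNs, so the verdict ends up being the chain policy rather than ACCEPT; and the `--dport 1024:65535` rule with `--ctstate ESTABLISHED` can never admit a data connection, since the first packet of that connection is NEW. Pinning the range in both places (firewall and PassivePortRange) keeps the exposure to a hundred ports instead of the whole unprivileged range.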
Thank you for the reply, Jesse.

OK, no cert, no go. I will regenerate a new cert. Pretty odd situation: I can view the .pem file at /etc/ssl/private and it contains a private key, but pure-ftpd is unable to locate and use it?

I will install ufw as you suggest. Once done I will post an update.

Best Regards

Thank you for your firewall insight
After generating a new .pem cert, I was able to establish a TLS FTP connection.

Thank you for your help.

Best Regards

¦̵̱ ̵̱ ̵̱ ̵̱ ̵̱(̢ ̡͇̅└͇̅┘͇̅ (▤8כ−◦