proftpd problem after update

Discussion in 'General' started by ppeelen, Jan 13, 2008.

  1. ppeelen

    ppeelen New Member

    Hi,

    My ISP has all ports up to 54000 blocked (except for 80, 21, 20, etc.). My ispconfig runs on 54001 instead of 81.

    But after I updated my ISPConfig to 2.2.28 version my proftpd ignores the passiveports settings in proftpd.conf. I really can't understand why. I had this problem before and somehow managed to fix this, but now it is back and I tried everything I can recall to try.

    This is my proftp.conf
    Code:
    #
    # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
    # To really apply changes reload proftpd after modifications.
    # 
    
    # Includes DSO modules
    Include /etc/proftpd/modules.conf
    
    # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
    UseIPv6				off
    
    ServerName			"MalakaPower wilt server"
    ServerType			standalone
    DeferWelcome			off
    
    #MultilineRFC2228		on
    DefaultServer			on
    #ShowSymlinks			on
    
    #TimeoutNoTransfer		600
    #TimeoutStalled			600
    #TimeoutIdle			1200
    
    #DisplayLogin                    welcome.msg
    #DisplayFirstChdir               .message
    #ListOptions                	"-l"
    
    DenyFilter			\*.*/
    
    Port				21
    
    PassivePorts                    55000 60000
    
    MaxInstances			300
    
    # Set the user and group that the server normally runs at.
    User				proftpd
    Group				nogroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask				022  022
    # Normally, we want files to be overwriteable.
    AllowOverwrite			on
    
    TransferLog /var/log/proftpd/xferlog
    SystemLog   /var/log/proftpd/proftpd.log
    
    <IfModule mod_tls.c>
    TLSEngine off
    </IfModule>
    
    <IfModule mod_quota.c>
    QuotaEngine on
    </IfModule>
    
    <IfModule mod_ratio.c>
    Ratios on
    </IfModule>
    
    UseReverseDNS off
    IdentLookups off
    
    Include /etc/proftpd_ispconfig.conf
    
    I removed larger parts of the comments.

    As you can see I set my PassivePorts to 55000 60000, but this is a transfer log from smartFTP on my Windows machine running in VMWare Fusion:
    Code:
    [23:04:28] Resolving host name "ftp.****.com"
    [23:04:29] Connecting to ***.***.***.*** Port: 21
    [23:04:29] Connected to ftp.****.com.
    [23:04:39] 220 ProFTPD 1.3.0 Server (MalakaPower wilt server) [***.***.***.***]
    [23:04:39] USER web37_paul
    [23:04:39] 331 Password required for web37_paul.
    [23:04:39] PASS (hidden)
    [23:04:39] 230 User web37_paul logged in.
    [23:04:39] SYST
    [23:04:39] 215 UNIX Type: L8
    [23:04:39] Detected Server Type: UNIX
    [23:04:39] FEAT
    [23:04:39] 211-Features:
    [23:04:39]  MDTM
    [23:04:39]  REST STREAM
    [23:04:39]  SIZE
    [23:04:39] 211 End
    [23:04:39] PWD
    [23:04:39] 257 "/" is current directory.
    [23:04:39] TYPE A
    [23:04:39] 200 Type set to A
    [23:04:39] PASV
    [23:04:39] 227 Entering Passive Mode (***,***,***,***,152,179).
    [23:04:39] Opening data connection to ***.***.***.*** Port: 39091
    [23:04:39] LIST -aL
    
    And there it times out, of course, because port 39091 is blocked.

    this is what shows up in /etc/proftpd/proftpd.log:
    Code:
    Jan 13 23:10:30 www.mydomain.com proftpd[824] www.mydomain.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 13 23:10:30 www.mydomain.com proftpd[824] www.mydomain.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 13 23:10:30 www.mydomain.com proftpd[824] www.mydomain.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 13 23:10:30 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 13 23:12:01 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 13 23:12:01 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 13 23:12:01 www.mydomain.com proftpd[844] www.mydomain.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,224,159 (address mismatch)
    
    I tried another connection with proftpd in debug, and this is that result:
    http://www.paulpeelen.com/proftpd.txt

    Does anyone have a similar problem? Does someone know how to fix this?

    Best regards,
    Paul Peelen
     
    Last edited: Jan 13, 2008
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to put the PassivePorts settings inside of global tags.
     
  3. ppeelen

    ppeelen New Member

    You mean like
    Code:
    <global>
    PassivePorts                    55000 60000
    </global>
    
    ?

    // Paul
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, please try this.
     
  5. ppeelen

    ppeelen New Member

    Hi,

    Sorry for my late answer. Your solution works, but now I got myself into another problem.

    I set my passiveports between 54000 and 55000, works perfectly... but now I am getting "Illegal PORT command" error in my Transfer.

    This is the result of my /var/log/proftpd/proftd.log:
    Code:
    Jan 20 19:26:09 wilt.***.com proftpd[10686] localhost.localdomain: ProFTPD 1.3.0 (stable) (built mar gen 2 10:57:47 CET 2007) standalone mode STARTUP
    Jan 20 19:26:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 20 19:26:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 20 19:26:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 20 19:26:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session opened.
    Jan 20 19:27:01 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): USER web37_paul: Login successful.
    Jan 20 19:27:01 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Preparing to chroot to directory '/var/www/web37'
    Jan 20 19:27:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,207,3 (address mismatch)
    Jan 20 19:27:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,207,4 (address mismatch)
    Jan 20 19:28:35 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Refused EPRT |1|192.168.1.4|53008| (address mismatch)
    Jan 20 19:28:36 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Refused PORT 192,168,1,4,207,16 (address mismatch)
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Passive data transfer failed, possibly due to network issues
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): Check your PassivePorts and MasqueradeAddress settings,
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): and any router, NAT, and firewall rules in the network path.
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): FTP no transfer timeout, disconnected
    Jan 20 19:31:14 wilt.***.com proftpd[10688] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session closed.
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Passive data transfer failed, possibly due to network issues
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): Check your PassivePorts and MasqueradeAddress settings,
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): and any router, NAT, and firewall rules in the network path.
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): FTP no transfer timeout, disconnected
    Jan 20 19:31:58 wilt.***.com proftpd[10736] wilt.***.com (85.227.129.***[85.227.129.***]): FTP session closed.
    
    I don't understand this error message:
    Code:
    Passive data transfer failed, possibly due to network issues. Check your PassivePorts and MasqueradeAddress settings, and any router, NAT, and firewall rules in the network path. 
    It can't be at my ISP because the ports above 54000 are open, and it can't be here at home either because this error occurs on different networks all around.
    The weird thing though is, when I am at my office (located at my ISP) and I am on the same network I can access my server without any problems.

    I checked my IPTables as well, and this is the result:
    Code:
    wilt:/var/log/proftpd# iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             10.1.15.1           tcp dpts:50000:50050 
    ACCEPT     tcp  --  anywhere             10.1.15.1           tcp dpt:50000 
    ACCEPT     tcp  --  anywhere             10.1.15.1           tcp dpts:50000:60000 
    ACCEPT     tcp  --  anywhere             wilt.***.com       tcp dpts:50000:60000 
    ACCEPT     tcp  --  anywhere             wilt.***.com       tcp dpts:ftp-data:ftp 
    ACCEPT     tcp  --  anywhere             anywhere          tcp dpts:ftp-data:ftp 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 
    
    The 10.1.15.1 address I happen to have just added following a tutorial about iptables on Debian.

    I don't think it can't be my IPTables as well, what could it be?

    Best regards,
    Paul Peelen
     
  6. falko

    falko Super Moderator Howtoforge Staff

    Does your router forward the ports 54000 - 55000?
     
  7. ppeelen

    ppeelen New Member

    Locally? Should that make any difference?

    It wasn't forwarding, but I changed it now... at my home router.

    -- The result:
    Code:
    paul-peelens-dator:~ ppeelen$ ftp web37_paul@***.com
    Connected to ***.com.
    220 ProFTPD 1.3.0 Server (*** wilt server) [***.***.***.***]
    331 Password required for web37_paul.
    Password: 
    230 User web37_paul logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    229 Entering Extended Passive Mode (|||54283|)
    200 EPRT command successful
    
    421 Service not available, remote server timed out. Connection closed
    
    When connecting to my server through OS X.

    // Paul
     
    Last edited: Jan 21, 2008
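
The client logs and proftpd.log excerpts in posts 1, 5 and 7 above can be checked mechanically. The following is an added example, not part of any post in this thread: it decodes the data-channel endpoint from PASV, EPSV, PORT and EPRT lines and reports whether the port falls outside the configured PassivePorts range or the announced address differs from the control-connection peer. The function names `endpoint` and `check` are hypothetical, and the sample addresses are documentation placeholders.

```python
import re

# Constructed sample lines modelled on the logs quoted in this thread
# (203.0.113.10 and 198.51.100.7 are placeholder addresses, not the poster's).
SAMPLE = [
    "227 Entering Passive Mode (203,0,113,10,152,179).",
    "229 Entering Extended Passive Mode (|||54283|)",
    "Refused PORT 192,168,1,4,207,3 (address mismatch)",
    "Refused EPRT |1|192.168.1.4|53008| (address mismatch)",
]

H6 = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")   # h1,h2,h3,h4,p1,p2
EPSV = re.compile(r"\(\|\|\|(\d+)\|\)")                    # (|||port|)
EPRT = re.compile(r"\|1\|([\d.]+)\|(\d+)\|")               # |1|ipv4|port|

def endpoint(line):
    """Return (kind, ip_or_None, port) for a PASV/EPSV/PORT/EPRT line, else None."""
    if line.startswith("229"):
        m = EPSV.search(line)
        return ("EPSV", None, int(m.group(1))) if m else None
    m = EPRT.search(line)
    if m:
        return ("EPRT", m.group(1), int(m.group(2)))
    m = H6.search(line)
    if m:
        h = [int(x) for x in m.groups()]
        kind = "PASV" if line.startswith("227") else "PORT"
        return (kind, ".".join(map(str, h[:4])), h[4] * 256 + h[5])  # port = p1*256 + p2
    return None

def check(line, passive_range, peer_ip):
    """Explain why the data connection on this line would fail, or return 'ok'."""
    # passive_range is the (low, high) pair from the PassivePorts directive.
    ep = endpoint(line)
    if ep is None:
        return "no data endpoint"
    kind, ip, port = ep
    if kind in ("PASV", "EPSV"):
        lo, hi = passive_range
        if not lo <= port <= hi:
            return f"{kind} port {port} outside PassivePorts {lo}-{hi}"
        return "ok"
    # Active mode: the server compares the announced address with the control peer.
    if ip != peer_ip:
        return f"{kind} address {ip} differs from control peer {peer_ip}"
    return "ok"
```

Run against the first sample line with the range `(55000, 60000)` from post 1, `check` reports port 39091 as outside PassivePorts, which is the symptom of the directive not being applied.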
  8. ppeelen

    ppeelen New Member

    Does anyone have any more suggestions?

    // Paul
     
  9. falko

    falko Super Moderator Howtoforge Staff

    Unfortunately no... :(
     
  10. ppeelen

    ppeelen New Member

    Solved

    Hi,

    I solved the problem. I went onto another server, running no ISPConfig and FreeBSD instead of Debian, but still running proftpd without problems, on the same net.

    I copied the proftpd.conf file (made a backup, of course, of my current conf file), and edited the conf file to the ISP config settings.

    This is the result:
    Code:
    ServerName			"*** Wilt server"
    ServerType 			standalone
    DefaultServer 			on
    UseIPv6				off
    
    UseReverseDNS			off
    IdentLookups			off
    #PassivePorts 			56000 57000
    
    #ScoreboardFile			/var/run/proftpd.scoreboard
    
    # Port 21 is the standard FTP port.
    Port 21
    
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable; the 000 set here does not restrict them.
    Umask				000
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd).
    MaxInstances 30
    
    # Set the user and group under which the server will run.
    User				proftpd
    Group				nogroup
    
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    #DefaultRoot ~
    
    # Normally, we want files to be overwriteable.
    AllowOverwrite		on
    
    # AllowAll permits SITE CHMOD for everyone; DenyAll here would bar it
    <Limit SITE_CHMOD>
      AllowAll
    </Limit>
    
    <Global>
    	PassivePorts 			56000 57000
    </Global>
    
    # Added by hand for ispconfig
    TransferLog /var/log/proftpd/xferlog
    SystemLog   /var/log/proftpd/proftpd.log
    
    Include /etc/proftpd_ispconfig.conf
    
    the ispconfig.conf file is as it should be, not changed.

    Hope this helps others in the future.

    best regards,
    Paul Peelen
     
  11. Slurpee

    Slurpee New Member

    I just tried using that config and I am still getting error 503.

    I can login via web-ftp no problems.

    Anytime I use an FTP client, I receive 503.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    netstat -tap

    and:

    iptables -L
     
