Pure-FTPd (on Debian 6.0.2): port 21 desperately closed...

Hi there, I just got a preinstalled server (Debian Squeeze with ISPConfig 3) and I spent about 2 days searching for a solution but I just can't seem to find it... Here is my problem...

On ISPConfig, I created a site, and then an FTP account, but when I try to use it, the connection is refused. I'm not surprised now because the port 21 seems to be closed!

If I do netstat -tap | grep ftp, I got NOTHING!

If I do dpkg -l | grep -i "ftp", I get this:
Code:
ii ftp 0.17-23 The FTP client
ii pure-ftpd-common 1.0.28-3 Pure-FTPd FTP server (Common Files)
ii pure-ftpd-mysql 1.0.28-3+b1 Secure and efficient FTP server with MySQL user authentication

So the FTP seems to be there, right? I don't know if you have everything to help me but don't hesitate to ask. This problem is driving me nuts! Thanks in advance!

Vincent

EDIT 1: I forgot to say I can access the server through FTP with the root account (SFTP on port 22) only.

For information, my jail.local (/etc/fail2ban/jail.local) looks like this:
Code:
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

And when I do this iptables -L -n, I get this...
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

I hope this is relevant and it will help. Thanks!

Is this a virtual server? If yes, please post the output of:
cat /proc/user_beancounters

Did you try to restart pure-ftpd?

SFTP is an SSH protocol, so not FTP even if the name might imply this, so SFTP is provided by the openssh daemon.

Thanks for your answer Till!

cat /proc/user_beancounters sends this output:
Code:
cat: /proc/user_beancounters: Aucun fichier ou dossier de ce type

...means "no such file or directory".

Sorry for my error, I didn't know this about SFTP. So I suppose no FTP is working....

Also, I tried to restart pure-ftpd this way:
Code:
/etc/init.d/pure-ftpd-mysql restart

...but it doesn't change anything. Thank you VERY MUCH for your kind help!

Vincent

Sorry, I forgot to mention I'm on a dedicated server. So I suppose it's not a "virtual" server. Am I correct? Sorry for my ignorance, I'm really willing to learn though. The more I discover it, the more I love Linux and ISPConfig! Thanks again!

No problem at all. That's a common confusion, and what makes it even worse is that "FTPS" (with the S at the end) is FTP again.

Yes. That's my guess too.

According to your netstat output, there must be a startup error. Please check /var/log/syslog and the logs in /var/log/pure-ftpd/ for pureftpd errors, e.g. with:
grep ftp /var/log/syslog

Oh wow, I think we've got something?!

grep ftp /var/log/syslog
Code:
Jan 22 19:25:56 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Jan 22 19:36:08 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Jan 22 19:45:20 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Jan 22 21:21:43 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Jan 22 21:22:34 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Jan 22 21:47:48 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]

It seems to be related to the SSL certificate I installed recently!!! I followed this tutorial:
http://www.howtoforge.com/securing-...h-a-free-class1-ssl-certificate-from-startssl

What do you think?

OK so I just checked and the file does exist but it's a symlink. When I open it, I have the complete certificate. So I'm not sure the problem is coming from there... Any idea?
The SSL cert issue is most likely the reason. Please post the output of:
ls -la /usr/local/ispconfig/interface/ssl/
ls -la /etc/ssl/private/

OK sure:

ls -la /usr/local/ispconfig/interface/ssl/
Code:
total 56
drwxr-s--- 2 ispconfig ispconfig 4096 20 janv. 17:50 .
drwxr-s--- 7 ispconfig ispconfig 4096 7 sept. 2011 ..
-rw-r--r-- 1 root ispconfig 2609 20 janv. 17:43 ispserver.crt
-rwxr-x--- 1 ispconfig ispconfig 2399 20 janv. 16:15 ispserver.crt_bak
-rwxr-x--- 1 ispconfig ispconfig 1858 20 janv. 16:15 ispserver.csr
-rwxr-x--- 1 ispconfig ispconfig 3243 20 janv. 16:15 ispserver.key
-rwxr-x--- 1 ispconfig ispconfig 3311 20 janv. 16:11 ispserver.key.secure
-rw------- 1 root ispconfig 10824 20 janv. 17:50 ispserver.pem
-rw-r--r-- 1 root ispconfig 2760 6 mai 2008 startssl.ca.crt
-rw-r--r-- 1 root ispconfig 4972 20 janv. 17:50 startssl.chain.class1.server.crt
-rw-r--r-- 1 root ispconfig 2212 17 avril 2010 startssl.sub.class1.server.ca.crt

ls -la /etc/ssl/private/
Code:
total 24
drwx--x--- 2 root ssl-cert 4096 20 janv. 18:07 .
drwxr-xr-x 4 root root 4096 21 févr. 2011 ..
-rw------- 1 root dovecot 891 16 janv. 11:27 dovecot.pem
-rw------- 1 root root 891 16 janv. 11:27 ks4003865.ip-142-4-212.net.key
lrwxrwxrwx 1 root root 48 20 janv. 18:07 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
-rw------- 1 root root 2266 16 janv. 11:27 pure-ftpd.pem_bak
-rw-r----- 1 root ssl-cert 1679 7 sept. 2011 ssl-cert-snakeoil.key

Normally not. But you can try to replace the symlink with the cert. Try this:
rm /etc/ssl/private/pure-ftpd.pem
cp -pf /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/ssl/private/pure-ftpd.pem

and restart pure-ftpd.

I did this but nothing changed apparently... With grep ftp /var/log/syslog I still get this:
Code:
Jan 23 12:07:13 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]

I don't get it :-/

By the way, I restart with this command:
/etc/init.d/pure-ftpd-mysql restart

Is it correct? I get this output when doing so:
Code:
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -b -A -8 UTF-8 -4 -H -D -E -S *,21 -B

Maybe I need to update PureFTPd to the latest version? My version is 1.0.28 and I see the latest release is 1.0.36. Do you think it could solve my problem?
It is unlikely that it's related to the pure-ftpd version. Did pure-ftpd work before you installed the new SSL cert? In this case, it might be that the pem file content is wrong: try to rename the .pem file to a different name and rename the pem_bak file to .pem and restart pure-ftpd to test if it works with the old file.

OMG! You got it!!! OK, so everything's OK now, everything's good, but what can I do to correct this SSL certificate? I just noticed I had 3 certificates stacked on each other in this file, just after the RSA key, which seems very strange to me. Could it be the problem?

Thank you very much for your help again! You're saving me so much time and pain finding this. I bought the ISPConfig documentation but couldn't figure out a solution for this problem... Any idea to fix this certificate?

Holy cow!!! Forget my last message, I finally found the problem! For some reason, there was a mistake in the pile of certificates in the generated pure-ftpd.pem. After the first or second certificate, a line break was missing, which was creating a problem to read the rest of the certificates inside the file, obviously :-D

Instead of
Code:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

I had
Code:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----

I guess it's something to let users know about. I hope my fixing will help others! Anyway, a big big thank you Till, you saved my life! Cheers and hail to ISPConfig ;-)
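
The fused-boundary failure described in the last post can be caught before pure-ftpd is restarted. The shell functions below are an added example, not part of the original thread or of ISPConfig; `pem_lint` and `pem_join` are hypothetical helper names. The first flags any PEM marker that shares a line with other text, the second builds a bundle with a newline guaranteed after each part.

```shell
#!/bin/sh
# Added example (not from the thread): lint and safely build a PEM bundle.

# pem_lint FILE
# Returns 0 when every PEM boundary marker sits alone on its line.
# Returns 1 when a marker shares a line with other text, e.g.
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----", or when the
# file has no BEGIN marker at all. Only line numbers are reported, so
# no key material is echoed.
pem_lint() {
    grep -q -e '-----BEGIN ' "$1" || { echo "$1: no PEM block found" >&2; return 1; }
    bad=$(grep -n -e '-----BEGIN ' -e '-----END ' "$1" |
          grep -v -E '^[0-9]+:-----(BEGIN|END) [A-Z0-9 ]+-----[[:space:]]*$' |
          cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "$1: fused or malformed PEM marker on line(s): $bad" >&2
        return 1
    fi
    return 0
}

# pem_join OUT PART...
# Concatenates PART files (key first, then certificates) into OUT and
# inserts a newline after any part whose last byte is not a newline,
# which is what a plain "cat a b c > out" fails to do.
pem_join() {
    out=$1
    shift
    (
        umask 077    # a newly created bundle holds the private key
        for part in "$@"; do
            cat "$part"
            # $(...) strips a trailing newline: non-empty means none was there
            if [ -n "$(tail -c 1 "$part")" ]; then
                echo
            fi
        done > "$out"
    ) && pem_lint "$out"
}
```

Running `pem_lint /etc/ssl/private/pure-ftpd.pem` after regenerating the file reports the line number of any fused marker; `pem_join` only tightens permissions on a file it creates, not on one that already exists.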