najkon n00b
Joined: 14 Aug 2016 Posts: 13
Posted: Mon Jul 10, 2017 7:24 pm Post subject: ProFTPD - problem with MLSD
Hi,
It seems so easy to install an FTP server by choosing ProFTPD with a basic configuration.
Unfortunately, all the calls get stuck around MLSD, and after PASV every connection ends with a timeout error.
Can someone help me tackle this so it starts working as it should?
My config:
Code: |
### /etc/proftpd/proftpd.conf
ServerName "ProFTPD Server"
ServerType standalone
DefaultServer on
MultilineRFC2228 on
RequireValidShell off
AuthPAM off
AuthPAMConfig ftp
UseIPv6 on
UseReverseDNS off
PassivePorts 57000 58000
# Listen on the standard FTP port 21.
Port 21
# New directories and files should not be group or world writable.
Umask 022
# To prevent DoS attacks set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once simply increase this value.
MaxInstances 30
# The server will run under ftp/ftp.
User ftp
Group ftp
# Every FTP sessions is "jailed" into the user's home directory.
DefaultRoot ~ !ftp-special
# Generally files are overwritable.
AllowOverwrite on
# Disallow the use of the SITE CHMOD command.
<Limit SITE_CHMOD>
DenyAll
</Limit>
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
<IfModule mod_facts.c>
FactsAdvertise off
</IfModule>
|
Version: ProFTPD 1.3.5e
Loaded ProFTPD modules:
Code: |
/usr/sbin/proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_rlimit.c
mod_auth_unix.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_facts.c
mod_dso.c
mod_auth_pam.c
mod_facl.c
mod_case.c
mod_sql.c
mod_sql_passwd.c
mod_sql_mysql.c
mod_sftp.c
mod_sftp_pam.c
mod_sftp_sql.c
mod_tls.c
mod_tls_shmcache.c
mod_wrap2.c
mod_wrap2_file.c
mod_wrap2_sql.c
mod_cap.c
mod_lang.c
|
emerge proftpd -pv:
Code: |
[ebuild R ] net-ftp/proftpd-1.3.5e::gentoo USE="acl caps case dso ipv6 mysql ncurses nls pam pcre sftp ssl tcpd -authfile -ban -clamav -copy -ctrls -deflate -diskuse -doc -dynmasq -exec -ident -ifsession -ifversion -kerberos -ldap (-libressl) -log_forensic -memcache -msg -postgres -qos -radius -ratio -readme -rewrite (-selinux) -shaper -sitemisc -snmp -softquota -sqlite {-test} -trace -unique_id -vroot -xinetd" LINGUAS="-bg_BG -en_US -fr_FR -it_IT -ja_JP -ko_KR -ru_RU -zh_CN -zh_TW" 0 KiB
|
iptables:
Code: |
-A INPUT -p tcp -m multiport --dports 57000:58000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
|
The same thing happens even if I remove all iptables rules.
[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu] |
Quincy Apprentice
Joined: 02 Jun 2005 Posts: 201 Location: Germany
Posted: Wed Jul 12, 2017 9:19 pm
Sounds to me as if there is a problem with a firewall, but you said it's the same with all iptables rules removed?
What are the default policies, are there other rules in effect (give us an "iptables -L")?
What is the network relationship between client and server (e.g. both in LAN or server on internet, client behind router etc.)?
Hu Administrator
Joined: 06 Mar 2007 Posts: 23071
Posted: Thu Jul 13, 2017 12:48 am
If you need to show iptables rules for public review, always use iptables-save, never iptables -L.
najkon n00b
Joined: 14 Aug 2016 Posts: 13
Posted: Thu Jul 13, 2017 9:29 am
Quincy wrote:
Sounds to me as if there is a problem with a firewall, but you said it's the same with all iptables rules removed?
What are the default policies, are there other rules in effect (give us an "iptables -L")?
What is the network relationship between client and server (e.g. both in LAN or server on internet, client behind router etc.)?

Default policies are ACCEPT for all chains when I remove all iptables rules,
but if I have all the rules loaded, the default policies are DENY for INPUT and FORWARD, and ACCEPT for OUTPUT.
The relationship between client and server: the server is on the internet.
Here is a log from trying to connect to the FTP server:
Code: |
----------
Connect to: (13.07.2017 11:21:51)
hostname=domain.com
username=najkon
startdir=
domain.com=xx.xx.xx.xxx
220 ProFTPD 1.3.5e Server (ProFTPD Server) [::ffff:xx.xx.xx.xxx]
USER najkon
331 Password required for najkon
PASS ***********
230 User najkon logged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
MDTM
SIZE
LANG pl-PL.utf8*
REST STREAM
UTF8
EPRT
EPSV
211 End
HELP SITE
214-HELP
214-CHGRP
214 CHMOD
OPTS UTF8 ON
200 UTF8 set to on
Connect ok!
PWD
257 "/home/najkon" is the current directory
Download catalog
TYPE A
200 Type set to A
PORT 192,168,1,100,225,72
200 PORT command successful
MLSD - PORT failed,
try PASV mode!
PASV - PORT failed
QUIT
|
Quincy Apprentice
Joined: 02 Jun 2005 Posts: 201 Location: Germany
Posted: Sun Jul 16, 2017 9:48 am
Currently I'm curious that your session log reports:
Code:
PORT 192,168,1,100,225,72
200 PORT command successful
This is a LAN IP (192.168.1.100) and not a public IP for an internet connection.
Which client software are you using?
Can you connect and change dirs/download something on e.g. ftp://ftp5.gwdg.de/pub/ (a public German FTP)?
@Hu: Why "iptables-save" instead of "iptables -L"?
szatox Advocate
Joined: 27 Aug 2013 Posts: 3494
Posted: Sun Jul 16, 2017 1:09 pm
iptables-save provides some information that is omitted by iptables -L.
iptables -L is still useful in some other scenarios though, like iptables -nvL.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23071
Posted: Sun Jul 16, 2017 3:39 pm
szatox is correct that iptables-save shows information not shown by iptables -L, which is one reason it is preferable. However, I disagree that iptables -L is ever more useful for forum posts. If hit counters are needed, use iptables-save -c. When posting to the forum, we have no ability to inspect your rules other than what is shown. For us to model how a packet will traverse the rules, we need to know all the relevant rules. Showing all rules, as done by iptables-save, serves that purpose most readily. Other advantages:
- iptables-save defaults to showing all tables. iptables shows only one table, and by default shows table filter.
- iptables-save defaults to numeric-only resolution; iptables without -n tries to pretty-print some data, which can make it harder for us to understand, particularly when hostnames are substituted.
- As a machine-readable format, iptables-save must print everything necessary for a later iptables-restore to reconstruct the rules. By default, iptables omits some information to conserve screen space. Sometimes this information is relevant to the problem at hand.
najkon n00b
Joined: 14 Aug 2016 Posts: 13
Posted: Sun Jul 16, 2017 5:33 pm
Quincy wrote:
Currently I'm curious that your session log reports:
Code:
PORT 192,168,1,100,225,72
200 PORT command successful
This is a LAN IP (192.168.1.100) and not a public IP for an internet connection.
Which client software are you using?
Can you connect and change dirs/download something on e.g. ftp://ftp5.gwdg.de/pub/ (a public German FTP)?

Yep, 192.168.1.100 is the LAN IP of the computer I'm trying to connect to the FTP server from.
I don't know why it shows up there..
I used the Total Commander 64-bit client, but the same problem occurs if I use the console ftp client on Linux:
Code: |
ftp> open domain.com
Connected to domain.com.
220 ProFTPD 1.3.5e Server (ProFTPD Server) [::ffff:xx.xxx.xxx.xx]
Name (domain.com:najkon):
331 Password required for najkon
Password:
230 User najkon logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Exceeded time waiting on connection
ftp> dir
450 LIST: Exceeded time waiting on connection
|
Connecting to that public FTP in Germany and downloading/changing directories there works with no problem, every time:
Code: |
----------
Connect to: (16.07.2017 19:25:53)
hostname=ftp5.gwdg.de
username=anonymous
startdir=
ftp5.gwdg.de=134.76.12.6
220-Welcome to ftp.gwdg.de
220-
220-Dear user of ftp.gwdg.de, we will have a scheduled downtime for FTP
220-at July, 22nd from 7am approx. till 4pm
220-
220
USER anonymous
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
EPRT
EPSV
MDTM
PASV
REST STREAM
SIZE
TVFS
UTF8
211 End
HELP SITE
214-The following commands are recognized.
ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD
MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR
RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
XPWD XRMD
214 Help OK.
OPTS UTF8 ON
200 Always in UTF8 mode.
Connect ok!
CWD /pub/
250 Directory successfully changed.
PWD
257 "/pub"
Download directory
TYPE A
200 Switching to ASCII mode.
PORT 192,168,1,100,229,210
500 Illegal PORT command.
PASV
227 Entering Passive Mode (134,76,12,6,120,161).
LIST
150 Here comes the directory listing.
Downloading
Waiting on server...
226 Directory send OK.
|
Quincy Apprentice
Joined: 02 Jun 2005 Posts: 201 Location: Germany
Posted: Mon Jul 17, 2017 6:00 am
Thanks for the iptables clarification!
Back on the real topic:
The connection to gwdg.de only succeeds because it denies the PORT command and the client then continues with PASV:
Code:
PORT 192,168,1,100,229,210
500 Illegal PORT command.
PASV
227 Entering Passive Mode (134,76,12,6,120,161).
This is exactly what I wanted to see. So the problem is that the client issues a PORT command with a private IP which the server doesn't deny (for a deeper explanation see e.g. http://www.raidenftpd.com/kb/kb000000010.html - the first good hit when searching).
So either you force your client not to use the wrong PORT command (see https://www.ghisler.com/efaqftp.htm#NoDownload) or you tell the server not to accept the PORT command at all:
Code: |
# Refuse active-mode data connections (PORT and EPRT); clients then have to use PASV/EPSV.
<Limit EPRT PORT>
DenyAll
</Limit>
|
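The exchange Quincy describes, worked through in code as an added example (this is not code from the thread, from ProFTPD or from vsftpd): a small parser for the PORT/EPRT requests and PASV/EPSV replies quoted above, plus the decision a server should make before honouring PORT, which is the whole point of the thread. The data target must be the control-connection peer itself (the check ProFTPD's AllowForeignAddress directive, off by default, is documented to perform, and the one vsftpd applied with "500 Illegal PORT command"), must not be an address the server cannot reach, and must not be a privileged port. The session lines are taken from the posts; the control-peer address 203.0.113.7 (and its IPv4-mapped IPv6 form, matching the `[::ffff:...]` banner above) is a constructed placeholder, and the function names are this example's own.

```python
"""Decode FTP PORT/EPRT requests and PASV/EPSV replies, and apply the check a
server should make before honouring PORT.  Session lines are from the thread;
the control-peer address 203.0.113.7 is a constructed placeholder."""
import ipaddress
import re

# RFC 959 "PORT h1,h2,h3,h4,p1,p2": host h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
# RFC 2428 "EPRT |1|192.168.1.100|57672|" (1 = IPv4, 2 = IPv6)
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.I)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227\b.*\((\d{1,3}(?:,\d{1,3}){5})\)")
# "229 Entering Extended Passive Mode (|||port|)": host is the control peer
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")
# Never reachable from a server on the public internet (RFC 1918, loopback,
# link-local): a NATed client that puts one of these in PORT can only time out.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _decode_hostport(arg):
    """Six-number RFC 959 encoding -> (host, port)."""
    nums = [int(x) for x in arg.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed host-port %r" % arg)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def _normalize(host):
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d, as in the ProFTPD banner above)
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr

def _unroutable(addr):
    return any(addr in net for net in UNROUTABLE)

def parse_active_request(line):
    """Endpoint the client asks the server to connect to (PORT or EPRT)."""
    m = PORT_RE.match(line)
    if m:
        return _decode_hostport(m.group(1))
    m = EPRT_RE.match(line)
    if m:
        return m.group(2), int(m.group(3))
    raise ValueError("not a PORT/EPRT command: %r" % line)

def parse_passive_reply(line, control_peer):
    """Endpoint the server tells the client to connect to (PASV or EPSV)."""
    m = PASV_RE.match(line)
    if m:
        return _decode_hostport(m.group(1))
    m = EPSV_RE.match(line)
    if m:
        return control_peer, int(m.group(1))
    raise ValueError("not a PASV/EPSV reply: %r" % line)

def judge_active_request(line, control_peer):
    """Should the server honour this PORT/EPRT?  Returns (accept, reason).
    Policy: the data target must be the control-connection peer itself, must be
    reachable, and must not be a privileged port (classic FTP-bounce mitigation).
    This is what vsftpd did in the thread ('500 Illegal PORT command')."""
    host, port = parse_active_request(line)
    try:
        target, peer = _normalize(host), _normalize(control_peer)
    except ValueError as exc:
        return False, "unparseable address: %s" % exc
    if _unroutable(target) and not _unroutable(peer):
        return False, "%s is a private address; client is behind NAT, use PASV" % target
    if target != peer:
        return False, "address mismatch: PORT names %s, control peer is %s" % (target, peer)
    if port < 1024:
        return False, "refusing privileged port %d (bounce attack)" % port
    return True, "ok: server connects to %s:%d" % (target, port)

def walk_session(lines, control_peer):
    """Replay transcript lines and report each data-channel decision."""
    events = []
    for line in lines:
        if PORT_RE.match(line) or EPRT_RE.match(line):
            ok, why = judge_active_request(line, control_peer)
            events.append(("active", ok, why))
        elif PASV_RE.match(line) or EPSV_RE.match(line):
            host, port = parse_passive_reply(line, control_peer)
            events.append(("passive", True, "client connects to %s:%d" % (host, port)))
    return events

# From the thread: ProFTPD accepted PORT with a LAN address (then timed out);
# gwdg.de refused it and the client fell back to PASV, which worked.
PROFTPD_SESSION = ["TYPE A", "PORT 192,168,1,100,225,72", "MLSD"]
GWDG_SESSION = ["PORT 192,168,1,100,229,210", "PASV",
                "227 Entering Passive Mode (134,76,12,6,120,161).", "LIST"]

if __name__ == "__main__":
    for name, lines in (("proftpd", PROFTPD_SESSION), ("gwdg", GWDG_SESSION)):
        for kind, ok, why in walk_session(lines, "::ffff:203.0.113.7"):
            print("%-7s %-7s %s %s" % (name, kind, "accept" if ok else "REJECT", why))
```

Run stand-alone it replays both transcripts: the PORT from 192,168,1,100 decodes to 192.168.1.100:57672 and is rejected as a private address behind NAT, while the gwdg.de PASV reply decodes to 134.76.12.6:30881, which the client can reach. The private-address test is skipped when the control peer is itself on a private network, so a LAN-only server still accepts active mode from LAN clients; the address-match and privileged-port tests always apply.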
najkon n00b
Joined: 14 Aug 2016 Posts: 13
Posted: Mon Jul 17, 2017 9:39 am
And that was my problem! I chose to set up the server not to accept the PORT command at all, because you never know (as the RaidenFTPD team writes in every line) what the future will bring.
I admit that I did not know about these "problems" of the PORT command.
Thanks very much @Quincy, beer for you!