urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Wed May 23, 2007 9:30 pm Post subject: [SOLVED] proftpd: can't get file listing from the server
Hi and thanks for reading this.
Since a month ago or so my proftpd server is malfunctioning: I can't get the directory listing. This is what I've emerged: Code: | [ebuild R ] net-ftp/proftpd-1.3.1_rc2-r1 USE="acl authfile ipv6 ldap mysql ncurses nls pam postgres ssl tcpd -clamav -hardened -ifsession -noauthunix -opensslcrypt -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd" 0 kB |
If I connect to "localhost" from within my own server everything's OK: Code: | myname@myserver ~ $ ftp localhost
Connected to localhost (127.0.0.1).
220 ProFTPD 1.3.1rc2 Server (ProFTPD Default Installation) [::ffff:127.0.0.1]
Name (localhost:myname):
500 AUTH not understood
SSL not available
331 Password required for myname
Password:
230 User myname logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 myname users 80 May 2 2006 autosave
drwxr-xr-x 11 myname users 888 May 8 10:48 Config
drwx------ 11 myname users 1120 May 23 08:35 Desktop
[.......]
226 Transfer complete
ftp> quit
221 Goodbye. |
If, however, I connect using my box's DNS name, I get an error whenever I want to retrieve the directory listing. It even happens from within the server itself: Code: | myname@myserver ~ $ ftp myserver.mydomain.xx
[.....]
ftp> dir
200 PORT command successful
425 Unable to build data connection: Refused connection
ftp> quit
221 Goodbye. |
Since everything was working OK in the past, and I've changed nothing, I wonder why this is happening. This is the relevant content of my /etc/hosts file: Code: | 127.0.0.1 localhost
XXX.XXX.XXX.XXX myserver.mydomain.xx myserver
# IPV6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts |
and this is my /etc/proftpd/proftpd.conf: Code: | # This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anonymous access.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
RequireValidShell off
AuthPAM off
AuthPAMConfig ftp
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User ftp
Group ftp
#User proftpd
#Group proftpd
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# A basic anonymous configuration, with no upload directories.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp".
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins.
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
# DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot.
<Limit WRITE>
DenyAll
</Limit>
</Anonymous> |
Any clue is much appreciated. Currently I don't have remote ftp access to my server :(
Last edited by urcindalo on Fri May 25, 2007 9:42 pm; edited 1 time in total

mudrii (l33t)
Joined: 26 Jun 2003 Posts: 789 Location: Singapore
Posted: Thu May 24, 2007 4:46 am Post subject:
check the firewall for a closed port 20
what type of connection is configured, passive or active FTP.
if you are using passive FTP, check whether the port range is open,
check the authentication type too: is it local users, from a DB, or virtual users.
Code: | AUTH not understood |
I haven't used proftpd for a long time; you could try vsftpd if you are not using virtual FTP domains, it's small and fast. _________________ www.gentoo.ro
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Thu May 24, 2007 12:16 pm Post subject:
Thanks for your answer. I unmerged proftpd and installed vsftpd, to no avail.
However, I've found out the problem lies on my iptables config, because if I stop iptables everything's back to normal. Since I haven't changed my iptables rules for a long time, I guess one of the kernel or other package upgrades in the recent past must be the culprit.
This is my current iptables policy (as I said, working in the past and not changed in a long while): Code: | # Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*raw
:PREROUTING ACCEPT [46975:14020864]
:OUTPUT ACCEPT [39597:4677724]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*nat
:PREROUTING ACCEPT [1634:298393]
:POSTROUTING ACCEPT [593:47528]
:OUTPUT ACCEPT [593:47528]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*mangle
:PREROUTING ACCEPT [46975:14020864]
:INPUT ACCEPT [46658:13963678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39597:4677724]
:POSTROUTING ACCEPT [39812:4711878]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
#*filter
#:INPUT ACCEPT [46658:13963678]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [39597:4677724]
#part of this comes from http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
*filter
:INPUT ACCEPT [5:5903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# para VMware red local
-A INPUT -s 192.168.123.128/25 -j ACCEPT
-A OUTPUT -s 192.168.123.128/25 -j ACCEPT
-A INPUT -s 192.168.67.128/25 -j ACCEPT
-A OUTPUT -s 192.168.67.128/25 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# VNC
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1417:1420 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5802 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5800:5802 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5500:5502 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5500:5502 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Mar 22 22:31:27 2006 |
Any clue?
Thanks in advance. |
mudrii (l33t)
Joined: 26 Jun 2003 Posts: 789 Location: Singapore
Posted: Thu May 24, 2007 1:18 pm Post subject:
for proftpd, if it is using passive connections then you will need to enable a lot more ports, exactly a port range for data transfer.
check this info that may help you http://slacksite.com/other/ftp.html
and check RFC 959 for more details on the ftp protocol
regards _________________ www.gentoo.ro
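An added example, not part of the thread, covering the two points raised above: the iptables ruleset urcindalo posted and the passive port range mudrii mentions. It walks the FTP-relevant rules of that INPUT chain for a data connection in the two situations from the first post (client at 127.0.0.1, client at the box's own public address), parses a 227 passive-mode reply, builds a PORT argument, and emits the PassivePorts directive with the matching iptables rule. The addresses 192.0.2.10 and 203.0.113.5, the ports 45000 and 49152:65534, and all function names are constructed for this example; the VMware subnet rules of the posted chain are left out. The `RELATED` case stands for what the kernel's FTP conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp) does when it has seen the PORT or PASV exchange on the control channel.

```shell
#!/bin/sh
# Added example, not from the thread. Models the FTP data-channel behaviour
# behind the 425 "Unable to build data connection" error: in active mode the
# server opens the data connection from its port 20 to the port the client
# named in PORT; in passive mode the client connects to the port the server
# named in its 227 reply. Addresses and ports below are constructed.

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host:port.
pasv_to_hostport() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || { echo "not a 227 reply: $1" >&2; return 1; }
    oldifs=$IFS; IFS=,
    set -- $nums        # positional parameters are local to the function
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "malformed 227 reply" >&2; return 1; }
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Build the PORT argument the client sends for the socket it listens on (host:port).
hostport_to_port_arg() {
    host=${1%:*}; port=${1##*:}
    printf '%s,%d,%d\n' "$(printf '%s' "$host" | tr . ,)" $(( port / 256 )) $(( port % 256 ))
}

# Walk the FTP-relevant part of the INPUT chain posted above for one packet and
# print the target of the first matching rule. Arguments: src proto dport state.
# The VMware subnet rules are left out; everything else falls to the final REJECT.
input_verdict() {
    src=$1; proto=$2; dport=$3; state=$4
    case $src in
        127.0.0.1) echo ACCEPT; return ;;            # -A INPUT -s 127.0.0.1 -j ACCEPT
    esac
    case $state in
        RELATED|ESTABLISHED) echo ACCEPT; return ;;  # --state RELATED,ESTABLISHED (data connections are RELATED only via the ftp helper)
    esac
    if [ "$proto" = tcp ] && [ "$state" = NEW ]; then
        case $dport in
            22|20|21) echo ACCEPT; return ;;          # ssh, ftp-data, ftp control
        esac
    fi
    echo REJECT                                      # -j REJECT --reject-with icmp-port-unreachable
}

# What a passive-mode setup needs when no helper does the work: pin the server's
# data ports in proftpd.conf and open exactly that range.
passive_rules() {
    first=$1; last=$2
    { [ "$first" -ge 1024 ] && [ "$first" -le "$last" ] && [ "$last" -le 65535 ]; } \
        || { echo "bad range $first-$last" >&2; return 1; }
    printf 'PassivePorts %d %d\n' "$first" "$last"
    printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $first:$last -j ACCEPT"
}

# Live check on the server: is the FTP conntrack helper loaded? Without it the
# server's active-mode data connection shows up on INPUT as NEW, not RELATED.
ftp_helper_loaded() {
    lsmod 2>/dev/null | grep -Eq '^(nf|ip)_conntrack_ftp'
}

demo() {
    echo "active, client 127.0.0.1            -> $(input_verdict 127.0.0.1 tcp 45000 NEW)"
    echo "active, client 203.0.113.5, NEW     -> $(input_verdict 203.0.113.5 tcp 45000 NEW)"
    echo "active, client 203.0.113.5, RELATED -> $(input_verdict 203.0.113.5 tcp 45000 RELATED)"
    echo "PASV reply parses to $(pasv_to_hostport '227 Entering Passive Mode (192,0,2,10,195,80).')"
    echo "PORT argument for 192.0.2.10:50000 is $(hostport_to_port_arg 192.0.2.10:50000)"
    passive_rules 49152 65534
    if ftp_helper_loaded; then echo "ftp conntrack helper: loaded"; else echo "ftp conntrack helper: not loaded"; fi
}

# Run the walkthrough with: FTP_DEMO=1 sh ftp-datachan.sh
if [ "${FTP_DEMO:-0}" = 1 ]; then demo; fi
```

In active mode the server connects from port 20 to the client. When the client is the same host reached through its public address, that SYN is delivered through INPUT with a non-loopback source, so it matches neither the 127.0.0.1 rule nor `--dport 20`/`--dport 21` (the destination is the client's ephemeral port) and reaches the final REJECT; the ICMP port-unreachable is what proftpd reports as "Refused connection" in its 425 reply. It only passes when conntrack has seen the PORT command and marks the data connection RELATED, which requires the FTP helper module to be loaded (`ftp_helper_loaded` above). The helper cannot read PORT/PASV inside a TLS-protected control channel, so an FTPS setup needs the explicit PassivePorts range and rule that `passive_rules` prints either way.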
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Fri May 25, 2007 8:54 am Post subject:
mudrii wrote: | for proftpd, if it is using passive connections then you will need to enable a lot more ports, exactly a port range for data transfer.
check this info that may help you http://slacksite.com/other/ftp.html
and check RFC 959 for more details on the ftp protocol
regards |
Thanks again. I've updated my iptables rules accordingly, but the problem persists. Since this is no longer a proftpd problem but an iptables one, I will keep trying to solve this issue in this thread, since the problem described there is exactly like mine.
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Fri May 25, 2007 9:42 pm Post subject:
Well, I think I solved the problem. Details in this thread. |
mudrii (l33t)
Joined: 26 Jun 2003 Posts: 789 Location: Singapore
Posted: Sat May 26, 2007 6:54 am Post subject:
so the problem was of a different nature ;) _________________ www.gentoo.ro