[Proftpd-user] problem setting up virtual server with proftpd
c***@ccs.covici.com
2016-02-29 20:41:25 UTC
Hi. I have a situation where I want to have an ftp server where each
user has his own password but they all wind up in the same directory and
can upload and download to that directory.

So, what I did was use proftpd and add a virtual host, and since I only
have one ip address, I added a port command and a defaultroot command
like this:
<virtualhost ftp.covici.com>
port 2121
umask 007
defaultroot /home/krn_to_transcribe ftpgroup
</virtualhost>
So, I logged in with a user and it logged in successfully, but when I
tried to even list the directory, it would time out. Firewall rules
look OK, so I wonder what is happening here?

Here is my complete config:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anonymous access.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
port 21
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User proftpd
Group proftpd

<global>
RequireValidShell off
AuthPAM off
#AuthPAMConfig ftp
# Port 21 is the standard FTP port.
PassivePorts 49152 49552
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022


# Normally, we want files to be overwriteable.
#<Directory />
AllowOverwrite on
#</Directory>
DefaultRoot ~ !covici
</global>
# A basic anonymous configuration, with no upload directories.
#<Anonymous ~ftp>
# User ftp
# Group ftp

# We want clients to be able to login with "anonymous" as well as "ftp".
# UserAlias anonymous ftp

# Limit the maximum number of anonymous logins.
# MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot.
# <Limit WRITE>
# DenyAll
# </Limit>
#</Anonymous>
<virtualhost ftp.covici.com>
port 2121
umask 007
defaultroot /home/krn_to_transcribe ftpgroup
</virtualhost>

Thanks in advance for any suggestions.
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
***@ccs.covici.com

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
ProFTPD Users List <proftpd-***@proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html
TJ Saunders
2016-03-01 18:19:40 UTC
Post by c***@ccs.covici.com
So, what I did was use proftpd and add a virtual host, and since I only
have one ip address, I added a port command and a defaultroot command
like this:
<virtualhost ftp.covici.com>
port 2121
umask 007
defaultroot /home/krn_to_transcribe ftpgroup
</virtualhost>
so, I logged in with a user and it logged in successfully, but when I
tried to even list the directory, it would time out. Firewall rules
look OK, so I wonder what is happening here?
Could you show us your exact firewall rules, so that we can see if
there's something amiss?
Also, for failed data transfers (which include directory listings!),
see:

http://slacksite.com/other/ftp.html
http://www.proftpd.org/docs/howto/NAT.html

Cheers,
TJ

c***@ccs.covici.com
2016-03-01 23:06:39 UTC
My server is on a public ip and port 2121 connects me (using tcp) and
port 2020 says connection refused, so I am pretty sure those are
correct.

Thanks.
Post by TJ Saunders
Post by c***@ccs.covici.com
So, what I did was use proftpd and add a virtual host, and since I only
have one ip address, I added a port command and a defaultroot command
like this:
<virtualhost ftp.covici.com>
port 2121
umask 007
defaultroot /home/krn_to_transcribe ftpgroup
</virtualhost>
so, I logged in with a user and it logged in successfully, but when I
tried to even list the directory, it would time out. Firewall rules
look OK, so I wonder what is happening here?
Could you show us your exact firewall rules, so that we can see if
there's something amiss?
Also, for failed data transfers (which include directory listings!),
http://slacksite.com/other/ftp.html
http://www.proftpd.org/docs/howto/NAT.html
Cheers,
TJ
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
***@ccs.covici.com

Matus UHLAR - fantomas
2016-03-17 21:19:40 UTC
Post by c***@ccs.covici.com
My server is on a public ip and port 2121 connects me (using tcp) and
port 2020 says connection refused, so I am pretty sure those are
correct.
Note that most firewalls do not understand that 2121 runs the FTP protocol, so
ftp protocol helpers might not help.

Can you try opening some ports on the fw, define the range in PassivePorts and see
if a passive connection to it works?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?

c***@ccs.covici.com
2016-03-17 22:06:24 UTC
Post by Matus UHLAR - fantomas
Post by c***@ccs.covici.com
My server is on a public ip and port 2121 connects me (using tcp) and
port 2020 says connection refused, so I am pretty sure those are
correct.
Note that most firewalls do not understand that 2121 runs the FTP protocol, so
ftp protocol helpers might not help.
Can you try opening some ports on the fw, define the range in PassivePorts and see
if a passive connection to it works?
Hmmm, I can try that. What I have now in my firewall rules is:
ACCEPT net $FW udp 2120:2121
ACCEPT net $FW tcp 2120:2121

These are shorewall rules and they are exactly what I have for the
regular ftp ports 20 and 21.
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
***@ccs.covici.com

Matus UHLAR - fantomas
2016-03-17 22:22:42 UTC
c***@ccs.covici.com
2016-03-17 22:53:35 UTC
Post by Matus UHLAR - fantomas
Post by c***@ccs.covici.com
Post by Matus UHLAR - fantomas
Post by c***@ccs.covici.com
My server is on a public ip and port 2121 connects me (using tcp) and
port 2020 says connection refused, so I am pretty sure those are
correct.
Note that most firewalls do not understand that 2121 runs the FTP protocol, so
ftp protocol helpers might not help.
Can you try opening some ports on the fw, define the range in PassivePorts and see
if a passive connection to it works?
ACCEPT net $FW udp 2120:2121
ACCEPT net $FW tcp 2120:2121
These are shorewall rules and they are exactly what I have for the
regular ftp ports 20 and 21.
On linux, the option "ports" for the kernel module nf_conntrack_ftp would help too.
Note that usually the firewall understands and accepts connections RELATED
to the ftp control connection, i.e. the ftp data connections.
It understands which connections are RELATED by watching port 21 traffic.
So, on port 21 the ftp data connections are usually allowed by standard
firewall rules. If you tell the kernel that port 2121 is also FTP, it could help
you in allowing data connections.
Note this does not apply to ftps connections, since the kernel is unable to
decrypt the SSL traffic. While clients can use the CCC command before transfer
requests, some clients don't support that.
In all those cases, defining some tcp ports in PassivePorts and opening
those ports on the firewall will allow incoming data traffic to the ftp server.
Note that those ports should not be in the ephemeral port range: 49152 to 65535
as defined by IANA and used by e.g. FreeBSD, and on linux the ports seen in
/proc/sys/net/ipv4/ip_local_port_range, usually 32768 to 61000.
So, how do I tell the kernel that port 2121 is ftp? Also, your default
passive data ports are 49152 49552 which seem to be in the range you say
not to have them?
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
***@ccs.covici.com
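The passive-port advice in the reply above, turned into a small check. This is an added example, not code posted in the thread: it tests a ProFTPD PassivePorts range against the kernel's ephemeral range (read from the /proc path named above, with 32768 61000 and the IANA 49152 65535 range as fallbacks) and prints the Shorewall rule for the data ports in the same form as the control-port rule already posted. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a ProFTPD PassivePorts
# range against an ephemeral port range (the rule stated in the reply above)
# and prints the matching Shorewall rule in the form the thread uses.

# passive_range_check LOW HIGH EPH_LOW EPH_HIGH
# Prints "ok" when the passive range lies entirely outside the ephemeral
# range, "overlap" when any port is shared, "invalid" for a bad range.
passive_range_check() {
    low=$1; high=$2; eph_low=$3; eph_high=$4
    if [ "$low" -gt "$high" ] || [ "$low" -lt 1 ] || [ "$high" -gt 65535 ]; then
        echo "invalid"; return 0
    fi
    if [ "$high" -lt "$eph_low" ] || [ "$low" -gt "$eph_high" ]; then
        echo "ok"
    else
        echo "overlap"
    fi
}

# ephemeral_range [iana]: the IANA range on request; otherwise the live Linux
# range from the /proc path named in the thread, or the usual 32768 61000
# when that file is not readable.
ephemeral_range() {
    if [ "$1" = "iana" ]; then
        echo "49152 65535"
    elif [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 61000"
    fi
}

# shorewall_passive_rule LOW HIGH: the ACCEPT line for the data ports, in the
# same form as the "ACCEPT net $FW tcp 2120:2121" control-port rule above.
# The helper side of the advice is a modprobe option, e.g. a line
# "options nf_conntrack_ftp ports=21,2121" in /etc/modprobe.d/ (not run here).
shorewall_passive_rule() {
    echo "ACCEPT net \$FW tcp $1:$2"
}

# Usage: the range from the posted config, 49152 49552, against both ranges,
# then a range below 32768 that stays clear of both.
for src in linux iana; do
    set -- $(ephemeral_range "$src")
    echo "49152-49552 vs $src $1-$2: $(passive_range_check 49152 49552 "$1" "$2")"
done
echo "30000-30100 vs linux 32768-61000: $(passive_range_check 30000 30100 32768 61000)"
shorewall_passive_rule 30000 30100
```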

Matus UHLAR - fantomas
2016-03-19 15:49:56 UTC
Post by c***@ccs.covici.com
Post by Matus UHLAR - fantomas
Post by c***@ccs.covici.com
Post by Matus UHLAR - fantomas
Post by c***@ccs.covici.com
My server is on a public ip and port 2121 connects me (using tcp) and
port 2020 says connection refused, so I am pretty sure those are
correct.
Note that most firewalls do not understand that 2121 runs the FTP protocol, so
ftp protocol helpers might not help.
Can you try opening some ports on the fw, define the range in PassivePorts and see
if a passive connection to it works?
ACCEPT net $FW udp 2120:2121
ACCEPT net $FW tcp 2120:2121
These are shorewall rules and they are exactly what I have for the
regular ftp ports 20 and 21.
On linux, the option "ports" for the kernel module nf_conntrack_ftp would help too.
Note that usually the firewall understands and accepts connections RELATED
to the ftp control connection, i.e. the ftp data connections.
It understands which connections are RELATED by watching port 21 traffic.
So, on port 21 the ftp data connections are usually allowed by standard
firewall rules. If you tell the kernel that port 2121 is also FTP, it could help
you in allowing data connections.
Note this does not apply to ftps connections, since the kernel is unable to
decrypt the SSL traffic. While clients can use the CCC command before transfer
requests, some clients don't support that.
In all those cases, defining some tcp ports in PassivePorts and opening
those ports on the firewall will allow incoming data traffic to the ftp server.
Note that those ports should not be in the ephemeral port range: 49152 to 65535
as defined by IANA and used by e.g. FreeBSD, and on linux the ports seen in
/proc/sys/net/ipv4/ip_local_port_range, usually 32768 to 61000.
So, how do I tell the kernel that port 2121 is ftp?
Post by Matus UHLAR - fantomas
On linux, the option "ports" for the kernel module nf_conntrack_ftp would help too.
Also, your default
passive data ports are 49152 49552 which seem to be in the range you say
not to have them?
No, they are not; they are YOUR passive data ports, according to the config you
pasted before.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
