
14th June 2012, 12:28
Senior Member
Active mode Pure-ftpd doesn't work
Hello!
I have ISPConfig 3 final, Ubuntu 12.04 LTS.
Today I restarted the server (after kernel updates) and now pure-ftpd
doesn't want to work in active mode.
Passive mode works OK.
pure-ftpd start:
Code:
Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -H -u 1000 -d -b -Y 1 -A -8 UTF-8 -p 40110:40210 -L 5000:500 -D -O clf:/var/log/pure-ftpd/transfer.log -E -B
Verbose mode:
Code:
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] New connection from 12.12.12.12
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [DEBUG] Command [user] [inf2ftp2]
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [DEBUG] Command [pass] [<*>]
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] inf2ftp2 is now logged in
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [opts] [UTF8 ON]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [pwd] []
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [type] [I]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [port] [12,12,12,12,19,138]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [mlsd] []
12.12.12.12 is the client's internal IP.
Thank you.
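An added example, not part of the original posts: the `port` line in the verbose log above is where the client tells the server which address and port to connect back to for the active-mode data channel. This script decodes that argument as defined in RFC 959 and flags a mismatch with the control-connection peer; the second sample line and all function names are constructed for illustration.

```python
import ipaddress
import re

# Matches the pure-ftpd verbose log format shown in the post above:
#   ... pure-ftpd: (user@peer) [DEBUG] Command [port] [h1,h2,h3,h4,p1,p2]
PORT_LINE = re.compile(
    r"\((?P<user>[^@()]*)@(?P<peer>[^()]+)\) \[DEBUG\] Command \[port\] "
    r"\[(?P<arg>[\d,]+)\]"
)

def decode_port_arg(arg):
    """Decode an RFC 959 PORT argument into (ip, tcp_port)."""
    fields = [int(f) for f in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return ip, fields[4] * 256 + fields[5]

def audit_port_commands(log_lines):
    """Return one finding per PORT command found in the log lines."""
    findings = []
    for line in log_lines:
        m = PORT_LINE.search(line)
        if not m:
            continue
        ip, port = decode_port_arg(m["arg"])
        peer = ipaddress.ip_address(m["peer"])
        notes = []
        if ip != peer:
            # Typical of NAT without an FTP helper, or of a bounce attempt.
            notes.append("PORT address differs from control-connection peer")
        if ip.is_private:
            notes.append("PORT address is private or otherwise non-routable")
        findings.append({"user": m["user"], "peer": str(peer),
                         "data_ip": str(ip), "data_port": port, "notes": notes})
    return findings

SAMPLE = [
    # Line taken from the post above.
    "Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [port] [12,12,12,12,19,138]",
    # Constructed line: a client behind NAT advertising its internal address.
    "Jun 14 13:25:01 in pure-ftpd: (demo@203.0.113.7) [DEBUG] Command [port] [192,168,0,15,19,140]",
]

if __name__ == "__main__":
    for finding in audit_port_commands(SAMPLE):
        print(finding)
```

For the logged command the server has to open a connection to 12.12.12.12 on TCP port 5002, so every filter between server and client must let that server-initiated connection through.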

15th June 2012, 12:45
Super Moderator
Looks like a firewall issue. What's the output of ?

15th June 2012, 17:01
Senior Member
Hello Falko!
Thank you for your reply.
Output:
Code:
root@in:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-courierauth tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-couriersmtp tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-multiport tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache tcp -- anywhere anywhere multiport dports http,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- base-address.mcast.net/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (14 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (5 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
PAROLE tcp -- anywhere anywhere tcp dpts:40110:40210
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mysql
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-multiport (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-courierauth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-couriersmtp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-postfix (1 references)
target prot opt source destination
DROP all -- 84-55-108-33.customers.ownit.se anywhere
DROP all -- 85-130-25-203.2073795190.shumen.cablebg.net anywhere
DROP all -- c935b135.virtua.com.br anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-pureftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

16th June 2012, 15:29
Super Moderator
Have you tried to disable the firewall for testing purposes?

18th June 2012, 12:26
Senior Member
Yes, I tried turning off the ISPConfig firewall.
But the result is the same.
Iptables after turning the firewall off:
Code:
root@in:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-apache (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-multiport (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-noscript (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-overflows (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-courierauth (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-couriersmtp (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-dovecot-pop3imap (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-postfix (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-pureftpd (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-sasl (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh-ddos (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

20th June 2012, 00:00
Super Moderator
Are there any firewalls between you and the server (routers, etc.)?

20th June 2012, 16:22
Senior Member
Thank you, Falko, for not forgetting about me.
Yes, we have a MikroTik router.
But everything worked with this router configuration until the server was rebooted.
The firewall config is:
Code:
0 ;;; Ping Allow/Drop
chain=input action=drop protocol=icmp
1 ;;; default configuration
chain=input action=accept connection-state=established
2 ;;; default configuration
chain=input action=accept connection-state=related
4 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid
5 ;;; Allow Established connections
chain=input action=accept connection-state=established
6 ;;; Allow UDP
chain=input action=accept protocol=udp
7 ;;; Allow access to router from known network
chain=input action=accept src-address=192.168.0.0/24
8 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69
9 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111
10 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135
11 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139
12 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445
13 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049
14 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346
15 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034
16 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133
17 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68
18 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69
19 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111
20 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135
21 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139
22 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049
23 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133
24 chain=forward action=drop src-address=0.0.0.0/8
25 chain=forward action=drop dst-address=0.0.0.0/8
26 chain=forward action=drop src-address=127.0.0.0/8
27 chain=forward action=drop dst-address=127.0.0.0/8
28 chain=forward action=drop src-address=224.0.0.0/3
29 chain=forward action=drop dst-address=224.0.0.0/3

21st June 2012, 19:15
Super Moderator
Is it possible you ran iptables rules on the command line (without putting them in some configuration file)? Those iptables rules are lost on reboot.

21st June 2012, 20:50
Senior Member
Thank you, Falko.
No, there are no iptables rules that were run via the command line.
We restarted the server at another time when active mode worked, and after the restart it was OK.
I think it was some updates, and after the restart active mode went down.
It was dh-apparmor, but I deleted it after that with apt-get remove.
Any ideas?