  #1  
Old 17th July 2012, 06:50
Nap
vsftpd and ISPConfig | Users can't log in

Hi,
I've installed ISPConfig on my system, then decided to install vsftpd afterwards. From a configuration point of view, everything installed correctly, and seems to be running ok.
I am just not able to log in with any users and don't understand why.
What have I done wrong, or not done?

Below are the configurations I've set up for the various modules:
1) ISPConfig information
2) Login details supplied to FTP client
3) dbispconfig information
4) vsftpd.conf

1) FTP User added by Client in ISPConfig:
Website: only one website for this client
Username: ftp2_username
password: mypassword
active: is ticked
options: left as per default. points to client2/web2 folder
SAVED

2) Login details supplied to FTP Client:
(Using FireFTP in Firefox)
Code:
Account Name:  Client Domain
Host: clientdomain.com
Login: ftp2_username          (have also tried  ftp2_username@clientdomain.com but no luck)
Password:  mypassword
Anonymous:  left unticked
Connection Type:  Passive Mode ticked
Security: None
Port:  21
Private Key: not able to set (as security is none)
Initial Directories Local:  left blank
Initial Directories remote:  left blank
No Advanced options set.

3) dbispconfig information:
I looked into the ftp_user table and can see an entry for the above mentioned account.
Fields are as follows:
Code:
ftp_user_id: 2
sys_userid: 3
sys_groupid: 3
sys_perm_user: ruid
sys_perm_group: ruid
server_id: 1
parent_domain_id: 2
username: ftp2_username
password:  (MD5 hash)
quota_size: -1
active: Y (ticked)
uid: web2
gid: client2
dir: /var/ww/clients/client2/web2
quota_files: -1
ul_ratio: -1
ul_bandwidth: -1
dl_bandwidth: -1
all other fields are blank

4) vsftpd.conf:
Code:
# Example config file /etc/vsftpd.conf
#
# Lines added by me in accordance to the HowToForge Guide
# 
# Turn on SSL
ssl_enable=YES
#
# Allow anonymous users to use secure SSL connections
allow_anon_ssl=YES
#
# All non-anonymous logins are forced to use a secure SSL connection in order
# to send and receive data on data connections (if YES, locks out non TLS users)
force_local_data_ssl=NO
#
# All non-anonymous logins are forced to use a secure SSL connection in order
# to send the password (if YES, locks out non TLS users)
force_local_logins_ssl=NO
#
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
#
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
#
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
#
# Disable SSL session reuse (required by WinSCP)
require_ssl_reuse=NO
#
# Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
#
# END OF MY ADDITIONS
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default.  These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem

I had force_local_data_ssl and force_local_logins_ssl both set to YES but changed them to NO while I'm trying to get the basics working.

In my /etc folder, where vsftpd.conf is, there is no vsftpd_user file.
I'm not quite sure how vsftpd checks login details against the data in mysql yet.

Last edited by Nap; 17th July 2012 at 07:16. Reason: added more info @ bottom
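
Added example, not part of the original post: a small Python audit that reads vsftpd.conf text and reports the settings that let passwords or file data travel without TLS, using the option defaults documented in vsftpd.conf(5). `THREAD_CONF` is a constructed excerpt of the settings posted above, and the function names are this example's own.

```python
# Added example: flag vsftpd.conf settings that permit cleartext FTP.
# Defaults are the ones documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "ssl_enable": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO",
}

# Constructed sample: TLS and login settings from the config posted above.
THREAD_CONF = """\
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
anonymous_enable=NO
local_enable=YES
"""


def effective_settings(conf_text):
    """Overlay option=value lines on the defaults (vsftpd allows no spaces around '=')."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key] = value.strip().upper()
    return settings


def audit(conf_text):
    """Return (option, reason) pairs for settings that allow unencrypted use."""
    s = effective_settings(conf_text)
    on = lambda key: s.get(key) in ("YES", "TRUE", "1")
    findings = []
    if on("local_enable"):
        if not on("ssl_enable"):
            findings.append(("ssl_enable", "TLS disabled: every login is cleartext"))
        else:
            if not on("force_local_logins_ssl"):
                findings.append(("force_local_logins_ssl",
                                 "clients may send the password without TLS"))
            if not on("force_local_data_ssl"):
                findings.append(("force_local_data_ssl",
                                 "file transfers may run without TLS"))
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if on("ssl_enable") and on(legacy):
            findings.append((legacy, "obsolete protocol version accepted"))
    if on("anonymous_enable"):
        findings.append(("anonymous_enable", "anonymous logins accepted"))
    return findings


if __name__ == "__main__":
    for option, reason in audit(THREAD_CONF):
        print(f"{option}: {reason}")
```

With both `force_local_*_ssl` options set back to YES the audit returns no findings, at the cost of locking out clients that cannot negotiate TLS.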
  #2  
Old 18th July 2012, 13:45
falko

Do you use ISPConfig 3? ISPConfig 3 supports PureFTPd, but not vsftpd.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #3  
Old 21st July 2012, 05:13
Nap

I've installed PureFTP as per the guide, and it's working like a charm.

Is there a way of getting SFTP or FTP (SSL/TLS) going alongside? Can I install vsftpd, and manage it through puTTY etc.?
__________________
My VPS system:
(Ubuntu 14.04 LTS, Kernel 3.15.4-x86_64, Apache 2.4.7, MySQL 5.5.38, PHP 5.5.9, ISPConfig 3.0.5.4p1, Webmin, PureFTP & Quota, phpMyAdmin, postfix, dovecot, clamav, spamassassin, awstats, fail2ban, Jailkit, bind9, vlogger, webalizer)
  #4  
Old 21st July 2012, 10:39
falko

Quote:
Originally Posted by Nap
Is there a way of getting SFTP or FTP (SSL/TLS) going alongside?

Here's a guide for setting up FTPS with PureFTPd on Ubuntu 10.10: http://www.howtoforge.com/how-to-con...n-ubuntu-10.10
  #5  
Old 24th July 2012, 11:38
Nap

thnx Falko,

I've done the few steps required.

I'm able to connect using ISPConfig created ftp accounts, but only with normal FTP.
I am also able to login using SFTP (SSH) with the linux accounts I created when setting up the server.
What I can't seem to do is connect with ISPConfig created accounts using FTP (TLS/SSL).

I suspect the problem is that I'm using a more recent version (3.5.3) of Filezilla than what's shown in the guide, and the options to choose from are different now. In the Site Manager, I set up the following:
Code:
Host:  myhost.com
Port:  [left blank]
Protocol: FTP - File Transfer Protocol
Encryption: Require explicit FTP over TLS

Logon Type:  Normal
User:  myISPConfigUser
Password: password_myISPConfigUser

Transfer Settings Tab left Transfer Mode = Default

Here is the display from Filezilla's activity pane:
Code:
Status:	Resolving address of mydomain.com
Status:	Connecting to www.xxx.yyy.zzz:21...
Status:	Connection established, waiting for welcome message...
Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:	220-You are user number 1 of 50 allowed.
Response:	220-Local time is now 18:36. Server port: 21.
Response:	220-This is a private system - No anonymous login
Response:	220-IPv6 connections are also welcome on this server.
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	AUTH TLS
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Error:	Connection timed out
Error:	Could not connect to server

Do I need a private key on the clients side? Or is something else missing/wrong?

Cheers,
Nap

Last edited by Nap; 24th July 2012 at 11:46.
  #6  
Old 25th July 2012, 17:16
falko

Can you try with WinSCP?
  #7  
Old 25th July 2012, 17:23
Nap

I created a saved session (hostname, username, but no password stored) using all default values except:
File Protocol: FTP
TLS Explicit encryptions (selected from the dropdown list)

WinSCP, after contacting the server, prompted me for the password but was not able to connect. WinSCP popped up a window: Connection Failed...

Here is the WinSCP log file:
Code:
. 2012-07-26 01:17:34.590 --------------------------------------------------------------------------
. 2012-07-26 01:17:34.590 WinSCP Version 4.3.5 (Build 1463) (OS 6.0.6002 Service Pack 2)
. 2012-07-26 01:17:34.590 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
. 2012-07-26 01:17:34.590 Local account: MyPC\ME
. 2012-07-26 01:17:34.590 Login time: Thursday, 26 July 2012 1:17:34 AM
. 2012-07-26 01:17:34.590 --------------------------------------------------------------------------
. 2012-07-26 01:17:34.591 Session name: ftp_user@mydomain.com (Modified stored session)
. 2012-07-26 01:17:34.591 Host name: mydomain.com (Port: 21)
. 2012-07-26 01:17:34.591 User name: ftp_user (Password: No, Key file: No)
. 2012-07-26 01:17:34.591 Tunnel: No
. 2012-07-26 01:17:34.591 Transfer Protocol: FTP
. 2012-07-26 01:17:34.591 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2012-07-26 01:17:34.591 Proxy: none
. 2012-07-26 01:17:34.591 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: No]
. 2012-07-26 01:17:34.591 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-07-26 01:17:34.591 Cache directory changes: Yes, Permanent: Yes
. 2012-07-26 01:17:34.591 DST mode: 1
. 2012-07-26 01:17:34.591 --------------------------------------------------------------------------
. 2012-07-26 01:17:34.591 Password prompt (no password provided or last login attempt failed)
. 2012-07-26 01:17:45.194 Connecting to mydomain.com ...
. 2012-07-26 01:17:45.245 Connected with mydomain.com, negotiating SSL connection...
< 2012-07-26 01:17:47.270 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 2012-07-26 01:17:47.464 220-You are user number 2 of 50 allowed.
< 2012-07-26 01:17:47.464 220-Local time is now 01:17. Server port: 21.
< 2012-07-26 01:17:47.464 220-This is a private system - No anonymous login
< 2012-07-26 01:17:47.464 220-IPv6 connections are also welcome on this server.
< 2012-07-26 01:17:47.464 220 You will be disconnected after 15 minutes of inactivity.
> 2012-07-26 01:17:47.464 AUTH TLS
< 2012-07-26 01:17:47.941 234 AUTH TLS OK.
. 2012-07-26 01:18:03.991 Timeout detected.
. 2012-07-26 01:18:03.991 Connection failed.
* 2012-07-26 01:18:03.999 (ESshFatal) Connection failed.
* 2012-07-26 01:18:03.999 Timeout detected.
* 2012-07-26 01:18:03.999 Connection failed.
* 2012-07-26 01:18:03.999 AUTH TLS OK.

Fail2ban took over after a few retries. I was surprised though that I was able to login using puTTY on SSH. The IPTABLES indicate that all packets from my IP should be dropped, if I'm reading the firewall rules correctly.

Also, why is the welcome message from the server transmitted to the client before authentication?

Unfortunately, pure-ftpd's log file /var/log/messages (even after adding echo 'yes' > /etc/pure-ftpd/conf/VerboseLog and restarting) doesn't give any good info, except to confirm there was a new connection from my IP.

Am I setting up WinSCP the right way?

Cheers,
Nap

Last edited by Nap; 25th July 2012 at 18:40.
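
Added example, not part of the original post: a Python reader for WinSCP session logs in the format quoted above that reports which stage of an explicit-FTPS session was reached before the timeout and whether any credentials or data-channel commands had been sent by then. `SAMPLE_LOG` is a constructed excerpt of the log in the post, and the stage names and function names are this example's own.

```python
from datetime import datetime

# Constructed sample: protocol lines taken from the WinSCP log quoted above.
SAMPLE_LOG = """\
. 2012-07-26 01:17:45.245 Connected with mydomain.com, negotiating SSL connection...
< 2012-07-26 01:17:47.270 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 2012-07-26 01:17:47.464 220 You will be disconnected after 15 minutes of inactivity.
> 2012-07-26 01:17:47.464 AUTH TLS
< 2012-07-26 01:17:47.941 234 AUTH TLS OK.
. 2012-07-26 01:18:03.991 Timeout detected.
. 2012-07-26 01:18:03.991 Connection failed.
* 2012-07-26 01:18:03.999 Timeout detected.
"""

# Stage the session is in after each server reply code on the control channel.
STAGE_BY_REPLY = {"220": "banner", "234": "tls-handshake", "230": "logged-in"}


def parse(log_text):
    """Yield (marker, timestamp, text); in the log above '<' is a server reply
    and '>' a client command, while '.' and '*' are WinSCP's own messages."""
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[0] not in ("<", ">", ".", "*"):
            continue
        try:
            stamp = datetime.strptime(f"{parts[1]} {parts[2]}", "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue  # not a timestamped log line
        yield parts[0], stamp, parts[3]


def diagnose(log_text):
    """Report how far the explicit-FTPS session got before it timed out."""
    stage, commands, last_reply, timeout_at = "tcp-connect", [], None, None
    for marker, stamp, text in parse(log_text):
        if marker == ">" and text.split():
            commands.append(text.split()[0].upper())
        elif marker == "<":
            last_reply = stamp
            stage = STAGE_BY_REPLY.get(text[:3], stage)
        elif "Timeout detected" in text and timeout_at is None:
            timeout_at = stamp
    stall = None
    if last_reply and timeout_at:
        # Silence between the last server reply and the client giving up.
        stall = round((timeout_at - last_reply).total_seconds(), 3)
    return {
        "stage": stage,
        "credentials_sent": any(c in ("USER", "PASS") for c in commands),
        "data_channel_requested": any(c in ("PASV", "EPSV", "PORT", "EPRT") for c in commands),
        "stall_seconds": stall,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For the log in the post this reports the `tls-handshake` stage with no USER, PASS or PASV sent, so the session stalled on the control-channel TLS handshake, before login and before any active or passive data connection was requested. In explicit FTPS the 220 banner always precedes AUTH TLS, which is why it arrives unencrypted.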
  #8  
Old 26th July 2012, 13:17
falko

What's the output of
Code:
iptables -L
? Did you try both active and passive transfers in your FTP client?
  #9  
Old 27th July 2012, 15:51
Nap

Quote:
Originally Posted by falko
What's the output of iptables -L

I must have been accessing SSH at the time when I triggered fail2ban.
I looked into jail.conf and noticed that I had not configured it to monitor pure-ftpd. I've now added a record for pure-ftpd, using parameters similar to the other ftp servers. I haven't made any changes to the pure-ftpd filter file.
While I'm working on this problem, I'm going to leave it turned off though.

Unfortunately, I did not make a copy of the IPTables list at the time. And it's now reset back to normal. But I don't think it's the source of the problem I'm having, since I've checked jail.conf.
Quote:
Originally Posted by falko
Did you try both active and passive transfers in your FTP client?

In my version of WinSCP, I can only select Passive (On/Off) in the Connection node of the settings list. I've tried with both settings.

I noticed that when I change the encryption method to SSL/TLS Implicit or SSL Explicit, the connection fails very quickly because those methods are not implemented on my server and WinSCP detects that.
However, on TLS Explicit, there is a long delay, as if things are happening but not successfully.

When I followed the guide, I created the pem certificate as required. Is the directory (/etc/ssl/private/) shown in the guide valid for my distribution (Ubuntu 10.04 LTS)?
Also, at the start of the guide, there is a link to Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Ubuntu 10.10. I wanted to check the configuration information there against how I configured my system, but that link returns "Page not Found" at the moment.

Cheers,
Nap

Last edited by Nap; 27th July 2012 at 15:59. Reason: More info
  #10  
Old 28th July 2012, 11:08
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,747 Times in 2,578 Posts
 
Default

Quote:
Originally Posted by Nap
Is the directory (/etc/ssl/private/) shown in the guide valid for my distribution (Ubuntu 10.04 LTS)?

Yes.

Quote:
Originally Posted by Nap
Also, at the start of the guide, there is a link to Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Ubuntu 10.10. I wanted to check the configuration information there against how I configured my system, but that link returns "Page not Found" at the moment.

Thanks for the hint, I've corrected this - the correct link is http://www.howtoforge.com/virtual-ho...verick-meerkat