Active mode Pure-ftpd dont work

Discussion in 'Installation/Configuration' started by Captain, Jun 14, 2012.

  1. Captain

    Captain Member

    Hello!

    I have ISPConfig 3 final, Ubuntu 12.04 LTS.
    Today I restart server (after kernel updates) and now pure-ftpd
    dont want to work in active mode.
    passive mode work ok.

    pure-ftpd start:
    Code:
     Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -H -u 1000 -d -b -Y 1 -A -8 UTF-8 -p 40110:40210 -L 5000:500 -D -O clf:/var/log/pure-ftpd/transfer.log -E -B
    Verbose mode:
    Code:
    Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] New connection from 12.12.12.12
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [DEBUG] Command [user] [inf2ftp2]
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [DEBUG] Command [pass] [<*>]
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] inf2ftp2 is now logged in
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [opts] [UTF8 ON]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [pwd] []
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [type] [I]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [port] [12,12,12,12,19,138]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [mlsd] []
    12.12.12.12 is client internal IP.

    Thank you.
     
    Captain, Jun 14, 2012
    #1
  2. falko

    falko Super Moderator ISPConfig Developer

    Looks like a firewall issue. What's the output of
    Code:
    iptables -L
    ?
     
    falko, Jun 15, 2012
    #2
  3. Captain

    Captain Member

    Hello Falko!

    Thank you for your reply.
    Output:
    Code:
    root@in:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-courierauth  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-couriersmtp  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp
fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-multiport  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (14 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imaps
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3s
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere             tcp dpts:40110:40210
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-multiport (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierauth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-couriersmtp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
DROP       all  --  84-55-108-33.customers.ownit.se  anywhere
DROP       all  --  85-130-25-203.2073795190.shumen.cablebg.net  anywhere
DROP       all  --  c935b135.virtua.com.br  anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
     
    Captain, Jun 15, 2012
    #3
  4. falko

    falko Super Moderator ISPConfig Developer

    Have you tried to disable the firewall for testing purposes?
     
    falko, Jun 16, 2012
    #4
  5. Captain

    Captain Member

    Yes I tried to off ISPConfig firewall.

    But result is the same.

    Iptables after firewall off:
    Code:
    root@in:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-multiport (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-noscript (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-overflows (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierauth (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-couriersmtp (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot-pop3imap (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sasl (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
     
    Captain, Jun 18, 2012
    #5
  6. falko

    falko Super Moderator ISPConfig Developer

    Are there any firewalls between you and the server (routers, etc.)?
     
    falko, Jun 20, 2012
    #6
  7. Captain

    Captain Member

    Thank you Falko that dont forget about me.

    Yes we have MikroTik router.
    But all work with this router configurations until server was rebooted.

    Firewall config is:

    Code:
    0   ;;; Ping Allow/Drop
     chain=input action=drop protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 4   ;;; Drop  Invalid  connections 
     chain=input action=drop connection-state=invalid 

 5   ;;; Allow  Established  connections
     chain=input action=accept connection-state=established 

 6   ;;; Allow  UDP
     chain=input action=accept protocol=udp 

 7   ;;; Allow  access  to  router  from  known  network
     chain=input action=accept src-address=192.168.0.0/24 

 8   ;;; deny TFTP
     chain=tcp action=drop protocol=tcp dst-port=69 

 9   ;;; deny RPC portmapper
     chain=tcp action=drop protocol=tcp dst-port=111 

10   ;;; deny RPC portmapper
     chain=tcp action=drop protocol=tcp dst-port=135 

11   ;;; deny NBT
     chain=tcp action=drop protocol=tcp dst-port=137-139 

12   ;;; deny cifs
     chain=tcp action=drop protocol=tcp dst-port=445 

13   ;;; deny NFS
     chain=tcp action=drop protocol=tcp dst-port=2049 

14   ;;; deny NetBus
     chain=tcp action=drop protocol=tcp dst-port=12345-12346 

15   ;;; deny NetBus
     chain=tcp action=drop protocol=tcp dst-port=20034 

16   ;;; deny BackOriffice
     chain=tcp action=drop protocol=tcp dst-port=3133 

17   ;;; deny DHCP
     chain=tcp action=drop protocol=tcp dst-port=67-68 

18   ;;; deny TFTP
     chain=udp action=drop protocol=udp dst-port=69 

19   ;;; deny PRC portmapper
     chain=udp action=drop protocol=udp dst-port=111 

20   ;;; deny PRC portmapper
     chain=udp action=drop protocol=udp dst-port=135 

21   ;;; deny NBT
     chain=udp action=drop protocol=udp dst-port=137-139 

22   ;;; deny NFS
     chain=udp action=drop protocol=udp dst-port=2049 

23   ;;; deny BackOriffice
     chain=udp action=drop protocol=udp dst-port=3133 

24   chain=forward action=drop src-address=0.0.0.0/8 

25   chain=forward action=drop dst-address=0.0.0.0/8 

26   chain=forward action=drop src-address=127.0.0.0/8 

27   chain=forward action=drop dst-address=127.0.0.0/8 

28   chain=forward action=drop src-address=224.0.0.0/3 

29   chain=forward action=drop dst-address=224.0.0.0/3
     
    Captain, Jun 20, 2012
    #7
  8. falko

    falko Super Moderator ISPConfig Developer

    Is it possible you ran iptables rules on the command line (without putting them in some configuration file)? Those iptables rules are lost on reboot.
     
    falko, Jun 21, 2012
    #8
  9. Captain

    Captain Member

    Thank you Falko.

    No there are no iptables that runs via command line.

    We restart server at other time when active mode worked, and after restart it was ok.

    I think it was some updates, and after restart active mode goes down.
    it was dh-apparmor, but I delete it after that by apt-get remove.

    Any ideas?
     
    Captain, Jun 21, 2012
    #9

Share This Page